Trend Micro InterScan Messaging Security Virtual Appliance 8.5. Best Practice Guide

Transcription

1 Trend Micro InterScan Messaging Security Virtual Appliance 8.5 Best Practice Guide

2 Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright 2013 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Authors: Steve Pak / Jarno Buenaobra / Bryan Xu / Marcel Rieger / Eric Cai Editorials: Nadia Trivinio Released: September Trend Micro Inc. 2

3 <Table of Contents Table of Contents Table of Contents... 3 Chapter 1: Preface... 5 Chapter 2: Product Description... 6 Chapter 3: Hardware > Sizing Guidelines > Recommended Hardware IMSVA Server... 9 Chapter 4: Software > Recommendations LDAP TMCM Logging DDA server version requirement Chapter 5: Deployment > Network Topology INTERNET IMSVA Mailbox servers INTERNET MTA IMSS Mail box servers > Component Layout > Fault Tolerance and Load Balancing Chapter 6: > GUI Configuration Scanning Exceptions Notifications SMTP Routing Cloud Pre-Filter Steps to enable DDA integration > Policy Settings Policy Routing Global Antivirus Rule Regular Expressions Filter Ordering Creating Global White List for Inbound Mails Separating Phishing/WRS Checking from Anti-Spam Rule Scan Method C&C Contact Alert Services Scan Engine Trend Micro Inc. 3

4 <Table of Contents 6.3 > Configuration Files imss.ini File foxdns.ini File > Database Updating the configuration settings in the database Database Maintenance Schedule > Others Spam Settings EUQ SMTP Authentication Rule Samples Chapter 7: Backup and Disaster Recovery > Backup and Restore from the GUI > Manual Database Backup and Recovery > Backing up and Restoring Cloud Pre-filter account settings Chapter 8: References > Communication Ports > ERS Console > TLS (Transport Layer Security) Settings > Product Updates > Upgrade/Migration Trend Micro Inc. 4

5 Preface Chapter 1: Preface Welcome to Trend Micro InterScan Messaging Security Virtual Appliance v8.5 Best Practices Guide. This document is designed to help resellers and customers develop a set of best practices when deploying and managing the InterScan Messaging Security Virtual Appliance (IMSVA). This document is also designed to be used in conjunction with the following guides, both of which provide more details about IMSVA than are given here: Trend Micro InterScan Messaging Security Virtual Appliance v8.5 Installation Guide Trend Micro InterScan Messaging Security Virtual Appliance v8.5 Administrator s Guide Trend Micro IMSVA 8.5 Reviewers Guide Trend Micro Inc. 5

6 Product Description Chapter 2: Product Description InterScan Messaging Security Virtual Appliance (IMSVA) is a comprehensive antivirus and content management solution for the Internet mail gateway. There are 5 major components in an IMSVA environment that need to be identified when architecting the deployment. Each component is briefly described below. 1. Central Controller The main IMSS server that allows administrators to manage multiple IMSS Scanners using one IMSS Web Console 2. Scanner Service Accepts and scans SMTP and POP3 connections. 3. EUQ Service End User Quarantine service allows end users to checked their quarantined spam mails to check if they are spam or not. The first server where you will install EUQ on will become the Primary EUQ server where end-users will connect. Secondary EUQ servers provide load-balancing and better performance. 4. Cloud Pre-Filter Managed security service powered by the Trend Micro Security Platform. This allows the inbound messages to be scanned for spam, phishing, malware, and other messaging threats before reaching the network. 5. IP-Filter Consists of Reputation Service and IP-Profiler modules. The two modules provide anti-spam capability that can filter SMTP connection based on the IP-address of the connecting SMTP server. 6. Reputation Services First part of the IP-Filterring module, which prevents spam mails. It identifies and blocks spam using RBL to block SMTP connectiton based on the IP-address of the connecting MTA server. 7. IP Profiler Second part of the IP-filterring module. It allows administrators to block SMTP connections based on security violations and threshold settings Trend Micro Inc. 6

7 Hardware Chapter 3: Hardware On top of the normal MTA tasks of receiving and delivering s, IMSS has to disassemble, evaluate, scan and reassemble the s. This makes IMSVA a CPU and disk I/O intensive application. Careful planning needs to be done to make sure the IMSVA hardware can handle the load of the environment. 3.1 > Sizing Guidelines Important: This information can be used as a starting reference only. Actual performance will vary depending on features enabled, topology, performance tweaks, and scan-exclusions as outlined throughout this best practice document. This Sizing Guidelines are based off IMSVA 7.0. When doing sizing planning for IMSVA 8, the main goal is to determine how many IMSVA Scan Servers are needed using the two given customer environment data. These are the Average Message Size and the Total Throughput. 1. Average Message Size (KBytes) This is the average message size as seen in your environment. 100 KBytes is a common size for an environment if the other details are unknown. 2. Total Throughput (Messages/hour) This is the number of messages passing through the SMTP gateway per hour. If growth is expected, size for the planned growth. This is the number of messages passing through the proposed IMSS gateway. If IMSS is to be used to filter both incoming and outgoing mail, the total number of mail messages must be used. Internal messages that do not pass through IMSS at the gateway should not be included the Total Throughput variable. Messages that will be filtered by the IP-Filtering (ERS or IP-Profiler) module should not be included. STEP 1: Using Ave. Message Size, determine the Maximum Steady Throughput. Maximum Steady Throughput is the max number of messages/hr IMSVA can process without queuing. Use the following tables to determine the Maximum Steady Throughput. Please take note that these data assumes that the user is using the 2 default IMSVA filters (Antivirus and AntiSpam Filters).The values may vary if additional Filters are used but these numbers make a very good baseline as seen in other customers Trend Micro Inc. 7

8 Trend Micro InterScan Messaging Security Virtual Appliance 8.5 Hardware Volume Category Item 0 Estimated Seats per Server Throughput Server Hardware Item information High Volume ~38,000 ~240,100 Messages per hour (67 Messages per second) VMware ESX 3.5 Virtual Machine -4 Virtual CPUs -4 GB RAM -VM Network adapter -LSI Logic SCSI controller -80 GB Virtual Disk Host Server Hardware GHz Intel Xeon CPU -8 GB available on Host -Perc 6/I SAS -3 x 73 GB 15,000 RPM SAS hard drive NOTE Notes on Test Results Dedicated host (only one IMSVA 7.0 virtual machine running on this host) Default Configuration of IMSVA 7.0: o Antivirus + Anti-spam active o ERS, IP Profiling, Web EUQ inactive The above sizing estimates imply no message queuing on the IMSVA server. An average user is defined: o 50 messages sent/received across the gateway per 8 hour day (total) o Average message size 108 KB o This is mildly aggressive sizing to ensure accurate capacity planning If only antivirus or anti-spam is enabled, increase throughput by 10 percent in Table 1 Content filtering can be more expensive in resource consumption than both Antivirus and Anti-spam depending on the number and type of filters used. If the customer requires many content filters. STEP 2: Determine the number of IMSS servers required. Number of servers = Total Throughput / Max Steady Throughput Trend Micro Inc. 8

9 Hardware I.e. Ave Msg size is 100KB. IMSVA 7 with the High Volume specs and the Total Throughput is 300,000 Mgs/hour Number of servers = 300,000/240,100 = 1.25 In this example, the number of IMSVA servers recommended is 2 (1.25 rounded up) NOTE The data present is based of IMSVA 7.0. Using Content Filter with complex rules and other options can greatly reduce the throughput. 3.2 > Recommended Hardware IMSVA performs heavy disk I/O operations similar to most SMTP applications. Leveraging the fastest disk RPM and RAID configuration is known to significantly improve performance. IMSVA will also automatically spawn more processes to keep up with incoming traffic. Therefore, adding more RAM is another key element to increasing performance IMSVA Server Below are the recommended hardware specifications for an IMSVA Server. Please note that these are not the minimum system requirements for this product. CPU: Four Intel Xeon processors 3.16GHz. RAM: 8 GB Disk Drive: 15,000RPM hard disk drive or faster Trend Micro Inc. 9

10 Software Chapter 4: Software This section will go over software best practices for IMSVA. Since IMSVA is a virtual appliance, you do not need to worry about hardening or tuning the softwar. This section will give you guidelines on the third party software that are used by IMSVA. 4.1 > Recommendations LDAP IMSVA supports the following three types of LDAP servers: Microsoft Active Directory 2003, 2008 or Global Catalog IBM Lotus Domino 6.5 and 8.5 Sun One LDAP 5.2 or above OpenLDAP TMCM Version 5.5 Service Pack 1 Patch 3 Version 6.0 Patch Logging To maintain optimum performance for the modules that read and write information from the database, Trend recommends maintaining the database to the smallest possible size. To do this, you can decrease the configured number of days for storing event logs (under Logs Settings) and quarantined/archived events 2013 Trend Micro Inc. 10

11 SuBest Practice Guide Software (under Quarantine & Archive Settings) and lessen the number of reports to save (under Reports Settings) DDA server version requirement DDA 2.92 and DDA Trend Micro Inc. 11

12 Deployment Chapter 5: Deployment This section will go over deployment best practices for IMSVA. Here we will give recommendations as to the placement of IMSVA in relation to the mailboxes and your MTA(s). You will get information on which components you can enable/disable on each IMSVA and different load balancing / fault tolerance techniques that are commonly used. 5.1 > Network Topology IMSVA 8.5 comes with Postfix, which is a complete MTA. This allows you to put IMSVA anywhere in your topology just like any other MTA. However, if you intend to use the IP Profiler and ERS features, you must place your IMSVA on the edge of the network. Cloud Pre-Filter has no impact on how IMSVA should be deployed. With Cloud Pre-Filter, Trend Micro recommends adding the IMSVA s address to the domain s MX records, and the placing IMSVA at a lower priority than the Cloud Pre-Filter. This allows IMSVA to provide service continuity as a backup to Cloud Pre-Filter. Below are some common topologies with IMSVA INTERNET IMSVA Mailbox servers This is the ideal setup especially if ERS and IP-Profiler will be used. The Postfix MTA that comes with IMSVA will act as the front MTA server. Postfix is fully compatible with all the ERS and IP-Profiler features INTERNET MTA IMSS Mail box servers This setup is recommended if you don t want to replace your current front MTA server with IMSVA. Although you will not be able to use IP Profiler, you can still use ERS depending on which MTA server you are running. Almost all popular MTAs support RBL feature which is the technology behind ERS. Please follow the links below for more information about how to enable ERS on other MTA servers. ERS Standard: 2013 Trend Micro Inc. 12

13 SuBest Practice Guide Deployment ERS Advanced: For more deployment options, refer to the InterScan Messaging Security Virtual Appliance Installation Guide. 5.2 > Component Layout Please see the InterScan Messaging Security Virtual Appliance Instation Guide and InterScan Messaging Security Virtual Appliance 8.0 Administrator s Guide for an explaination on the parent-child relationship between the IMSVA and groups. IMSVA 8.5 has major components that can run separately on different virtual machines. This allows IMSVA to support a distributed type of deployment. Although it can also support the single-server type of deployment, distributed deployment provides better performance and fault-tolerance. Below are different types of deployments and their advantages. Figure 1 Single Server Deployment All IMSVA Components are on the same server. This is the simplest type of deployment, which is best for small network environments. Use this option if the server s hardware specifications can handle the amount of s that will go through IMSVA. Considerations: If you intend to use ERS and IP Profiler, the server should be the edge of the network. An edge MTA is the one that accepts s directly from the Internet. Since there is only one IMSVA server in the environment, there is a single point of failure, which may interrupt flow if the server goes down Trend Micro Inc. 13

14 Deployment Figure 2 Distributed Deployment (medium-size environment) Server 1 has parent virtual appliance with Scanner, Policy, and EUQ services all started. Server 2 has a child virtual appliance with Scanner, Policy, and EUQ services all started. Server N has a child virtual appliance with Scanner, Policy, and EUQ services all started. Use this type of deployment for better scalability. In this type of deployment, you can easily add more virtual appliances in the future if necessary. Since there are multiple Scanner servers that can accept s, this setup provides fault-tolerance, which avoids the interruption of flow if one IMSVA goes down. The EUQ client access load is distributed to multiple secondary EUQ Servers by the parent EUQ Servers. NOTE see Section 3.1 Sizing Guidelines to determine how many IMSS Scanner servers are necessary to support your environment. Considerations: If you intend to use ERS and IP Profiler, the IMSVA Scanner servers should be at the edge of the network. The IMSVA Scanner servers should be ones accepting s directly from the Internet. EUQ Users should have access to Server 1, which is hosting the Primary EUQ Server. The parent server may become the bottleneck depending on the amount of logs, quarantined events, etc. that needs to be stored. Even with the Scanner service running on the parent, you can set this to be the least priority in the mail routing so it has more resources to run its other tasks. In environments with more than two child devices, the Scanning, Policy, and EUQ services should be disabled on the parent virtual appliance, if possible, to avoid its overload Trend Micro Inc. 14

15 SuBest Practice Guide Deployment Figure 3 Distributed Deployment (large-size environment) Server 1 has the parent virtual appliance with the Scanner, Policy, and EUQ services all disabled. Dedicated child virtual appliances with only Scanners and Policy services enabled. Dedicated child virtual appliances with only EUQ service enabled Use this type of deployment to achieve the highest level of performance, scalability and fault-tolerance. In this setup, users can add more IMSVA Scanner servers in the future if necessary. Disabling all the services on the parent device provides better performance especially if there are several child devices to manage. Specializing appliances to run either the Scanner/Policy Services or EUQ service will provide the best performance output. NOTE see Section 3.1 Sizing Guidelines to determine how many IMSS Scanner servers are necessary to support your environment. Considerations: If you intend to use ERS and IP Profiler, the IMSVA running the Scanner and Policy services should be at the edge of the network. EUQ Users should have access to Server 1, which is hosting the main EUQ Server. Multiple-location Considerations IMSVA works well in a multiple-location environment. Below are things to be aware of when implementing IMSVA on a multiple-location environment. Deploy at least one parent virtual appliance in each localtion. Use TMCM to manage multiple parent appliances Trend Micro Inc. 15

16 Deployment 5.3 > Fault Tolerance and Load Balancing Why Load Balance Load balancing provides the following network benefits: Increased / and or sustained traffic throughput without increased latency (when compared to a non-load balanced solution). Rudimentary high availability capabilities. Load Balancing Methods There are several methods for accomplishing load balancing for both SMTP and HTTP. These are: Hardware load balancing DNS round robin Hardware Load Balancing Many organizations consider hardware load balancing the preferred solution. This is because it provides a balanced delivery of services to end users. A hardware solution typically balances traffic for OSI Layers 4 through 7 and is otherwise known as an application switch. By using a hardware load balancer, all the work to determine which node should process which request is handled by the hardware, away from the nodes. Adding, removing, or updating equipment to the group also is easier. Hardware load balancing also provides several ways to balance the network, whether that solution includes a high-end switch or an additional network appliance. General Configuration for a Hardware Load Balancer for Inbound SMTP Traffic Configuring a hardware load balancer involves: Selecting the pool of IP addresses that the load-balanced devices are going to use. Configuring the load balancer to use a virtual server IP address for the load-balanced pool of devices. Choosing destination protocol triggers that send only the specified protocol from the virtual server to the loadbalanced pool Trend Micro Inc. 16

17 SuBest Practice Guide Deployment No additional changes need to be made to external DNS MX records, unless the new virtual server IP address is different from the published MX record. DNS Round Robin Round robin works by having separate DNS name records (Name Record As) bound to the same canonical name record (Name Record C) for each server that provides a specific service. These A and C name records use the zone s minimum time-to-live value (TTL) to specify the time period the DNS record is kept before it is requested again. In this way, when DNS clients request the C name record for a service, the DNS server resolves the list of servers, but only returns one entry. The client requesting the C name record uses that server for the duration of the TTL. When the end of the TTL period is reached, the query is performed again. Using this technique, a DNS record that is sent to Client A could be different from that sent to Client B thus, Client A s traffic might go to Server A and Client B s traffic might go to Server B. The effect of using DNS Round Robin is that each of the Record A servers is used in the most efficient way possible to provide the service to the end client. Example (DNS Zone Configuration): server1.mydomain.tld IN A ; server2.mydomain.tld IN A ; server3.mydomain.tld IN A ; server4.mydomain.tld IN A ; proxy.mydomain.tld IN CNAME server1.mydomain.tld; proxy.mydomain.tld IN CNAME server2.mydomain.tld; proxy.mydomain.tld IN CNAME server3.mydomain.tld; proxy.mydomain.tld IN CNAME server4.mydomain.tld; In the above example, all MTA s would be configured to use proxy.mydomain.tld and could use one of four possible servers for each TTL period Trend Micro Inc. 17

18 Chapter 6: This section will go over the different configuration best practice for IMSVA. You can change the IMSVA configuration in three ways. Via the GUI Via local configuaration files (ini files) Via the database Changes made in the GUI are stored in either the local configuration files and/or the database. The priority in which IMSS will use the configuration settings if there is a conflict between the local files and the database is it will prioritize the setting specified in the local ini files. If the particular setting is not found in the local ini files, IMSS will use the setting in the database. The next sections will focus on the different configuration methods. 6.1 > GUI Configuration Scanning Exceptions Policy -> Scanning Exceptions -> Security Settings Violations Category Description This is the maximum size a message including attachment can be. Set this according to your company policy. The default value is set to 30 MB. Total # recipients exceeds Total # embedded layers in compressed The maximum number of recipients allowed within a single message. Messages with a lot of recipients can cause increased latency in message rule matching. A layer is defined by a compressed file within a compressed file. Has been used in previous attacks to hide malware deeper than scan 2013 Trend Micro Inc. 18

19 SuBest Practice Guide Category Description file exceeds engines previously scanned. Recommended value is 5. The default value is set at 20 layers. Total decompressed size of any single file exceeds Total # files in compressed file exceeds This setting is to prevent zip file attacks. The size set here should be relative to your total message size limit. Example: If you set your maximum message size to 5MB, the total size should not exceed 50MB. The default value is set at 50 MB. This setting is to prevent zip file attacks. Having a zip file with 50,000 files inside of it, although small in size, could cause significant scan time. Set this at a reasonable rate for the message size you are accepting. The default value is at 1000 files. Log Settings Logs -> Settings Category Database log update interval Number of days to keep logs for query. Number of days to keep in log files Maximum log file size for each service Description Logs are uploaded for reports and message tracking at this interval. For quicker updates to Message tracking, you can lower this to one minute. However, you will have more regular connections to the database instead of fewer connections but sending more data during each. The default value is set at 1 minute. This is the amount of days to keep the logs in the database which can be used to control the size of the database. Remember if you set it under 30 days, you will lose monthly report functionality. The default value is set at 30 days. Log files should be kept as long as necessary. Care should be taken to keep past log files for an extended period of time to prevent hard drive space consumption. Input 0 to remove any size restriction. Clear the input box to prevent IMSS from deleting any log files. The default value is set at 90 days. Acceptable values are between 100 and As above, please keep hard drive storage in mind. Input 0 to remove any size restriction. The default value is set at 2000 MB Trend Micro Inc. 19

20 Administration -> Updates -> Components PARAMETER Enable Scheduled Update USAGE / NOTES It is recommended to enable scheduled update to be performed at least hourly. If hourly is specified, change the minute interval so all Trend Micro products do not update at a single time which could cause a drop in the amount of bandwidth available Notifications Administration -> Notifications -> Events PARAMETER Delivery queue contains more messages than Retry queue folder contains more messages than USAGE / NOTES This number should be scaled based on the amount of messages received by the IMSS installation. (Example: If you receive 100,000 s a day, it should be set much lower than if you receive 1,000,000 s a day). The default value is set at messages Much like the delivery queue, this number should be scaled based on the amount of messages received by the IMSS installation. The default value is at messages NOTE It is best to get the baseline of Mails in Delivery Queue and Mails in Deffered Queue during peak operation to set the values. Also, note that if the there is a large influx of s, the notification can be trigger, so the setting can be increased to reflect this normal behavior. Administration -> Notifications -> Delivery Settings PARAMETER To Addresses Server name or IP Address SMTP Server Port USAGE / NOTES This should list all of the administrative addresses which require notifications in the Events tab. All policy based notifications are configurable for different addresses. The server IP address of the IMSVA machine should be listed here with a port number of This is a bypass port where no scanning will occur. If you d like to filter your own notifications, a port of or 25 can be used. Care should be taken as this adds additional load to the server and notifications could get filtered by your policies Trend Micro Inc. 20

21 SuBest Practice Guide SMTP Routing Administration -> SMTP Routing -> Connections Category Simultaneous Connections Incoming Transport Layer Security Settings Description This is the Postfix simultaneous SMTP client connection setting (maxproc column for smtpd in master.cf). The default value is 200. That is good number to start with then can be increased gradually depending on the available CPU and RAM of the server, if needed. See Section 8.3 for more information about TLS and certificates Administration -> SMTP Routing -> Message Rule Category Maximum Message Size Maximum number of recipients (1 to unlimited) Incoming Message Settings Permitted Senders of Relayed Mail Description This is the Postfix message size limit setting (message_size parameter in main.cf). The value depends on the company policy. In most customers, the limit is 5mb to 10mb. The default value is at 20 MB. If the size is larger than this, it will be rejected during the mail transaction. This is more efficient than taking action on the size of the message in Security Settings or a Size policy. This is the Postfix single message recipient limit setting (smtpd_recipient_limit parameter in main.cf). This is the maximum number of recipients allowed for a single message. A large number of recipients can cause delays during policy matching. If more recipients are specified in the mail envelope, they will receive a 452 Too many recipients error and it s up to the sending mail server to split and retry the message. Most of the time, legitimate mails will only have less than 100 recipients. The default value is at 1000 recipients. This is a Postfix anti-relay setting (relay_domains parameter in main.cf). To ensure that IMSVA receives incoming messages, Trend Micro recommends adding all internal domains in your network. This is another Postfix anti-relay setting (mynetworks parameter in main.cf). Add the ip addresses or network addresses of the hosts that you want to be able to send mails through postfix regardless of the destination domain Trend Micro Inc. 21

22 Administration -> SMTP Routing -> Domain-based Delivery PARAMETER Message Delivery Settings USAGE / NOTES All domains should be listed that to be used as SmartHosts. IMSVA will use DNS to delivery other domains Cloud Pre-Filter In order to use Cloud Pre-Filter, administrator should has control on their MX records, or at least has a way to request MX records change. Mail flow impact for inbound mail Enabling Cloud Pre-filter will change the inbound mail flow demonstrated as below: Without Cloud Pre-Filter With Cloud Pre-Filter 2013 Trend Micro Inc. 22

23 SuBest Practice Guide Steps to enable DDA integration 1. Open IMSVA web console, navigate to Policy Scan Engine, and select Enable Advanced Threat Scan Engine to enable ATSE. 2. Navigate to Administration IMSVA Configuration Deep Discovery Advisor Configuration, enable DDA and configure DDA server info. An example as following chart: // Administrator can get API key from DDA console Administrator About info. 1. Administrator can query DDA analysis status from IMSVA web console: 6.2 > Policy Settings Policy Routing Enter the Internal Addresses which can be either domains or LDAP groups. When selecting Both Incoming and Outgoing, you will have to specify all the internal domains for which IMSS is accepting mail Trend Micro Inc. 23

24 The easiest way is to gather all your internal domains in a text file. The file can be imported under the Internal Addresses area so IMSS will correctly know Incoming vs. Outgoing in the reports. If you are using incoming messages or outgoing messages, in the Recipients and Senders section of the policy creation, you can create a new Address Group and import all your domains Global Antivirus Rule Scanning Conditions For the scanning conditions of the Global Antivirus Rule in the GUI (Policy -> Policy List -> Global antivirus rule -> And scanning conditions match), it is recommended to have IntelliTrap turned on for better protection. Please also enable as many Spyware/Grayware Scan options as your company policy will allow. Action on Special Viruses For the actions on special viruses found in the Policy -> Policy List -> Global antivirus rule -> The action is - > Special Viruses, it is recommended to keep the setting for mass-mailing viruses enabled and the action to be delete. This way all messages that are detected to be mass-mailers will be deleted and will not enter your network Regular Expressions InterScan Messaging Security Virtual Appliance (IMSVA) 8.5 treats all keyword expressions as regular expressions and supports the following regular expressions. Characters Regular Expression Description. (dot) Any character (byte) except newline x The character 'x' \\ The character '\' \a The alert (bell) character (ASCII 0x07) \b 1. If this meta-symbol is within square brackets [] or, it will be treated as the backspace character (ASCII 0x08). For example, [\b] or \b 2013 Trend Micro Inc. 24