ADMINISTRATOR'S GUIDE

Transcription

1 Kaspersky Security 8.0 for Microsoft Exchange Servers ADMINISTRATOR'S GUIDE P R O G R A M V E R S I O N : 8. 0

2 Dear User! Thank you for choosing our product. We hope that this document will help you in your work and provide answers to the majority of your questions. Attention! This document is the property of Kaspersky Lab: all rights to this document are reserved by the copyright laws of the Russian Federation, and by international treaties. Illegal reproduction and distribution of this document or parts thereof will result in civil, administrative or criminal liability in accordance with the laws of the Russian Federation. Any type of reproduction or distribution of any materials, including in translated form, is allowed only with the written permission of Kaspersky Lab. This document and the graphic images it contains may be used exclusively for information, non-commercial or personal purposes. This document may be amended without additional notification. For the latest version, please refer to Kaspersky Lab s web site at Kaspersky Lab assumes no liability for the content, quality, relevance or accuracy of any materials used in this document for which the rights are held by third parties, or for the potential damages associated with using such documents. The document contains registered trademarks and service marks belonging to their respective owners. Revision date: Kaspersky Lab ZAO. All Rights Reserved

3 TABLE OF CONTENTS ABOUT THIS GUIDE... 6 In this document... 6 Document conventions... 7 ADDITIONAL SOURCES OF INFORMATION... 9 Data sources for independent search... 9 Discussing Kaspersky Lab applications on the web forum Contacting the Technical documentation development group KASPERSKY SECURITY 8.0 FOR MICROSOFT EXCHANGE SERVER Basic functionality Distribution Kit License agreement Services for registered users Hardware and software requirements APPLICATION ARCHITECTURE Application components and their purpose Security Server architecture TYPICAL DEPLOYMENT SCHEMES Microsoft Exchange Server roles and corresponding configurations Server protection deployment Application deployment on a server cluster APPLICATION SETUP Preparing installation Upgrading an earlier version Application setup procedure Step 1. Installing the required components Step 2. Greeting and License Agreement Step 3. Selecting the type of the installation Step 4. Selecting the application components Step 5. Configuring connection to Microsoft SQL Server Step 6. Copying files Getting started. Application configuration wizard Configuring updates Installing a license key License-related notifications Testing the application functionality Restoring the application Removing the application MANAGING KASPERSKY SECURITY LICENSES Viewing information about installed licenses Installing a license key Removing a license key Notification about license expiry Creating the list of protected mailboxes and storages

4 A D M I N I S T R A T O R ' S G U I D E APPLICATION INTERFACE Main window Context menu APPLICATION START AND STOP DEFAULT MICROSOFT EXCHANGE SERVER PROTECTION STATUS GETTING STARTED Launching the application Creating the list of protected Microsoft Exchange servers Connecting the Administration Console to the Security Server UPDATING THE ANTI-VIRUS AND ANTI-SPAM DATABASES Manual update Automatic database updating Selecting the updates source Editing the connection settings ANTI-VIRUS PROTECTION Enabling and disabling anti-virus server protection Creating rules for object processing Scanning attached archives and containers Creating scanning exclusions Configuring protection settings for mail accounts Background scan ANTI-SPAM PROTECTION Configuring the anti-spam analysis Creating the black and white lists of senders Advanced Anti-Spam configuration Using external services for spam processing Using additional Anti-Spam functionality BACKUP STORAGE Viewing the Backup storage Viewing properties of a backed-up object Filtering of Backup Restoring objects from the Backup Sending objects for analysis Deleting objects from Backup Configuring the Backup storage settings NOTIFICATIONS Configuring notification settings Configuring notification delivery settings REPORTS Configuring Quick reports settings Configuring Anti-Virus reports settings Configuring Anti-Spam reports settings View the Ready reports Delivery of reports via

5 T A B L E O F C O N T E N TS APPLICATION EVENT LOGS Configuring the diagnostics level Configuration of the logs settings FREQUENTLY ASKED QUESTIONS CONTACTING THE TECHNICAL SUPPORT SERVICE GLOSSARY KASPERSKY LAB INFORMATION ABOUT THIRD-PARTY CODE Software code BOOST , bzip2/libbzip EXPAT 1.2, FREEBSD LIBC GECKO SDK ICU INFO-ZIP LIBJPEG 6B LIBNKFM LIBPNG LIBSPF LIBUNGIF LIBXDR LOKI LZMA SDK MICROSOFT ENTERPRISE LIBRARY MICROSOFT VISUAL STUDIO 2008 (MSVCP80.DLL, MSVCR80.DLL) OPENSSL 0.9.8D PCRE 7.4, RFC1321-BASED (RSA-FREE) MD5 LIBRARY SPRING.NET SQLITE WPF TOOLKIT ZLIB 1.2, Other information KASPERSKY LAB END USER LICENSE AGREEMENT INDEX

6 ABOUT THIS GUIDE Greetings from the team of Kaspersky Lab CJSC (hereinafter referred to as Kaspersky Lab)! We hope that this Administrator's Guide will help you understand basic working principles of Kaspersky Security 8.0 for Microsoft Exchange Servers (hereinafter referred to as KS 8.0 for Exchange Servers or Kaspersky Security). The document is intended for administrators of mail servers using Microsoft Exchange Server 2007 or 2010 (further - Microsoft Exchange Server), who have chosen Kaspersky Security as the protection solution for the mail servers. The aim of the document: assist Microsoft Exchange Server administrators in installing the application components on server, activating the server protection and ensuring its optimal configuration considering the current tasks; provide quickly searchable information about installation-related issues; provide alternate sources of information about the application and the ways of getting technical support. IN THIS SECTION In this document... 6 Document conventions... 7 IN THIS DOCUMENT Administrator's Guide for Kaspersky Security 8.0 for Microsoft Exchange Servers consists of the following chapters: About this Guide. The chapter outlines the structure of this Administrator's Guide. Additional sources of information (on page 9). The section describes various sources of information pertaining to the purchase, installation and operation of Kaspersky Security. Kaspersky Security 8.0 for Microsoft Exchange Servers (on page 11). The chapter describes the main features of the application. Application architecture (on page 14). The chapter describes the application components and methods of their interaction. Typical deployment schemes (on page 16). The chapter describes the roles of a Microsoft Exchange server and the schemes for deployment of server protection. Application setup (on page 18). The chapter details the procedure of Kaspersky Security installation. License management (see section "Managing Kaspersky Security licenses" on page 29). The chapter describes the types of licenses and the procedure of license installation and removal. Application interface (on page 33). The chapter describes the user interface of Kaspersky Security. Application start and stop (on page 36). The chapter explains how to start and stop the application. Default protection of Microsoft Exchange Server (on page 38). The chapter describes the peculiarities of Kaspersky Security operation using the default settings. Getting started (on page 39). The chapter explains how to begin using Kaspersky Security, enable the mail server protection and create the list of protected servers. 6

7 A B O U T T H I S G U I D E Updating the Anti-Virus and Anti-Spam databases (on page 42). The chapter describes configuring of the update settings for the databases of Kaspersky Security. Anti-virus protection (on page 46). The chapter is devoted to the configuration of anti-virus protection of mail servers. Anti-Spam protection (on page 52). The chapter describes the opportunities for anti-spam protection of mail servers. Backup (on page 60). The chapter explains the Backup functionality, the methods used to restore objects from Backup as well as Backup configuration. Notifications (on page 68). The chapter describes the methods used to receive notifications about the events occurring in Kaspersky Security. Reports (on page 70). The chapter contains information on creation of reports, their reviewing and delivery via . Event logs (see section "Application event logs" on page 77). The chapter describes configuration of the settings for reporting of the Anti-Virus and Anti-Spam activity, and other Kaspersky Security events. Frequently asked questions (on page 79). The chapter is devoted to the questions that users ask most often. Contacting the technical support service (on page 81). The chapter describes available technical support options for the application users. Kaspersky Lab (on page 85). The chapter contains a brief description of the company Information about third-party code (on page 86). The chapter contains information about software code and tools of other vendors used in the application development. DOCUMENT CONVENTIONS Document conventions described in the table below are used in this Guide. Table 1. Document conventions SAMPLE TEXT Please note that... It is recommended to use... DOCUMENT CONVENTIONS DESCRIPTION Warnings are highlighted in red and framed. Warnings contain important information, for example, related to the actions which are critical for the computer security. Notes are framed. Notes contain additional and reference information. Example:... Examples are given in sections with the yellow background under the header "Example". 7

8 A D M I N I S T R A T O R ' S G U I D E SAMPLE TEXT Update is... ALT+F4 Enable help To configure a task schedule, perform the following steps: <IP address of your computer> DOCUMENT CONVENTIONS DESCRIPTION New terms are printed in italics. Names of the keyboard keys are capitalized and printed in bold type. Names of the keys linked with the "plus" sign mean key combinations. UI elements, for example, names of entry fields, menu options, buttons are in bold. Instructions are marked with an arrow sign. Introductory phrase on an instruction is printed in italics. Commands entered in the command line, or messages displayed on the screen are highlighted with special font. The variables are put in angle brackets. A variable is replaced in each case with the corresponding value substituted instead, angle brackets are omitted then. 8

9 ADDITIONAL SOURCES OF INFORMATION If you have any questions regarding selection, purchasing, installing or using Kaspersky Security, you can quickly find relevant answers. Kaspersky Lab provides various sources of information about the application. You can select the most convenient source, depending on the urgency or importance of your question. IN THIS SECTION Data sources for independent search... 9 Discussing Kaspersky Lab applications on the web forum Contacting the Technical documentation development group DATA SOURCES FOR INDEPENDENT SEARCH You may refer to the following sources of information about the application: application page at Kaspersky Lab's web site; application page at the Technical Support web site (in the Knowledge Base); online help system; documentation. Application page at Kaspersky Lab's web site On this page you can find general information about Kaspersky Security, its features and peculiarities. Application page at the Technical Support web site (in the Knowledge Base) This page contains articles published by the Technical Support experts. These articles contain useful information, guidelines, and answers to frequently asked questions pertaining to the operation of Kaspersky Security. Online help system The online help system contains information on setting up the program components, as well as directions and recommendations on program management. To open the help system, select Help. If you have a question about a certain window or tab in Kaspersky Security, you can use the context help. To open the context help, open the window or the tab that interests you, and click the Help button or press the F1 key. 9

10 A D M I N I S T R A T O R ' S G U I D E Documentation Installation Guide for Kaspersky Security contains complete information necessary to install the application and is included in the application package. DISCUSSING KASPERSKY LAB APPLICATIONS ON THE WEB FORUM If your question does not require an urgent answer, you can discuss it with Kaspersky Lab's specialists and other users in our forum located at In this forum you can view existing topics, leave your comments, create new topics, and use the search engine. CONTACTING THE TECHNICAL DOCUMENTATION DEVELOPMENT GROUP If you have any questions regarding documentation, have found an error or if you would like to provide feedback, you can contact the Technical documentation development group. Click the Leave feedback link in the top right part of the Help window to open the default client on your computer. The displayed window will contain automatically substituted address of the documentation development group (docfeedback@kaspersky.com) and the message subject (Kaspersky Help Feedback: Kaspersky Security). Write your feedback and send the without changing the subject. 10

11 KASPERSKY SECURITY 8.0 FOR MICROSOFT EXCHANGE SERVER 2007 Kaspersky Security 8.0 for Microsoft Exchange Servers is an application designed for protection of mail servers based on Microsoft Exchange Server against viruses, Trojan software and other types of threats that may be transmitted via . Malware can cause serious damage; these programs are designed specifically to steal, block, modify or destroy data disrupting the operation of computers and computer networks. Massive virus mailing can quickly spread infection in corporate networks paralyzing both running servers and workstations and resulting in unwanted downtime and damages. Moreover, virus attacks may also cause data losses which can negatively affect your business and the business of your partners. Kaspersky Security provides for anti-spam protection on the level of your corporate mail server saving your employees the trouble of deleting unwanted mail manually. IN THIS SECTION Basic functionality Distribution Kit Hardware and software requirements BASIC FUNCTIONALITY Kaspersky Security protects mailboxes, shared folders and relayed mail traffic passing a Microsoft Exchange Server against malware and spam. The application scans all traffic passing through the protected Microsoft Exchange Server. Kaspersky Security can perform the following operations: Scan incoming, outgoing mail and the messages stored on a Microsoft Exchange Server (including shared folders) checking them for malware presence. While scanning, the application processes the whole message and all its attached objects. Depending upon the selected settings, the application disinfects, removes detected harmful objects and provides to users complete information about such accidents. Filter mail traffic screening out unsolicited mail (spam). The Anti-Spam component scans mail traffic checking it for spam content. In addition, Anti-Spam allows creation of white list of sender addresses and supports flexible configuration of anti-spam analysis intensity. Save backup copies of objects (attachments or message bodies) and spam messages prior to their disinfection or deletion to enable subsequent restoration, if required, thus preventing the risk of data losses. Configurable filters allow easy location of individual stored objects. Notifying the sender, the recipient and the system administrator about messages that contain malicious objects. Maintain event logs, collect statistics and create regular reports on the application activity. The application can create reports automatically according to the schedule or by request. Configure the application settings to match the volume and type of relayed traffic, in particular, define the connection timeout to optimize scanning. 11

12 A D M I N I S T R A T O R ' S G U I D E Update the databases of Kaspersky Security automatically or in manual mode. Updates can be downloaded from the FTP or HTTP servers of Kaspersky Lab, from a local / network folder that contains the latest set of updates, or from user-defined FTP or HTTP servers. Re-scanning messages for the presence of new viruses, using a schedule. This task is performed as a background scan, and has only a small effect on the mail server s performance. Manage anti-virus protection on the storage level and create the list of protected storages. Managing licenses. A license is provided for a certain number of mailboxes, not user accounts. DISTRIBUTION KIT You can purchase Kaspersky Security from our partners, or purchase it online from Internet shops, such as the estore section of Kaspersky Security is supplied as a part of Kaspersky Security for Mail Server( or, or, or of the Kaspersky Open Space Security products ( included into the Kaspersky Enterprise Space Security and Kaspersky Total Space Security solutions. After purchasing a license for Kaspersky Security, you will receive an containing a link to download the application from the web site of Kaspersky Lab and a key file for license activation, or an installation CD containing the distribution package of the product. Before breaking the seal on the installation disk envelope, carefully read through the EULA. LICENSE AGREEMENT The End-User License Agreement is a legal agreement between you and Kaspersky Lab that specifies the terms on which you may use the software you have purchased. Read the EULA through carefully! If you do not accept the terms and conditions of the license agreement, you can decline the product offer and receive a refund. Please note that the envelope with the installation CD should remain sealed. By opening the sealed installation disk, you accept all the terms of the EULA. SERVICES FOR REGISTERED USERS Kaspersky Lab Ltd. offers an extensive service package to all legally registered users of Kaspersky Security, enabling them to boost the application's performance. After purchasing a license, you become a registered user and, during the period of your license, you will be provided with these services: regular updates to the application databases and updates to the software package; support on issues related to the installation, configuration and use of the purchased software product. Services will be provided by phone or via ; information about new Kaspersky Lab products and about new viruses appearing worldwide. This service is available to users who subscribe to Kaspersky Lab's newsletter on the Technical Support Service web site( Support on issues related to the performance and the use of operating systems, or other non-kaspersky technologies, is not provided. 12

13 K A S P E R S K Y S E C U R I T Y 8. 0 F O R M I C R O S O F T E X C H A N G E S E R V E R HARDWARE AND SOFTWARE REQUIREMENTS Hardware requirements The hardware requirements of Kaspersky Security are identical to the requirements of Microsoft Exchange Server. Depending upon the application settings and its mode of operation, considerable disk space may be required for Backup storage and other service folders (the default size of the Backup storage folder can be up to 5120 MB). Hardware requirements of the Administration Console installed with application include: Intel Pentium 400 MHz or faster processor (1000 MHz recommended); 256 MB free RAM; 500 MB disk space for the application files. Software requirements Installation of Kaspersky Security requires one of the following operating systems: Microsoft Small Business Server 2008 Standard / Microsoft Small Business Server 2008 Premium / Microsoft Essential Business Server 2008 Standard / Microsoft Essential Business Server 2008 Premium / Microsoft Windows Server 2008 x64 R2 Enterprise Edition / Microsoft Windows Server 2008 x64 R2 Standard Edition / Microsoft Windows Server 2008 x64 Enterprise Edition Service Pack 1 / Microsoft Windows Server 2008 x64 Enterprise Edition Service Pack 2 / Microsoft Windows Server 2008 x64 Standard Edition Service Pack 1 / Microsoft Windows Server 2008 x64 Standard Edition Service Pack 2 / Microsoft Windows Server 2003 x64 R2 Enterprise Edition Service Pack 2 / Microsoft Windows Server 2003 x64 R2 Standard Edition Service Pack 2 / Microsoft Windows Server 2003 x64 Enterprise Edition Service Pack 2 / Microsoft Windows Server 2003 x64 Standard Edition Service Pack 2. The following components are required for installation: Microsoft Exchange Server (2007 and 2010) x64 Service Pack 1 or Microsoft Exchange Server (2007 and 2010) Service Pack 1 deployed in at least one of the roles: Hub Transport or Mailbox; MS SQL Server 2005 Express Edition, MS SQL Server 2005 Standard Edition, MS SQL Server 2005 Enterprise Edition, MS SQL Server 2008 Express Edition, MS SQL Server 2008 Standard Edition, MS SQL Server 2008 Enterprise Edition; Microsoft.NET Framework 3.5 Service Pack 1. Installation of the Administration Console requires one of the following operating systems: Microsoft Small Business Server 2008 Standard / Microsoft Small Business Server 2008 Premium / Microsoft Essential Business Server 2008 Standard / Microsoft Essential Business Server 2008 Premium / Microsoft Windows Server 2008 / Microsoft Windows Server 2003 x64 (with Service Pack 2 installed) / Microsoft Windows Server 2003 x64 R2 Standard Edition / Microsoft Windows Server 2003 x64 R2 Enterprise Edition / Microsoft Windows XP x64 (with Service Pack 2 installed) / Microsoft Windows Vista х64 / Microsoft Windows Server 2003 R2 Standard Edition / Microsoft Windows Server 2003 R2 Enterprise Edition / Microsoft Windows Vista / Microsoft Windows Server 2003 (with Service Pack 2 installed) / Microsoft Windows XP (with Service Pack 3 installed). The following components are required for installation: Microsoft Management Console 3.0; Microsoft.NET Framework 3.5 Service Pack 1; SQL server accessible over the network. 13

14 A D M I N I S T R A T O R ' S G U I D E APPLICATION ARCHITECTURE Kaspersky Security performs anti-virus scanning of all incoming, outgoing mail and messages stored on server, and filters spam. The application analyzes the message body and attached files in any format. The detection of malicious programs is based on records contained in Kaspersky Security's databases. Databases are regularly updated by Kaspersky Lab, and uploaded to Kaspersky Lab's update servers. Additionally, the application uses a special analysis facility called a heuristic analyzer which can detect previously unknown viruses. Spam checks are performed by the Anti-Spam component, which employs a combination of several methods to fight spam. The application scans objects received by the server in real time. The user cannot open and view a new message before it is scanned. The application processes each object using the rules specified by the administrator for each type of object. For instance, an infected object can be disinfected, deleted, or replaced by a notification text. An object recognized as spam may be allowed to pass, deleted or rejected. Administrators can configure the application to allow delivery of spam or messages containing infected objects to users, changing, however, the names of such objects and appending to it information about infection or spam content. In addition, the application changes the extension of such objects. Prior to modifying an object, the application can save a copy of it in a special Backup storage to allow subsequent restoration, or for forwarding to Kaspersky Lab for analysis. The application sends notifications about events as they occur to the anti-virus security administrator, the recipient, and the sender of the infected message, and also places a record of the event in the application log file and in the Microsoft Windows event log. IN THIS SECTION Application components and their purpose Security Server architecture APPLICATION COMPONENTS AND THEIR PURPOSE The application consists of two basic components: Security Server The component is installed on the protected Microsoft Exchange server, it carries out actual anti-spam filtering of mail traffic and its anti-virus protection. Security Server intercepts the messages arriving on the Microsoft Exchange Server and uses its internal Anti-Virus and Anti-Spam modules to perform anti-virus scanning and anti-spam filtration of that traffic respectively. If infection or spam is detected in a message, it can be saved in Backup or deleted depending upon the Anti-Virus and Anti-Spam settings. Administration Console is a dedicated isolated snap-in integrated into MMC 3.0. Administration Console can be installed locally on the protected Microsoft Exchange server or on a different computer for remote management of the server protection. You can use the Administration Console to create and edit the list of protected Microsoft Exchange servers, manage the Security Server and configure the application. SECURITY SERVER ARCHITECTURE The server component of the application, the Security Server, consists of the following main subsystems: The Interceptor intercepts objects arriving at the Microsoft Exchange Server and forwards them to the anti-virus scan subsystem. It is integrated into the Microsoft Exchange Server processes using either VSAPI 2.6 or Transport Agents, according to the configuration selected during Microsoft Exchange Server deployment. 14

15 A P P L I C A T I O N A R C H I T E C T U R E The Anti-Virus performs anti-virus scans of objects. The component is essentially the anti-virus engine running within the program process of Kaspersky Security 8.0 for Microsoft Exchange Servers. The anti-virus scan subsystem also includes storage for temporary objects while scanning objects in RAM. The storage is located in the working folder Store. Store is a subfolder within the application folder, which must be excluded from the scan scope of any anti-virus programs installed in the corporate network. Otherwise the application may function incorrectly. The Anti-Spam component filters unwanted mail. The component is essentially the anti-spam engine running within the program process of Kaspersky Security 8.0 for Microsoft Exchange Servers. Once a message is intercepted, it is transferred to the Anti-Spam engine for analysis. Depending upon the analysis result and the produced verdict, the message will be allowed to pass or deleted. Copies of deleted messages are stored in Backup. The Internal Application Management and Integrity Control Module is launched in a separate process and is a Microsoft Windows service. The service is called Kaspersky Security 8.0 for Microsoft Exchange Servers, and is launched automatically when either the first message is being transferred, when the Management Console attempts to connect to the Security Server and after the initial configuration wizard has completed. This service does not depend on the state of the Microsoft Exchange Server (that is, whether it is started or stopped), so that he application can be configured even if the Microsoft Exchange Server is stopped. When background scan mode is enabled, the Internal Application Management Module will receive all messages located in public folders and protected storage areas from the Microsoft Exchange server, in accordance with the current settings. If a message has not been analyzed using the latest databases, it will be sent to the Anti-Virus component for processing. Objects are processed in background mode in the same way as in traffic scan mode. For correct operation of the application, the Internal Application Management Module must always be running; stopping this service manually is not recommended. 15

16 TYPICAL DEPLOYMENT SCHEMES Kaspersky Security should be installed on a Microsoft Exchange server. The application components, which you can install depends upon the role that the Microsoft Exchange Server performs. Kaspersky Security also supports deployment on a server cluster. You are advised to read through this chapter to select the most suitable deployment scheme. IN THIS SECTION Microsoft Exchange Server roles and corresponding configurations Server protection deployment Application deployment on a server cluster MICROSOFT EXCHANGE SERVER ROLES AND CORRESPONDING CONFIGURATIONS Successful operation of Kaspersky Security requires that the protected Microsoft Exchange Server should be deployed at least in one of the following roles: Mailbox. Hub Transport. Edge Transport. If Microsoft Exchange Server is deployed as a Mailbox, Kaspersky Security interacts with it using the VSAPI 2.6 standard. In other cases the Transport Agents technology is used. Please note that in the Hub Transport role, objects are first scanned by Kaspersky Security and then processed by Microsoft Exchange Transport Agents. In the Edge Transport role, the procedure is reversed - the objects are first processed by Microsoft Exchange Transport Agents and then by Kaspersky Security. SERVER PROTECTION DEPLOYMENT The following procedure should be used to deploy the protection system for mail servers: 1. The Security Server component has to be installed on all protected Microsoft Exchange servers within the network. The installation must be performed from the distribution kit individually for each server. 2. Management console is installed together with Security server. It provides centralized access to all Security servers of Kaspersky Security from the single administrator's workplace. If necessary, Administration Console can be installed separately on a computer within the corporate network. If several administrators are working jointly, the Administration Console can be installed on each administrator's computer. 3. Create the list of managed servers (see section "Creating the list of protected Microsoft Exchange servers" on page 39). 4. Administration Console connects to the Security Server (see section "Connecting the Administration Console to the Security Server" on page 41). 16

17 T Y P I C A L D E P L O Y M E N T S C H E M E S APPLICATION DEPLOYMENT ON A SERVER CLUSTER Kaspersky Security supports the following cluster types: single copy cluster (SCC); cluster continuous replication (CCR). During setup the application recognizes a server cluster automatically. This means that the order in which the application is installed to different cluster nodes does not matter. The procedure for installing Kaspersky Security on a cluster of servers differs from the usual procedure in that: Before installation of Kaspersky Security is completed on all cluster nodes, the clustered mailbox servers (CMS) must not be moved between different cluster nodes. In the course of installation of Kaspersky Security to all cluster nodes, all installation folders must have the same location. The account used to perform the installation procedure must be authorized to write to the Active Directory configuration section. After installation to a cluster of servers, all application settings are stored in the Active Directory, and all cluster nodes use those parameters. However, parameters which refer to the physical server are set for each cluster node manually. Kaspersky Security automatically defines active cluster nodes, and applies the Active Directory settings to them. When a cluster node moves from active to passive mode, a notification about disconnection from the server will appear (the notification will appear only if the Management Console is open and connected to the server). The scan results for each cluster node will be displayed only for those messages which were forwarded by the Microsoft Exchange virtual server to this cluster node. The scan results include: the Backup storage content; information presented in reports; the set of events registered in the application logs; The procedure for uninstalling Kaspersky Security from a cluster of servers differs from the usual procedure in that: Clustered mailbox servers (CMS) must not be moved between nodes before application removal is completed. In the process of uninstalling the application from the active cluster node, the cluster resource of the Microsoft Exchange Information Store, and all resources of the Microsoft Exchange Database Instance which depend upon it, are stopped. Once the removal procedure is complete, the original status of these services will be automatically restored. 17

18 APPLICATION SETUP Kaspersky Security consists of two main components: the Security Server and Administration Console. Security Server is always installed together with the Administration Console. Administration Console can be installed separately on another computer for remote management of a Security Server. Depending upon your corporate server architecture, you can select one of three available installation variants: Security Server will be installed on the computer running Microsoft Exchange Server. Administration Console will be installed to the same host. Security Server and Administration Console will be installed on the computer running Microsoft Exchange Server. Administration Console can be installed on any computer within your corporate network for remote management of the Security Server. Security Server will be installed on a cluster of servers running Microsoft Exchange Server. In that case the Security Server and Administration Console should be installed together on each node of the cluster. Some services of Microsoft Exchange Server have to be restarted after Kaspersky Security installation. IN THIS SECTION Preparing installation Upgrading an earlier version Application setup procedure Getting started. Application configuration wizard Restoring the application Removing the application

19 A P P L I C A T I O N S E T U P PREPARING INSTALLATION To install Kaspersky Security, you will need domain administrator privileges. Besides, an Internet connection is necessary for installation of the following required components:.net Framework 3.5 SP1; Microsoft Management Console 3.0; Microsoft SQL Server 2005 / 2008 (Standard, Express, Enterprise); Microsoft Windows Installer 4.5. To create a database on the SQL server, you will need the local access rights for the computer where Kaspersky Security will be installed and administrator privileges on the SQL server. If SQL server is running on a domain controller, you must be a member of the Enterprise Admins and / or Domain Admins group. 19

20 A D M I N I S T R A T O R ' S G U I D E UPGRADING AN EARLIER VERSION Kaspersky Security does not support upgrading of earlier versions. An earlier application version installed on the computer must be removed before Kaspersky Security setup. The data and settings of the earlier version will not be preserved. APPLICATION SETUP PROCEDURE Kaspersky Security installer is designed as a wizard providing information about the operations, which you have to perform during each step of the procedure. The Back and Next buttons can be used to navigate between the installation screens (steps) at any time. The Exit and Cancel buttons allow you to exit the installer. The Finish button completes the installation procedure. The installation procedure begins with starting the setup_en.exe file. Further we shall discuss in detail the steps performed by the Setup Wizard. IN THIS SECTION Step 1. Installing the required components Step 2. Greeting and License Agreement Step 3. Selecting the type of the installation Step 4. Selecting the application components Step 5. Configuring connection to Microsoft SQL Server Step 6. Copying files STEP 1. INSTALLING THE REQUIRED COMPONENTS During this step you have to make sure that the following required components are installed on your computer:.net Framework 3.5 SP1. You can install the component by clicking the button Download and install.net Framework 3.5 SP 1. The computer must be restarted after.net Framework 3.5 SP1 installation! If you continue setup without restart, it may cause problems in the operation of Kaspersky Security. Microsoft Windows Installer (MSI) 4.5. This component is required to install Microsoft SQL Server 2008 Express Edition. You can install the component by clicking the button Download and install Microsoft Windows Installer 4.5. Microsoft SQL Server 2008 Express Edition or another SQL server. To install the component, click the button Install Microsoft SQL Server 2008 Express Edition. For working with Kaspersky Security, a fresh installation of SQL Server is recommended. Microsoft Management Console 3.0 (MMC 3.0). Microsoft Management Console 3.0 (MMC 3.0) is a part of the operating system in Microsoft Windows Server 2003 R2 and later versions. To install the program in earlier versions of Microsoft Windows Server, you need to upgrade MMC to version 3.0. To do that, click the button Download and install MMC 3.0. You can proceed to the next setup step by clicking the link Kaspersky Security 8.0 for Microsoft Exchange Servers. In addition, you can click the Installation guide button to download and install an installation guide. 20

21 A P P L I C A T I O N S E T U P STEP 2. GREETING AND LICENSE AGREEMENT The welcome screen informs you that Kaspersky Security installation to your computer has been started. Clicking the Next button opens the License Agreement window. License Agreement is an agreement between the application user and Kaspersky Lab. Checking the box I accept the terms and conditions of this Agreement means that you have read the License Agreement and accepted its terms and conditions. STEP 3. SELECTING THE TYPE OF THE INSTALLATION The installation type selection screen contains two buttons: Standard. Clicking the button will continue the procedure installing the standard set of components, which suits most users. Please see Step 5 for further instructions. Custom. Clicking this button allows you to select manually the application components, which you would like to install. Custom installation mode is recommended for experienced users. Once the installation type is selected, the Setup Wizard proceeds to the next step. STEP 4. SELECTING THE APPLICATION COMPONENTS If you have selected the Custom setup type, the installer will offer you to select the components which you would like to install. The set of components available for installation will differ depending on whether Microsoft Exchange Server is installed, and how it is configured. If Microsoft Exchange Server is deployed to act both as a Mailbox and Hub Transport, the following components will be available for selection and installation: Management Console; Anti-Spam protection component; Anti-Virus for the Mailbox configuration; Anti-Virus for the Hub Transport configuration. If Microsoft Exchange Server is deployed to act just as an Edge Transport or Hub Transport only, the following components will be available for selection and installation: Management Console; Anti-Spam protection component; Anti-Virus for the Hub Transport configuration. If Microsoft Exchange Server is deployed to act as a Mailbox only, the following components will be available for selection and installation: Management Console; Anti-Virus for the Mailbox configuration; In all other cases, only the Management Console is available for installation. The full name for the default installation folder is displayed in the lower part of the window. To change the installation folder, click the Browse button and specify another location. The data storage folder is displayed below. The data folder contains the following items: 21

22 A D M I N I S T R A T O R ' S G U I D E Anti-Virus database; Anti-Spam database; quarantined objects. If you suppose that the folder will occupy more space than the selected drive has available, you can click the Browse button to change the data folder location. Clicking the Reset button cancels the user-defined selection of components and restores the default selection. Clicking the Drives button opens the dialog containing information about free space available on local drives and required for installation of the selected components. STEP 5. CONFIGURING CONNECTION TO MICROSOFT SQL SERVER The purpose of this step is to configure a connection to an SQL server. To create a database on the SQL server, you will need the local access rights for the computer where Kaspersky Security will be installed and administrator privileges on the SQL server. If SQL server is running on a domain controller, you must be a member of the Enterprise Admins and / or Domain Admins group. If you are using a remote connection to the SQL server, make sure that TCP/IP support is enabled in SQL Server Configuration Manager. Configuring connection to Microsoft SQL Server In the Name of SQL server field specify the name (or IP address) of the computer and the SQL server instance. Clicking the Browse button next to that field allows you to select an SQL server within the current network segment. To create a database on the SQL server, you will have to choose an account that will be used to create the SQL database. The following options are available: Active account. Current user account will be used then. Other account. In that case you should enter the name and password for the specified user account. You can click the Browse button to select an account. SQL server browser must be started on the computer running the SQL server. Otherwise you will be unable to see the instance of the SQL server that you need. Select an account for the operation of application service In the next window you will see an offer to choose the account that will be used to connect to the SQL server. The window contains two options: Local System Account. In that case the local system account will be used to establish a connection to the SQL server. If the SQL server is running on a remote server, connection will be impossible. Account. In that case you will have to specify the name and password for an account with the privileges sufficient to connect to the SQL server and start the application service. STEP 6. COPYING FILES To proceed with the installation, press the Install button in the Setup Wizard window. It will initiate copying of the application files to the computer, registration of the components in the system, creation of the corresponding database on the SQL server and restarting some services of Microsoft Exchange Server. 22

23 A P P L I C A T I O N S E T U P GETTING STARTED. APPLICATION CONFIGURATION WIZARD Once the files are copied and the components are registered in the system, the Setup Wizard will display a notification informing about completion of the application setup. Clicking the Next button in the Setup Wizard will start the Application Configuration Wizard. Application Configuration Wizard will assist you in configuring the update settings, installing the license, and testing the application functionality. To start product configuration in the Application Configuration Wizard, click Next. IN THIS SECTION Configuring updates Installing a license key License-related notifications Testing the application functionality CONFIGURING UPDATES You can use the Update settings window of the Application Configuration Wizard to configure the updating settings of Kaspersky Security. To define the update settings, perform the following steps: 1. Leave the box Enable automatic update checked, if you wish the application to update automatically according to the specified schedule. 2. To connect to an update server of Kaspersky Lab through a proxy server, enable the option to Use proxy server and specify the corporate proxy address in the Proxy server address line. 3. Define the proxy server port in the entry field. By default, port 8080 is used. 4. To enable authentication with the proxy server, check the box Use authentication and enter in the Account and Password fields relevant information about the user account selected for that purpose. 5. If you wish to download updates from a local corporate server directly, check the box Bypass proxy server for local addresses. INSTALLING A LICENSE KEY In the Licenses window you can install a license for Kaspersky Security. To install a license, perform the following steps: 1. Press the Add button. 2. In the displayed File name dialog specify the file containing the license key (file with the *.key extension) and click Open. A license will be installed that allows you to use Kaspersky Security with unlimited functionality for one year. Over the entire period when the license is active, you can download Antivirus and Anti-spam database updates and contact Kaspersky Lab on all the issues related to the use of the application. 23

24 A D M I N I S T R A T OR' S G U I D E Removing a license key To remove a license, click the Delete button. LICENSE-RELATED NOTIFICATIONS The Notification Settings window allows you to configure the notifications sent by . Using notifications, you will always know in time of all the Kaspersky Security events. To define the notification settings, perform the following steps: 1. In the Web-service address field specify the address of the web service that will be used to mail messages via Microsoft Exchange Server. 2. Specify in the Account field any account registered on the Microsoft Exchange Server. To do that, click Browse or enter the account name manually. 3. Type in the Password field the password for the selected account. 4. In the address field specify the mail recipient's address. 5. Click the Test button to send a test message. If the test message arrives in the specified mailbox, it means that delivery of notifications is configured properly. 6. Click Next to finish setting up the application options. 7. Click the Finish button in the final window of Application Setup Wizard to quit the wizard.. If the Start Administration Console when the Wizard quits flag is left checked, the Administration Console will start automatically. TESTING THE APPLICATION FUNCTIONALITY After Kaspersky Security is installed and configured, you are advised to verify its settings and operation using a test "virus" and its modification. The test "virus" was specifically designed by EICAR (The European Institute for Computer Antivirus Research) to test anti-virus products. The test "virus" is not a malicious program and it contains no code that can harm your computer. However, most anti-virus products identify it as a virus. You can download the test "virus" from the official web site of EICAR at: Testing the Anti-Virus functionality To send a message with the test "virus", perform the following steps: 1. Create an message with an attached EICAR test "virus". 2. Send the message via Microsoft Exchange Server with installed Kaspersky Security and connected Security Server. After virus detection the mailbox that you have specified in the Notification Settings (see section "Configuring notifications" on page 24) window of the Initial Configuration Wizard should receive a notification about the intercepted virus. 24

25 A P P L I C A T I O N S E T U P To view the application report about the detected virus, perform the following steps: 1. Launch Kaspersky Security using the menu Start Programs Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree to the left, select and open the node corresponding to the server which was supposed to process the message containing the "virus". 3. Select the Reports node. 4. In the details pane to the right, click the Generate report button in the Quick reports and / or Anti-Virus report section. 5. View the created report in the Ready reports section. To do that, double-click the necessary report to open it. If the report contains information about EICAR infection, the application is properly configured. To receive the reports to an address, perform the following steps: 1. In the details pane, use the Quick reports and / or Anti-Virus report sections to check the box Administrator to enable sending notifications to the address, which you have specified in the Notification Settings (see section "Configuring notifications" on page 24) window of the Application Configuration Wizard. If you have not specified the address in the Initial Configuration Wizard, click the link sending settings to set up notifications (see section "Configuring notifications" on page 24). 2. To make sure that reports arrive in the specified mailbox, click the Test button to send a test message. By default, the application saves a copy of an infected object in Backup. To check, whether a copy of an infected object has been saved in Backup, perform the following steps: 1. In the console tree, select the node Backup. 2. Check to make sure that the infected object (message with attached "virus") appears in the details pane. Testing the Anti-Spam functionality To test normal functioning of the Anti-Spamcomponent, perform the following steps: 1. Launch Kaspersky Security using the menu Start Programs Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree to the left, select and open the node corresponding to the server which will be used to transfer the test message. 3. Select the Server protection node. 4. Select the Anti-Spam protection tab in the details pane. 5. Open the White and black list settings section. 6. Check the box Add sender's address to black list. 7. Type the sender's address in the entry line. 8. Click the addition button to the right of the field. 9. Open the Scan settings section. 10. In the Blacklisted field, select Allow. 25

26 A D M I N I S T R A T O R ' S G U I D E 11. In the same field check the box Add label. 12. Send a message to the administrator's address through the protected mail server. If the message arrives with the [Blacklisted] label in the header, the Anti-Spam component functions correctly. 26

27 A P P L I C A T I O N S E T U P RESTORING THE APPLICATION If the application encounters a failure while running (for example, if its binary modules get damaged), you can use the restoration functionality provided in the installer. During restoration the installer will preserve the selected settings and user configuration including notifications, paths to the application databases, Quarantine, etc. To restore Kaspersky Security, perform the following steps: 1. Start the setup_en.exe file. 2. Click the link Kaspersky Security 8.0 for Microsoft Exchange Servers. 3. Click the Next button in the welcome screen of the Initial Configuration Wizard. 4. In the Change, Repair or Remove the application window click the Restore button. 5. In the Restoring window, click the Repair button. Restoration of the application will be impossible, if its configuration files are damaged. Removing and reinstalling the application is recommended then. 27

28 A D M I N I S T R A T O R ' S G U I D E REMOVING THE APPLICATION To remove Kaspersky Security from a computer, perform the following steps: 1. Start the setup_en.exe file. 2. Click the link Kaspersky Security 8.0 for Microsoft Exchange Servers to start the Setup Wizard and click Next. 3. In the Change, Repair or Remove the application window click the Remove button. 4. In the Remove window click the Remove button. You can also uninstall the application using the standard software management tools in Microsoft Windows. During Kaspersky Security removal some services of Microsoft Exchange Server will need a restart. 28

29 MANAGING KASPERSKY SECURITY LICENSES When you purchase Kaspersky Security, you enter into a license agreement with Kaspersky Lab. This agreement grants you the right to use the software you purchased to protect the specified number of mailboxes, and to have access to the attendant services, for a defined period. The anti-virus protection covers both mailboxes and public folders. Therefore, no additional license is needed to protect public folders when working in the Microsoft Exchange environment. When using the application on a cluster of servers, the license is valid for the whole cluster. The following features will be available to you during the license period: use the anti-virus functionality of the application; anti-spam functionality of the application; regular updates for the anti-virus and anti-spam databases; application updates; support on issues related to the installation, configuration and the use of the purchased software product, provided 24 hours a day, by phone or . The application verifies the validity of the license agreement through the Kaspersky Security license key file, which is an integral part of any Kaspersky Lab product. Kaspersky Security will not work without a license key! Active license The application can use only one active license key. This license key contains restrictions imposed on the use of Kaspersky Security, which the application verifies using its internal algorithms. If a violation of the terms and conditions of the license agreement is detected: the application functionality will be restricted; a record of the detected violation will be entered into the event logs; if the notification settings are configured, a notification about the violation will be issued and sent by . You can manage the number of protected mailboxes excluding from the scan scope certain storages (see section "Creating a list of protected mailboxes and storages" on page 32) containing accounts that the application will not scan. You are advised to purchase a license able to protect all your mailboxes, as any unprotected storage areas increase the possibility of penetration and propagation of viruses via the system. Once a commercial license expires, the application functionality will remain available, i. e. the application will continue anti-virus and anti-spam traffic scanning; however, database updates and application upgrades will no longer be provided as well as the opportunity to contact the Technical Support service for assistance. The application will continue anti-virus scanning of traffic, and background scanning of storage areas, but will use outdated database versions. In this case, it is difficult to guarantee comprehensive protection against new viruses and spam, which may appear after the license expires. By default, a notification is sent when the application is running, two weeks prior to the license expiration date. This message indicates when the currently installed license key will expire, and gives information about renewing a license. The date of the notification and its destination address can be changed (see section "Notification about license expiry" on page 31). 29

30 A D M I N I S T R A T O R ' S G U I D E Additional license Once you have installed a commercial license, you can purchase an additional license for the product (see section "Distribution Kit" on page 12) including Kaspersky Security and install it. After the current license expires, the additional license becomes active and the application continues to function without changes. Thus you can ensure uninterrupted protection of your corporate mail servers. Kaspersky Security supports only one additional license. Trial license You may use a trial license to evaluate the benefits of Kaspersky Security. If a trial license key has been used, upon its expiration the anti-virus functionality of the application will also be disabled in addition to the above limitations. Note that the validity period of a trial key starts from the moment when the first trial key is added. The validity period of all the subsequent trial keys will be adjusted in accordance with the validity period of the first key. License restrictions In some cases (for example, if the sales contract was terminated or if the license agreement restrictions were changed), Kaspersky Lab terminates the license agreement with the user. In this case, the serial number of the license key will be added to the list of cancelled licenses, the so-called black list. If your active license is found in the black list, the reserve license will not be activated and the application will be disabled except for the management and anti-virus database updating services. If your license has been accidentally blacklisted, you are advised to update your databases and, if the error persists, contact the Technical Support Service. IN THIS SECTION Viewing information about installed licenses Installing a license key Removing a license key Notification about license expiry Creating the list of protected mailboxes and storages VIEWING INFORMATION ABOUT INSTALLED LICENSES To view information on installed licenses, perform the following steps: 1. Start the Administration Console of the application. 2. In the Administration Console tree select the necessary server node and then the Licensing node. The details pane will display information about installed licenses. The following information is displayed: Type - Describes the license key type. Owner. Identifies the license owner. Restrictions. Defines the number of user accounts (mailboxes) supported in the license. Expiration date. Indicates the date of license expiry. License key serial number. Displays the license serial number. Status. Displays the status of the current license. 30

31 M A N A G I N G K A S P E R S K Y S E C U R I T Y L I C E N S E S INSTALLING A LICENSE KEY To install a license for Kaspersky Security, perform the following steps: 1. In the Management Console, select the node Licensing. 2. Click the Add button in the details pane. 3. In the displayed File name dialog specify file name containing the license key (file with the *.key extension) and click Open. Once you have installed a commercial license, you can install an additional license. To install a reserve license, perform the following steps: 1. In the Administration Console, select the node Licensing. 2. In the details pane, click the Add button in the Additional license section. 3. In the displayed File name dialog specify file name containing the license key (file with the *.key extension) and click Open. REMOVING A LICENSE KEY To remove a license for Kaspersky Security, perform the following steps: 1. Select the Licensing node in the Administration Console. 2. In the details pane, click the Delete button in the Active license or Additional license section. NOTIFICATION ABOUT LICENSE EXPIRY The application verifies compliance with the license agreement after every database update. The check may return one the following results: the active key expires within the next few days; the license has expired; the active license was found in the black list; In these cases the application logs an appropriate record and, provided that notifications are configured (see section "Configuring notification settings" on page 68), s the information to the address specified in the settings. By default, a notification will be issued 15 days prior to the expiration of your license period. You can set up an earlier or a later notification date. To configure notifications about expiry of the license to use Kaspersky Security, perform the following steps: 1. Select the Licensing node in the Administration Console. 2. In the details pane, specify in the field Notify about license expiry in the number of days remaining until a license expires when you should be notified about the forthcoming expiry. 3. Click the Save button. 31

32 A D M I N I S T R A T O R ' S G U I D E CREATING THE LIST OF PROTECTED MAILBOXES AND STORAGES The application will protect the number of mail boxes specified in the active license. If this number is not sufficient, you must decide which mailboxes should be left unprotected and moved into storage areas not covered by anti-virus protection. By default, the application protects all public folders created on the protected mail server. You can remove protection from public folders if you think that their scan would be redundant. To remove protection from the mailbox storage or public folders storage: 1. In the Management Console, select the node Server protection. 2. On the Anti-Virus protection tab, open the Protection for mailboxes configuration section. 3. In the Protected mailbox storages section check the boxes corresponding to the mailbox storages, which you wish to protect. 4. In the Protected public folder storages section check the boxes corresponding to the public folder storages, which you wish to protect. 5. To apply the changes, click the Save button. The list includes all mailbox storage areas created on the protected Microsoft Exchange server. By default, the application protects the storages that already existed when the application was installed and all new storage areas. 32

33 APPLICATION INTERFACE The user interface of the application is provided by the Microsoft Management Console (MMC) component. The Management Console is a dedicated isolated facility integrated into MMC. IN THIS SECTION Main window Context menu MAIN WINDOW Main window of the Administration Console contains (see figure below): Toolbar. It is displayed in the upper part of the main window. The buttons on the toolbar allow direct access to some frequently accessed features of the application. Menu. It is displayed right above the toolbar. The menu provides management functions for files and windows, as well as access to the help system. Console tree. It is located in the left part of the main window. The console tree displays connected Security Servers and the settings of Kaspersky Security. Connected servers and the settings of Kaspersky Security are listed as nodes. You can open parent nodes by clicking the corresponding plus sign. An open node is displayed with the minus sign next to it. Details window. It is located in the right part of the main window. The window displays the contents of the node selected in the tree. 33

34 A D M I N I S T R A T O R ' S G U I D E Figure 1: Main application window The topmost node of the console tree is Kaspersky Security 8.0 for Microsoft Exchange Servers. Double-clicking it in the console tree with the mouse opens the list of connected servers running installed Kaspersky Security. The details window also displays connected servers and the Add server button. Left-clicking the connected server node with the mouse displays in the results window general information about protection components installed on the selected server, license type and the application installation folder. Clicking the plus sign next to a connected server opens in the console tree the list of configurable Kaspersky Security settings for that server. You can view and configure the following settings of Kaspersky Security: Server protection used for viewing and editing the settings for anti-virus and anti-spam protection. Updates used for viewing and editing the settings for anti-virus and anti-spam database update. Notifications used for viewing and editing the settings for notifications. Backup used for Backup storage viewing. Reports used for viewing and editing the settings for anti-virus and anti-spam reports. Settings used for viewing and editing the settings for notifications, reporting and statistics. Licensing used to install or remove licenses and review information about the current license. Selection of any node in the console tree displays in the details window the corresponding configurable settings of that node. 34

35 A P P L I C A T I O N I N T E R F A C E CONTEXT MENU Each category of objects in the console tree has its own context menu, which opens by right-clicking on the object. In addition to the standard Microsoft Management Console (MMC) commands, this context menu contains commands used for handling particular objects. You can use the context menu to perform the following operations: Add server. In the Administration Console tree, right-click the Kaspersky Security 8.0 for Microsoft Exchange Servers node. Select the Add server command from the context menu. Enable snap-in diagnostics. In the Administration Console tree, right-click the Kaspersky Security 8.0 for Microsoft Exchange Servers node. Select in the context menu the command to Enable snap-in diagnostics. Remove a connected server. In the Administration Console tree, right-click the connected server node. Select the Delete command in the context menu.. Update the Anti-Virus and the Anti-Spam databases. In the Administration Console tree, right-click the Update node. Select in the context menu the command to Update the anti-virus database or Update Anti-Spam database. Configure the settings for delivery of notifications. In the Administration Console tree, right-click the Notifications or the Reports node. Select in the context menu the command to sending settings. 35

36 APPLICATION START AND STOP The Security Server is started automatically when Microsoft Exchange Server loads and at Microsoft Windows startup. If anti-virus protection of the server is enabled (see figure below), it will start immediately after the Microsoft Exchange Server is launched. Figure 2: Enabling server protection To enable protection on a connected Microsoft Exchange server, perform the following steps: 1. Launch KasperskySecurity using the menu Start Programs Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 36

37 A P P L I C A T I O N S T A R T A N D S T O P 3. Select the Server protection node. 4. On the Anti-Virus protection tab of the details window, open the Scan settings section. 5. Check the boxes enabling anti-virus protection for all roles of that Microsoft Exchange Server. 6. Click the Save button. 7. To disable protection, uncheck all the anti-virus protection boxes and click Save. 8. You can leave protection enabled for specific roles of Microsoft Exchange Server. To do that, check the boxes enabling anti-virus protection for the selected roles of Microsoft Exchange Server. Click the Save button. 37

38 DEFAULT MICROSOFT EXCHANGE SERVER PROTECTION STATUS The anti-virus and anti-spam protection of the Exchange server starts immediately after the Security Server component is installed. The default operation mode of the application in this case is as follows: The application will scan objects for the presence of currently known malicious software: the body of the message, and attached objects in any format, will be scanned, except for container objects with a nesting level above 32. the maximum time for scanning an object is 180 seconds; Selection of the operation performed upon detection of an infected object depends upon the role of the Microsoft Exchange server where the object was found. When an infected object is detected on a server functioning as a Hub Transport or Edge Transport, the object will be deleted automatically and the prefix [Malicious object deleted] will be added to the corresponding message subject. When an infected object is detected on a server functioning as a Mailbox, the application saves a copy of the object (attachment or message body) in Backup storage, and attempts to disinfect the object. If disinfection is impossible, the application deletes the object and replaces it with a text file containing a notification in the following format: Malicious object <VIRUS_NAME> has been detected. The file (<OBJECT_NAME>) was deleted by Kaspersky Security 8.0 for Microsoft Exchange Servers. Server name: <server_name> When a suspicious object is detected, the application saves its copy (message body or attachment) in Backup or deletes the object using the same rules, which it applies to infected objects. When a protected or corrupted object is found, the application by default skips such object. Users can select the Delete operation for this category of objects. In that case the application saves a copy of the object (message body or attachment) in Backup. The application protects the content of public folders and messages stored on the server. Anti-spam mail filtering is performed. By default, low intensity level of anti-spam scanning is used. The level provides an optimal combination of scanning performance and quality: "Allow" operation is used to handle all messages; however, mail with the "Spam" verdict will bear a special [!!Spam] label. The "Probable Spam" verdict is enabled. Messages with that verdict will receive the [!!Probable Spam] label. Maximum duration of single message scan is 30 seconds. Maximum size of an object to scan 300 KB. External services are used to check the IP addresses and URLs: DNSBL and SURBL. These services allow spam filtering using public black lists of IP addresses and URLs. If during installation the update procedure for Kaspersky Security databases has been enabled, updates will be downloaded regularly from the update servers of Kaspersky Lab using the settings specified in the Application Configuration Wizard. 38

39 GETTING STARTED The application s operation can be controlled from the administrator's workstation, through Management Console. You can connect to the Administration Console any number of Security Servers and manage them both locally and remotely. IN THIS SECTION Launching the application Creating the list of protected Microsoft Exchange servers Connecting the Administration Console to the Security Server LAUNCHING THE APPLICATION To start the Administration Console, perform the following steps: 1. In the Start menu, select Programs. 2. Select Kaspersky Security 8.0 for Microsoft Exchange Servers from the list of programs. 3. Click Administration Console. When the Administration Console starts, Kaspersky Security snap-in connects to MMC, so the console tree displays the application icon and the node of Kaspersky Security 8.0 for Microsoft Exchange Servers. The console tree also displays the node of the local Security Server (if it has been installed) connected to the console. CREATING THE LIST OF PROTECTED MICROSOFT EXCHANGE SERVERS You can create a list of protected Microsoft Exchange servers. To do that, each of the Microsoft Exchange servers that you wish to protect must have the Security Server component installed. You can add either the local computer (see figure below) or any Exchange server within the network to this list. A connection between the Management Console and the Kaspersky Security can also be established immediately after adding a server. To add a Security Server of Kaspersky Security to the list of protected servers, perform the following steps: 1. Launch Kaspersky Security using the menu Start Programs Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. Select the node Kaspersky Security 8.0 for Microsoft Exchange Servers in the console tree. 39

40 A D M I N I S T R A T O R ' S G U I D E 3. Select in the context menu of the node the command to Add server or the corresponding item in the Action menu. You can also click the Add server button in the details window. Figure 3: Adding a Security Server 4. Select one of two suggested options: Local computer. Then you will add the Security Server running on the local computer. Other computer. In that case you can connect a Security Server installed on a remote Microsoft Exchange server. To connect to a Security Server located on a remote computer, you should add the Kaspersky Security service to the trusted applications list of the remote computer's firewall, or allow RPC connection. 5. If you have selected the Other computer option, type its name in the entry field. You can enter the name manually, by specifying one of the following: IP address; 40

41 G E T T I N G S T A R T E D fully-qualified domain name (FQDN) in the format <Computer name>.<dns-domain name>; the computer name in the Microsoft Windows network (NetBIOS name); 6. Click OK. or select the computer using the Browse button. You can configure the settings of Kaspersky Security individually for every connected server. CONNECTING THE ADMINISTRATION CONSOLE TO THE SECURITY SERVER After Kaspersky Security installation the Administration Console will be connected automatically to the local Security Server; the Server will appear then in the Administration Console tree. To connect to a Security Server located on a remote computer, you should add the Kaspersky Security service to the trusted applications list of the remote computer's firewall, or allow RPC connection. To connect to remote server, perform the following steps: 1. Launch Kaspersky Security using the menu Start Programs Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. Select the node Kaspersky Security 8.0 for Microsoft Exchange Servers in the console tree. 3. Use the Add server command from the context menu or the corresponding command in the Action menu. You can also click the Add server button in the details window. 4. Select in the displayed window the Other computer option and click the Browse button to specify its name in the entry field. You can enter the name manually. To do that, specify one of the following: IP address; fully-qualified domain name (FQDN) in the format <Computer name>.<dns-domain name>; the computer name in the Microsoft Windows network (NetBIOS name); 5. Click OK. 41

42 UPDATING THE ANTI-VIRUS AND ANTI- SPAM DATABASES Kaspersky Lab provides all its users with the opportunity to update (see figure below) Kaspersky Security anti-virus databases, which are used to detect malicious programs, and to disinfect infected objects. The database files contain a description of all currently known malware and methods of disinfection of infected objects, and also a description of potentially dangerous software. 42

43 U P D A T I N G T H E A N T I - V I R U S A N D A N T I - S P A M D A T A B A S E S The Anti-Spam database is regularly updated, too. To maintain the highest efficiency of anti-spam filtering on a server, you are advised to configure updating of the Anti-Spam database with the minimum interval of five minutes. It is extremely important to keep all databases up-to-date. You are advised to update your databases immediately after your application is installed, because the databases included in the distribution kit will be out of date by the time you install your application. The anti-virus databases on Kaspersky Lab's update servers are updated every hour. The Anti-Spam database is updated every five minutes. You are advised to set up automatic updates to run with the same frequency (on page 44). Figure 4: Anti-virus database update The Kaspersky Security databases can be updated from the following sources: from Kaspersky Lab's update servers on the Internet; from a local updates source, such as a local or a network folder; from another HTTP or FTP server, such as your Intranet server. 43

44 A D M I N I S T R A T O R ' S G U I D E The updating is performed either manually or automatically, according to a schedule. After the files are copied from the specified update source, the application automatically connects to the new databases, and uses them to scan mail for viruses and spam. IN THIS SECTION Manual update Automatic database updating Selecting the updates source Editing the connection settings MANUAL UPDATE To view the information about updates to the anti-virus and Anti-Spam databases and update them, if necessary, perform the following steps: 1. Start the Administration Console of the application. 2. In the Administration Console tree select the necessary server node and then the Updates node. 3. Open the Anti-virus database update and Anti-Spam databases update groups of settings. Information about database update contains the following data: Result of the last update. Information about the database update status. Database issued on. Information about the last database update from a server of Kaspersky Lab. Records. The number of virus signatures in the current anti-virus database. 4. In the Run mode dropdown list, select Manually. 5. Press the Launch the update button. 6. To stop the update procedure, click the Stop button. AUTOMATIC DATABASE UPDATING To enable automatic updating of the anti-virus and Anti-Spam databases, perform the following steps: 1. Start the Administration Console of the application. 2. In the Administration Console tree select the necessary server node and then the Updates node. 3. Open the Anti-virus database update and Anti-Spam databases update groups of settings in the details window. 4. Select from the Run mode dropdown list in each of these two groups one of the following options: Periodically. Use the entry field every N minutes, hours, days to define the frequency of future updates. Daily. Define precise time in HH:MM format. 44

45 U P D A T I N G T H E A N T I - V I R U S A N D A N T I - S P A M D A T A B A S E S On selected day. Check the boxes next to the days of the week, when you would like to update the database and also specify the update time. 5. Click the Save button. 6. To stop the update procedure, click the Stop button. You can only stop the update in progress. The next update will be performed according to the schedule. SELECTING THE UPDATES SOURCE To choose a database update source: 1. Start the Administration Console of the application. 2. In the Administration Console tree select the necessary server node and then the Updates node. 3. Open the Anti-virus database update and Anti-Spam databases update groups of settings in the details window. 4. In each of these two groups of settings, select one of the following options: Kaspersky Lab's update servers, if you wish to download updates from the servers of Kaspersky Lab. HTTP server, FTP server, local or network folder, if you wish to download updates from any of these sources. 5. Specify in the entry field the address of the corresponding server, a local or network folder. 6. Click the Save button. EDITING THE CONNECTION SETTINGS To view or modify the network connection settings, perform the following steps: 1. Start the Administration Console of the application. 2. In the Administration Console tree select the necessary server node and then the Updates node. 3. Open in the details window the Connection settings group of settings. 4. If you connect to the internet using a proxy server, check the Use proxy server box and specify the proxy server address and number of the port used for connection. Default proxy port number is If you use a password to access the proxy server, specify the proxy user authentication settings. To do this, check the Proxy server authentication box and fill in the User name and Password fields. 6. If you wish to download updates from a local corporate server directly, check the box Bypass proxy server for local addresses. 45

46 ANTI-VIRUS PROTECTION One of the main purposes of Kaspersky Security is anti-virus scanning of mail traffic, messages in mailboxes and shared folders as well as disinfection of infected objects using the current (latest) version of its databases. Depending on the protection level selected by the administrator, the application can detect: malicious objects; potentially dangerous objects. All messages arriving at the Microsoft Exchange server are scanned in real time. Both incoming and outgoing traffic are processed, as are all transit messages. When traffic scan mode is enabled, the application remains loaded in the computer's RAM, and the Interceptor analyzes traffic received from the Microsoft Exchange server and transfers it to the Anti-Virus Scan Subsystem. The Anti-Virus Scan Subsystem processes each message based on its current settings: it scans and analyzes the message using the anti-virus database; if an message or its part is infected, the application processes the detected object in accordance with the selected settings; before processing, a copy of the object can be saved in the Backup storage. If anti-virus protection of the server is enabled, traffic scans will start and stop simultaneously with the startup and stopping of the Microsoft Exchange Server. Kaspersky Security does not scan messages created by protected users in the Public folders of unprotected Microsoft Exchange servers. If messages are transferred from the Public folders of an unprotected area to a protected one, the application will scan them. During data replication between protected and unprotected storages, any changes made by the application as a result of the anti-virus scan are not synchronized. messages which are stored on the server, and the contents of public folders, are also rescanned on a regular basis using the latest version of the anti-virus database (if the background storage scan is enabled (see section "Background scan" on page 50)). Using background scan mode decreases the load on the servers during busy hours, and increases the security level of the infrastructure in general. Background scans can be launched either automatically (using a schedule), or manually. Operation of the application in background scan mode may slow down the operation of Microsoft Exchange Server: therefore it is best to use it during periods of minimum load on mail servers, for example at night. When background scan mode is enabled, the Internal Application Management Module will receive all messages located in public folders and protected storage areas from the Microsoft Exchange server, in accordance with the current settings. If a message has not been analyzed using the latest anti-virus database, it will be sent to the anti-virus component for processing. Objects are processed in background mode in the same way as in traffic scan mode. The application analyzes the message body and attached files in any format. It must be remembered that Kaspersky Security differentiates simple objects, such as executable files, or messages with a simple attachment, from containers, which consist of several objects (such as an archive, or a message with an attachment). When scanning multivolume archives, Kaspersky Security treats and processes each volume as a separate object. In this case, the Kaspersky Security can detect malicious code only if the code is fully located in one of the volumes. If a virus is also divided into parts between volumes, it cannot be detected when only part of the data is loaded. In this situation, the malicious code may propagate after the object is restored as one entity. Multiple-volume archives can be scanned after they are saved to the hard drive by the anti-virus application installed on the user's computer. 46

47 A N T I - V I R U S P R O T E C T I O N If necessary, you can define a list of objects that should not be scanned for viruses. The following types of objects can be excluded from the scan scope: archives, all containers with the nesting level above the specified value, files matching specified masks. Files over 1 MB will be saved to the working folder Store for processing. The Store folder is located in the data folder of the application. The Store folder and the temporary file storage folder TMP must be excluded from the scan scope of any anti-virus applications operating in the enterprise local network. IN THIS SECTION Enabling and disabling anti-virus server protection Creating rules for object processing Scanning attached archives and containers Creating scanning exclusions Configuring protection settings for mail accounts Background scan ENABLING AND DISABLING ANTI-VIRUS SERVER PROTECTION If the anti-virus server protection is enabled, anti-virus scanning of the traffic will be started or stopped at the same time as Microsoft Exchange Server. If the anti-virus protection settings specify background scanning of storage areas (see section "Background scan" on page 50), scanning can be launched manually or according to the schedule. Please note that disabling the anti-virus server protection considerably increases the risk of malware penetrating the system. You are advised not to disable anti-virus protection for long periods of time. To enable or disable anti-virus protection, perform the following steps: 1. Launch Kaspersky Security using the menu Start Programs Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 3. Select the Server protection node. 4. On the Anti-Virus protection tab of the details window, open the Scan settings section. 5. Check the boxes enabling anti-virus protection for all roles of that Microsoft Exchange Server. 6. Click the Save button. 7. To disable protection, uncheck all the anti-virus protection boxes and click Save. 8. You can leave protection enabled for specific roles of Microsoft Exchange Server. To do that, check the boxes enabling anti-virus protection for the selected roles of Microsoft Exchange Server. Click the Save button. If you need to disable the Kaspersky Security service manually, perform the following actions: 1. Disable the anti-virus and anti-spam protection using the Administration Console (see above). 2. Stop Kaspersky Security service and set it to the Disabled startup type. 47

48 A D M I N I S T R A T O R ' S G U I D E To start the application after automatic startup has been disabled for the Kaspersky Security perform the following steps: 1. Make sure that Kaspersky Security service is configured for Automatic startup. 2. Enable the anti-virus and anti-spam protection using the Administration Console (see above). CREATING RULES FOR OBJECT PROCESSING Object processing rules allow you to select the operation used to handle every type of objects. Following an anti-virus scan, each object is assigned a status which can take the following values: Infected - object contains at least one known virus. Clean the object contains no viruses. Protected - the object is password-protected. Corrupted - object is corrupted. To create an object processing rule, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-Virus protection tab of the details window, open the Scan settings section. 4. In the Objects processing rules section use the Infected object dropdown list to select the action: Allow. Allow an object to pass unchanged. Delete the object. Delete revealed infected objects. Delete the message. Delete messages containing an infected object with all attachments. 5. In the Protected object dropdown list, select the action: Allow. Password protection may prevent anti-virus scanning of protected objects. Select the option to Allow, if you wish to skip such objects. Delete the message. Select this option if you want to delete password-protected objects. The message will be deleted completely. 6. In the Corrupted object dropdown list, select the action: Allow. Select this option, if you wish to skip such objects. Delete the message. Select this option to delete corrupted objects. To ensure that a copy of the object is saved to backup storage before the object is processed, check the box Save a copy of the object in the backup storage. 48

49 A N T I - V I R U S P R O T E C T I O N SCANNING ATTACHED ARCHIVES AND CONTAINERS To configure scanning of nested archives and containers, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details window, open on the Anti-Virus protection tab the section Rules for exclusion from the scan scope. 4. Check the box Scan archives, if you want the application to scan archives. 5. Check the box Scan containers with the nesting level not more than and specify the nesting level value for containers in the entry field. Maximum nesting level is 128. You can disable scanning of attachments to optimize the operation of Kaspersky Security, decrease the server load and improve traffic processing performance. To do that, uncheck the boxes Scan archives and Scan containers. It is not recommended to disable scanning of attachments for a long while, since they may contain viruses and other malicious objects. CREATING SCANNING EXCLUSIONS To decrease the load on the server imposed by anti-virus scanning, you can limit the list of objects to be scanned. These scanning restrictions will apply both to the traffic scan, and to the background storage scan. To decrease the load on server, you can disable scanning of archives and containers (see section "Scanning attached archives and containers" on page 49) and specify the masks for files, which will be skipped and the recipients whose mail will be allowed to pass without scanning. To exclude files from scanning using file masks, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details window, open on the Anti-Virus protection tab the section Rules for exclusion from the scan scope. 4. Check the Do not scan files matching the masks box. 5. Input in the entry field the mask for the files which will not be scanned. Examples of allowed masks: *.txt - all files with the *.txt extension, for example, readme.txt or notes.txt. readme.??? all files named readme with an extension of three characters, for example, readme.txt or readme.doc; test - all files without extension named test. 6. Click the button to the right of the field to add the mask from the entry field to the general list of the excluded masks. 7. Click the Save button. 49

50 A D M I N I S T R A T O R ' S G U I D E To exclude from the scan scope messages for the selected recipients, perform the following steps: 1. Check the Do not scan messages for the following recipients box. 2. Specify in the entry field the address of the recipient whose incoming mail will not be scanned. 3. Click the button to the right of the field to add the address to the trusted list. 4. To export the list of recipients to a file, click the button. 5. In the displayed window, enter the file name in the File name field and click the Save button. 6. To import a list of recipients in the application, click the button. 7. In the displayed window, specify in the File name field the file containing the list of exclusions and click Open. 8. Click the Save button. CONFIGURING PROTECTION SETTINGS FOR MAIL ACCOUNTS To enable selective protection of mailboxes, perform the following steps: 1. In the Administration Console select the Server protection node. 2. On the Anti-Virus protection tab, open the Protection for mailboxes configuration section. 3. In the Protected mailbox storages section check the boxes corresponding to the mailbox storages, which you wish to protect. 4. In the Protected public folder storages section check the boxes corresponding to the public folder storages, which you wish to protect. 5. To apply the changes, click the Save button. The list includes all mailbox storage areas created on the protected Microsoft Exchange server. By default, the application protects the storages that already existed when the application was installed and new storage areas. BACKGROUND SCAN Kaspersky Security performs background anti-virus scanning of the mail stored on server and the content of public folders with user-defined settings. The application checks all shared protected folders and mail storage areas. Only those messages which have not been scanned using the current version of the Kaspersky Security database will be scanned. The application scans message bodies and attached files using the general anti-virus scan settings. Background scanning is available only if Microsoft Exchange Server deployed as in Mailbox mode. The application scans public folders and boxes only in protected storage areas. To ensure that Kaspersky Security scans the messages stored on the server and the content of public folders: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server Protection node. 3. On the Anti-Virus protection tab of the details window, open the Protection for mailboxes section. 50

51 A N T I - V I R U S P R O T E C T I O N 4. In the Background scan section, use the Schedule dropdown list to select the option that suits you best: Manually. Users will start background scanning manually. Daily. Specify precise scan time in the entry field in HH:MM format. On selected day. Check the boxes next to the days of the week, when you would like to perform the background scan, and precise time when the procedure should start - in the entry field in HH:MM format. Monthly. Use the arrows to specify the day of the month for scanning and input the time in the time entry field in HH:MM format. 5. Enable the option to Scan message body to check message bodies during background scanning. 6. Check the box Scan recent messages only, to scan just the mail that has arrived within the specified time interval before the background scan. 7. Specify the number of days in the entry field Scan messages received not later than N days until background scan. Maximum number of days is Check the box Limit the scan time and define the necessary value for the setting Stop the scan in N hours after scan start to optimize the procedure duration. 9. To apply the changes, press the Save button. 10. To launch the scan immediately, press the Start scan button. 11. After start you can stop the background scan by clicking the Stop button. Background scanning start and stop actually occur within a minute after the corresponding buttons are pressed. 51

52 ANTI-SPAM PROTECTION Main purposes of Kaspersky Security include filtering of unwanted messages (spam) in the mail traffic passing a relay server. The Anti-Spam component filters during its arrival via SMTP, i.e. before the mail appears in the mailboxes of the users. Anti-spam checks are used with the following data types: internal and external traffic via SMTP using anonymous authentication on the server; messages arriving on the server through anonymous external connections (edge server). Anti-spam checks are not used with the following data types: internal corporate traffic; external traffic arriving on the server during authenticated sessions. You can enable scanning of such traffic manually (see section "Using additional Anti-Spam functionality" on page 58). Each is checked for the presence of spam signs. To do that, the application first checks various message attributes: the sender's and recipients addresses, message size, headers (including From and To). Second, it uses content-based filtration analyzing the actual message content (including the Subject header) and attached files. The application uses unique linguistic and heuristic algorithms based on comparison with sample messages and in-depth analysis of the text, layout and other attributes. After filtering the application produces one of the following verdicts for the inspected messages: Spam. The application unambiguously recognizes the message as spam. Probable spam. The message may contain spam. Formal notification. An automatic message informing, for example, about mail delivery to the recipient. Object contains no spam. The message has been checked and contains no spam. Blacklisted. or IP address of message sender is present in the black list of addresses. Administrators can use available flexible settings to choose the type of operation that will be applied to messages with each possible status. The following operations are available for mail handling: Allow. Deliver a message to the recipient without changes. Reject. If you select this operation, the sending server will receive in response a return code informing about an error during message delivery (error code 500). The message will not be delivered to the recipient. Delete. If you select this operation, the sending server will receive in response a notification about message delivery (code 250); however, the message will not be delivered to the recipient. Add SCL value. The application will assign to messages the rating indicating the probability of spam content inside (SCL, Spam Confidence Level). SCL rating can be a number ranging from -1 to 9. Higher SCL rating means higher probability of spam content in a message. Add label. messages recognized by Kaspersky Security as spam or potential spam are tagged with special [!!SPAM], [??Probable Spam] or [!!Blacklisted] labels in the Subject field. The labels can be modified. Furthermore, the application supports flexible configuration of anti-spam analysis intensity. The following intensity levels are available: 52

53 A N T I - S P A M P R O T E C T I O N Maximum. This intensity level should be used if you receive spam frequently. When you select this level, the frequency of false positives rises: that is, useful mail is more often recognized as spam. High. This level is considered as optimal by the experts at Kaspersky Lab as regards anti-spam protection. This level should be used in most cases. Low. This intensity level offers slightly lower protection compared to high level. The level provides an optimal combination of scanning performance and quality. Minimum. This intensity level should be used if you receive spam rarely. By default the application uses Low intensity level of anti-spam protection. You can increase or decrease the level. To ensure more thorough anti-spam filtration, the application supports by default external DNSBL and SURBL services and user-defined DNSBL and SURBL lists. SURBL is a list of domains known to generate unsolicited mail. DNSBL is a public list of IP addresses known to generate spam. DNSBL and SURBL are updated with the Anti-Spam database every five minutes. The application calculates spam rating for messages taking into account the responses from DNSBL and SURBL servers. Spam rating is an integer ranging from 0 to 100. During spam rating calculation the application considers the weight assigned to each responding DNSBL and SURBL server. If the summarized rating of the servers that have responded exceeds 100, spam rating of such message will be increased by 100. If it is smaller, spam rating will not be increased. Kaspersky Security allows using a dynamic DNS client. Dynamic DNS client detects potential participation of a sender's IP address in a botnet using reverse lookup of its DNS. The functionality can be used provided that the protected SMTP server has no dial-up users. You can enable the SPF technology for anti-spam processing. SPF (Sender Policy Framework) allows validation of the sender's domain to make sure it is not forged. Domains use SPF to authorize certain computers to send mail on their behalf. If message sender is not included into the list of authorized senders, such mail will not be accepted. IN THIS SECTION Configuring the anti-spam analysis Creating the black and white lists of senders Advanced Anti-Spam configuration Using external services for spam processing Using additional Anti-Spam functionality CONFIGURING THE ANTI-SPAM ANALYSIS To configure the anti-spam scanning settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-Spam protection tab of the details window, open the Scan settings section. 4. Check the box Anti-spam mail scanning, if you wish to scan incoming mail using the Anti-Spam component. 5. Use the slider to set the Intensity level of anti-spam analysis. Kaspersky Security uses four intensity levels to filter messages: 53

54 A D M I N I S T R A T O R ' S G U I D E Maximum. This intensity level should be used if you receive spam frequently. When you select this level, the frequency of false positives rises: that is, useful mail is more often recognized as spam. High. This level is considered as optimal by the experts at Kaspersky Lab as regards anti-spam protection. This level should be used in most cases. Low. This intensity level offers slightly lower protection compared to high level. The level provides an optimal combination of scanning performance and quality. Minimum. This intensity level should be used if you rarely receive spam, for example, if you are working in protected corporate environment. 6. In the Rules for spam processing section select one of the operations available for each of the verdicts: Allow. The message will be delivered to recipients unchanged. Reject. If you select this operation, the sending server will receive in response a return code informing about an error during message delivery (error code 500). The message will not be delivered to the recipient. Delete. If you select this operation, the sending server will receive in response a notification about message delivery (code 250); however, the message will not be delivered to the recipient. 7. Specify other operations that you wish to perform with the mail. To do that, selectively check the following boxes as necessary: Add SCL value. The application will add to the message the rating indicating the probability of spam content in it (SCL, Spam Confidence Level). SCL rating can be a number ranging from -1 to 9. Higher SCL rating means higher probability of spam content in a message. Save a copy. Copy of the message can be saved in the Backup storage. Add label. messages recognized by Kaspersky Security as spam, potential spam or blacklisted mail are tagged with special [!!SPAM], [??Probable Spam] or [!!Blacklisted] labels in the Subject field. The labels can be modified. CREATING THE BLACK AND WHITE LISTS OF SENDERS You can create lists of senders whom you trust (white list) or do not trust (black list). You may specify an or an IP address of the sender. Once you have created the list, click the Save button to apply the changes. To configure theblack and white lists, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-Spam protection tab of the details window, open the White and black list settings configuration section. Creating the black and white lists of mail addresses To create the white list of senders, perform the following steps: 1. Check the box Add sender's address to white list. 2. In the entry field specify the address of the sender whose mail will not be checked by the Anti-Spam component. 3. Click the button to add to the list the record from the entry field. 54

55 A N T I - S P A M P R O T E C T I O N 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. To create the black list of senders, perform the following steps: 1. Check the box Add sender's address to black list. 2. Specify in the entry field the address of the sender whose mail will be recognized as spam. 3. Click the button to add to the list the record from the entry field. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. Creating the black and white lists of sender IP addresses To create the white list of IP addresses, perform the following steps: 1. Check the box for the Add the sender's address to the white list of IP addresses setting. 2. Enter in the IP address entry field the sender whose mail will not be checked by the Anti-Spam component. 3. Click the button to add to the list the record from the entry field. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. To create the black list of IP addresses, perform the following steps: 1. Check the box for the Add the sender's address to the black list of IP addresses setting. 2. Enter in the IP address entry field the address of the sender whose mail will be recognized as spam. 3. Click the button to add to the list the record from the entry field. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. 55

56 A D M I N I S T R A T O R ' S G U I D E Creating the white list of recipients' addresses To add recipients to the white list, perform the following steps: 1. Check the box for the Add recipient's address to white list setting. 2. Enter in the SMTP address entry field the recipient whose incoming mail will not be checked by the Anti-Spam component. 3. Click the button to add to the list the record from the entry field. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. ADVANCED ANTI-SPAM CONFIGURATION You can use advanced Anti-Spam configuration to fine-tune the anti-spam scanning settings. Advanced configuration allows you to increase the spam rating of a message based on the analysis of its sender's address, subject and foreign language in the content. To increase mail spam rating based on the analysis of its sender's address, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-Spam protection tab of the details window, open the Advanced settings section. 4. In the Increase spam rating while parsing the sender's address group: check the boxes for the following settings as necessary: If the "To" field is empty. Spam rating of a message will be increased if its "To" field is empty. If the Sender's address contains digits. Spam rating of a message will be increased if the address of its sender and / or recipients contain digits. If the sender's address does not contain a domain part (@domain.com). Spam rating of a message will be increased if the address of its sender contains no domain. To increase mail spam rating based on the analysis of its subject, perform the following steps: 1. On the Anti-Spam protection tab of the details window, open the Advanced settings section. 2. In the Increase spam rating while analyzing message subject: check the boxes for the following settings as necessary: If the subject is longer than 250 characters. Spam rating of a message will be increased, if its subject contains more than 250 characters. If the subject of the message contains many spaces and/or full stops. Spam rating of a message will be increased, if its subject contains multiple spaces and / or dots. If the message subject contains a timestamp. Spam rating of a message will be increased, it its subject contains a digital ID or a timestamp. 56

57 A N T I - S P A M P R O T E C T I O N In the Increase spam rating for messages written in: group of settings, check the boxes for the languages, mail in which you believe to contain spam: Chinese, if you consider messages in the Chinese language as spam. Korean, if you consider messages in the Korean language as spam. Thai, if you consider messages in the Thai language as spam. Japanese, if you consider messages in the Japanese language as spam. USING EXTERNAL SERVICES FOR SPAM PROCESSING Kaspersky Security can use external services for spam processing. External services are publicly available Internet resources and services, for example, black lists of IP addresses, etc. You can also use the UDS (Urgent Detection System) technology. UDS service creates on the client side an irreversible message signature (it cannot be used to restore message subject, text or recipient / sender addresses) and sends it to a UDS server. If the signature is found in the black lists of the UDS server, spam rating of the message will be increased. Service functioning requires opening the following ports: 7060 for UDS1 and 7080 for UDS2. To use external services checking IP addresses and URLs, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-Spam protection tab of the details window, open the Using external services section. Check the box Use external services for validation of IP or URL addresses to detect spam if you want the anti-spam checks to use additionally external services. 4. In the Management of the DNSBL services in use group of settings, check the box Use the default DNSBL, to employ DNSBL (Domain Name System Block List) services for the purposes of anti-spam analysis. DNSBL is a public list of IP addresses known to generate spam. 5. Check the box Use another list from the set of DNSBL to enable the corresponding option. When enabled, the option allows you to create a custom list below. Specify the DNS name of the server and its weighting coefficient in the corresponding fields and click the button. To remove a record, click the button. You can use the buttons and respectively to import and export the list. 6. In the SURBL configuration group of settings, check the box SURBL configuration, to use the SURBL (Spam URI Realtime Block List) service. SURBL is a list of domains known to generate unsolicited mail. Thus, if a message contains an URL from that list, it will be identified as spam. 7. Check the box Use the default SURBL to analyze messages using the default SURBL. 8. Check the box Use another list from the set of SURBL to enable the corresponding option. When enabled, the option allows you to create a custom list below. To add a record to the list, specify the DNS name of the server and its weighting coefficient in the corresponding fields and click the button. To remove a record, click the button. You can use the buttons and respectively to import and export the list. 9. To perform reverse DNS lookup for the sender's IP address, check the box Check sender IP for presence in DNSBL. 10. To use the SPF (Sender Policy Framework) technology, check the box Use SPF. 11. To use dynamic DNS client, check the box Use dynamic DNS client. 12. Specify in the entry field the timeout for DNS requests. By default, the timeout is set to 10 seconds. 57

58 A D M I N I S T R A T O R ' S G U I D E To use the UDS technology, perform the following steps: 1. Check the Use the Urgent Detection Service (UDS). 2. Specify in the entry field the timeout for UDS requests. By default, the timeout is set to 10 seconds. USING ADDITIONAL ANTI-SPAM FUNCTIONALITY You can use additional functionality of the Anti-Spam component. Additional features include certain analysis methods, the settings for inspection of documents and other options. To specify scanning restrictions based on procedure duration and object size, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-Spam protection tab of the details window, open the Additional settings section. In the Scan settings section, use the Maximum time for scanning a message (sec.) entry field to specify the necessary value. If the scanning procedure takes longer than specified, the scan will be skipped. The default value is 30 seconds. The application will produce for such objects the clean object verdict, but if x-headers are enabled, they will contain a record informing about exceeded scan duration. 4. In the Scan settings section, use the Maximum object size to scan entry field to specify the necessary value. If an object exceeds the specified size, its scan will be skipped. The default value is 300 KB. The application will produce for such objects the clean object verdict, but if x-headers are enabled, they will contain a record informing about exceeded object size. To configure the scan settings for documents, perform the following steps in the Scan settings for Microsoft Office files configuration section: 1. Check the box Scan DOC files to scan the documents in Microsoft Word format. 2. Check the box Scan RTF files, to scan RTF documents. To configure additional settings, use the Other settings section to perform the following steps: 1. Check the box Use the "Probable Spam" verdict, if you want to application to use the "Probable Spam" rating for suspicious messages. 2. Check the box Use image analysis, if you want the application to analyze images in mail attachments using the GSG (image analysis) technology. It is used to analyze images checking them against the samples in the antispam database. If a match is found, spam rating of such message will be increased. 3. Check the box Enable storage and use of spam samples in multibyte encoding, to enable storage and use of spam samples in UTF8 encoding. The mode helps avoid data losses in spam samples in East Asian languages but slightly increases the time necessary to process each message. Enabling it is recommended if UTF8 encoding is used in correspondence. Modification of this setting will become effective after the Anti-Spam database is updated. 4. Check the box Enable service headers to enable addition of x-headers containing information about the scan results to messages. 5. Check the box Scan authorized connections to enable scanning of the mail received via a Trusted Connection. 6. Check the box Skip anti-spam scanning for messages sent to the Postmaster address to disable scanning of messages arriving for the Postmaster address. 58

59 A N T I - S P A M P R O T E C T I O N If a received message has SCL rating of -1, Kaspersky Security will not perform its anti-spam checks. 59

60 BACKUP STORAGE Kaspersky Security allows duplicates of untreated objects to be placed in Backup storage before the object is processed. Subsequently, objects located in Backup storage may be: saved to disk to retrieve the data in the object. Additionally, you can restore the infected object and have the application re-scan it using an updated anti-virus database; deleted; sent for analysis to Kaspersky Lab - only for suspicious files containing a modification of a known virus, or an unknown virus. Our specialists will analyze the file, attempt to recover the data, and if the file is infected with malicious code, make an entry in the anti-virus database. Then, when you re-scan this file using the updated database, you can disinfect it and recover the data intact; sent to the recipients. Saved objects will be delivered to the recipient(s). A backup copy of the object scanned by the Anti-Virus is created only if in the anti-virus protection settings the box Save a copy of the object in the backup storage is checked. Objects processed by the Anti-Spam component are saved in Backup, too. The object is stored in Backup in encrypted form, which ensures: no risk of infection, as the object is not accessible without decoding; better performance for the anti-virus application, as encrypted files stored in Backup storage are not identified as infected and are not rescanned. The data volume that can be stored in the Backup storage may be restricted by one of the two following parameters: The total number of objects in the backup storage should not exceed one million. This restriction cannot be lifted. The user can additionally specify restrictions on the Backup storage size, and the length of an object s storage period. The application checks compliance with these restrictions regularly (every minute). The application performs the following actions: if the allowed number of objects in the backup storage is exceeded, the application will remove the required number of the "oldest" objects; if the backup storage size is limited and there is not enough free disk space to save the new object, the application will free the required space by again deleting the "oldest" objects; if the object storage period is limited, the application will remove objects which have been stored for longer than the limit. You can use the Backup node to perform the following operations: view the Backup storage content; manage backed-up copies of objects: view their properties, restore them, send them to recipients, send them for analysis and remove them. Quick data filtering can be configured to enable convenient viewing and searching of the Backup storage area (see section "Filtering of Backup" on page 64). 60

61 B A C K U P S T O R A G E IN THIS SECTION Viewing the Backup storage Viewing properties of a backed-up object Filtering of Backup Restoring objects from the Backup Sending objects for analysis Deleting objects from Backup storage Configuring the Backup storage settings VIEWING THE BACKUP STORAGE In the Backup (see figure below) you can view all stored objects listed in a table with specific headers. Each column header indicates a certain type of information about the listed objects. The lower left part of the details window displays the total number of objects in Backup, the disk space occupied by these items and the number of objects displayed in the details window after a filter is applied. To view the Backup content, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. The list of objects' copies saved in Backup will appear in the details window. By default, you can view the following information about each object in Backup: From. The addresses of senders of the message To. The addresses of recipients of the message Subject. Message subject. Type - The component that the object describes. (Anti-Spam or Anti-Virus). Verdict. Message status. Reception time. Precise time of message arrival on Microsoft Exchange server. Message creation date. Date when the message was created. Size on disk. Disk space occupied by an object. Path. Object path in the storage of a Microsoft Exchange server. 61

62 A D M I N I S T R A T O R ' S G U I D E Release date of the databases. The release date of the database used by the component, which has detected the object. Figure 5: Viewing the Backup To configure the details window view, perform the following steps: 1. To add more columns to the details pane, click the button Add / Remove columns. 2. In the displayed dialog check the boxes corresponding to the data types, which you would like to review in the details window. You can sort the data in the table in the ascending or descending order by any column. To do that, click one of the headers, for example From, To, Subject, etc. The sorting can also be performed using filters (see section "Filtering of Backup" on page 64). The number of objects that the details window can display at a time is limited. To view other objects, use the navigation buttons in the lower right corner of the details window. Current window number is displayed between the two pairs of navigation buttons. To proceed to the next wizard step, press the > button. To proceed to the previous wizard step, press the < button. To proceed to the last wizard step, press the >> button. To return to the first wizard step, press the << button. VIEWING PROPERTIES OF A BACKED-UP OBJECT To view the Backup content, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 62

63 B A C K U P S T O R A G E 2. Select the Backup node. 3. Select in the details window an objects stored in Backup. 4. Click the button Additionally and select from the displayed menu Properties. The Message properties dialog will appear. You can view the following information in the properties: Virus. Virus name will appear in this field, if a message is infected. Type - Object type. From. The sender's address To. Recipient address. Cc. Copy recipient(s). Size on disk. Disk space occupied by the message. Subject. Message subject. Folder. Folder where the message is stored. Delivery time - Precise time of message delivery (day, month, year, hour, minute) Creation time. Precise time of message creation (day, month, year, hour, minute). Size. Message size (bytes). You can select several objects and view their properties. To do that, select the objects, click the button Additionally and select Properties in the displayed menu. You can use the displayed Properties of the selected objects window to review the verdicts for all selected objects. 63

64 A D M I N I S T R A T O R ' S G U I D E FILTERING OF BACKUP The use of filters (see figure below) allows searching and structuring of the data contained in Backup storage, as only the information complying with the filtering parameters becomes available. This feature is helpful as the number of objects in the Backup storage increases. The filter can be used, for example, to search for objects that must be restored. Figure6: Configuring the Backup filters To configure Backup filters, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select from the dropdown list at the top of the details window one of the criteria that will be used to filter the objects in Backup. You can select one of the suggested options: Only spam. In that case the details window will only display objects with the "Spam" verdict. Only viruses. In that case the details window will only display infected messages or mail containing viruses in attachments, message body, etc. Search for words. If you select this option, specify in the entry field the key words, which will be used to search for matching messages. The application will search the Subject field and the addresses of message senders and recipients. Custom filter. In that case select the criterion for the filter from the dropdown list, define its condition based on a certain value (e.g., is equal to or is not equal to) and specify that value. For the Message creation 64

65 B A C K U P S T O R A G E date, Reception time and Database release date criteria specify the date using the calendar. For the Verdict criterion, select the sought verdict from the dropdown list. For the Type criterion, select the type of object from the dropdown list (All messages, Attachment, Mail body). For other criteria input the value manually in the entry field. 4. Press the Search button. Applied filter will appear above the details window while the window itself will list the objects matching the search criteria. 5. To reset a filter, click the Remove button to the right of the filter. 6. To delete all objects, click the Remove all button. You can also sort the data in the table in the ascending or descending order by any column. To do that, click one of the column headers, for example From, To, Subject, etc. RESTORING OBJECTS FROM THE BACKUP To restore an object from the Backup, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select in the details window the object, which you would like to restore. 4. Click the Additionally button and select from the displayed menu Save on disk. 5. In the warning dialog box that will open, confirm the restoration of the object by pressing the Yes button. 6. In the window that will open, specify the folder to which you wish to save the restored object, and if necessary, enter or modify the object name. 7. Click the Save button. The application will decode the encrypted object, move it to the specified folder and save it with the specified name. The restored object will be identical to its original state before it was first processed by the application. After the object is successfully restored, a corresponding notification is displayed on the screen. Please keep in mind that restoring such objects may cause infection of your computer. You can also send a copy of a message stored in Backup to its original recipients. To do that, click the Additional button and select from the displayed menu Send to recipients. SENDING OBJECTS FOR ANALYSIS Objects can only be sent for analysis by Kaspersky Lab's specialists if they have the status suspicious. Before you send objects for analysis, you should configure the general notification settings (see section "Configuring notification settings." on page 68). To send an object for examination, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Use the table displaying backup storage contents to select an object with the suspicious status, which you wish to send for analysis. You can use a filter to search for objects (see section "Filtering of Backup" on page 64). 65

66 A D M I N I S T R A T O R ' S G U I D E 4. Select in the context menu the Send for analysis command. As a result, the application will create an message, with the selected object as an attachment, on the computer where the managed Security Server is installed and send it to Kaspersky Lab. The object is sent in encrypted form, and therefore will not be detected by Kaspersky Security again. After the message is sent, a notification confirming that the file has been sent will be displayed by the computer from which the administration is run. DELETING OBJECTS FROM BACKUP. The following objects are automatically deleted from Backup: The "oldest" object, if adding a new object will exceed the restriction imposed on the total number of objects in backup storage. The maximum number of files in this version is limited to one million. "Older" objects if there is a restriction imposed on the backup storage size, and if there is not enough space to store a new object. Objects whose storage period has expired, if there is a restriction imposed on the storage period. Objects may also be manually removed from Backup storage. This feature may prove useful to delete objects that have been successfully restored or sent for analysis, and to create free space in the Backup storage if automatic object removal methods did not help. To delete objects from the Backup, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select in the details window the object(s), which you would like to delete. You can use a filter to search for objects (see section "Filtering of Backup" on page 64). 4. Click the Delete button. 5. To delete all objects at once, click the Remove all button. The objects will be deleted from Backup. CONFIGURING THE BACKUP STORAGE SETTINGS The backup storage is created during installation of the Security Server component. The backup storage settings have default values that can be altered by the administrator. To change the Backup settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Configuration node. 3. In the details window, check in the Data storage configuration section the box Restrict the Backup storage size. 4. Specify in the Backup size cannot exceed entry field the maximum allowed Backup size. The default value is 5120 Mb. 5. Check the box Restrict the duration of object storage in Backup and specify the necessary number of days in the Store objects no longer than field. The default value is 30 days. 66

67 B A C K U P S T O R A G E If none of the options is enabled, the backup storage size will only be restricted by the number of objects stored. The limit in this application version is one million objects. To apply the changes, press the Save button. 67

68 NOTIFICATIONS Kaspersky Security can send notification messages about infected objects that it discovers during scans. Notifications can be delivered using the following methods: by sending messages, which requires you to edit the general settings that will be used to send notifications. by registering the event in the Microsoft Windows system log on the computer where the Security Server component is installed. In this case, the information is accessible through the use of Events viewer, a standard Microsoft Windows logs viewing and management tool. Notifications can be sent to inform senders and message recipients about infected, protected and corrupted objects. This allows the sending of notification messages to additional recipients, such as the administrator or a security officer. IN THIS SECTION Configuring notification settings Configuring notification delivery settings CONFIGURING NOTIFICATION SETTINGS. To define the notification settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Notifications node. In the details window you can configure notifications for the following types of objects: Infected objects. To configure notifications about infected objects, open the Notify about infected objects configuration section. Corrupted objects. To configure notifications about corrupted objects, open the Notify about corrupted objects configuration section. Protected objects. To configure notifications about protected objects, open the Notify about protected objects configuration section. System errors. To configure notifications about system errors, open the Notify about system errors configuration section. Sender and recipient notifications for that type of objects are not supported. 3. Define notification settings for each type of objects in the Notify by section. 4. Check the box Administrator, if you want to have the notifications sent to the administrator's address. 5. Check the box sender, if you want to have the notifications sent to the sender of the message where the corresponding object is detected. 6. Check the box recipient, if you want to have the notifications sent to the recipient of the message where the corresponding object is detected. 7. Check the box the following recipients and specify in the entry field the mail address(es) where notifications should be sent. 68

69 N O T I F I C A T I O N S 8. To record the event in the Microsoft Windows system log, enable the checkbox Register in Windows event log. CONFIGURING NOTIFICATION DELIVERY SETTINGS. To define the notification sending settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Notifications node. 3. Open the window sending settings using the context menu of the Notifications node or the sending settings link in the details window. Figure 7: Configuring the delivery settings 4. In the Web-service address field specify the address of the web service that will be used to mail messages via Microsoft Exchange Server. 5. Specify in the Account field any account registered on the Microsoft Exchange Server. To do that, click Browse or enter the account name manually. 6. Type in the Password field the password for the selected account. 7. In the Administrator's address field specify the mail recipient's address. 8. Click the Test button to send a test message. If the test message arrives in the specified mailbox, it means that delivery of notifications is configured properly. You can also configure delivery of notifications in the Notification Settings section of the Settings node. 69

70 REPORTS Kaspersky Security supports creation and reviewing of reports on the activity of the Anti-Virus and Anti-Spam components. You can use the reports to review the statistics of application activity for a specific time interval. The application generates for each component a separate report covering time interval ranging from a day to one month. The reports may be standard and detailed. Standard reports contain information about objects processed during the entire time period without additional indication of the time when each individual event occurred. Detailed reports provide more precise time frame for each event. Minimum time interval reflected in the detailed report is one hour. Reports can be generated automatically according to schedule or manually. You can view the reports in the application or receive them via . ed reports are attached to a message. The message contains explanatory text as follows: Attached file contains an activity report of Kaspersky Security 8.0 for Microsoft Exchange Servers. Furthermore, you can create Quick reports about all events that occurred within a user-defined time interval. Quick reports can be generated separately for the Anti-Virus and the Anti-Spam components. Quick reports are used if you wish to define manually the reporting period. IN THIS SECTION Configuring Quick reports settings Configuring Anti-Virus reports settings Configuring Anti-Spam reports settings View the Ready reports Delivery of reports via CONFIGURING QUICK REPORTS SETTINGS To configure Quick reports settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open in the details window the Quick reports configuration section. 3. Enter in the Report name field the name for the report being created. 4. Select one of the following options from the Type dropdown list: Anti-Virus. A report for the Anti-Virus component will be generated. Anti-Spam. A report for the Anti-Spam component will be generated. 5. Select one of the options from the Detail level dropdown list: Standard. The report will contain brief information about objects processed during the entire reporting period without additional indication of the time frame when each individual event occurred. Detailed. The application will generate a detailed report indicating the time frame for each event depending upon the length of the reported period. If the period is equal to one day, the minimum time frame for each event is one hour. If the period is equal to a week, the minimum time frame for each event is six hours. If the period is equal to one month, the minimum time frame for each event is one day. 70

71 R E P O R T S 6. Select one of the options from the Interval dropdown list: For the last day. The report will cover the last 24 hours. For the last week. The report will cover the last week. For the last month. The report will cover the last month. 7. Specify in the Start with field the beginning date of the reported period or pick the necessary date from the calendar. 8. To create a quick report using the defined settings, click the Generate report button. 9. To apply the changes, click the Save button. CONFIGURING ANTI-VIRUS REPORTS SETTINGS To configure Anti-Virus reports settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open in the details window the Anti-Virus report configuration section. 3. Check the box in the Use schedule to generate reports automatically field if you want the application to generate the reports on the Anti-Virus activity in accordance with the specified schedule. 4. Enter in the Report name field the name for the report being created. 5. Select one of the options from the Detail level dropdown list: Standard. The report will contain information about objects processed during the entire reporting period without indication of the time frame for each individual event. Detailed. The application will generate a detailed report indicating the time frame for each event depending upon the length of the reported period. If the period is equal to one day, the minimum time frame for each event is one hour. If the period is equal to a week, the minimum time frame for each event is six hours. If the period is equal to one month, the minimum time frame for each event is one day. 6. Select one of the options in the Report schedule dropdown list: Daily. If you choose this option, specify the precise report creation time in the entry field. Weekly. If you choose this option, use the dropdown list to select the day of the week when the report should be created. Specify in the entry field precise time for report generation. Monthly. If you choose this option, select the day of the month when you want to have the report generated. Specify in the entry field precise time for report generation. 7. To create an Anti-Virus report using the defined settings, click the Generate report button. 8. To apply the changes, click the Save button. 71

72 A D M I N I S T R A T O R ' S G U I D E CONFIGURING ANTI-SPAM REPORTS SETTINGS To configure Anti-Spam reports settings, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open in the details window the Anti-Spam report configuration section. 3. Check the box Use schedule to generate reports automatically, if you want the application to generate the reports on the Anti-Spam activity in accordance with the specified schedule. 4. Enter in the Report name field the name for the report being created. 5. Select one of the options from the Detail level dropdown list: Standard. The report will contain information about objects processed during the entire reporting period without indication of the time frame for each individual event. Detailed. The application will generate a detailed report indicating the time frame for each event depending upon the length of the reported period. If the period is equal to one day, the minimum time frame for each event is one hour. If the period is equal to a week, the minimum time frame for each event is six hours. If the period is equal to one month, the minimum time frame for each event is one day. 6. Select one of the options in the Report schedule dropdown list: Daily. If you choose this option, specify the precise report creation time in the entry field. Weekly. If you choose this option, use the dropdown list next to it to select the day of the week when the report should be created. Specify in the entry field precise time for report generation. Monthly. If you choose this option, select the day of the month when you want to have the report generated. Specify in the entry field precise time for report generation. 7. To create an Anti-Spam report using the defined settings, click the Generate report button. 8. To apply the changes, click the Save button. VIEW THE READY REPORTS To view the reports on the operation of application components, perform the following steps: 1. In the console tree, select the node of the connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open in the details window the Ready reports configuration section. 3. You can use the table of ready reports to review all created reports. The table displays the following information about each report: Name - Default name or user-defined name. Type - The component that the report describes. Date. Report creation time in the HH / MM / YY format. Detail level. Standard or Detailed. Period. Time interval covered in the report. 72

73 R E P O R T S 4. To view a specific report, select it in the list and click the Display button Figure 8: View the Ready reports Viewing an Anti-Virus report The header of the standard Anti-Virus report contains the following information: Report type; Name of the server running the reported component; Time interval covered in the report. Day, month, year of report creation (UTC). You can view the following information in the standard Anti-Virus report table: Verdict. Object status after Anti-Virus processing. 73