Trend Micro InterScan Messaging Security Suite. Certification Training Course. Student Textbook


Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright 2003 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Program Manager: Tom Brandon
Editorial: Niche Associates, Inc.
Released: October 2003 v01

Table of Contents

InterScan Messaging Security Suite ... 5
  Course Objectives ... 5
  Prerequisites ... 6
Chapter 1: Overview of InterScan Messaging Security Suite ... 7
  Product Features
  New Feature: Spam Prevention Service
  Enterprise Protection Strategy
Chapter 2: Setup, Installation, and Registration ... 23
  Preparing to Install InterScan MSS
  Upgrading from InterScan MSS
  Installing InterScan MSS
  Registering InterScan MSS
  Upgrading From the Evaluation Period
  Update Settings
Chapter 3: Configuring SMTP Routing Settings ... 55
  SMTP Routing
  Delivery Settings
  Message Settings
  Testing the InterScan MSS Installation
Chapter 4: Configuring POP3 Scanning Settings ... 75
  POP3 Scanning
Chapter 5: Configuring General and Security Settings ... 87
  General Settings
  Security
Chapter 6: Understanding and Configuring Policies
  Policy Overview
  Two Types of Policies
  Editing Global Policy Filters
  Creating a Sub-Policy
  Creating New Filter Actions
Chapter 7: Understanding Filters
  Filters
  The Antivirus Filter
  Configuring the Advanced Content Filter
  Configuring a Message-Attachment Filter
  Configuring General Content Filter
  Configuring Message-Size Filters
  Configuring Disclaimer Manager Filter
  Configuring the eManager Anti-Spam Filter
  Spam Prevention Service (SPS)
  Managing the Quarantine Area
Chapter 8: Configuring System Monitor and Log Maintenance Settings
  System Monitor Settings
  Log Maintenance Settings
Chapter 9: Troubleshooting
  Troubleshooting Common Problems
  Troubleshooting the Installation Process
  Getting Support from Trend Micro SolutionBank
  Changes to the ISNTSmtp.ini File
Appendix A: Using Trend Micro Online Resources
  Contacting Trend Micro
  Trend Micro Virus Doctors
  Client Scans with HouseCall
  Trend Micro Security Information Center
Appendix B: Adding Entries to DNS and Excluding Files From Scanning
  Adding Entries to DNS
  Excluding Certain Types of Text Files from Scanning
Appendix C: Uninstalling and Reinstalling InterScan Messaging Security Suite
Appendix D: Example Logs
Appendix E: Interpreting Header Information
Appendix F: Answers to Review Questions ... 245

InterScan Messaging Security Suite

Course Objectives
After studying this course as part of an ATC Training Program, you should be able to:

Knowledge
- Describe the main features of InterScan Messaging Security Suite (InterScan MSS)
- Explain how InterScan MSS protects your system from viruses and other malware
- Describe the main features of eManager
- Explain how eManager controls the content entering your system
- Describe how the heuristic scan engine works and how Spam Prevention Service (SPS) uses it to filter spam

Skills
- Install InterScan MSS
- Use the Management Console to configure InterScan MSS for varying network conditions and preferences
- Test the capabilities of InterScan MSS
- Monitor the performance of InterScan MSS
- Update the virus pattern, scan-engine, and program files of InterScan MSS

How to Use This Material
To help you understand how to use InterScan MSS, this course is based on a learning model comprised of the following:

Chapters
Each chapter focuses on one aspect of using InterScan MSS to protect your network from viruses in the wild. In addition to defining important concepts and terms, each chapter outlines the various administration tasks you need to perform. For example, you will learn how to install, configure, and troubleshoot InterScan MSS. The PowerPoint slides your instructor uses to teach the course appear at the beginning of each chapter. The rest of the chapter contains detailed information that you can read or refer to after class.

Trend Micro Incorporated 5

Chapter Objectives
Each chapter starts with a list of objectives so you can see how the chapter fits into the overall course goal. After reading the chapter, you should be able to fulfill the chapter objectives.

Summary
Each chapter ends with a summary, listing the important information explained in the chapter. The summary mirrors the chapter objectives.

Review Questions
To help you fulfill the chapter objectives, each chapter includes review questions that test your understanding of the chapter material. After reading the chapter, you should be able to answer the questions easily and quickly. If you cannot answer a question, you should review the chapter material. The answers to the review questions are provided in Appendix F: Answers to Review Questions.

Prerequisites
This course is designed for end users and resellers who need to install and set up InterScan MSS, and for those who seek Trend Micro antivirus suite certification. The following professionals benefit most from this course:
- System administrators
- Network engineers

Before you take this course, Trend Micro recommends that you have the following knowledge:
- A general knowledge of TCP/IP
- A working knowledge of Microsoft Windows 2000 and Windows 2000 Advanced Server
- A working knowledge of Simple Mail Transfer Protocol (SMTP)
- A working knowledge of Microsoft Internet Information Server (IIS)
- A working knowledge of Microsoft Exchange and Microsoft Outlook Express
- Familiarity with the physical aspects of networking (such as network interface boards, cables, jacks, hubs, routers, and so on)

Chapter 1: Overview of InterScan Messaging Security Suite

Chapter Objectives
After completing this chapter, you should be able to:
- Describe the main features of InterScan Messaging Security Suite (InterScan MSS)

Product Features
InterScan MSS is a high-performance, policy-based antivirus and content-security Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) server. InterScan MSS performs the following functions:
- Protects enterprise messaging systems from Internet-borne malware
- Blocks the transmission and receipt of spam and other non-business-related content

InterScan MSS can be deployed into an existing SMTP messaging environment and protects networks from virus infection through the SMTP gateway. In addition to SMTP traffic, InterScan MSS can scan POP3 messages. POP3 scanning is performed using the InterScan MSS POP3 proxy, which runs on the same server as the SMTP scanning function (using a different port).

InterScan MSS eManager filters messages for spam and non-business-related content such as profanity, sexually offensive content, and racially offensive content. eManager includes filters that you can configure to block any type of content from your system. You can also configure the Spam Prevention Service (SPS) filters to block unwanted content from your network.

AMON Support
InterScan MSS 5.5 supports Application Monitoring (AMON) from Check Point Software Technologies, Ltd. InterScan MSS uses AMON to report scanning statistics to the Check Point System Status Viewer.

Automatic Detection of Multiple Network Interface Cards
If you install InterScan MSS on a server that has multiple network interface cards, the setup program automatically detects the IP address of each card. You can then select the IP address that you want the program to use.

Best-Match Algorithm
The best-match algorithm is the method that InterScan MSS uses to determine which policy to apply to an email. InterScan MSS applies the policy with the route that most closely matches the addresses of the incoming email.

Cluster Servers
InterScan MSS supports cluster servers for increased performance. When you install multiple instances of InterScan MSS on clustered servers, you can save your customized settings, which are stored in INI files, DAT files, and registry entries. You can then apply these settings to each instance of InterScan MSS running on the cluster servers.
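As an added illustration of the best-match idea (not Trend Micro's code; the page does not define the product's exact matching rules, so the route-pattern syntax, the specificity ranking and the sample policies below are assumptions), here is a selector that prefers an exact address over a domain route and a domain route over "anyone", and falls back to the global policy:

```python
"""Best-match policy selection for an email: the sub-policy whose sender and
recipient routes most closely match the message's addresses is applied, and
the global policy is the fallback.  Added illustration; the route syntax
("*", "*@domain", full address) and the 1/2/3 ranking are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    # Route patterns: "*" (anyone), "*@domain" (everyone at exactly that
    # domain; subdomains do not match) or a full address.
    senders: list = field(default_factory=lambda: ["*"])
    recipients: list = field(default_factory=lambda: ["*"])
    filters: list = field(default_factory=list)


def route_score(pattern: str, address: str) -> int:
    """How closely one route pattern matches one address:
    0 = no match, 1 = anyone, 2 = domain match, 3 = exact address."""
    pattern, address = pattern.lower(), address.lower()
    if pattern == "*":
        return 1
    if pattern.startswith("*@"):
        return 2 if address.endswith(pattern[1:]) else 0
    return 3 if pattern == address else 0


def best_score(patterns, address: str) -> int:
    """Best score over all patterns of one route (0 if none matches)."""
    return max((route_score(p, address) for p in patterns), default=0)


def select_policy(sender: str, recipient: str, sub_policies, global_policy):
    """Return the sub-policy whose sender AND recipient routes both match
    with the highest combined specificity.  Ties keep the sub-policy that
    is listed first; if nothing matches, the global policy applies."""
    best, best_total = global_policy, 0
    for policy in sub_policies:
        s = best_score(policy.senders, sender)
        r = best_score(policy.recipients, recipient)
        if s == 0 or r == 0:
            continue  # a route that does not match disqualifies the policy
        if s + r > best_total:
            best, best_total = policy, s + r
    return best


# Constructed sample configuration: one global policy and three sub-policies.
GLOBAL_POLICY = Policy("Global policy", filters=["antivirus", "anti-spam"])
SUB_POLICIES = [
    Policy("Finance inbound", recipients=["*@finance.example.com"],
           filters=["antivirus", "anti-spam", "attachment size limit"]),
    Policy("Executive mailbox", recipients=["ceo@example.com"],
           filters=["antivirus", "no disclaimer"]),
    Policy("Partner traffic", senders=["*@partner.example.net"],
           recipients=["*@example.com"],
           filters=["antivirus", "keyword: confidential"]),
]


def policy_for(sender: str, recipient: str) -> str:
    """Name of the policy the sample configuration applies to a message."""
    return select_policy(sender, recipient, SUB_POLICIES, GLOBAL_POLICY).name


if __name__ == "__main__":
    for s, r in [("alice@example.org", "bob@finance.example.com"),
                 ("alice@example.org", "ceo@example.com"),
                 ("bob@partner.example.net", "dave@example.com"),
                 ("alice@example.org", "dave@other.example")]:
        print(f"{s} -> {r}: {policy_for(s, r)}")
```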

Content Management
You can use InterScan MSS to inspect messages and attachments and stop unwanted content at the gateway. Email is an indispensable business tool, but it must be managed properly to ensure it is used productively. You can create filters that use keyword expressions to eliminate anything from violent, sexually offensive, or racially offensive content to personal communications.

Domain-Based Message Routing
With InterScan MSS, routing is based on the recipient domain. This domain-based routing capability provides flexible message delivery through multiple smarthosts or specific Domain Name System (DNS) servers.

Early Detection of Mass-Mailing Viruses
InterScan MSS detects mass-mailing viruses such as the Melissa, Loveletter, and AnnaKournikova viruses. These email-aware viruses use the infected computer's email client and address book to spread themselves. Trend Micro publishes a list of these auto-spamming viruses in the antispam pattern file, which InterScan MSS updates from the Trend Micro ActiveUpdate server.

InterScan MSS also protects your network from new mass-mailing viruses before they are added to the antispam pattern file. InterScan MSS recognizes the symptoms of infected messages and blocks them. For example, the file attachment name or extension and the text that appears in the message body or header typically remain the same as the virus spreads. InterScan MSS can recognize these identifying characteristics and determine that a mass-mailing virus is spreading the file.

Because email-aware viruses can be so damaging, InterScan MSS may take different actions when it detects mass-mailing viruses than the actions it takes against other viruses. For example, if InterScan MSS detects a macro virus in a Microsoft Office document, it can quarantine the document, in case it contains important information that has to be retrieved. If InterScan MSS detects a mass-mailing virus, however, the program can automatically delete the infected file. Deleting the file saves resources that would be used to scan, quarantine, or otherwise process a file that has no value. In addition to saving resources, deleting the file can prevent help-desk calls from concerned employees and eliminate post-outbreak cleanup.

Enhanced Performance
InterScan MSS includes an enhanced built-in mail transfer agent (MTA), mail delivery agent (MDA), and virus/content scanner to ensure that your messaging system runs efficiently. In addition, InterScan MSS has a multithreaded design that takes full advantage of multiprocessor systems.

Policy-Based Management
InterScan MSS provides policy-based management, which makes it easier to regulate content and filter for viruses. To enforce email usage guidelines, you can create multiple virus and content-filtering policies on a single InterScan MSS server. You can also set up different policies for individuals or groups, based on sender and recipient addresses. A policy consists of the following three attributes:

Who    | To whose messages the policy applies
What   | What message or attachment characteristics, such as addresses, keyword expressions, file types and sizes, are to be filtered
Action | The action to take with email that triggers the filters

Quarantine Manager
You can use the Quarantine Manager to manage messages in the quarantine area. The Quarantine Manager is part of the InterScan MSS Web console. You can view the messages in the quarantine area and decide what action you want to take with them. The Quarantine Manager has a query feature that you can use to retrieve information about the messages in the quarantine area, including the reason the message was quarantined.

Secure, Web-Based Management Console
InterScan MSS includes a Secure Sockets Layer (SSL)-compatible, Web-based Management Console. Using this Management Console, you can control access to InterScan MSS servers and sessions from any Web-enabled workstation on your network.

Server Access Control
You can set connection and relay restrictions that prevent unauthorized use of your InterScan MSS server. Such restrictions can prevent spammers from using your servers to relay messages. To ensure that InterScan MSS processes only messages you deem acceptable, you can also set limits on inbound connections, message sizes, and other parameters.

Single-Server, Multiple-Policy Support
A single InterScan MSS server can enforce company rules on email use. You can set up different policies for individuals or groups based on the sender and recipient addresses. You can create a maximum of 3,000 sub-policies within a single InterScan MSS installation. However, each sub-policy can have an unlimited number of filters.

SMTP Load Balancing to Downstream Servers
InterScan MSS has an enhanced domain-based delivery mechanism and delivers email to downstream SMTP servers in round-robin fashion. This delivery mechanism balances the load for all downstream SMTP servers (see Figure 1-1). InterScan MSS forwards email to the first available server.

[Figure 1-1: InterScan MSS uses a round-robin method to forward email to downstream SMTP servers. Diagram labels: Internet, IMSS, three SMTP servers, delivery steps 1 to 6.]

Support for POP3
InterScan MSS can scan POP3 traffic. The POP3 proxy runs on the same server as the SMTP scanning function, but it uses a different port. InterScan MSS also includes a POP3 Client Tool, which is an ActiveX control for configuring email clients. You can use the POP3 Client Tool to automate the configuration of several common email clients.

Note: The ActiveX configuration tool only works with Outlook Express. All other email clients require manual configuration.

System Monitor
InterScan MSS includes a built-in agent, called the System Monitor, which monitors the status of the InterScan MSS server. The System Monitor can notify you by email or Simple Network Management Protocol (SNMP) trap when fault conditions, such as a virus, threaten to disrupt the email flow. Detailed logging helps you take a proactive approach to these issues and eliminate them before they become a problem. Event monitoring helps you identify potential trouble spots and provides notifications so that you can correct problems and keep the system running smoothly.
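The round-robin delivery with skip-on-unavailable that Figure 1-1 describes, as an added example (not the product's delivery agent): the availability probe is a caller-supplied function, which is an assumption, and the three downstream hosts are constructed sample values.

```python
"""Round-robin delivery to downstream SMTP servers: successive messages
rotate across the configured servers, and a server that is not available
is skipped so the message goes to the first available one.  Added
illustration; the probe callable and the sample hosts are assumptions."""
from typing import Callable, Optional, Sequence, Tuple

Server = Tuple[str, int]  # (host, port)


class RoundRobinDelivery:
    def __init__(self, servers: Sequence[Server],
                 probe: Callable[[str, int], bool]):
        if not servers:
            raise ValueError("at least one downstream server is required")
        self._servers = list(servers)
        self._next = 0        # index of the server to try first next time
        self._probe = probe   # returns True when host:port will accept mail

    def next_server(self) -> Optional[Server]:
        """Pick the next available server in rotation.

        Starts at the server after the one used last, so load spreads evenly
        while all servers are up; an unavailable server is skipped and the
        rotation continues from the server that actually took the message.
        Returns None when every server is down, in which case the caller
        keeps the message in its local queue and retries later (the
        store-and-forward behaviour the requirements chapter mentions)."""
        count = len(self._servers)
        for offset in range(count):
            index = (self._next + offset) % count
            host, port = self._servers[index]
            if self._probe(host, port):
                self._next = (index + 1) % count
                return host, port
        return None

    def assign(self, message_ids: Sequence[str]) -> dict:
        """Map each message id to the server chosen for it (or None)."""
        return {mid: self.next_server() for mid in message_ids}


# Constructed sample: three downstream servers behind the IMSS host.
DOWNSTREAM = [("smtp1.example.com", 25),
              ("smtp2.example.com", 25),
              ("smtp3.example.com", 25)]


def sample_assignment(down=("smtp2.example.com",)) -> dict:
    """Deliver five constructed messages with the given hosts unavailable."""
    def probe(host: str, port: int) -> bool:
        return host not in down
    delivery = RoundRobinDelivery(DOWNSTREAM, probe)
    return delivery.assign([f"msg{i}" for i in range(1, 6)])


if __name__ == "__main__":
    for mid, server in sample_assignment().items():
        print(mid, "->", server)
```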

Some events are handled automatically. For example, if the InterScan MSS service stops, it restarts automatically to ensure email flow is not interrupted.

New Feature: Spam Prevention Service
The addition of Spam Prevention Service (SPS) 2.0 provides InterScan MSS with heuristic spam filtering capabilities. Heuristic technology calculates the probability that a particular message is spam. Unlike other methods used to identify spam, heuristic technology is capable of identifying first-time spam, or spam that has not been previously documented. Because spammers frequently change the techniques they use, heuristic scanning is an important layer of defense against new spam.

Enterprise Protection Strategy
InterScan MSS protects your network at the SMTP gateway, which is one of the main entry points to your network. However, you must also protect the other entry points to your network. For example, when users browse the Internet or download files from Web sites, their workstations might be attacked by malware. When mobile users plug their laptops into public networks, home networks, or networks at other companies, their laptops might be attacked by malware. When these users reconnect to your network, malware on their computers can spread to your network. Once the malware enters your network, it can quickly spread to all vulnerable devices. To help you protect all the entry points to your network, Trend Micro offers a variety of products (see Table 1-1).
Product | Protection | Platform
InterScan Web Security Suite | HTTP and FTP | Windows and Solaris
InterScan VirusWall | SMTP, HTTP, and FTP | Windows, Solaris, HP-UX, Linux, and IBM AIX
InterScan Messaging Security Suite | SMTP and POP3 | Windows and UNIX
InterScan Web Manager | HTTP | Windows
ScanMail for Microsoft Exchange | SMTP | Microsoft Exchange on Windows
ScanMail for Lotus Notes | SMTP | IBM Lotus Domino on Windows, IBM AIX, IBM S/390, IBM AS/400, Linux, Solaris, and SUSE
ScanMail for OpenMail | SMTP | OpenMail on HP-UX
ServerProtect | File system | Windows, NetWare, Network Appliance Filers, EMC Celerra, and Linux
PortalProtect | File system | Microsoft SharePoint Portal Server on Windows
Damage Cleanup Server | Cleaning templates that repair damage to the device, including changes made to the registry, files, and open ports | Client: Windows; Server: Windows
PC-cillin | File system, network shares, POP3 | Windows
OfficeScan Corporate Edition | File system, TCP/IP, Outlook client, PDAs, and wireless devices | Client: Windows; Server: Windows

Table 1-1: Trend Micro products that you can use to protect the different entry points on your network.

Note: To help you protect your network against the latest malware threats, Trend Micro is constantly updating its products. For up-to-date information, visit the Trend Micro Web site.

Protecting individual devices and systems is only the first layer of defense. To prevent malware from damaging your network and causing downtime, you need an integrated solution that coordinates all virus-protection products, mitigates damage caused by malware attacks, and cleans damaged systems. The Trend Micro Enterprise Protection Strategy (EPS) combines products, services, and support to protect network entry points. To rebuff a malware attack, the Enterprise Protection Strategy delivers a coordinated defense that begins when a new virus is discovered and ends when the threat is eliminated.

Relying on a broad offering of specific products and resources, the Trend Micro EPS includes these basic components (see Figure 1-1):
- Trend Micro Control Manager
- Outbreak Prevention Services
- Virus Response Services
- Damage Cleanup Services

[Figure 1-1: Using Trend Micro Enterprise Protection Strategy to manage the outbreak lifecycle. Centralized management: Trend Micro Control Manager (outbreak lifecycle management, deployment, and reporting). Outbreak lifecycle phases: Outbreak Prevention, Virus Response, Assessment & Restoration. Stages: Threat Information, Attack Prevention, Notification & Assurance, Pattern File, Scan & Eliminate, Assess & Clean up, Restore & Post-Mortem. Trend Micro services: Outbreak Prevention Services, Virus Response Services, Damage Cleanup Services.]

Trend Micro Control Manager
Trend Micro Control Manager provides centralized management and enterprise-wide coordination of all Trend Micro antivirus and content-security products and services. Using Trend Micro Control Manager, you can monitor virus activity on your network from a central location. You can ensure that virus pattern files are always updated, and you can deploy and enforce virus-protection policies across the entire network. You can also respond quickly to virus outbreaks.

Outbreak Prevention Services
Outbreak Prevention Services (OPS) provides proactive attack updates, outbreak prevention policies, and system-wide status reports. Coupled with Trend Micro products that reside at critical points across the network, OPS accelerates response times in protecting networks against new malware. By applying information and prevention policies that focus on a specific threat, you can deflect, isolate, and restrict attacks before they spread. These early prevention measures help reduce system damage and prevent costly shutdowns that affect business operations.

Virus Response Services
Virus Response Services includes the Virus Response Service Level Agreement (SLA) and threat-based scanning. The SLA is a penalty-backed guarantee to deliver a virus pattern file within two hours from the time the customer submits a virus case. If Trend Micro fails to meet this promise, it will pay the customer an amount of money agreed to in the SLA.

The virus pattern file provided with Virus Response Services includes threat-based scanning. This feature increases the efficiency of virus scanning by focusing the search in areas where the threat is most likely to be found.

Damage Cleanup Services
The Damage Cleanup Services provides cleaning templates that scan the system and assess the damage incurred during the outbreak. The template analyzes changes that were made to the files, system settings, and network protocols. These changes include hidden guest accounts, registry entries, or memory-resident payloads.

For more information about the EPS, visit Trend Micro's Web site.

Chapter 1 Summary and Review Questions

Summary
InterScan MSS analyzes email messages and attachments for content that you want to block from your network. Because InterScan MSS supports both SMTP and POP3 traffic, it can scan all email messages entering or leaving your company's system. With InterScan MSS, you can block viruses at the gateway before they enter your company's messaging system or network. In addition, you can block non-business-related email, including violent, sexually offensive, or racially offensive email. To enforce your company's email usage rules, you can create virus and content-filtering policies. You can also set up different policies for individuals or groups, based on sender and recipient addresses.

Review Questions
1. Which feature allows you to control the level of antivirus and content management that is applied to members of your organization?
   a. Domain-based message routing
   b. Quarantine manager
   c. Policy-based management
   d. Single-server, multiple policy support
2. Which feature can you use to filter unwanted email, such as sexually or racially insensitive material?
   a. Domain-based message routing
   b. Content management
   c. Policy-based management
   d. Single-server, multiple policy support
3. Which feature notifies you when a fault condition threatens to disrupt email flow?
   a. Content management
   b. Enhanced server access control
   c. Quarantine manager
   d. System Monitor

Chapter 2: Setup, Installation, and Registration

Chapter Objectives
After completing this chapter, you should be able to:
- List the options for incorporating InterScan Messaging Security Suite (InterScan MSS) into your current firewall setup
- Choose an installation server, based on the requirements of your company's network
- Install InterScan MSS
- Register InterScan MSS
- Configure InterScan MSS
- Upgrade InterScan MSS from trial to full version
- Update InterScan MSS

Preparing to Install InterScan MSS
Before you install InterScan MSS, consider the following:
- Location: You must decide how to incorporate InterScan MSS with your firewall.
- Installation server: You must decide whether to install InterScan MSS on the Simple Mail Transfer Protocol (SMTP) server or on a dedicated server.
- Hardware requirements: You must ensure that the server meets the minimum hardware requirements for running InterScan MSS.

Incorporating InterScan MSS with Your Firewall
Trend Micro recommends the following two options for incorporating InterScan MSS into your current firewall setup:
- Behind the firewall
- In the Demilitarized Zone (DMZ)

Behind the Firewall
You should always install InterScan MSS behind a firewall. In this configuration, the firewall can continue to protect your network against intrusion while InterScan MSS provides content scanning and filtering (see Figure 2-1).

Note: You should never install InterScan MSS in front of your company's firewall. InterScan MSS is a content-security product, not a firewall.

[Figure 2-1: Installing InterScan MSS behind the firewall. Diagram labels: Internet, Firewall, IMSS, SMTP Server, domain2.com.]

In the DMZ
You can install InterScan MSS in a DMZ, which further protects your company's network from Internet-based attacks. A DMZ isolates traffic that is coming from the Internet, preventing this traffic from directly accessing your network. You can create a DMZ by installing two firewalls to separate your network from the Internet. The area between the two firewalls is the DMZ, which is where you would place your InterScan MSS server (see Figure 2-2).

[Figure 2-2: Installing InterScan MSS on a dedicated server in the DMZ. Diagram labels: Internet, External Firewall, DMZ containing IMSS, Internal Firewall, SMTP Server; incoming email (port 25) and outgoing email (port 25).]

You can also create a DMZ using just one firewall. In such a configuration, email passes through the firewall when entering the network. After InterScan MSS has scanned the email, it sends it back through the firewall and to the receiving client (see Figure 2-3).

[Figure 2-3: Installing InterScan MSS in a one-firewall DMZ. Diagram labels: Internet, Firewall, IMSS, SMTP Server, Receiving Client. Email passes through the firewall on the way to the InterScan MSS server. After InterScan MSS completes the scanning, it routes the email back through the firewall and to the SMTP server.]

Choosing the InterScan MSS Server
You can install InterScan MSS either on your SMTP server or on a dedicated server. Installing InterScan MSS on a server that runs other applications can decrease efficiency, so Trend Micro recommends that you install InterScan MSS on a dedicated server. The decision of where to install InterScan MSS, however, is based primarily on resource availability and SMTP traffic. Installing InterScan MSS on a dedicated server is ideal for networks with heavy traffic because the overhead on the email server does not increase. If your email server has antivirus products from other vendors, installing InterScan MSS on a dedicated server prevents problems that might arise as a result of conflicting applications.

Installing InterScan MSS on your email server does not require any additional servers. This configuration also uses less network bandwidth, and you do not have to make any changes to your network's DNS configuration (see Figure 2-4).

[Figure 2-4: Installing IMSS on the original SMTP server. Diagram labels: Internet, Firewall, IMSS on the existing SMTP gateway, Client.]

If you install InterScan MSS on your email server, you must configure the InterScan MSS server exactly as your existing SMTP server is configured. Matching the configuration ensures that the email server and InterScan MSS both process all email. When you install InterScan MSS on the same computer as the email server, ensure that the SMTP and InterScan MSS ports do not conflict. InterScan MSS binds to port 25 by default, so the port on the existing SMTP server must be changed prior to installing InterScan MSS. If you are using POP3, the POP3 port numbers should also be changed because InterScan MSS tries to bind to port 110. After you reassign these ports, you can run the InterScan MSS setup program.

Configuring Email Flow Through Your Network
Regardless of where you install InterScan MSS, you must configure your email flow in the same fashion. Incoming email must pass through InterScan MSS first. After InterScan MSS scans email, it passes it to the network email server, which then passes it to the receiving clients. Outgoing email must pass through the network email server first, which then passes it to InterScan MSS (see Figure 2-5).
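A pre-install check for the shared-server case above, added here as an example (not part of the product's setup program): it reports whether anything already listens on the ports InterScan MSS binds by default, 25 for SMTP and 110 for POP3, so those services can be moved before setup runs. The TCP-connect probe and the placeholder listener used to exercise the check are assumptions.

```python
"""Pre-install port check for a host that will run InterScan MSS alongside
the existing SMTP/POP3 server.  A TCP connect is used instead of a bind so
the check needs no privileges and sees a service that is already running.
Added illustration, not the product's own code."""
import socket

# Ports InterScan MSS tries to bind by default (from the text above).
DEFAULT_PORTS = {"SMTP": 25, "POP3": 110}


def is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out or unreachable
        return False


def port_conflicts(ports=None, host: str = "127.0.0.1") -> dict:
    """Return {service: port} for every default port already in use, i.e.
    the ports to reassign on the existing mail server before installing
    InterScan MSS.  An empty dict means setup can proceed."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {service: port for service, port in ports.items()
            if is_listening(host, port)}


def open_placeholder_listener(host: str = "127.0.0.1"):
    """Stand-in for an existing mail service (assumption, for exercising the
    check): listen on an ephemeral port and return (socket, port) so the
    real ports 25 and 110 are never touched.  Close the socket when done."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    conflicts = port_conflicts()
    if conflicts:
        print("Reassign these ports before installing InterScan MSS:", conflicts)
    else:
        print("Ports 25 and 110 are free on this host.")
```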

InterScan MSS should be the first server through which incoming email passes and the last server through which outgoing email passes.

[Figure 2-5: Proper configuration of email flow. Diagram labels: Internet, Firewall, IMSS, email server, Receiving Client.]

Checking the System Requirements
Before installing InterScan MSS, you should ensure that your network meets the following hardware and software requirements:

Minimum Hardware Requirements
- Intel Pentium III processor, 650 MHz CPU
- 512 MB RAM
- 500 MB disk space for email storage

Note: Ensure that the minimum disk space is maintained. If this minimum is not maintained, InterScan MSS may experience critical problems.

Recommended Hardware Requirements
- Intel Pentium III processor, 1 GHz or above
- 1 GB RAM
- Minimum 2 GB of free hard disk space for email storage (InterScan MSS uses a store-and-forward mechanism, so a large HDD is recommended)

Software Requirements
- Windows 2000 Server/Advanced Server (recommended), Windows 2003 Server, or Windows NT 4 Server
  Note: Installation on Windows NT 4 has only been tested with Service Pack 6A. The Windows 2000 installation has been tested with Service Pack 4.
- Microsoft Internet Information Server (IIS) 4.0 or above, with the latest security patches, to host the InterScan MSS Web console
- Microsoft Internet Explorer 5.5 or above
  Note: Netscape Navigator is not supported.

Upgrading from InterScan MSS 5.1 and 5.15

The InterScan MSS 5.5 installation program can automatically upgrade from both InterScan MSS 5.1 and InterScan MSS 5.15. If the installation program detects either of these two previous versions, it can:
- Uninstall the previous version of InterScan MSS
- Migrate the existing settings
- Install InterScan MSS 5.5

Note: InterScan VirusWall and versions of InterScan MSS prior to 5.1 cannot be upgraded. You must completely uninstall these programs before installing InterScan MSS 5.5.

Once you have migrated previous InterScan MSS settings, you must activate InterScan MSS. When you activate InterScan MSS, all previously created emanager filters that you migrated will be inactive. You must use the Policy Manager to reactivate them.

Note: If you choose not to migrate your old InterScan MSS settings, Trend Micro recommends that you completely uninstall InterScan MSS and perform a clean install.

If the target server has a copy of InterScan MSS 5.x, the following files are automatically backed up during migration:
- isntsmtp.ini
- domaintable.ini
- tmlogflag.ini
- localdomain.dat
- conn_restrict.dat
- relay_restrict.dat
- vsapi32.dll

These files are migrated to the new installation, and backup copies are created in the \IMSS_RILOG directory on the root drive.

Installing InterScan MSS 5.5

You must have the following information when you run the installation program:
- InterScan MSS and SPS registration codes and activation codes
- IP address and port number of the SMTP server that currently handles your email
- IP address and port number of the SMTP server used to send notification messages (optional)

Note: Trend Micro recommends that you do NOT use the InterScan MSS server as your notification server. Doing so can cause message looping, and if the InterScan MSS server stops working you cannot receive notification messages from the System Monitor.
- Administrator's email address for receiving notifications
- The domain name(s) of the server that processes email for your network (as shown in the MX record on your DNS server)
- The name of the Windows NT or Windows 2000 server on which you want to install InterScan MSS
- An administrator credential (user name and password) with local administrative rights, or domain administrator credentials

If you downloaded the InterScan MSS package from the Internet as a single compressed file, decompress it to a folder, preserving the folder structure that existed within the compressed file.

Close all programs on the target server. If either Microsoft Internet Explorer or the Microsoft Management Console (MMC) is open, the installation will fail. Other MMC-based programs may also interfere with the InterScan MSS installation console; close them on both the target server and the computer from which you run a remote installation.

Note: Do not disable the Distributed Component Object Model (DCOM) service. InterScan MSS will not function properly if it is disabled.

SSL Communication

You can use Secure Sockets Layer (SSL) to protect the communication between the Web console and InterScan MSS. If you choose SSL protection, you must generate and apply an SSL certificate to Microsoft Internet Information Server (IIS) before installing InterScan MSS. If you do not apply the certificate before installation, you will have to uninstall InterScan MSS, apply the certificate, and reinstall InterScan MSS. Without SSL, the console password and any proxy credentials you enter cross the network in clear text, so enable SSL whenever the console is reached from another machine.
Running the Installation Program

Double-click setup.exe to start the InterScan MSS installation program. You can run setup.exe on the target server or on any other Windows NT or 2000 server or workstation on your network.

Note: The InterScan MSS installation program uses TCP port 445 (SMB over TCP, referred to here as the Netlogon port). If you have locked down this port, open it before you run a remote installation and close it again afterwards.

Note: The Remote Registry service must be running on the target server.

Accessing the Web Console

To open the InterScan MSS Web console, click Start and select All Programs > Trend Micro InterScan Messaging Security Suite for SMTP > Trend Micro InterScan Messaging Security Suite for SMTP Web Configuration. The Welcome screen appears (see Figure 2-6).

The InterScan MSS Web console has no default password. Leave the password field empty and click Enter. You can set a password after you have activated the InterScan MSS services.

Note: Trend Micro recommends setting a password to restrict access to InterScan MSS. Until you do, anyone who can reach the console's IIS virtual directory can reconfigure the gateway, so set the password as soon as activation is complete. For more information on setting the password, see the General Settings section of Chapter 5: Configuring General and Security Settings.

Figure 2-6: The Welcome screen for the InterScan MSS Web console.

The InterScan MSS installation program creates a shortcut that takes you directly to the Welcome screen of the InterScan MSS Web console. The shortcut is located in the C:\Program Files\Trend\IMSS\UI folder (see Figure 2-7). You can copy this shortcut to the desktop for easy access to the Web console.

If you are using SSL communication, you must change the shortcut to point to an HTTPS URL instead of an HTTP URL. To change this setting, right-click the shortcut and select Properties. The intscan Properties dialog appears (see Figure 2-8). Click the Web Document tab and modify the URL.

Figure 2-7: The InterScan MSS installation program creates a shortcut to the Web console that you can copy to your desktop.

Figure 2-8: The intscan Properties dialog.

Registering InterScan MSS

When you first open the InterScan MSS Web console, it opens directly to the product activation page. To activate InterScan MSS or Spam Prevention Service (SPS), you must enter a valid Activation Code. Each product has a separate code. You can obtain an Activation Code in the following ways:
- As part of the product download
- Through a reseller
- Directly from the Trend Micro Web site

Proxy Settings

If you use a proxy server to connect to the Internet, you must configure the proxy server and authentication settings before attempting an update. As a security precaution, the proxy password is sent only once, from the InterScan MSS Web console to the InterScan MSS server. When you return to the Proxy Settings screen, the Password field appears blank: displaying the password, even as a series of asterisks, would require sending the proxy user name and password between the server and the browser again.

To enter your Activation Code and configure your proxy server (if applicable), click Configuration > Product License in the left-hand column of the InterScan MSS management console. The Product License screen appears, showing which products are activated. Click the Activate link next to the product you want to activate; another Product License screen appears (see Figure 2-9). Enter the requested information to activate your product.

Figure 2-9: The Product License screen.

Upgrading From the Evaluation Period

If you entered an evaluation Activation Code for either InterScan MSS or SPS, you began a 30-day trial period during which you can test the full functionality of the software. You can upgrade from the evaluation period to the registered version of either product at any time by entering a valid Activation Code in the Web console.

To upgrade from the 30-day trial version, click Configuration > Product License in the left-hand column of the InterScan MSS management console. The Product License screen appears. Click the View license details link next to the product that you want to permanently activate. A new Product License screen appears. Click the Enter a new code link and enter the requested information in the fields provided (see Figure 2-10).

Figure 2-10: The Enter a New Code screen, used when upgrading from the InterScan MSS trial version to the full version.

Note: You cannot use another evaluation code if you are already using the evaluation version of the product. You must enter a full-version Activation Code. To obtain a valid Activation Code, contact the Trend Micro sales department. Contact information is available at

Benefits

Registering your product entitles you to the following benefits:
- One year of program and pattern file updates
- Important product information

Update Settings

To maintain the highest level of protection against the latest virus and content threats, you must update your virus pattern file and spam database regularly. Trend Micro updates the virus pattern file several times per week in response to newly released viruses. In addition, Trend Micro periodically updates the scan engine, the component that compares a file's binary structure with the virus pattern file, detects suspicious virus-like behavior, and cleans viruses. The heuristic spam rules are also updated periodically to improve the accuracy with which SPS identifies spam; updates to the heuristic spam rules are included in virus pattern file updates.

When you install InterScan MSS, immediately update both the scan engine and the virus pattern file to ensure that you are using the most recent versions of both components. Outdated pattern files and scan engines cannot protect against newly developed viruses.

You should normally update the components from the Trend Micro ActiveUpdate server, using the default URL for which the product is configured. Because the update source is configurable, however, you can specify another location. For example, you may need to change the update path if a technical support engineer has directed you to install a special build of the virus pattern file or scan engine, or if you set up your own update server on your intranet. Point the product only at a source you control or trust: whoever controls the update source controls the scan engine code that runs on the gateway.

You can use either of the following update methods:
- On-Demand Update (Update Now)
- Scheduled Update

On-Demand Update (Update Now)

You can use the Update Now feature to update the InterScan MSS components at any time. For example, if Trend Micro notifies you that a new virus has been discovered, use Update Now to make sure that you have the latest versions of the virus pattern file, scan engine, spam database, and SPS heuristic scan engine. To ensure that all components are current, use Update Now immediately after installing InterScan MSS.

To update the components with Update Now, click Configuration > Update > Update Now in the left-hand frame of the InterScan MSS management console. The Update Now screen appears (see Figure 2-11).

Figure 2-11: Components that should be updated are marked with a red "Update Now!" message.

The Update Now screen shows the version of each component that you are using as well as the most up-to-date version available for each component. Newer components, when available, are marked with a red "Update Now!" message, as shown in Figure 2-11. In this example, both the scan engine and the spam database are current, but the virus pattern file needs to be updated.

Scheduled Update

InterScan MSS can automatically download updates hourly, daily, or weekly. If your network has limited Internet bandwidth, you can configure InterScan MSS to update the virus pattern file and scan engine after business hours or at other times when network traffic is low. Trend Micro recommends that you schedule regular updates of all InterScan MSS components.

To configure a scheduled update, click Configuration > Update > Scheduled Update in the left-hand column of the InterScan MSS Web console. The Scheduled Update screen appears (see Figure 2-12). Select the components that you want to update and configure an update schedule in the fields provided.

Figure 2-12: The Scheduled Update screen.

Note: The new scheduled update settings are applied to the InterScan MSS scheduler immediately after you click Save.

Rolling Back an Update

After updating to a new virus pattern file, InterScan MSS keeps the old virus pattern files on the server. You can use the roll-back feature to revert to a previous virus pattern file. If you receive a virus pattern file that is corrupt, you can roll back the update and continue using the previous version until Trend Micro releases a new one.

Each virus pattern file has a three-digit number as its file extension. The virus filter always uses the virus pattern file with the highest-numbered extension. For example, if InterScan MSS has stored the virus pattern files lpt$vpn.001, lpt$vpn.002, and lpt$vpn.003, it uses the file with the 003 extension.

When rolling back to a previous virus pattern file, ensure that an older pattern file is present in the C:\Program Files\Trend\IMSS\ISNTSmtp folder. If only the current pattern file is in the folder, you cannot roll back the update. If an older pattern file is available, remove the newest pattern file from the directory and then restart the InterScan MSS service (see Figure 2-13).

Note: InterScan MSS stores old virus pattern files indefinitely; you must delete them manually. There is no reason to keep more than one or two out-of-date virus pattern files.

Figure 2-13: Ensure that an older version of the virus pattern file is available before rolling back the update.

Lab Exercise 1: Installing InterScan MSS
Lab Exercise 2: Updating the InterScan MSS Components

Chapter 2 Summary and Review Questions

Summary

You can install InterScan MSS behind your existing firewall or in your DMZ. You also have two options for the installation server: your existing SMTP server or a dedicated (separate) server. Trend Micro recommends a dedicated server.

Regardless of where you install InterScan MSS, incoming email must pass through the InterScan MSS server first. The InterScan MSS server scans the email and delivers it to the mail server, which passes it to the receiving clients. All outgoing email should pass through the mail server and then through the InterScan MSS server.

You use the InterScan MSS installation program to install the software, upgrade previous versions, and uninstall the software. You can run the installation program on the target server or on any other Windows NT or 2000 server or workstation on your network.

After you install InterScan MSS, you must register your copy of the software before you can configure it and receive updates for the virus pattern file and scan engine. After registering, you receive one year of program and virus pattern file updates and current product information. Trend Micro regularly updates the virus pattern file and periodically updates the scan engine and heuristic spam rules. You can obtain these updates from the Trend Micro ActiveUpdate server.

Review Questions

1. Which of the following are recommended installation configurations for InterScan MSS? (Choose two.)
a. Behind the firewall
b. In front of the firewall
c. In a DMZ
d. Behind a DMZ

2. Which of the following installation instructions does Trend Micro recommend?
a. Install InterScan MSS on the existing email server.
b. Install InterScan MSS on a dedicated server.
c. Install InterScan MSS on a server with other Trend Micro products.
d. Install InterScan MSS on the largest server on your network.

3. Which of the following are reasons why it is beneficial to install InterScan MSS on the email server? (Choose two.)
a. Additional servers are not required
b. Overhead on the email server does not increase
c. Requires less network bandwidth
d. Greater efficiency

4. Which four of the following items can you update? (Choose four.)
a. Virus pattern file
b. Pattern-matching engine
c. Spam database
d. Scan engine
e. SPS heuristic spam rules
f. TrueScan filter


Chapter 3: Configuring SMTP Routing Settings

Chapter Objective

After completing this chapter, you should be able to configure Simple Mail Transfer Protocol (SMTP) routing settings.


SMTP Routing

Before InterScan Messaging Security Suite (InterScan MSS) can scan messages sent to and from your network, you must configure its built-in SMTP server. You can configure its IP address, SMTP greeting, and connection time-out settings. You can also control from which servers InterScan MSS accepts messages and which servers are allowed to relay messages through it.

Server Identity Settings

InterScan MSS binds to an IP address and port. In addition to these settings, you can configure the greeting message that other SMTP servers receive after connecting to InterScan MSS. The greeting is the first thing a remote host sees, so avoid advertising the product name and version in it. To configure the IP address and SMTP greeting, click Configuration > SMTP Routing > Receiver > Settings. The Settings screen appears (see Figure 3-1). Enter the requested information, click Save, and then click Apply Now.

Figure 3-1: The SMTP Routing Receiver Settings screen.

Note: If the server on which you installed IMSS for SMTP has multiple network interface cards, InterScan MSS binds to all available IP addresses. If you want it to bind to a specific IP address, select that address from the pull-down menu.

Note: To apply the new settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied after you restart the InterScan MSS service.

Connections

The InterScan MSS built-in SMTP server accepts email from other SMTP servers and passes it on after processing is complete. You can configure how these connections are handled.

Timeout

Idle SMTP servers that stay connected to the InterScan MSS server hold connection slots and memory, placing a strain on the gateway. To prevent servers from holding a connection indefinitely, set a timeout value. For example, if you set the timeout to 10 minutes, InterScan MSS drops the connection to any server that sits idle for more than 10 minutes.

Simultaneous Connections

Too many simultaneous connections can also place a heavy strain on the server. You can limit the number of hosts that connect to the InterScan MSS server at once and so bound the resources in use. If you set the simultaneous connections limit to five, InterScan MSS allows only five hosts to connect at the same time; additional hosts must wait for an available connection. Together, the timeout and the connection limit are what stop a slow or deliberately idle sender from exhausting the gateway's connections.

Reverse-Lookups

A reverse-lookup checks the identity that the connecting host claims. After accepting a TCP connection, InterScan MSS knows the source IP address of the remote computer. The remote computer then sends a HELO (or EHLO) command carrying a domain name. InterScan MSS queries the DNS server(s) for that domain name to obtain its IP address(es).
If one of the returned IP addresses matches the remote computer's IP address, the reverse-lookup succeeds.

Note: Performing reverse-lookup on received messages can help prevent spoofing of the sending host's name if you do not have a firewall or mail server between the Internet and the InterScan MSS server. However, installing InterScan MSS in front of the firewall is NOT recommended. Note also that this check verifies only the name announced in HELO/EHLO against the connecting address; it does not verify the sender address in MAIL FROM or in the From: header.

Note: Because of the added DNS query, enabling reverse-lookup affects the performance of InterScan MSS.
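The check described above, written out as an added example (this is not Trend Micro's code): the gateway takes the name from HELO/EHLO, resolves it, and compares the result with the source address of the TCP connection. DNS resolution is injected so the example runs offline against constructed records; the host names, addresses and the greeting name imss.example.test are assumptions for the example.

```python
# Added example (not Trend Micro code): the HELO/EHLO reverse-lookup described above.
# The resolver is injected so the demonstration runs offline against constructed DNS data;
# every host name and address below is made up for the example.
import ipaddress
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> Iterable[str]:
    """Resolve a host name to its IPv4 addresses with the operating system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def helo_lookup_ok(peer_ip: str, helo_arg: str, resolve: Resolver = system_resolver) -> bool:
    """Return True when the name given in HELO/EHLO resolves to the peer's own IP.

    This is the check the text describes: the gateway already knows the source IP of
    the TCP connection, it queries DNS for the announced domain name, and it accepts
    only if one of the returned addresses equals that source IP. An address literal
    such as [192.0.2.10] is accepted only when it equals the peer address.
    """
    helo_arg = helo_arg.strip().lower().rstrip(".")
    if not helo_arg:
        return False
    if helo_arg.startswith("[") and helo_arg.endswith("]"):
        try:
            return ipaddress.ip_address(helo_arg[1:-1]) == ipaddress.ip_address(peer_ip)
        except ValueError:
            return False
    return peer_ip in set(resolve(helo_arg))


def greeting_reply(peer_ip: str, helo_line: str, resolve: Resolver = system_resolver,
                   enforce: bool = True) -> str:
    """Reply to a HELO/EHLO line. With enforce=True a failed lookup is refused with a
    permanent error so the peer cannot continue to MAIL FROM; with enforce=False the
    failure is only noted (log-only mode, useful before turning rejection on)."""
    verb, _, arg = helo_line.strip().partition(" ")
    if verb.upper() not in ("HELO", "EHLO"):
        return "503 Expected HELO or EHLO"
    if helo_lookup_ok(peer_ip, arg, resolve):
        return f"250 imss.example.test Hello {arg}"
    if enforce:
        return f"550 HELO name {arg} does not resolve to {peer_ip}"
    return f"250 imss.example.test Hello {arg} (reverse-lookup failed, logged only)"


# Constructed DNS data for the offline demonstration.
FAKE_DNS = {
    "mail.partner.example": ["198.51.100.7", "198.51.100.8"],
    "mx.bulkmailer.example": ["203.0.113.200"],
}


def fake_resolver(name: str) -> Iterable[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    # Legitimate peer: announces a name that resolves to its own address.
    print(greeting_reply("198.51.100.8", "EHLO mail.partner.example", fake_resolver))
    # Peer announcing someone else's name: the name resolves, but not to this source IP.
    print(greeting_reply("192.0.2.66", "HELO mx.bulkmailer.example", fake_resolver))
    # Unknown name: DNS returns nothing, so the lookup fails as well.
    print(greeting_reply("192.0.2.66", "HELO nonexistent.invalid", fake_resolver))
```

Run it in log-only mode (enforce=False) against real traffic first: many legitimate senders announce a HELO name that does not resolve to their connecting address, and the page's own performance note applies to every connection, since each one now costs a DNS query.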

To configure connection settings for InterScan MSS, click Configuration > SMTP Routing > Receiver > Connections. The Connections screen appears (see Figure 3-2). Enter your desired values in the fields provided.

Figure 3-2: The SMTP Routing Receiver Connections screen.

Note: To apply the new connection settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied after you restart the InterScan MSS service.

Connection Control

You can limit which SMTP hosts are permitted to connect to the InterScan MSS server. For example, you can block the IP address of an organization that has previously sent you spam, or block an IP address if you suspect the host is an open relay used by spammers. You can configure which servers can connect to the InterScan MSS server in one of two ways:
- Explicitly list which servers cannot connect (deny access list) and allow all others.
- Explicitly list which servers can connect (allow access list) and block all others.

To set connection privileges, click Configuration > SMTP Routing > Receiver > Connection Control. The Connection Control screen appears (see Figure 3-3). Click the Edit button next to the list that you want to configure and enter the requested information on the resulting screen (see Figure 3-4).

Figure 3-3: The SMTP Routing Receiver Connection Control screen.

Figure 3-4: The Connection Control screen used to configure the list of servers that cannot connect to the InterScan MSS server.

Note: To apply the new connection control settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied after you restart the InterScan MSS service.

Relay Control

You can deny or allow other computers to relay messages through your InterScan MSS server. Unauthorized users who relay messages through SMTP servers are a common problem for administrators. Spammers send spam through a company's servers to hide their own identity and to borrow the company's identity. For example, a spammer might relay spam through ABC Company; when users receive the spam, the source appears to be ABC Company rather than the spammer. In addition to abusing the company's identity, spammers consume the company's bandwidth, and the abused server is likely to end up on spam blocklists.

InterScan MSS handles relay control in the following manner:
- Restrict relay to specific local domains: all hosts are allowed to relay messages to a specific list of destinations (Allowed Relay Destinations). Normally, you enter the domain names used by your organization.
- Allow exceptions based on host IP or IP range: only the hosts that you specify (Permitted Senders of Relayed Email) are allowed to relay messages to hosts not in the Allowed Relay Destinations list.

Hosts in the Permitted Senders of Relayed Email list can relay messages through the InterScan MSS server to any domain, that is, they can use InterScan MSS as an open relay. Enter only hosts that you trust to use the relay according to your company's guidelines. In most cases, you enter only your own mail servers.

Note: A blank Permitted Senders of Relayed Email list means no server can relay messages through InterScan MSS to the Internet.

To permit a host to relay messages, click Configuration > SMTP Routing > Receiver > Relay Control. The Relay Control screen appears (see Figure 3-5). Type the domain of the host in the field provided and click the plus (+) button to add it to the Allowed Relay Destinations list.

Note: When configuring relay control, you can use a wildcard (*). Be careful with wildcards in the Allowed Relay Destinations list: an entry consisting of * alone would accept mail for every domain and turn the gateway into an open relay.
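The connection-control lists and the relay-control rules from the two sections above, implemented together as an added example (not Trend Micro's code): a deny or allow list is applied per connecting IP, and each RCPT TO is accepted only when the recipient domain is one of our own or the connecting host is a permitted sender. The address lists and domains are constructed for the example; the refusal of a bare * destination is the example's own safeguard, not a product behaviour.

```python
# Added example (not Trend Micro code): the connection-control and relay-control
# decisions described above, applied to constructed address lists. The IP addresses
# and domain names are made up for the example.
import ipaddress
from fnmatch import fnmatchcase


def parse_networks(entries):
    """Accept single addresses ('192.0.2.5') or CIDR ranges ('10.0.0.0/8')."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def ip_listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


class ConnectionControl:
    """mode='deny': listed hosts are refused, everyone else may connect.
    mode='allow': only listed hosts may connect, everyone else is refused."""

    def __init__(self, mode, entries):
        if mode not in ("deny", "allow"):
            raise ValueError("mode must be 'deny' or 'allow'")
        self.mode = mode
        self.networks = parse_networks(entries)

    def accept(self, peer_ip):
        listed = ip_listed(peer_ip, self.networks)
        return (not listed) if self.mode == "deny" else listed


class RelayControl:
    """allowed_destinations: recipient domains any host may send to (your own
    domains; '*' wildcards allowed, e.g. '*.example.com', which does not match
    the bare 'example.com', so list both).
    permitted_senders: hosts trusted to relay to any other domain (your own mail
    servers). An empty list means nobody can relay outbound through the gateway."""

    def __init__(self, allowed_destinations, permitted_senders):
        self.destinations = [d.lower() for d in allowed_destinations]
        self.senders = parse_networks(permitted_senders)
        if "*" in self.destinations:
            raise ValueError("'*' as an allowed destination would create an open relay")

    def is_local_destination(self, rcpt):
        domain = rcpt.strip("<>").rpartition("@")[2].lower().rstrip(".")
        return any(fnmatchcase(domain, pattern) for pattern in self.destinations)

    def rcpt_reply(self, peer_ip, rcpt):
        """Reply to RCPT TO:<rcpt> from peer_ip. The decision is per recipient, so one
        message may have its local recipients accepted and external ones refused."""
        if self.is_local_destination(rcpt):
            return "250 OK"                       # inbound mail for our own domains
        if ip_listed(peer_ip, self.senders):
            return "250 OK"                       # our own servers sending outbound
        return "550 Relaying denied"              # anyone else: refuse, or we are an open relay


if __name__ == "__main__":
    conn = ConnectionControl("deny", ["203.0.113.0/24"])          # known spam source
    relay = RelayControl(["example.com", "*.example.com"], ["192.0.2.10", "192.0.2.11"])
    for peer, rcpt in [("198.51.100.7", "<bob@example.com>"),         # inbound, accepted
                       ("192.0.2.10", "<alice@partner.example>"),     # outbound from our MTA
                       ("198.51.100.7", "<alice@partner.example>")]:  # relay attempt
        print(peer, rcpt, conn.accept(peer), relay.rcpt_reply(peer, rcpt))
```

The order matters: the connection decision is made once per TCP connection, before any SMTP command, while the relay decision is repeated for every recipient, because a single message can mix local and external recipients.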

Figure 3-5: The SMTP Routing Receiver Relay Control screen.

Note: To apply the relay control settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied after you restart the InterScan MSS service.

Delivery Settings

As an SMTP gateway, InterScan MSS passes email to another SMTP server or Message Transfer Agent (MTA) that resolves the final destination. You can configure the routing method, either DNS (MX lookup) or smarthost, based on the recipient's domain name.

Domain-Based Delivery

You can use the domain-based delivery settings to specify a delivery method for email addressed to specific domains. For example, if your company has two separate domain names, you might use a smarthost to route email between the two domains.

To specify the routing method, click Configuration > SMTP Routing > Delivery > Domain-Based Delivery. The Domain-Based Delivery screen appears (see Figure 3-6). The screen displays the configurations for processing email destined for the specified domains. To edit a configuration, click the view link in the Details column. To add another domain to the list, click Add and enter the requested information in the fields provided (see Figure 3-7).

Figure 3-6: The SMTP Domain-Based Delivery screen.

Figure 3-7: The SMTP Domain-Based Delivery Add screen.

Note: If you do not enter the IP address of a DNS server here, InterScan MSS uses the DNS server listed in the server's TCP/IP configuration.

Note: To apply the new domain-based delivery settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied when you restart the InterScan MSS service.

Advanced Delivery

InterScan MSS includes optional delivery settings that you can use to customize how the built-in SMTP server processes messages. You can configure how often InterScan MSS tries to deliver a message, how many times a message can be passed from server to server, and whether you want other parties to know that you are using InterScan MSS.

Deferrals

When InterScan MSS cannot deliver an email, it temporarily stores the email in the retry queue and tries again later. To keep InterScan MSS from retrying an undeliverable email forever, you can configure the Retry interval, which is the frequency with which InterScan MSS attempts to deliver email in the retry queue, and the Maximum retry period, which is the time frame during which InterScan MSS keeps attempting delivery. If InterScan MSS cannot deliver the email within the retry period, it deletes the email and sends a non-delivery report (NDR) to the sender.

Hop Count and Masquerade Domains

Configuring a hop count prevents messages from looping indefinitely. For example, if Server A routes a message to Server B and Server B sends it back to Server A, the message may loop between these servers indefinitely if you do not configure a hop count (see Figure 3-9). The hop count caps the number of times a message may be handed from one server to the next; once the cap is reached the message is rejected instead of being forwarded again.

Figure 3-9: A hop count prevents messages from looping indefinitely between Server A and Server B.

Configuring a masquerade domain changes the domain name in the From lines of the SMTP protocol. For example, if your company has two unique domain names and you want all messages to use the same domain name, you can configure a masquerade domain.

Received Header Information

If you do not want other parties to know that you are using InterScan MSS, you can disable the Received header setting.

To customize your SMTP delivery settings, click Configuration > SMTP Routing > Delivery > Advanced. The Advanced screen appears (see Figure 3-10). Enter the requested information in the fields provided and click Save.
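Hop counting and masquerading as an added example (not Trend Micro's code) on a constructed message that has already bounced between two servers. The example assumes the usual SMTP convention that each MTA prepends a Received: header, so the number of Received: headers is the hop count; the server names, addresses and the masquerade domain are made up for the example.

```python
# Added example (not Trend Micro code): hop-count enforcement and masquerade-domain
# rewriting on a constructed message. Assumption: the hop count is taken from the
# Received: headers, one of which every MTA adds as it handles a message.
from email import message_from_string, policy
from email.utils import formataddr, parseaddr

# Constructed message that has already been handed between two servers three times.
LOOPING_MESSAGE = """\
Received: from serverb.example.com by servera.example.com; Mon, 6 Oct 2003 10:00:03 +0000
Received: from servera.example.com by serverb.example.com; Mon, 6 Oct 2003 10:00:02 +0000
Received: from client.sales.example.com by servera.example.com; Mon, 6 Oct 2003 10:00:01 +0000
From: Ann Example <ann@sales.example.com>
Reply-To: ann@sales.example.com
To: Bob <bob@partner.example>
Subject: quarterly figures

Attached.
"""


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def hop_count(msg):
    """Number of Received: headers, i.e. the number of MTAs that have handled the message."""
    return len(msg.get_all("Received", []))


def hop_check(msg, max_hops):
    """Refuse a message once it has been handed on max_hops times. A permanent 554 so
    the message is not retried; a loop would otherwise run until a disk fills."""
    hops = hop_count(msg)
    if hops >= max_hops:
        return f"554 Too many hops ({hops} >= {max_hops}), possible mail loop"
    return "250 OK"


def masquerade_address(address, masquerade_domain, internal_domains):
    """user@<internal domain> -> user@<masquerade domain>; other addresses untouched."""
    name, addr = parseaddr(address)
    local, at, domain = addr.rpartition("@")
    if at and domain.lower() in {d.lower() for d in internal_domains}:
        addr = f"{local}@{masquerade_domain}"
    return formataddr((name, addr))


def masquerade_message(envelope_from, msg, masquerade_domain, internal_domains):
    """Apply the masquerade to the envelope sender (MAIL FROM) and to the From/Sender/
    Reply-To header lines. Recipient headers are deliberately left alone."""
    new_envelope = masquerade_address(envelope_from, masquerade_domain, internal_domains)
    for header in ("From", "Sender", "Reply-To"):
        if header in msg:
            msg.replace_header(header, masquerade_address(msg[header], masquerade_domain,
                                                          internal_domains))
    return new_envelope, msg


if __name__ == "__main__":
    msg = parse(LOOPING_MESSAGE)
    print(hop_check(msg, max_hops=3))          # 554: three Received headers already
    print(hop_check(msg, max_hops=30))         # 250: well under a typical limit
    env, msg = masquerade_message("ann@sales.example.com", msg, "example.com",
                                  ["sales.example.com", "hq.example.com"])
    print(env, "|", msg["From"], "|", msg["Reply-To"], "|", msg["To"])
```

Note that masquerading rewrites only sender addresses in internal domains; a reply from the outside still goes to user@example.com, so the masquerade domain must actually accept mail for those users.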

Figure 3-10: The SMTP Routing Delivery Advanced screen.

Note: To apply the new delivery settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied after you restart the InterScan MSS service.

Message Settings

You can use the InterScan MSS Message settings to set limits on the following items:
- Message size
- Data size per session
- Number of messages per connection
- Number of recipients per message

These limits are the first rules that InterScan MSS applies when it receives email. Email that exceeds them is not accepted, which provides extra protection against denial-of-service attacks: an oversized or recipient-flooded message is refused before it is queued or scanned.

To set message limits, click Configuration > SMTP Routing > Message. The Message screen appears (see Figure 3-11). Select the check box next to each restriction that you want to enable and type a size or quantity in the fields provided.

Figure 3-11: The SMTP Routing Message screen.

Note: If you do not want to set a limit, leave the item's check box cleared. Entering 0 in any of the fields on the Message screen is equivalent to leaving the check box cleared.

Note: To apply the new message settings, click Apply Now in the top-left corner of the console. Otherwise, the settings are applied after you restart the InterScan MSS service.

Retry Queue Viewer

You can view the messages in the retry queue and the first 1 KB of data in each message. InterScan MSS automatically tries to deliver messages in the retry queue. However, depending on the values you entered in the SMTP Routing settings, InterScan MSS might not try to deliver messages in the retry queue for several hours. If needed, you can force-deliver messages in the retry queue without waiting for the retry interval to elapse.

To manage your delivery queue, click Configuration > System Monitor > Retry Queue Viewer. The Retry Queue Viewer screen appears, displaying the email in the retry queue (see Figure 3-12). Select the email(s) that you want to force-deliver and click Deliver Now.
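The four message limits enforced at the protocol stage, as an added example (not Trend Micro's code): one object tracks a connection and answers MAIL FROM, RCPT TO and the end of DATA against the limits, with 0 meaning "no limit" as on the Message screen. The limit values and the replayed session are constructed; the reply codes follow SMTP convention rather than the product's exact wording.

```python
# Added example (not Trend Micro code): enforcing the four message limits above at the
# SMTP protocol level. A value of 0 means "no limit", as on the Message screen.
# Limit values and the sample session below are constructed for the example.
from dataclasses import dataclass


@dataclass
class MessageLimits:
    max_message_bytes: int = 0
    max_session_bytes: int = 0
    max_messages_per_connection: int = 0
    max_recipients_per_message: int = 0


class SmtpSession:
    """Tracks one TCP connection and answers MAIL/RCPT/DATA against the limits.
    The checks run before any message content is queued or scanned, which is what
    makes them useful against flooding: an oversized or recipient-stuffed message is
    refused at the protocol stage instead of consuming disk and scanner time."""

    def __init__(self, limits):
        self.limits = limits
        self.messages_accepted = 0
        self.session_bytes = 0
        self.recipients = 0

    def mail_from(self, declared_size=0):
        """MAIL FROM:<...> [SIZE=n]. The SIZE parameter lets the limit be applied before DATA."""
        lim = self.limits
        if lim.max_messages_per_connection and self.messages_accepted >= lim.max_messages_per_connection:
            return "421 Too many messages in this connection, closing"
        if lim.max_message_bytes and declared_size > lim.max_message_bytes:
            return "552 Message size exceeds fixed maximum message size"
        if lim.max_session_bytes and self.session_bytes + declared_size > lim.max_session_bytes:
            return "452 Session data limit reached"
        self.recipients = 0
        return "250 OK"

    def rcpt_to(self):
        lim = self.limits.max_recipients_per_message
        if lim and self.recipients >= lim:
            return "452 Too many recipients"
        self.recipients += 1
        return "250 OK"

    def data_end(self, actual_size):
        """End of DATA: re-check with the real size, since SIZE is only the sender's claim."""
        lim = self.limits
        if lim.max_message_bytes and actual_size > lim.max_message_bytes:
            return "552 Message size exceeds fixed maximum message size"
        if lim.max_session_bytes and self.session_bytes + actual_size > lim.max_session_bytes:
            return "452 Session data limit reached"
        self.messages_accepted += 1
        self.session_bytes += actual_size
        return "250 OK"


def run_session(limits, transcript):
    """Replay a list of (command, value) tuples and return the reply codes."""
    session = SmtpSession(limits)
    replies = []
    for command, value in transcript:
        if command == "MAIL":
            replies.append(session.mail_from(value))
        elif command == "RCPT":
            replies.append(session.rcpt_to())
        elif command == "DATA":
            replies.append(session.data_end(value))
    return [reply.split(" ", 1)[0] for reply in replies]


if __name__ == "__main__":
    limits = MessageLimits(max_message_bytes=10_000, max_session_bytes=15_000,
                           max_messages_per_connection=2, max_recipients_per_message=2)
    flood = [("MAIL", 0), ("RCPT", 0), ("RCPT", 0), ("RCPT", 0), ("DATA", 8_000),
             ("MAIL", 0), ("RCPT", 0), ("DATA", 20_000),
             ("MAIL", 0), ("RCPT", 0), ("DATA", 5_000),
             ("MAIL", 0)]
    print(run_session(limits, flood))
```

A rejected message does not count toward the per-connection message total or the session byte total, which is why the third MAIL FROM in the replay is still accepted after the oversized second message was refused.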

Figure 3-12: The Retry Queue Viewer screen.

Note: For more information about a message, click the View link next to the message.

Undeliverable Messages (Badmail Directory)

To prevent InterScan MSS from deleting undeliverable email after the retry period expires, you can have it move the email to the badmail directory instead. To do so, use a text editor to edit the IsntSmtp.ini file: search for QueueBadmail=no and change it to QueueBadmail=yes. The IsntSmtp.ini file is located in the C:\Program Files\Trend\IMSS folder.

Note: The badmail directory is \Trend\IMSS\isntsmtp\badmail. Its path cannot be modified. Messages kept there are not delivered, so review and purge the directory periodically so that it does not consume the free disk space the product requires.

Testing the InterScan MSS Installation

The European Institute for Computer Anti-Virus Research (EICAR), together with antivirus vendors, has developed a test file that you can use to check whether your system detects viruses. The test file is not an actual virus: it can neither harm your system nor replicate. Its signature is included in the Trend Micro virus pattern file, so the Trend Micro scan engine detects it. You can download the EICAR test file from the following web site:

You may need to disable HTTP scanning, if any, before downloading the file. Send the test file as an email attachment to test SMTP scanning. Alternatively, copy the following text into a text file and save the file with a .com extension (for example, eicar.com):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The string must be the first 68 bytes of the file, with no leading whitespace or byte-order mark; an editor that adds either produces a file that is not detected.
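Building the test message programmatically, as an added example (not Trend Micro's code): it attaches the EICAR string as eicar.com, checks that the attachment survives serialisation byte-for-byte, and can submit the message to the gateway's SMTP listener. The sender, recipient, file name and gateway host are assumptions for the example.

```python
# Added example (not Trend Micro code): build the EICAR test message for an SMTP
# scanning test and, optionally, submit it through the gateway. The gateway host,
# addresses and file name are assumptions for the example.
import smtplib
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage

# The 68-byte EICAR string, assembled from two halves so that saving this source
# file does not itself trip a desktop scanner. The exact bytes matter: the file
# must begin with this string, with no leading whitespace or byte-order mark.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_FILENAME = "eicar.com"


def build_test_message(sender, recipient):
    """A plain message carrying eicar.com as an attachment, the way a user would
    send it to exercise the Antivirus filter on the SMTP path."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR gateway scan test"
    msg.set_content("This message carries the EICAR test file to verify SMTP scanning.\n")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename=EICAR_FILENAME)
    return msg


def extract_eicar(raw_bytes):
    """Parse a message as received on the wire and return the decoded test-file
    content, or None if the attachment is absent (for example, because the gateway
    stripped it). Base64 transfer encoding is undone by get_payload(decode=True)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_filename() == EICAR_FILENAME:
            return part.get_payload(decode=True).decode("ascii")
    return None


def eicar_round_trips(sender="tester@example.com", recipient="admin@example.com"):
    """Self-check: after serialisation and parsing the attachment is still byte-exact."""
    wire = build_test_message(sender, recipient).as_bytes()
    return extract_eicar(wire) == EICAR


def send_through_gateway(msg, gateway_host, gateway_port=25):
    """Submit the message to the InterScan MSS SMTP listener. The gateway should then
    act on it (quarantine, clean or notify) according to the Antivirus filter."""
    with smtplib.SMTP(gateway_host, gateway_port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    msg = build_test_message("tester@example.com", "admin@example.com")
    print("attachment intact after round trip:", eicar_round_trips())
    if len(sys.argv) > 1:                      # python eicar_test.py imss.example.test
        send_through_gateway(msg, sys.argv[1])
```

Send it from a host that the relay-control settings permit, and watch the quarantine area and the notification mailbox rather than the recipient's inbox: a correctly configured gateway should never deliver the attachment.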

Chapter 3 Summary and Review Questions

Summary

InterScan MSS has its own built-in SMTP server. You can configure routing settings for this SMTP server, such as the IP address, SMTP greeting, and connection time-out. You can also configure the SMTP server to perform reverse-lookups, limit which SMTP hosts are permitted to connect to the SMTP server, and control which hosts can use the SMTP server as a relay. Furthermore, you can configure delivery settings such as domain-based delivery, hop counts, masquerade domains, and message limits.

Review Questions

1. Why would you want to use a reverse-lookup?
   a. To configure a deny access list
   b. To prevent known spam senders from using your SMTP server as a relay
   c. To enable domain-based delivery
   d. To create a masquerade domain

2. What does the hop count limit?
   a. The number of times an e-mail can be forwarded
   b. The number of times InterScan MSS can retry delivering an e-mail
   c. The number of times an e-mail is scanned
   d. The number of times an e-mail can loop between the InterScan MSS and e-mail servers

3. What is the purpose of a masquerade domain?
   a. To block spam coming from specified domains
   b. To block all e-mail from specified domains
   c. To change the domain name in the From: field
   d. All of the above

Chapter 4: Configuring POP3 Scanning Settings

Chapter Objective

After completing this chapter, you should be able to:
- Configure and edit POP3 scanning settings

POP3 Scanning

In addition to Simple Mail Transfer Protocol (SMTP) traffic, InterScan Messaging Security Suite (InterScan MSS) can scan POP3 messages at the gateway. Even if your company does not use Post Office Protocol 3 (POP3) e-mail, employees might want to access personal POP3 accounts using e-mail clients on their computers. If this POP3 traffic is not scanned, your network is vulnerable to virus attacks.

How It Works

The InterScan MSS POP3 scanner acts as a proxy, sitting between e-mail clients and POP3 servers (see Figure 4-1).

Figure 4-1: How POP3 scanning works (diagram: POP3 clients behind the firewall connect to the POP3 scanner on the InterScan MSS for SMTP server, which connects across the Internet to POP3 Server A and POP3 Server B).

To scan POP3 traffic, configure your e-mail clients to connect to the InterScan MSS server POP3 proxy. You can set up the following connection types:

Generic: Access different POP3 servers using the default port for POP3 traffic (typically 110).

Dedicated: Access the POP3 server using a specified port, when the POP3 server requires authentication using the Advanced Post Office Protocol (APOP) command or requires a port other than 110.

Requirements

For InterScan MSS to scan POP3 traffic, a firewall must be installed on the network and configured to block POP3 requests from all computers except the InterScan MSS server. In addition, configuration changes must be made to every e-mail client so that messages are retrieved only through the InterScan MSS server. InterScan MSS includes the POP3 Client Tool to help users make configuration changes on the Eudora, Microsoft Outlook/Outlook Express, Netscape Messenger, and Pegasus clients. The POP3 Client Tool is packaged as an ActiveX control so that users can run it from the following Web page: /InterScanPOP3ClientTool.html Replace InterScanMSS_server with the name of your InterScan MSS server.

Note: The POP3 Client Tool only works using Internet Explorer on a Windows platform.

If users need to connect to a POP3 server that requires APOP or Windows NT LAN Manager (NTLM) authentication, or if you need to manually configure a client that is not supported by the POP3 Client Tool ActiveX control, see the Manually Configuring Clients section in this chapter.

Settings

If you enable POP3 scanning, you can customize the following settings:

Inbound POP3 IP address: Select the IP address over which InterScan MSS will receive POP3 traffic.

Simultaneous User Connections: Specify the number of simultaneous connections that you want InterScan MSS to allow. The number of connections can affect the performance of your InterScan MSS server. The default value is five. If you installed InterScan MSS on a server with multiple CPUs, you can increase this number to take advantage of the increased processing power.

Status Message: Type the message that you want InterScan MSS to send to users when e-mail addressed to them triggers a filter. If InterScan MSS deletes an e-mail because of content that violated the company's policies, the message sent to the recipient might be similar to the following example: InterScan Messaging Security Suite cannot retrieve this message due to the administrator's policy.

To enable POP3 message scanning, click Configuration > POP3 > Settings. The Settings screen appears (see Figure 4-2). Select the Enable POP3 Scanning check box, enter the requested information in the fields provided, and click Save.

Figure 4-2: The POP3 Settings screen.

Note: To apply the new POP3 scanning settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service. You must run the POP3 Client Tool to reconfigure your clients to retrieve e-mail through the InterScan MSS POP3 proxy with the updated settings.

To use the POP3 Client Tool without running the ActiveX control, unzip the tmp3proa.cab file from the C:\Program Files\Trend\IMSS\UI\xhtml\en\ folder and send the tmp3cmd.exe and pop3.ini files to your client users. The pop3.ini file is located in the C:\Program Files\Trend\IMSS\ folder.

Connections

You can specify the ports on the InterScan MSS server that will be used to retrieve POP3 traffic. The default POP3 port is 110. However, if your users need to access a POP3 server through an authenticated connection (using the APOP command or NTLM), you may also set up a dedicated connection with a customized port assignment.

Viewing and Editing Connections

To view and edit the POP3 connections currently set up on your server, click Configuration > POP3 > Connections from the left-hand column of the InterScan MSS Web console. The Connections screen appears (see Figure 4-3). Click the view link to edit the POP3 server and port connections that appear in the table. The Edit screen appears (see Figure 4-4). Enter the requested port numbers and IP address in the fields provided and click Save.

To add a new POP3 connection, click the Add button and enter the requested port numbers and IP address in the fields provided. To delete a POP3 connection, select the check box next to the respective connection and click Delete.

Figure 4-3: The POP3 Connections screen.

Figure 4-4: The POP3 Connections Edit screen.

Note: To apply the new POP3 connection settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

Note: You must run the POP3 Client Tool to reconfigure your clients to retrieve e-mail through the InterScan MSS POP3 proxy with the updated settings.

The POP3 Client Tool

The POP3 Client Tool modifies Eudora, Microsoft Outlook/Outlook Express, Netscape Messenger, and Pegasus clients to enable POP3 e-mail access through the InterScan MSS POP3 proxy. The POP3 Client Tool:
- Configures any available POP3 accounts when executed
- Replaces the client POP3 server address with the InterScan MSS proxy IP address
- Appends the client's pre-existing POP3 server address to the account name, separating them with a # delimiter

Note: The POP3 Client Tool uses settings that you enter in the InterScan MSS Management Console. If you change these settings, you must run the POP3 Client Tool to reconfigure your clients with the new settings.

Running From a Web Page

To reconfigure clients using the POP3 Client Tool, users can run an ActiveX control from the following Web site:

Manually Configuring Clients

You can also use the POP3 Client Tool to manually configure your client POP connection settings. Manual configuration is useful when the client requires a specific, dedicated connection to its POP3 server through the InterScan MSS proxy.

Generic Connections

For generic connections, which support most POP3 servers, assume the following account information is provided as the current client POP3 configuration:
   Incoming (POP3) server: pop.domain.com
   Account name: John_Smith

In addition, assume the inbound POP3 IP address used by InterScan MSS is

To enable POP3 retrieval and scanning, change the client settings to the following:
   Incoming (POP3) server:
   Account name: John_Smith#pop.domain.com

Note: When accessing a POP3 server that uses a port other than that specified in the InterScan MSS generic connection port setting, append an extra # separator and add the port. For example, if the POP3 server uses port 120 when InterScan MSS is set to use 110, the account name is John_Smith#pop.domain.com#120.

Dedicated Connections

To use a dedicated connection, modify your client in the following ways:
- Change the POP3 server port in your e-mail client settings to the port used by InterScan MSS as the Inbound POP3 Port.
- Modify the incoming POP3 server to use the InterScan MSS proxy IP address.
- The account name does not change because the actual POP3 server is referenced in the dedicated-connection settings of InterScan MSS. Include the # separator and port number only if the client requires the InterScan MSS proxy to retrieve e-mail using a port that differs from the one specified in the POP3 Server settings.
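The account-name convention above (user#server, optionally #port) is what lets a generic connection reach many different POP3 servers through one proxy address, and it is also the first place a misconfigured client fails. The following is an added example, not the POP3 Client Tool or any Trend Micro code: it parses an account name into the real username, server and port the proxy would connect to, rejects names the proxy could not act on, and produces the generic-connection client settings the page describes. The proxy address 192.0.2.10 and the function names are constructed for illustration.

```python
"""Parse and generate the user#server#port account names used for generic
connections through a POP3 proxy. Added example, not Trend Micro code."""
from __future__ import annotations

from dataclasses import dataclass

GENERIC_POP3_PORT = 110  # the generic-connection port the page uses


@dataclass(frozen=True)
class ProxyTarget:
    username: str   # what the proxy presents to the real POP3 server
    server: str     # the real POP3 server the proxy connects to
    port: int       # port on that server


def parse_proxy_account(account: str, generic_port: int = GENERIC_POP3_PORT) -> ProxyTarget:
    """Split 'John_Smith#pop.domain.com#120' into its parts. A missing port means
    the generic port. A bare account with no '#server' is rejected because the
    proxy would have no server to connect to. A '#' inside the real username
    is ambiguous under this convention and is also rejected."""
    parts = account.split("#")
    if len(parts) == 1:
        raise ValueError(f"{account!r}: no '#server' suffix; no POP3 server to connect to")
    if len(parts) > 3 or not all(parts):
        raise ValueError(f"{account!r}: expected user#server or user#server#port")
    user, server = parts[0], parts[1]
    port = generic_port
    if len(parts) == 3:
        if not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
            raise ValueError(f"{account!r}: port must be a number from 1 to 65535")
        port = int(parts[2])
    return ProxyTarget(user, server, port)


def generic_client_settings(user: str, server: str, proxy_ip: str,
                            server_port: int = GENERIC_POP3_PORT) -> dict[str, object]:
    """What a generic-connection client ends up with: the proxy as its server,
    the original server appended to the account name, and the port appended
    only when it differs from the generic port."""
    account = f"{user}#{server}"
    if server_port != GENERIC_POP3_PORT:
        account += f"#{server_port}"
    return {"incoming_server": proxy_ip, "port": GENERIC_POP3_PORT, "account_name": account}


if __name__ == "__main__":
    # Constructed proxy address (documentation range), not a real deployment.
    print(generic_client_settings("John_Smith", "pop.domain.com", "192.0.2.10", 120))
    print(parse_proxy_account("John_Smith#pop.domain.com#120"))
```

Running parse_proxy_account() over the account names your clients actually send is a quick way to find the ones whose login will fail at the proxy before users report it.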

Chapter 4 Summary and Review Questions

Summary

To scan POP3 traffic, you can set up generic or dedicated connections to the InterScan MSS server POP3 proxy, which sits between e-mail clients and POP3 servers. You can specify the ports on the InterScan MSS server that will be used to retrieve POP3 traffic. The default POP3 port is 110. You can also set the number of clients that can retrieve POP3 messages simultaneously (which affects performance), and you can customize the status message users receive if POP3 messages sent to them trigger a filter that prevents delivery.

The POP3 Client Tool modifies Eudora, Outlook/Outlook Express, Netscape Messenger, and Pegasus clients to enable POP3 e-mail access through the InterScan MSS POP3 proxy. The POP3 Client Tool is packaged as an ActiveX control so that users can run it from a browser.

Review Questions

1. Which of the following must be installed on your network in order for InterScan MSS to scan POP3 traffic?
   a. VPN
   b. RADIUS server
   c. Firewall
   d. Trend Micro Control Manager

2. Why might you need to set up a dedicated connection to the InterScan MSS server POP3 proxy?
   a. InterScan MSS is installed on a server that has more than one network interface card.
   b. Users need to authenticate to the POP3 server using the APOP command.
   c. You are using the POP3 Client Tool.
   d. You need to configure a client that is not supported by the POP3 Client Tool ActiveX control.

Chapter 5: Configuring General and Security Settings

Chapter Objectives

After completing this chapter, you should be able to:
- Change the InterScan Messaging Security Suite (InterScan MSS) Management Console password
- Enable notification by e-mail, Simple Network Management Protocol (SNMP) trap, or pager
- Learn and change (if permitted) the default locations of message-processing directories
- Configure InterScan MSS security settings

General Settings

The InterScan MSS Web console password, notifications, and queue directories can all be configured in the General Settings.

InterScan MSS Web Console Password

After installing InterScan MSS, you should set a password for the InterScan MSS Management Console. Requiring a password prevents unauthorized users from making changes to the InterScan MSS settings. Trend Micro recommends that you change your password frequently to ensure security.

To change the InterScan MSS Web console password, click Configuration > General > Password from the left-hand column of the InterScan MSS Web console. The Password screen appears (see Figure 5-1). Enter your old and new passwords in the fields provided and click Save.

Figure 5-1: The Password screen.

Note: When setting the password for the first time, the Current password field will be blank.

Notification Settings

You and other network administrators can be notified by e-mail or SNMP Trap when any of the following events occur:
- A virus is detected.
- A policy is updated.
- The system requires attention.

E-mail Notifications

When configuring e-mail notifications, you must supply the following information:

SMTP server: This setting is configured during installation. If you want InterScan MSS to use an SMTP server, you must supply the IP address of the server that InterScan MSS should use.

SMTP port: The default setting for the SMTP port is 25. If you need to use a different port number to send notification messages, you must change this setting.

Administrator e-mail address: This setting determines to whom notifications are sent. You can enter a single address, or you can enter multiple addresses and use a semi-colon (;) to separate each address.

From address: When InterScan MSS sends a notification to a user, the address that you enter for this setting appears in the From: field. You can make it appear as though the message is coming from the administrator and not from InterScan MSS.

Preferred charset: If you want non-English characters to appear in notification messages, you should change this setting to the appropriate option from the Preferred charset dropdown menu.

Message header: The message header is a user-defined message that appears at the front of the Non Delivery Receipt. For example, you might create a message to show that InterScan MSS sent the notification.

Message footer: The message footer is another user-defined message that appears at the end of the Non Delivery Receipt.

Notify Mail Limit in one hour: By default, InterScan MSS will not send out more than 1,500 notifications in one hour. You can raise or lower this limit by entering a different value in the field provided. If you enter a zero, InterScan MSS can send an unlimited number of messages.
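The hourly notification cap matters more than it looks: during a virus outbreak every infected message can generate a notification, and an uncapped notifier turns the gateway's own alerting into a flood of the SMTP server it reports through. The class below is an added example (not Trend Micro code) of a sliding one-hour limiter with the same semantics the page gives for the setting: a default of 1,500 per hour, and 0 meaning unlimited. Time is passed in explicitly so the behaviour can be reasoned about without waiting an hour; the simulate_burst() helper and its values are constructed.

```python
"""Sliding one-hour cap on notification sending, 0 = unlimited.
Added example, not Trend Micro code."""
from __future__ import annotations

from collections import deque

HOUR = 3600.0


class NotificationLimiter:
    def __init__(self, limit_per_hour: int = 1500):
        if limit_per_hour < 0:
            raise ValueError("limit must be 0 (unlimited) or a positive count")
        self.limit = limit_per_hour
        self._sent: deque[float] = deque()  # send times within the last hour

    def _expire(self, now: float) -> None:
        # Drop sends older than one hour so the window slides instead of
        # resetting on a fixed clock boundary.
        while self._sent and now - self._sent[0] >= HOUR:
            self._sent.popleft()

    def try_send(self, now: float) -> bool:
        """Return True if a notification may go out at time `now` (seconds) and
        record it; False if the hourly cap has been reached. Production code
        passes time.time()."""
        if self.limit == 0:
            return True
        self._expire(now)
        if len(self._sent) >= self.limit:
            return False
        self._sent.append(now)
        return True

    def sent_last_hour(self, now: float) -> int:
        self._expire(now)
        return len(self._sent)


def simulate_burst(limit: int, count: int, start: float = 0.0) -> tuple[int, int]:
    """Attempt `count` notifications one second apart (constructed scenario)
    and return (sent, suppressed)."""
    lim = NotificationLimiter(limit)
    sent = sum(1 for i in range(count) if lim.try_send(start + i))
    return sent, count - sent
```

Suppressed notifications should still be counted and logged somewhere that is not itself rate-limited, otherwise the cap hides exactly the incident it was protecting you from.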

SNMP Trap Notifications

When configuring SNMP Trap notifications, you must supply the following information:

Server name (IP or FQDN): InterScan MSS uses the IP address or Fully Qualified Domain Name in this setting to determine which server to use when sending SNMP notifications.

Community: InterScan MSS uses the community name that you enter in this field to determine to whom notifications should be sent. If the community name that you enter is not listed in the SNMP management console, or it is entered incorrectly, the notifications InterScan MSS sends are not received.

To configure the settings for both e-mail and SNMP Trap notifications, click Configuration > General > Notification Settings from the left-hand column of the InterScan MSS management console. The Notification Settings screen appears (see Figure 5-2 and Figure 5-3). Enter the requested information in the fields provided and then click Save. You only have to configure the settings for the notification method(s) that you want to use.

Figure 5-2: The E-mail section of the Notification Settings screen.

Figure 5-3: The SNMP Trap section of the Notification Settings screen.

Queue Locations

InterScan MSS uses several queues to process messages, store log files, and quarantine messages. If you change the location of the queue to a folder that does not exist, InterScan MSS will create a new folder in the specified location.

Processing, Retry, and Postpone Queues

The processing queue is where messages are temporarily stored pending scanning and final delivery to their destination. The following directory path shows the default location of the processing queue:
   C:\Program Files\Trend\IMSS\ISNTSMTP\mqueue\

The retry queue is where undeliverable messages are temporarily stored pending additional attempts at delivery. The following directory path shows the default location of the retry queue:
   C:\Program Files\Trend\IMSS\ISNTSMTP\bmqueue\

The postpone queue is where messages are temporarily stored as a result of a postpone filter action. The following directory path shows the default location of the postpone queue:
   C:\Program Files\Trend\IMSS\ISNTSMTP\postpone\

During normal operation, most of the e-mail waiting to be scanned and delivered is temporarily stored in the processing folder. However, if the connection to the downstream server is lost or if a Domain Name System (DNS) lookup failure occurs, e-mail is temporarily stored in the retry queue for later delivery.

Log Queue

Many modules within InterScan MSS write log information for troubleshooting purposes. The logs record information such as the number of times the virus-pattern file was updated, when it was updated, how many viruses were found (if any), and which viruses were found.

The following directory path shows the default location of the queue in which these logs are stored:
   C:\Program Files\Trend\IMSS\ISNTSMTP\logs\

Quarantine Queue

After InterScan MSS is installed, one default quarantine area is created. However, you can define multiple quarantine directories in different locations. The following directory path shows the default location of the quarantine area created during installation:
   C:\Program Files\Trend\IMSS\IsntSmtp\quarantine

Badmail Folder

You can configure InterScan MSS to save undeliverable messages in the badmail folder after the retry period has elapsed. When a message is delivered to the badmail folder, a non-delivery receipt (NDR) is forwarded to the sender. The location of this folder is not configurable. The following directory path shows the default location of the badmail folder:
   C:\Program Files\Trend\IMSS\isntsmtp\badmail

Temporary Folder

All application-generated temporary files are stored in the temporary folder. The location of this folder is not configurable. The following directory path shows the location of the temporary folder:
   C:\Program Files\Trend\IMSS\isntsmtp\temp\

Delivery Pickup

The quarantine manager and the retry queue viewer include a feature called Deliver Now. Messages selected for Deliver Now are moved to the Delivery Pickup folder. The InterScan MSS service has dedicated threads that deliver messages in this folder immediately. The location of this folder is not configurable. The following directory path shows the location of the Delivery Pickup folder:
   C:\Program Files\Trend\IMSS\isntsmtp\pickup_deliver

When the quarantine manager selects an e-mail to be reprocessed, it puts the e-mail in the Pickup Scan folder. The InterScan MSS service has dedicated threads that pick up messages in this folder and put them into the scan queue. The location of this folder is not configurable. The following directory path shows the location of the Pickup Scan folder:
   C:\Program Files\Trend\IMSS\isntsmtp\pickup_scan

All notification messages are put in the Notification Pickup folder. InterScan MSS has dedicated threads to pick up and deliver messages in this folder to a specified SMTP notification server. You can configure this server on the Configuration > General > Notification screen, but the folder location is not configurable. The following directory path shows the location of the Notification Pickup folder:
   C:\Program Files\Trend\IMSS\isntsmtp\pickup_notify

Changing Directory Paths

You can change the following directory paths:
- Processing queue
- Retry queue
- Postpone queue

When changing directory paths, you should remember the following guidelines:
- The path must be to a local folder (such as d:\foldername) or a mapped drive.
- You must save the new settings and click Apply Now, which restarts the service.
- Messages in the previous processing, postpone, and retry queues are not processed automatically. Before defining a new queue location, you should make a note of the old location. You should also use Windows Explorer to manually copy all of the old queue's contents to the new queue.

To change the directory path of the Processing, Retry, or Postpone queues, click General > Directories from the left-hand column of the InterScan MSS Web console. The Directories screen appears (see Figure 5-4). Find the name of the queue that you want to modify, change the directory path accordingly, click Save, and then click Apply Now.

Figure 5-4: The Directories screen.

Security

InterScan MSS has several security settings that control the maximum size of messages and their attachments. These security settings also determine how messages are processed upon program failure.

Security Settings

All security settings run as part of the virus filter in Policy Manager. If any of these values are met or exceeded, IMSS will take the filter action specified in the "Virus Scanning Aborted: message may contain viruses" section of the virus filter. You can configure the following security settings to prevent messages from consuming excessive storage space or CPU time:
- Compressed file-scanning limits
- Attachment and message virus-scanning limits
- Multiple virus-infected message limits
- emanager filter size limit
- Exception handling

You can also use these security settings to block DoS attacks that result from malicious people sending large or multiple attachments.

Compressed File-Scanning Limits

Recursively compressed files are compressed files, such as ZIP or LZH files, that contain other compressed files. Scan engines must decompress these files before they can be opened and scanned. As a result, scanning recursively compressed files that contain multiple compressed layers can be resource intensive. Most scan engines have a maximum number of compressed layers that they can scan. InterScan MSS can scan a maximum of 20 layers.

Some virus writers use these limitations to smuggle malicious code or inappropriate content past antivirus and content-management software. Virus writers hide their content deeply inside a recursively compressed file where the scan engines cannot find it. Recursively compressed files are often used to create a "zip of death," which launches a DoS attack. As the file is unzipped, its size continues to grow until it overloads the system.

To prevent zip of death and other DoS attacks, you can specify the maximum allowable size of a file after decompression. When the file reaches the maximum allowable size, InterScan MSS aborts decompression and takes the action specified for the "Virus scanning aborted: message may contain virus" filter result.

When a compressed file contains other separately compressed files, the scanning process can take a long time. For example, you might receive a file from a customer called customer_info.zip. If the file contains additional zipped files, such as financial_info.zip, sales_records.zip, and projected_earnings.zip, InterScan MSS has to decompress each file to complete the scanning process. You can limit the number of files inside a compressed file that InterScan MSS decompresses. If the number of files exceeds the limit that you set, InterScan MSS aborts decompression and takes the action specified for the "Virus scanning aborted: message may contain virus" filter result.

Attachment and Message Virus-Scanning Limits

When an e-mail with a large attachment arrives at the InterScan MSS server, e-mail flow stops while the scan engine checks the attachment for viruses. Malicious people sometimes use an e-mail with multiple large attachments to disrupt e-mail flow. Other e-mail cannot be processed until all the attachments are scanned. To decrease your vulnerability to such an attack, you can configure two options:

Attachment + message size: This option controls the maximum size of an e-mail message and its attachments.

Number of attachments: This option controls the maximum number of attachments that an e-mail message can have.

Note: Some users have legitimate reasons for sending large attachments. Being overly protective against DoS attacks might disrupt necessary information flow.

Multiple Virus-Infected Message Limits

Virus writers sometimes send messages that have multiple viruses to disrupt the delivery of e-mail. For example, an e-mail message might contain 20 attachments, and each attachment might contain a virus. No other e-mail can be delivered while the system cleans the attachments. You can configure the following settings to protect your company from such an attack:

Number of cleaning attempts: This option controls the number of times InterScan MSS tries to clean the message.

Number of viruses reported: This option controls the number of notification messages you receive per e-mail.

emanager Filter Message Size Limit

The emanager filter group manages spam, message content, and delivery. You can use the emanager Filter Message Size option to limit the size of messages that emanager filters handle. Size restrictions decrease system vulnerability against large messages that virus writers send to disrupt your e-mail processing.

To configure security settings, click Configuration > Security > Security Settings from the left-hand column of the InterScan MSS Web console. The Security Settings screen appears (see Figure 5-5). Enter values in the fields provided for message size limits and click Save.

Figure 5-5: The Security Settings screen.

Exception Handling

When InterScan MSS cannot process an e-mail, the event is known as a processing failure. Processing failures might be caused by insufficient system memory or invalid IP addresses or domain names. Encrypted e-mail can cause processing failures because the Antivirus filter and the emanager filters cannot scan it. If InterScan MSS fails to process a message, you can choose one of the following default actions:

Deliver: Delivers the message normally
Delete: Deletes the message
Delete and Notify: Deletes the message and notifies the administrator
Deliver and Notify: Delivers the message and notifies the administrator
Postpone and Notify: Postpones delivery of the message until after midnight and notifies the administrator
Quarantine: Sends the message to the default quarantine area
Quarantine and Notify: Sends the message to the default quarantine area and notifies the administrator

You can create your own filter actions that you can use in addition to the default filter actions (for more information on creating filter actions, see the Creating New Filter Actions section in Chapter 6: Understanding and Configuring Policies).

To choose an action for e-mail that cannot be processed, click Configuration > Security > Exception Handling from the left-hand frame of the InterScan MSS Web console. The Exception Handling screen appears (see Figure 5-6). Use the pulldown menus to select the filter action for both types of processing failures and then click Save.

Figure 5-6: The Exception Handling screen.

Note: To apply updated exception handling settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the program's SMTP scanning service.

Lab Exercise 3: Configuring InterScan MSS

Chapter 5 Summary and Review Questions

Summary

You can use the InterScan MSS Web console to set the console password, configure notification settings, and locate or change queue directories. You can also block DoS attacks by configuring security settings such as the number of layers of recursively compressed archives, the maximum attachment and file size, and the maximum number of viruses that can be cleaned from a single attachment. In addition, you can configure the action InterScan MSS takes if it cannot successfully process a message.

Review Questions

1. What is the purpose of the badmail directory?
   a. To hold messages that are undeliverable so they will not be deleted
   b. To hold messages that are infected by a virus
   c. To hold messages that do not have empty subject fields
   d. To hold messages that cannot be scanned

2. Which of the following statements about queue directory locations is true?
   a. UNC paths are supported.
   b. The path must be a local directory path.
   c. It is not necessary to restart InterScan MSS to apply changes to directories.
   d. All of the above

3. How do you use InterScan MSS to prevent zip-of-death attacks on your network?
   a. Specify the maximum allowable file size after decompression
   b. Restrict the number of recursively compressed layers
   c. Reject all compressed files such as ZIP and LZH files
   d. Block all large attachments

Chapter 6: Understanding and Configuring Policies

Chapter Objectives

After completing this chapter, you should be able to:
- Identify the main features of Policy Manager
- Define the global policy
- Create a sub-policy
- Set up policies for different individuals and groups within your organization
- Define address groups
- Define and use filter actions

Policy Overview
A policy is a set of rules. An email policy is a set of rules that a business creates to govern email use. For example, in order to reduce the amount of offensive material circulating in the office, a business might decide that employees cannot use the company email system for personal purposes. This rule is a policy.

InterScan MSS has policies of its own that you can configure and use to enforce your company's rules. You can use these policies to determine which file types are scanned for viruses and the action InterScan MSS takes if a virus is detected. You can also use the policies to determine how InterScan MSS filters content and what action it takes if an email contains forbidden content.

For example, your company may establish the following rules:
- Users cannot exchange email that contains sexual or racial terms.
- Users cannot forward chain email.
- Users cannot send attachments that are larger than 4 MB.

To enforce these rules, you might create a policy that
- Blocks email containing sexual or racial content
- Blocks chain email
- Postpones the delivery of email with large attachments until after business hours

There are three parts to every InterScan MSS policy and sub-policy: the route, the filter, and the filter action.

Route
A route is a set of sender and recipient addresses to which a policy is applied. To define a route, you must decide to whom you are directing your policy. Address groups and wildcard expressions are normally used to simplify the route configuration.

Filter
To create a filter, you must know what you are trying to find. Filters are used to check both for viruses and for prohibited content. Policies can contain more than one filter. InterScan MSS contains predefined filters that you can use to combat common virus and content threats. You can also create your own filters.

Filter Action
The filter action that you specify determines how InterScan MSS deals with email that triggers the filters. For example, if you set the filter action on your virus filter to Delete, then InterScan MSS deletes every file in which it detects a virus. The filter action determines how the email is finally processed.

Note: You can dynamically apply all policy-related settings by clicking Apply Now in the upper left-hand corner of the console. Changes do not take effect until you click Apply Now.

When you create a policy and want to use an existing filter action, you configure the components in the following order:
1. Define the route.
2. Configure the filter.
3. Select the filter action.

If you want to create a new filter action when you create a policy, you configure the components in the following order:
1. Create a new filter action.
2. Define the route.
3. Configure the filter.
4. Select the filter action.

Two Types of Policies
You might not want a policy to apply to every user in your company. For example, if your company has a graphics department, the users in that department might need to exchange files that are larger than 4 MB. If you configure InterScan MSS to postpone or deny delivery of email with attachments larger than 4 MB, with no exceptions, it would hinder the graphics department's ability to send legitimate files.

To help you create policies that meet the needs of all the users in your company, InterScan MSS includes two types of policies:
- The Global Policy applies to all email flowing through the InterScan MSS server.
- Sub-policies apply only to the messages or the users that you specify.

When InterScan MSS receives an email, it evaluates the email against the sub-policies and then against the global policy. If there is a filter in the global policy that matches, it takes precedence over a sub-policy filter.

Note: You can allow a Global Policy filter to be overwritten by a sub-policy (see Filter Availability and Status later in this chapter).

The Global Policy
The global policy is created when you install InterScan MSS (see Figure 6-1). By default, the global policy contains the following filters:

Antivirus: compares all email and attachments against the virus-pattern file
Heuristic Spam Filter (SPS): compares email content with common spam characteristics to detect spam
Anti-Spam: compares email content with a database of expressions commonly found in spam
Profanity: scans for obscenities
Racial Discrimination: scans for racial slurs
Sexual Discrimination: scans for sexually offensive language
Hoaxes: scans for expressions found in common hoaxes that circulate through Internet email
Chain Email: scans for chain messages that encourage users to forward the email to everyone they know
Love Bug: scans for expressions that appear in messages that harbor the mass-mailing ILOVEYOU virus
Block HTML Script Messages: scans for HTML email with embedded scripts (such as JavaScript or VBScript)

By default, only the Antivirus filter and the Heuristic Spam filter are active after installation. You can enable the other filters, and you can create additional filters in the global policy.

Note: The Heuristic Spam filter will not be active after installation if you do not enter a valid activation code. The Spam Prevention Service (SPS) must be activated separately from InterScan MSS.

Figure 6-1: The Filters List on the Global Policy screen.

Sub-policies
When you create a sub-policy, it inherits the active filters contained in the parent policy. For example, if you create a sub-policy directly under the global policy, that sub-policy inherits the active filters contained in the global policy. Filters that are inactive in the parent policy remain inactive in the sub-policy. If you do not want the sub-policy to use a filter that is inherited from the global policy, you can disable that filter at the sub-policy level. You can also add filters to the sub-policy as needed.

You can create a maximum of 10 sub-policies within a single policy. However, each sub-policy can have an unlimited number of filters.

By default, the InterScan MSS installation program creates the following sub-policies, based on the domain name that you entered in the installation wizard:
- Incoming
- Outgoing
- POP3

In order for a sub-policy to take precedence over the global policy, you must enable the Allow filter to be overwritten by a sub-site option on the global policy's filter before creating the sub-policy.

To control whether a filter applies to a particular sub-policy, the filter must first be made available in the global policy. Once the filter is available in the global policy, it is active in every sub-policy that inherits it. To stop the filter from applying, set its status to Inactive in the global policy and in each sub-policy in which you want it disabled.

Incoming and Outgoing Policies
The incoming policy has the following route: from * going to *@domain
The outgoing policy has the following route: from *@domain going to *

Both of these policies contain an active antivirus filter, which has the following default configuration:
- All attachments are scanned, including compressed files.
- Viruses are cleaned, and uncleanable viruses are deleted.
- When a virus is cleaned, a disclaimer is added to the message before it is delivered.
- If a virus cannot be cleaned or virus scanning is aborted, the message is quarantined, and a notification is sent.
- Any mass-mailing virus is deleted.

The incoming policy also contains some content-management filters, such as a filter that restricts message size. These filters are disabled, but you can enable and customize them. The outgoing policy contains an inactive message size filter that you can enable and customize.

POP3 Policy
The route for the POP3 policy is configured as follows in the isntsmtp.ini file:
POP3From=POP3FromLabel
POP3To=POP3ToLabel

To define the route information with the default setting, enter POP3FromLabel@* in the From field and POP3ToLabel@* in the To field.

Note: The domain must be the asterisk (*) wildcard for the To and From fields.

If you modify the route information of the POP3 policy, you must make the same modifications to the isntsmtp.ini file. If the modifications do not match, POP3 messages will not be matched by the POP3 policy, and they will be subject to the global policy only. You can modify only the name part of the route (the part before @) in the InterScan MSS Management Console. If these conditions are not met, the policy will not work.

InterScan MSS matches all POP3 messages to the POP3 policy. If you delete this POP3-only policy, POP3 messages are matched to the global policy.

The Order of Sub-Policies
When InterScan MSS receives a message for processing, it analyzes the sender and recipient addresses to determine which policy should be applied. By default, InterScan MSS uses the best match method to select the policy that is executed.

The Best Match Method
InterScan MSS searches the policy tree level by level, starting with the global policy. InterScan MSS first chooses the best match on the top level and then continues searching its child level (if any) until no route is matched or until another match is found. Once InterScan MSS finds an exact match, it stops searching the policies.

If the addresses of an email match more than one route, InterScan MSS uses the weight of the routes to determine which policy to apply to the message. The route with the greatest weight is applied. If two routes have the same weight, InterScan MSS uses the route that appears first in the policy order.

First Match Method
When InterScan MSS uses the first match method, it matches the address with the first route on the list that does not have a weight of 0. If there is a route further down on the policy list that matches better, it will not be applied.

You can change the matching method from best match to first match.
Open the registry editor and change the HKEY_LOCAL_MACHINE\Software\Trend Micro\ISNT5\registry\config\MatchMethod value from 1 to 0.

Priority Rules (Best Match Method)
InterScan MSS uses the following rules to analyze routes:
1. A fully qualified address has the highest priority, and an address that consists only of wildcards has the lowest priority.
2. The more qualified terms an address contains, the higher its priority.

In addition, InterScan MSS evaluates the route as follows:
- The domain in an address is more significant than the name.
- The sender and receiver addresses are of equal importance.

When InterScan MSS analyzes messages, it assigns every address a weight. InterScan MSS then adds the weights of the sender and receiver addresses and assigns the pair a combined weight. The overall priority of a route therefore lies between 0 and 10,000 (see Table 6-1).

Table 6-1: The six types of addresses and their corresponding weights

     Name              Domain             Weight      Examples
  1  Only wildcards    Only wildcards     0           *@*, *
  2  Qualified         Only wildcards     1000        user@*
  3  Only wildcards    Partly qualified   2000 + #Q   *@*.uk (2001), *@*.co.uk (2002), *@*.domain.co.uk (2003)
  4  Qualified         Partly qualified   3000 + #Q   joy@*.uk (3001), joy@*.co.uk (3002), joy@*.domain.co.uk (3003)
  5  Only wildcards    Fully qualified    4000        *@domain.co.uk
  6  Fully qualified   Fully qualified    5000        user@domain.co.uk

#Q is the number of qualified terms in the domain part, that is, the labels that follow the wildcard.

A message with more than one recipient may be split, with a different sub-policy (and therefore different filters) applied to each copy, depending on the recipient address. For example, if Tyra sends the same message to Bob, Maria, Shayla, Jose, and Carl, each copy might be evaluated against a different sub-policy, depending on how you have configured your sub-policies.

Consider the following examples:
1. The route (From: *@trendmicro.com, To: *@*) has precedence over (From: joy@*.com, To: *@*). When the recipient is the same, the weight of *@trendmicro.com (4000) is higher than that of joy@*.com (3001) because the domain is more significant than the name.
2. The incoming route (From: *@*, To: *@trendmicro.com) has the same precedence as the outgoing route (From: *@trendmicro.com, To: *@*) because the sender and receiver addresses are of equal importance.
3. The route (From: *@trendmicro.com, To: *@*.com) has precedence over (From: joy@trendmicro.com, To: joy@*). The sender and receiver weights of the former route are (4000, 2001), a total of 6001, while those of the latter are (5000, 1000), a total of 6000.
4. The route (From: *@*.co.uk, To: *@*.co.uk) has precedence over (From: *@*.domain.co.uk, To: *@*). The weights of the former pair are (2002, 2002), a total of 4004, while those of the latter are (2003, 0), a total of 2003.

To specify the order of sub-policies, select Policy Manager > Global Policy > Manage Sub Policies from the left-hand frame of the InterScan MSS Management Console.
You can adjust the order of execution on the Manage Sub Policy page.

Note: In general, you should have InterScan MSS execute the most specific sub-policies first.

Editing Global Policy Filters
You can enable, disable, and modify the Global Policy's default filters to fit your scanning needs. Each filter has three edit buttons (see Figure 6-2). The edit buttons can be used to configure the search criteria a filter uses, the location or types of documents the filter scans, and the action the filter takes when it finds an email that violates the policy.

Figure 6-2: Using the three edit buttons available on the Global Policy screen.

Filter Type
The edit button in the Filter Type column can be used to change a filter's properties. You can select or enter specific words, phrases, and expressions for which InterScan MSS searches. You can determine whether InterScan MSS applies the filter to the header, body, or attachment. The Filter Type edit button can also be used to specify the size range of messages the filter scans. The filter is not applied to messages that exceed the size restriction, so a message padded beyond the limit passes that filter unexamined; choose the limit with this bypass in mind.

Note: The configurable options for the Filter Type vary with each filter.

Warning: When you click the Filter Type Edit button for the profanity, racial discrimination, and sexual discrimination filters, the resulting screen displays the words against which InterScan MSS filters. Most people find these keywords offensive. These words are shown so that you know the content of the filter.

Filter Availability and Status
The edit button in the Filter Availability and Status column can be used to specify whether the filter is available for a policy's definition, whether the filter is active, and whether the filter can be overridden by another filter in a sub-policy.

To use a filter in your policy definitions, its availability must be set to Available. If the Filter Availability is set to Disabled, no policy can use it. The availability setting determines whether the filter can be used in a policy at all. If you decide to use the filter, you must ensure that the filter status is set to Active. If you do not want the filter to apply to a particular policy, you must ensure that the filter status is Inactive.

Note: For a sub-policy to inherit filters from a parent policy, the filter availability in the parent policy must be Available. If you do not want the filter to apply to the parent policy itself, you can set the filter status there to Inactive.

When you create a sub-policy, if you want one of the filters in that sub-policy to override the settings in the parent policy, you must enable the override feature. For example, in an attempt to eliminate spam from your network, you activate the Heuristic Spam Filter (SPS) in the global policy. However, you know that the sales department travels a lot and might benefit from receiving special offers on airfare and hotel rates. You create a sub-policy targeted at email addressed to anyone in the sales department. This time, however, you configure the Heuristic Spam Filter to allow commercial offers about airfare and hotel rates. In order for this sub-policy to take precedence, you must set the override property in the global policy to Allow filter to be overwritten by a sub-site.

Note: The override property applies only to the emanager filters. When the global policy and a sub-policy both contain an antivirus filter, the filter in the sub-policy is always the one executed.
In other words, enabling Do not allow filter to be overwritten for the global policy's antivirus filter has no effect.

Filter Action
The filter action is the action that InterScan MSS takes against email that triggers policy filters. When configuring the filter action, you can create a new filter action (see the Creating New Filter Actions section in this chapter), or you can choose from the following default actions (see Figure 6-3):

Delete: deletes the message
Delete and Notify: deletes the message and notifies the administrator
Deliver and Notify: delivers the message and notifies the administrator
Postpone and Notify: postpones delivery of the message until after midnight and notifies the administrator

Quarantine: sends the message to the default quarantine area
Quarantine and Notify: sends the message to the default quarantine area and notifies the administrator

You may want to quarantine messages for any of the following reasons:
- To review messages that trigger content filters and determine the severity of policy infractions
- To keep a record of oversized messages in case they contain important information that the recipient needs
- To reduce the chance of deleting important messages, in case they are mistakenly detected by the Antivirus or emanager filters
- To collect evidence, for disciplinary purposes, of an employee's misuse of your organization's messaging system

Figure 6-3: The Filter Action screen.

You configure filter actions for each possible filter result. For the antivirus filter, the following results are possible:
- No virus detected
- Virus(es) detected and successfully cleaned
- Virus(es) detected but some/all were not cleaned
- Mass-mailing virus detected
- Virus scanning aborted (the message may contain viruses)

For the emanager filters, only two results are possible:
- Triggered
- Not triggered

Filter actions are stored under the following registry key:
HKLM\Software\TrendMicro\ISNT5\registry\policy\classification

Note: For filter actions that notify the administrator, the notification is sent to the address that was entered during installation.

Filter Order
The order of filter execution within a sub-policy is significant. For example, if the first filter triggers a delete action, execution stops after the first filter. If a filter triggers other filter actions, processing continues. Filter actions are executed as outlined below.

The following actions are taken immediately, and the next filter is not processed:
- Quarantine
- Forward original message
- Delete

The following actions are taken after the policy has processed all the filters:
- Postpone
- Forward modified message

The following actions are taken right after the corresponding filter runs:
- Notification
- Archive

The message is delivered if none of the triggered filters has selected one of the following actions:
- Quarantine
- Forward original message
- Delete

The Quarantine, Forward original message, and Delete actions are given priority over the Postpone and Forward modified message actions.

If your sub-policy contains an antivirus filter, Trend Micro recommends that you place the antivirus filter at the top of the Filter Order list so it is executed first. Executing the antivirus filter first ensures that all messages are checked for virus infection. If another filter executes first and quarantines the message, the antivirus filter never runs on it, and the message could later be released from quarantine and delivered without having been scanned for viruses.

To order the filters in a sub-policy, click Policy Manager > Global Policy in the left-hand frame of the InterScan MSS Web console. The Global Policy screen appears. Click the Order filters link near the top of the screen. The Filter Order screen appears (see Figure 6-4).
Highlight the filter that you want to move and click the up or down arrow to change its location on the list. When you finish reordering the filters, click Save.
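The precedence rules above decide what finally happens to a message and, just as importantly, which filters never get to see it. The following Python simulation is an added example written for this section; it is not Trend Micro code and models only the rules listed here. The filter predicates, the message dictionaries and the rule that the first deferred action requested wins over a later one are assumptions of the example, not behavior stated in the text.

```python
"""Filter-order simulation (added example, not Trend Micro code).
Models the action precedence rules of the Filter Order section."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Actions that are taken at once; no later filter runs.
IMMEDIATE = {"quarantine", "forward original message", "delete"}
# Actions that are taken only after every filter has run.
DEFERRED = {"postpone", "forward modified message"}


@dataclass
class Filter:
    name: str
    triggers: Callable[[Dict], bool]   # does this filter fire on the message? (assumed shape)
    action: str                        # processing action when it fires
    notify: bool = False               # notification right after this filter
    archive: bool = False              # archive right after this filter


@dataclass
class Outcome:
    disposition: str                   # final handling of the message
    stopped_at: Optional[str]          # filter whose immediate action ended processing
    scanned_by: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)
    archives: List[str] = field(default_factory=list)


def run_policy(filters: List[Filter], message: Dict) -> Outcome:
    """Run the filters of one policy in order and apply the precedence rules."""
    out = Outcome(disposition="deliver", stopped_at=None)
    deferred = None
    for f in filters:
        out.scanned_by.append(f.name)
        if not f.triggers(message):
            continue
        # Notification and archive happen as soon as the triggering filter runs.
        if f.notify:
            out.notifications.append(f.name)
        if f.archive:
            out.archives.append(f.name)
        if f.action in IMMEDIATE:
            out.disposition, out.stopped_at = f.action, f.name
            return out                 # the next filter is not processed
        if f.action in DEFERRED and deferred is None:
            deferred = f.action        # assumption: first deferred request wins
        # a plain "deliver" (as in Deliver and Notify) changes nothing by itself
    if deferred:                       # postpone / forward modified apply last
        out.disposition = deferred
    return out


# Constructed sample filters, modelled on the defaults described in this chapter.
ANTIVIRUS = Filter("Antivirus", lambda m: m["infected"], "quarantine", notify=True)
MESSAGE_SIZE = Filter("Message Size", lambda m: m["size_kb"] > 4096, "quarantine", notify=True)
DISCLAIMER = Filter("Disclaimer", lambda m: True, "deliver")
OVERSIZED_LATER = Filter("Oversized after hours", lambda m: m["size_kb"] > 4096,
                         "postpone", archive=True)

# Constructed messages: a 5 MB infected attachment, and a small clean one.
INFECTED_LARGE = {"infected": True, "size_kb": 5000}
CLEAN_SMALL = {"infected": False, "size_kb": 100}


def antivirus_ran(outcome: Outcome) -> bool:
    """True if the antivirus filter was reached before processing stopped."""
    return "Antivirus" in outcome.scanned_by


if __name__ == "__main__":
    wrong = run_policy([MESSAGE_SIZE, ANTIVIRUS], INFECTED_LARGE)
    right = run_policy([ANTIVIRUS, MESSAGE_SIZE], INFECTED_LARGE)
    print("size filter first:", wrong.disposition, "by", wrong.stopped_at,
          "- antivirus ran?", antivirus_ran(wrong))
    print("antivirus first  :", right.disposition, "by", right.stopped_at,
          "- antivirus ran?", antivirus_ran(right))
    print("clean message    :",
          run_policy([ANTIVIRUS, DISCLAIMER, OVERSIZED_LATER], CLEAN_SMALL).disposition)
```

With the size filter listed first, the infected 5 MB message is quarantined by a content filter and the antivirus filter is never reached, which is exactly the release-from-quarantine exposure the recommendation above guards against; with the antivirus filter first, the same message is quarantined by the scan that actually examined it.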

Figure 6-4: The Filter Order screen.

Creating a Sub-Policy
Before you create a sub-policy, you must define the following policy components:

Filter action: Decide what you want InterScan MSS to do with messages that trigger the filters. If you do not want to use one of the default filter actions, you must first create a new filter action. All filters must have a filter action.
Route: Decide to whom the sub-policy will apply. Use email addresses and domain names to specify the routes. You can use an address book to create the route, but you must create the address book before you create the sub-policy.
Type of filter: Determine the type of filter that is best suited for finding the items you want to filter. For example, if you want to filter for sexual content, you would choose the Sexual Discrimination filter.

Name the Policy
When creating a sub-policy, the first step is to give it a name. The name you choose should reflect the purpose of the sub-policy, so that it can be easily identified. For example, if you create a sub-policy to filter email that contains sensitive company financial information, you might give it a name like Financial.

To create a sub-policy, complete the following steps:
1. In the left-hand column of the InterScan MSS Web console, click Policy Manager > Global Policy. The Global Policy screen appears.
2. Click the Sub-policies link near the top of the Global Policy screen. The Manage Sub Policy screen appears.
3. Click the Create new sub-policy link near the top of the screen. The Create Sub Policy screen appears (see Figure 6-5). Type a name for the new sub-policy in the Name field, and type a brief description of the policy in the Description field.

Figure 6-5: The Create Sub Policy screen.

4. Click Next. The Create Sub Policy screen for the route appears.

Define the Route
Defining the route is the second step in creating a sub-policy. To define a route, you must know to whom the sub-policy will apply. Routes are a list of sender and receiver addresses. The list of addresses that you define in the route determines the messages to which InterScan MSS applies the new sub-policy.

Use the Create Sub Policy screen to define the sub-policy route (see Figure 6-6). Enter the addresses of the users to whom you want InterScan MSS to apply the sub-policy. Enter the sender's address in the From column and the recipient's address in the To column. Click Finish when the lists are complete.

Figure 6-6: The Create Sub Policy screen used to create the route of the sub-policy.

Note: Click the Select link if you want to add an entire address list to the sub-policy.

Using the Asterisk (*) Wildcard
A single asterisk (*) matches everything, including nothing. For example, when you enter a single asterisk, it matches the following:
- Any address
- An empty From field

Spam messages sometimes have an empty From field because the sender does not want to disclose his or her identity.

The behavior of the asterisk wildcard depends on whether it appears before or after the @ sign in an address. Text that comes before @ is treated as the name. Text that comes after @ is treated as the domain. If the @ sign appears more than once, the entire string is considered invalid.

To match the name part of an address, you can use a single wildcard asterisk or the exact name. Partial matches are not allowed. Used as the name part, the asterisk matches any name but not an empty address, as illustrated below:
- *@trendmicro.com matches stanley@trendmicro.com.
- *@trendmicro.com does not match an empty From field.
- Stanley*@trendmicro.com and *Stanley@trendmicro.com are invalid.

To match the domain part of an address, you can use the asterisk wildcard only at the beginning of the domain. The asterisk wildcard matches one or more whole subdomains in front of the rest of the domain (for example, a pattern of the form *.co.uk matches a domain with one or more labels before .co.uk, but not co.uk itself). Partial matching of subdomains is not allowed; the wildcard must stand in for complete labels. The following patterns are invalid:
- A wildcard in the middle of the domain name.
- A wildcard at the end of the domain name.
- A second wildcard in the middle of the domain name.

After you create a sub-policy, it appears in the left-hand column of the InterScan MSS Web console, directly under the Global Policy branch of the directory tree. The filters that the sub-policy inherits from its parent policy, along with the status of those filters, appear in the main screen.

Address Groups
Address groups allow you to organize email addresses into groups. You can define address groups for people to whom you want to apply the same policy. Frequently, members of the same address group belong to the same department.

For example, suppose that you have identified three types of content that you want to block from being transmitted through your company's email system. You want to define three policies (shown in parentheses below) to detect that content:
- Sensitive company financial data (FINANCIAL)
- Job search messages (JOBSEARCH)
- VBScripts (VBSCRIPT)

Now consider the following address groups within your company:
- All executives
- All Human Resources (HR) department staff
- All IT development staff
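The wildcard rules in this section, the weights of Table 6-1 and the best-match and first-match selection described under The Order of Sub-Policies all fit together; the following Python implementation is an added example that models them in one place, so you can check what a route you are about to enter will weigh and which sub-policy a given sender and recipient pair will land in. It is not Trend Micro code. Two simplifications are assumptions of the example rather than statements of the text: matching is treated as case-insensitive, and the sub-policies are modelled as one flat ordered list with the global policy as the fallback instead of a multi-level tree.

```python
"""Route patterns, Table 6-1 weights and policy selection (added example,
not Trend Micro code). Assumes case-insensitive matching and a flat,
ordered list of sub-policies."""


def parse_pattern(pattern):
    """Split a route pattern into (name, domain), enforcing the chapter's rules:
    a bare "*" is allowed; otherwise exactly one "@"; the name is "*" or an exact
    name; the domain is "*", an exact domain, or "*." followed by whole labels."""
    if pattern == "*":
        return "*", "*"
    if pattern.count("@") != 1:
        raise ValueError(f"{pattern!r}: exactly one @ is required")
    name, domain = pattern.split("@")
    if not name or not domain:
        raise ValueError(f"{pattern!r}: empty name or domain part")
    if "*" in name and name != "*":
        raise ValueError(f"{pattern!r}: partial matches are not allowed in the name")
    if "*" in domain and domain != "*":
        rest = domain[2:] if domain.startswith("*.") else None
        if rest is None or "*" in rest or "" in rest.split("."):
            raise ValueError(f"{pattern!r}: wildcard allowed only as a leading whole label")
    return name.lower(), domain.lower()


def is_valid_pattern(pattern):
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def address_weight(pattern):
    """Weight of one address pattern according to Table 6-1."""
    name, domain = parse_pattern(pattern)
    named = name != "*"
    if domain == "*":
        return 1000 if named else 0
    if domain.startswith("*."):
        qualified_terms = domain.count(".")          # "*.co.uk" has 2 terms
        return (3000 if named else 2000) + qualified_terms
    return 5000 if named else 4000


def route_weight(from_pattern, to_pattern):
    """Sender and receiver are equally important: the route weight is their sum."""
    return address_weight(from_pattern) + address_weight(to_pattern)


def address_matches(pattern, address):
    """Does a pattern match a concrete address? The address may be empty."""
    name, domain = parse_pattern(pattern)
    if pattern == "*":
        return True                                  # bare "*" also matches an empty From
    if address.count("@") != 1:
        return False                                 # "*@..." never matches an empty field
    aname, adomain = (part.lower() for part in address.split("@"))
    if name != "*" and name != aname:
        return False
    if domain == "*":
        return True
    if domain.startswith("*."):
        return adomain.endswith(domain[1:])          # one or more whole labels before the suffix
    return adomain == domain


def select_policy(policies, sender, recipient, method="best"):
    """policies: ordered list of (policy_name, from_pattern, to_pattern).
    best  - highest route weight wins; ties go to the earlier entry.
    first - first matching route whose weight is not 0 wins."""
    matching = [p for p in policies
                if address_matches(p[1], sender) and address_matches(p[2], recipient)]
    if method == "first":
        matching = [p for p in matching if route_weight(p[1], p[2]) != 0]
        return matching[0][0] if matching else "Global Policy"
    if not matching:
        return "Global Policy"
    # max() keeps the first of equally weighted entries, which is the tie rule
    return max(matching, key=lambda p: route_weight(p[1], p[2]))[0]


# Constructed sample sub-policies built from the routes in this chapter's examples.
SUB_POLICIES = [
    ("Joy-only",     "joy@trendmicro.com", "joy@*"),       # (5000, 1000) = 6000
    ("Outbound-com", "*@trendmicro.com",   "*@*.com"),     # (4000, 2001) = 6001
    ("UK-to-UK",     "*@*.co.uk",          "*@*.co.uk"),   # (2002, 2002) = 4004
    ("Catch-all",    "*",                  "*@*"),         # (0, 0) = 0
]

if __name__ == "__main__":
    for p in SUB_POLICIES:
        print(f"{p[0]:<13} weight {route_weight(p[1], p[2])}")
    print("best :", select_policy(SUB_POLICIES, "joy@trendmicro.com", "joy@partner.com"))
    print("first:", select_policy(SUB_POLICIES, "joy@trendmicro.com", "joy@partner.com", "first"))
    for bad in ("Stanley*@trendmicro.com", "*@trend*.com", "*@trendmicro.*", "*@*.trend*.com"):
        print(f"{bad!r} valid? {is_valid_pattern(bad)}")
```

The mail from joy@trendmicro.com to joy@partner.com matches both Joy-only and Outbound-com; best match picks Outbound-com (6001 beats 6000, reproducing example 3), while first match picks whichever of the two is listed first, which is why the Note above about ordering the most specific sub-policies first matters once you switch MatchMethod to 0.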

When you define the route for the policies, you would use the address groups as shown below:

Address group              FINANCIAL               JOBSEARCH               VBSCRIPT
All executives             not included in route   included in route       included in route
All HR department          included in route       not included in route   included in route
All IT development staff   included in route       included in route       not included in route

Executives, HR staff, and IT developers have legitimate business reasons for sending financial information, job search-related correspondence, and VBS files, respectively. Because those legitimate reasons exist, you exclude each group from the corresponding policy.

To create an address group, click Policy Manager > Address Group in the left-hand frame of the InterScan MSS Management Console. The Address Group screen appears (see Figure 6-7). Enter the requested information in the fields provided on the screen and use the prompts to complete the process.

Figure 6-7: The Address Group screen.

Note: You cannot use the asterisk wildcard in address groups.

To modify an existing address group, access the Address Group screen again and click the Details link next to the group that you want to modify (see Figure 6-7). To delete an address group, click the option button next to the group you want to remove and then click Delete.

Note: If an address group shows "in use" instead of an option button in the right-hand column, that address group is currently being used within a route and cannot be deleted while the route exists. To delete the address group, you must first deactivate the route.

Importing an Address Group from a File
InterScan MSS supports address imports from Comma Separated Value (CSV) files. The file must reside on a drive that is local to the InterScan MSS server. You then type the directory path to the file that contains the address information. If you are using a browser to view the InterScan MSS Web console from a remote computer, you should copy the text file into a shared directory on the InterScan MSS server.

Note: When importing an address group from a CSV file and merging it with an existing address group, duplicate addresses are overwritten.

Note: You cannot import address list information from a remote computer, either by an HTTP upload or by typing a Universal Naming Convention (UNC) path. The file must be either on a drive that is local to the InterScan MSS server or on a mapped drive.

When you import an address group from a text file, make sure that each line contains only one address. For the file to work correctly, each address must have its own line. An example text file is shown below:

bob@trendmicro.com
maria@trendmicro.com
shayla@trendmicro.com

Add a Filter and Choose the Action
Adding a filter is the third step in creating a sub-policy. When you create a sub-policy, it automatically inherits the filters that were available in the parent policy. The inherited filters can be activated and used in the sub-policy. However, if you want the sub-policy to filter for material that is not covered by the inherited filters, you must make a new filter for the sub-policy to use.

Note: A policy can contain only one antivirus filter.
If both a parent policy and a sub-policy contain an antivirus filter, only the one in the sub-policy is executed.

To create a sub-policy filter, click the Create new filter link near the top of the Manage Filters screen. The New Filter screen appears.
1. Enter a name for the filter you are creating, specify whether it can be overwritten by another filter in a sub-policy, and choose the type of filter that you want to use. Click Next after you finish configuring the options. The screen that appears next varies depending on the filter type that you chose.

2. Configure the options on the screen and click Next. Another screen appears, confirming the settings you made (see Figure 6-8).

Figure 6-8: The New Filter Settings verification screen that appears when creating a content filter.

If you need to change some of the settings, click Back. If the settings are correct, click Next. The New Filter screen appears.

Note: Once you click Next on the verification screen, you cannot go back and alter the settings. Any modifications to the settings must be made before continuing on from this screen. However, once you have created the filter, you can edit it.

3. Choose the filter action that InterScan MSS should take when an email triggers the filter (see Figure 6-9). Click Save. Your new filter appears in the filters list on the Manage Filters screen.

Figure 6-9: The New Filter screen.

Creating New Filter Actions
If the default filter actions do not meet your requirements, you can create a new filter action. For example, your company might be negotiating a contract with another company, and you might want to archive all messages exchanged with the other company. In this case, you create a filter action that delivers the message, archives the message, and notifies you that these actions have been taken.

Filter Action Components
Filter actions specify the action InterScan MSS takes against email that triggers a filter and to whom notifications are sent. A filter action is comprised of one or more of the following components:
- Processing action
- Archive
- Notification

Processing Action
The processing action is the action that you configure InterScan MSS to take with an email that triggers a filter. You can quarantine, delete, or forward the message, or you can postpone and then deliver it. A filter action can have just one processing action.

Archive
InterScan MSS can archive messages either in a local directory or in an email account. You can either archive the message in its original form, or you can archive the message with the filter changes, such as viruses cleaned from the attachment or a disclaimer appended to the message body. While a filter action can have only one processing action, it can have an unlimited number of archive and notification actions.

Notification
InterScan MSS can send e-mail or Simple Network Management Protocol (SNMP) Trap notifications when an e-mail triggers a filter. These notifications can be sent to the original sender, recipient, administrator, or any other address that you choose. You cannot use address groups to send notifications, but you can use Exchange distribution lists. InterScan MSS can either attach the message in its original form or send the message that was modified by the filter.

Configuring Notification Messages
When you configure notifications, you can use the following tokens to provide more information about the event that triggered the filter:

Token               Description
%SENDER%            Message sender
%RCPTS%             Message recipients
%SUBJECT%           Message subject
%DATE&TIME%         Date and time of the incident
% ID%               E-mail ID
%RULENAME%          Name of the policy that contained the triggered filter
%FILTERNAME%        Type of filter, such as antivirus filter, Advanced Content Filter, Message Size Filter, and so on
%TASKNAME%          Name of the filter that the user entered during filter creation
%GLOBALACTION%      Current action to be taken
%DETECTED%          What triggered the filter, which filter was triggered, and details from the filter
%QUARANTINE_PATH%   Quarantine path (if the quarantine action is performed)
%QUARANTINE_NAME%   Quarantine name (if the quarantine action is performed)
%QUARANTINE_AREA%   Quarantine area (if the quarantine action is performed)
%ADDINFO%           Additional information from the filter (currently used when the result of the antivirus filter is uncertain)
%CLSNAME%           Name of the current filter action
%DEF_CHARSET%       Default character set of the notification message

Note: Tokens are case-sensitive.

For example, you might want the notification message that InterScan MSS sends to include the following information:
  Name of the filter that took action against the e-mail
  Name of the policy that contained the filter
  Identification number of the e-mail
  User who sent the message
  User(s) who received the message
  Subject of the message
  Time and date the incident occurred
  Current location of the message

The notification that you configure might look similar to the following example:

The %FILTERNAME% filter defined in InterScan MSS has detected the following message using its %RULENAME% rule. The message's ID is % ID%. The following information describes the message that may breach your company's policy:
Message sender: %SENDER%
Message recipients: %RCPTS%
Message subject: %SUBJECT%
Incident time: %DATE&TIME%
Per the configuration of your filter's action, this message can be reviewed in the %QUARANTINE_AREA% quarantine folder.

The notification message that InterScan MSS would send in response to a virus event would look like the following example:

The Detect Script Viruses filter defined in InterScan MSS has detected the following message using its Catch LOVELETTER rule. The message's ID is
The following information describes the message that may breach your company's policy:
Message sender: [email protected]
Message recipients: [email protected]
Message subject: Check out the attached Loveletter coming from me
Incident time: , 6:15 PM
Per the configuration of your filter's action, this message can be reviewed in the VirusArea1 quarantine folder.

Note: If you want a filter action to have more than one option for the Archive or Notification features, you must click New Item in the Filter Action screen to add each one separately.

To create a new filter action, click Policy Manager > Filter Action from the left-hand frame of the InterScan MSS Management Console. The Filter Action screen appears. Click the New Filter Action link. The New Filter Action screen appears (see Figure 6-10). In the Name: field, enter a name for the new filter action and then click New Item. Follow the prompts to finish creating the filter action.

Figure 6-10: The New Filter Action screen.

Modifying and Deleting Filter Actions
After you implement a policy, you may need to modify the filter action that you created. For example, when you implement a filter, you may create a filter action that forwards the message, archives the message, and notifies you. You may decide later that the filter and the filter action are working correctly, and you no longer need to be notified. You could then modify the filter action and remove the notification.

To modify an existing filter action, click Policy Manager > Filter Action from the left-hand frame of the InterScan MSS Management Console. The Filter Action screen appears (see Figure 6-11). Click the filter action that you want to modify, then click Edit and modify the filter action.

Figure 6-11: The Filter Action screen.

To delete a filter action, access the Filter Action screen again, click the option button next to the filter action that you want to remove, and then click Delete.

Note: If a filter action shows "in use" instead of an option button in the right-hand column, the filter action is being used by a filter and cannot be deleted while the filter exists. To delete the filter action, you must first deactivate the filter.

Lab Exercise 4: Configuring Policies

Chapter 6 Summary and Review Questions

Summary
Use the Policy Manager to create and modify policies that enforce your company's usage rules. By default, InterScan MSS includes a global policy that affects all messages flowing through the InterScan MSS server. Other policies you create affect only the messages that you specify.

Each policy has three components: route, filters, and filter action. To create a policy, you configure these three components. Each policy can contain a maximum of 10 sub-policies, but each sub-policy can contain an unlimited number of filters. To create effective sub-policies, you must understand the order in which filters are executed.

If a message triggers a filter, the filter takes the action that you specified. For example, a message may be quarantined if the attachment exceeds the limits you specified, if the attachment appears to contain a virus, or if the content violates your company's policies.

Review Questions

1. Which of the following is not a policy component?
   a. Filter action
   b. Route
   c. Filters
   d. Sub-policy

2. Which emanager filter blocks messages that have the words Get Rich Quick in the subject line?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message size filter
   d. Subject line filter

3. Which emanager filter do you use to block large messages during business hours?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message-size filter
   d. Subject line filter

4. Which filter action is executed first?
   a. Deliver
   b. Forward original message
   c. Notification
   d. Forward modified message

5. In which order should you organize sub-policies?
   a. Most general policies first, most specific policies last
   b. Most specific policies first, most general policies last
   c. Incoming policies first, outgoing policies last
   d. Outgoing policies first, incoming policies last


Chapter 7: Understanding Filters

Chapter Objectives
After completing this chapter, you should be able to
  Explain the InterScan Messaging Security Suite (InterScan MSS) built-in filter groups: Antivirus and emanager
  Explain how the antivirus filter works
  Configure which message attachments are scanned
  Explain how InterScan MSS reports an infected file that is sent to multiple recipients
  Write keyword expressions that the InterScan emanager filter can use to block content at your Simple Mail Transfer Protocol (SMTP) gateway
  Write file extensions in expressions
  Explain how the emanager filter handles Multipurpose Internet Mail Extensions (MIME) subtypes
  Add and delete quarantine areas

Filters
InterScan MSS includes seven types of filters. These filters are divided into two groups: the Antivirus filter group and the emanager filter group.

The Antivirus filter group consists of only the antivirus filter. The antivirus filter uses pattern-matching technology to scan messages and their attachments for viruses. You can configure the file types the filter scans, compressed-file scanning behavior, the filter action, and the notifications that InterScan MSS inserts into the e-mail body.

The emanager filter group manages spam, message content, and delivery. emanager filters compare message content to keyword expressions and other criteria that you configure. Messages are processed according to the filter actions that you configure. emanager also compares e-mail to a spam signature file to identify spam and stop it at the gateway. There are six types of emanager filters:
  Advanced Content
  Message Attachment
  General Content
  Message Size
  Disclaimer Manager
  Anti-Spam

In addition to the Antivirus and emanager filter groups, InterScan MSS has a heuristic spam filter called Spam Prevention Service (SPS). The heuristic scanning technology is used to detect first-time spam, or spam that the emanager signature file might not detect. When used with the emanager filter group, this heuristic spam filter provides an additional layer of protection against unwanted junk e-mail.

The Antivirus Filter
Although the antivirus filter is enabled by default, you should modify the filter to meet the needs of your company and its messaging environment. For example, by default InterScan MSS scans all attachments. If your server hardware does not have the resources to scan every message, you can modify the antivirus filter to scan only the file types that are vulnerable to viruses.

To modify the antivirus filter in the global policy, select Policy Manager > Global Policy from the left-hand frame of the InterScan MSS Management Console.
By default, the antivirus filter is the first filter listed in the global policy. To edit the file types the antivirus filter scans, the action taken when viruses are detected, and the notification messages that are sent, click the Edit button in the Filter Type column. The Virus screen appears (see Figure 7-1). Configure the settings you see on the screen.

Figure 7-1: The Virus screen.

Selecting the File Types to Scan
When configuring which file types InterScan MSS will scan, you can choose from the following options:
  Scan all file types
  IntelliScan
  Scan specified file types by extension

The Scan all file types option is the safest setting because InterScan MSS scans every file for viruses. However, this option is also the most resource intensive. If you have a network with limited resources, scanning all file types might put too much strain on your network.

When you use the IntelliScan option, InterScan MSS uses a Trend Micro method of determining the true type of a file. Virus writers can rename file extensions to make an executable file look like a different file type. IntelliScan performs an internal analysis of the file rather than relying on a file's extension to determine the true file type. InterScan MSS scans only the files whose true file type is known to harbor viruses. The IntelliScan option is a compromise between maximum security and maximum efficiency. It is better suited for networks with limited resources because not all files are scanned.

When you choose the Scan specified file types by extension option, you can either create your own list of file types to scan, or you can use a list of file types that Trend Micro recommends scanning. This scan option scans files based on the file extension and does not consider the true file type.

Using Wildcards to Specify File Types
You can use the asterisk (*) and question mark (?) wildcards when configuring the file types to scan and the file types to exclude. The asterisk can stand for any number of characters, whereas the question mark stands for a single character. Table 7-1 shows examples of files that would be scanned under different wildcard scenarios.

Wildcard    File Types Scanned
.*          All files, regardless of extension
.do?        DOC, DOT
.e*         All file types starting with the letter e
Table 7-1: Depending on how they are used, wildcards can tell InterScan MSS to scan any combination of file types.

When configuring file types to exclude from scanning, the wildcards can be used in the same way. However, if you use a standalone asterisk, only files without extensions are scanned.

Selecting the Antivirus Filter Action
You can configure the following actions for the antivirus filter if a virus is detected.
  Clean: removes the virus from the infected file
  Delete: removes the infected file
  Pass: records the virus infection in the log but takes no action on the file

You can also specify whether you want InterScan MSS to delete uncleanable files or pass them to the next filter.
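To show how the wildcard rules in Table 7-1 behave, and why an extension-based scan list and IntelliScan's true-file-type check can disagree about the same attachment, here is an added Python example written for this textbook page; it is not Trend Micro's implementation. The extension list, the magic-number table that stands in for true-type analysis, and the sample file names are all constructed for the example. The standalone asterisk follows the page's description: used as an exclusion it leaves only files without an extension to be scanned.

```python
import re

# Constructed sample extension list in the style of Table 7-1 (hypothetical,
# not Trend Micro's recommended list).
SCAN_PATTERNS = [".do?", ".e*", ".xl?"]

# Leading bytes of common attachment types. Assumption: this small table stands
# in for IntelliScan's internal analysis of a file's true type.
MAGIC_NUMBERS = {
    b"MZ": "executable",
    b"\xd0\xcf\x11\xe0": "ole2-office",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}


def extension_of(filename):
    """Return the extension including its dot, or '' for a file without one."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def pattern_matches(pattern, ext):
    """Apply one wildcard pattern to an extension, following Table 7-1.

    '*' stands for any number of characters and '?' for exactly one.
    '.*' matches every file, regardless of extension. A standalone '*'
    matches any file that has an extension, so as an exclusion it leaves
    only extension-less files to be scanned, as the page notes.
    """
    if pattern == ".*":
        return True
    if pattern == "*":
        return ext != ""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, ext, re.IGNORECASE) is not None


def selected_by_extension(filename, scan_patterns, exclude_patterns=()):
    """True when the name is selected by the scan list and not excluded."""
    ext = extension_of(filename)
    scanned = any(pattern_matches(p, ext) for p in scan_patterns)
    excluded = any(pattern_matches(p, ext) for p in exclude_patterns)
    return scanned and not excluded


def true_type(head):
    """Classify an attachment by its leading bytes, ignoring its name."""
    for magic, label in MAGIC_NUMBERS.items():
        if head.startswith(magic):
            return label
    return "unknown"


def scan_decision(filename, head, scan_patterns, exclude_patterns=()):
    """Compare the two strategies the page describes for one attachment.

    Returns (by_extension, by_true_type): whether the extension list would
    select the file, and whether a true-type check flags it as an executable
    or an Office/archive container regardless of the name it carries.
    """
    by_extension = selected_by_extension(filename, scan_patterns, exclude_patterns)
    by_true_type = true_type(head) in ("executable", "ole2-office", "zip")
    return by_extension, by_true_type


if __name__ == "__main__":
    # Constructed sample: an executable renamed to look like an image. The
    # extension list passes it over; the true-type check still selects it.
    renamed = b"MZ\x90\x00" + b"\x00" * 60
    print(scan_decision("holiday.jpg", renamed, SCAN_PATTERNS))  # (False, True)
```

The renamed-executable case is the one the IntelliScan paragraph above is about: the extension list never sees it, while a check on the file's own bytes does.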

Configuring Notification Messages
The notifications that InterScan MSS sends when messages trigger the Antivirus filter are different from the notifications sent when emanager filters are triggered. The emanager notifications are optional, whereas InterScan MSS automatically sends a notification if the Antivirus filter is triggered. Notifications are sent for the following actions:
  The antivirus filter detects a virus
  The antivirus filter removes an attachment

You can also configure InterScan MSS to attach safe stamps to messages that are clean. The safe stamps can be sent as an attachment or entered directly into the e-mail body. The Antivirus filter inserts only one safe stamp per message.

You can use the following tokens to create messages that are inserted into the body of infected messages:

Token               Description
%FILENAME%          Filename of the attached file ("noname" when the file name cannot be determined)
%VIRUSNAME%         List that shows all viruses found
%ACTION%            Either pass, clean, or remove, or else defined by the process
%MAXENTITYCOUNT%    String that shows the maximum number of entities that can be scanned, such as 20. This string is configurable on the Security Settings page.

For example, suppose you configured the following message to insert inside an infected message:

A file that was attached to this message, %FILENAME%, was found to be infected with the %VIRUSNAME% computer virus. InterScan MSS has taken the following action against the message: %ACTION%.

If InterScan MSS detected the W97M_MARKER virus in a file called resume.doc, it would insert the following text into the body of the message:

A file that was attached to this message, resume.doc, was found to be infected with the W97M_MARKER computer virus. InterScan MSS has taken the following action against the message: CLEAN.

To prevent these messages from appearing in the recipient's e-mail, edit the following registry key:
1. Find the following registry key and add a DWORD value under it:
   HKEY\Local Machine\Software\TrendMicro\ISNTS\Registry\Config\FilterManager\0001\
2. Type the following text and then restart InterScan MSS:
   AddAlert = 0

Infected Messages to Multiple Clients
If a virus-infected message is sent to multiple recipients in different domains, InterScan MSS may show a record of processing just one message, but virus detection is shown for each recipient. For example, suppose a message containing one virus is sent to three recipients at trend.com, trendmicro.com, and trendmicrosales.com. The System Monitor shows that one message was processed and three viruses were detected.

Virus Filter Results
To configure the action InterScan MSS takes with password-protected files, click Policy Manager > Global Policy from the left-hand column in the InterScan MSS Web console. The Global Policy screen appears. Click Edit in the Filter Action column, and then configure the settings on the Virus screen that appears (see Figure 7-2).

Figure 7-2: The Virus screen used to configure the filter action for the Antivirus filter.

From the Virus screen, you can also configure the filter action for each of the following seven antivirus filter results:
  Mass-mailing virus detected
  Virus(es) detected but some/all were not cleaned
  Joke program attachment detected
  Virus scanning aborted (message may contain viruses)
  Password-protected file detected (not scanned)
  Virus(es) detected and successfully cleaned
  No virus detected

For each filter result, you can select one of the pre-defined filter actions or a filter action that you configured. The default filter actions for each of these possible results are shown in Figure 7-2.

Note: Before editing the registry, ensure that you understand how to restore it if a problem occurs. For more information, view the Restoring the Registry Help topic in Regedit.exe or the Restoring a Registry Key Help topic in Regedt32.exe.

Configuring the Advanced Content Filter
InterScan MSS uses the advanced content filter to check the header, body, and attachments for simple or complex expressions. You can configure InterScan MSS to use the built-in synonym list to check for keyword synonyms.

Features
The Profanity, Racial Discrimination, and Sexual Discrimination filters are examples of an advanced content filter. The advanced content filter provides the following functionality:
  Contains a configurable severity index, which you can use to configure a filter's sensitivity to keyword matches
  Supports case sensitivity for keyword matches
  Supports complex expressions that use the emanager built-in operators
  Evaluates keyword frequency and proximity to other terms when deciding to trigger the filter

Writing Expressions
InterScan MSS uses the advanced content filter to search for keyword expressions that you define. For example, if you wanted to block messages that contain the words you are a jerk, you might create the following expression:
  you .NEAR. jerk

You can also specify the proximity of the words so that the filter catches the following phrases:
  You are a big jerk.
  You are a big fat jerk.

Expressions consist of operands and operators. Operands are the words for which you want to search. Operators define the relationship between the operands in the expression. Consider the expression in the previous example. The words you and jerk are operands. The word .NEAR. is an operator.

Operators
Note: The space between the operand and the operator is significant to how the expression is parsed. For example, the expression High .AND. Low is parsed as two operands (High, Low) and one operator (.AND.). The expression High.AND.Low is parsed as one operand (High.AND.Low).

The emanager operators can be divided into five groups:
  Grouping operators
  Decorating operators
  Logical operators
  Limiting operators
  Relational operators

Grouping Operators
The grouping operators are .(. and .). The grouping operators are used to change the order in which operators are evaluated. The operators between the grouping operators are evaluated first. For example, the following two expressions are evaluated differently because the second expression contains grouping operators:
  better .AND. faster .OR. cheaper
  better .AND. .(. faster .OR. cheaper .).

The first expression matches content that contains both the keywords better and faster. It also matches content that contains the keyword cheaper (see Table 7-2). The second expression matches content that contains better and either faster or cheaper (see Table 7-3).

Result      Content
Match       analysts agree that the 2002 model is a better, faster, and more economical vehicle than its predecessors
Match       many young families have found that buying houses in the East Bay suburbs is cheaper than living in the peninsula communities
No Match    broadband Internet access can be up to 50 times faster than dial-up connections, and rates are expected to
Table 7-2: Matching the first expression with content.

Result      Content
Match       analysts agree that the 2002 model is a better, faster, and more economical vehicle than its predecessors
Match       many young families have found that buying houses in the East Bay suburbs is cheaper and offers a better quality of life
No Match    broadband Internet access can be up to 50 times faster than dial-up connections, and cheaper rates
Table 7-3: Matching the second expression with content.

Decorating Operator
The decorating operator is .WILD. When you use the .WILD. operator, content is evaluated against the operand. The asterisk (*) wildcard character is often used with the .WILD. operator, as shown in the following example:
  .WILD. This * message

This expression matches content when the word message follows the word This. The word This and the word message can be separated by any number of words (see Table 7-4). The .WILD. operator can also be used in place of letters in a word, as shown in the following example:
  .WILD. *ed

This expression matches any content that contains a word ending with ed (see Table 7-5).

Result      Content
Match       This message is being sent to you because you signed up for our free newsletter
Match       This is to inform you that I will be on holidays until 10/12. You can leave a message at
No Match    This is arguably the most exciting software that I have
Table 7-4: Matching expressions using the .WILD. operator.

Result      Content
Match       that movie has been edited for TV broadcast
Match       this program is followed by an infomercial
No Match    The editor sent the manuscript for final proofreading
Table 7-5: Using the .WILD. operator in place of partial words.

Logical Operators
The logical operators are used to perform logical operations on operands. You can use the following three operators when creating expressions:
  .AND.
  .OR.
  .NOT.

The following expression contains a logical operator:
  High .AND. Low

This expression matches content when both the word High and the word Low are present (see Table 7-6). Now evaluate a similar expression, this time using the logical operator .OR.:
  High .OR. Low

This expression matches content when either the word High or the word Low is present. This expression also matches content when both words are present (see Table 7-7).

Result      Content
Match       High today in the interior is 87. Low tonight will be 53 near the coast
Match       His favorite movies are High Noon and Eject at Low Level and Live
No Match    she plans to attend Central High next fall
Table 7-6: Using the logical operator .AND. to write expressions.

Result      Content
Match       High tide will be at 9:00 PM. Low tide will be at 7:00 AM
Match       the box was too High for her to reach
Match       please turn the heater to low I'm sweating
Table 7-7: Using the logical operator .OR. to write expressions.

The .NOT. logical operator functions a little differently than the other two logical operators. Expressions that use the .AND. and .OR. operators are used to search for combinations of operands. Expressions that use the .NOT. operator are used to search for one operand and not another. For example, if you wanted to create a filter that finds e-mail about pets, but you want to allow content about dogs, you might create the following expression (see Table 7-8):
  Pets .NOT. Dog

Result      Content
Match       the sign at the beach said that pets are not allowed
Match       I do not like visiting people who own 100 pets
No Match    pets are an enormous pain to care for, but my dog is worth it
Table 7-8: Using the logical operator .NOT. to write expressions.

Limiting Operator
You can use the limiting operator .OCCUR. to create an expression that a filter can use to search for multiple occurrences of a word or phrase used in an e-mail. If the appearances of the word or phrase exceed the Frequency setting, the e-mail will trigger the filter.

Note: If you write an expression that uses the .OCCUR. operator, you should configure the Frequency setting under Advanced Settings (see the Advanced Settings section in this chapter).

Relational Operator
You can use the relational operator .NEAR. to create an expression that a filter can use to search for words that are close to each other. If the words appear close enough together, the e-mail triggers the filter.

Note: If you write an expression that uses the .NEAR. operator, you should configure the Proximity setting under Advanced Settings (see the Advanced Settings section in this chapter).

Regular Expressions
InterScan MSS supports the use of regular expressions. Regular expressions are not as limited as the expressions you create using Boolean terms. When using only Boolean terms to create expressions, the search is limited to the words or phrases specified, and variants within the words themselves are not found. However, when you use regular expressions, the filter you create can catch variants of the word(s) for which you are searching. For example, evaluate the following expression that uses only Boolean terms:
  sex .OR. sexual

Filters that use this expression catch e-mail that contains the words sex or sexual. However, variants of these words, such as s3x and sexual are not caught. Now evaluate the following expression that uses a regular expression:
  .REG. s[ee3]x

Filters that use this expression catch the word sex, as well as any variants of the word, such as s3x and sex.

Note: When creating regular expressions, do not use \n, \r, or \t as regular expressions because they are InterScan emanager separators.

Table 7-10 contains descriptions of the characters that you can use when creating regular expressions. Each description is accompanied by an example of how the expression is used.

Character   Description                                                                                 Example
.           Matches any single character.                                                               The expression r.t catches rat, rut, rot, and r t, but not root.
*           Matches any number and combination of letters between the characters specified in the       The expression b.*t catches the words breast and butt, but also catches the word best.
            expression (0 to infinite occurrences).
?           Matches 0 or 1 occurrence of the preceding character, forcing minimal matching when an       The expression suc?k catches the word suck and the variant suk.
            expression might match several strings within a search string.
+           Matches one or more of the preceding character.                                             The expression Ri+ch catches the word Rich and variants such as Riich, Riiich, and so on.
$           Matches the end of a line.                                                                  The expression off$ catches the string tell him to back off, but not the string Get off my back.
[abc]       Matches any one of the characters between the brackets.                                     The expression s[ee3]x catches the word sex and variants such as sex and s3x.
[a-c]       Specifies a range of characters. The characters can only be letters or numbers.             The expression p[0-9]rn catches p0rn, p1rn, p2rn, p3rn, and so on.
[^a-b]      Matches all characters except those between the brackets.                                   The expression sh[^ou]t catches every four-letter word beginning with sh and ending with t, except shut and shot.
{n, m}      Matches a specific number of instances, or instances within a range, of the preceding       The expression x\{3,\} catches xxx, xxxx, and xxxxx, but does not catch x or xx.
            character.
\<          Matches the beginning of a word.                                                            The expression \<out catches the string out to the ballpark, but does not catch strikeout.
\>          Matches the end of a word.                                                                  The expression \>out catches strikeout, but does not catch outfield.
Table 7-10: Writing regular expressions.

Priority of Operators
When expressions are evaluated, certain operators are given priority over others (see Table 7-11).

Operator    Priority
.(. .).     1
.WILD.      1
.OCCUR.     2
.NOT.       2
.NEAR.      3
.AND.       4
.OR.        5
Table 7-11: Priority 1 is the highest, and Priority 5 is the lowest.

Advanced Settings
Each emanager filter has advanced settings that you can configure to complement some of the keyword expressions that you write (see Figure 7-4). InterScan MSS uses the Proximity setting to determine how far apart keywords can be when using the relational operator (.NEAR.). The Frequency setting defines how many times a keyword can appear in an e-mail when using the limiting operator (.OCCUR.).

Figure 7-4: The emanager filters have advanced settings.

Proximity
When configuring expressions, you can create intelligent filters, or filters that allow you to take the proximity of keywords into consideration. For example, use the expression punch .NEAR. face to evaluate the following message from an upset colleague:

...be forewarned: if your bill collectors persist in calling me, I will come down to your office and punch your face into oblivion...

If the proximity value is set at two, the expression punch .NEAR. face causes the filter to trigger on the colleague's message. When InterScan MSS detects the first word, it assigns that word the number 1, and then it counts each word until it detects the second word (see Table 7-12).

Word      punch    your    face
Number    1        2       3
Table 7-12: Calculating the proximity setting.

After detecting the second word, InterScan MSS subtracts the number assigned to the first word from the number assigned to the second word. If the value is equal to or less than the proximity setting, the filter triggers.

Now use the same expression to evaluate the following message taken from a newsletter:

...the party was a tremendous success. The children had fruit punch and cookies. A clown showed up after snack time to distribute presents, and the children laughed at his painted face and colorful clothes...

The expression will not cause the filter to trigger on the newsletter because the word punch is not close enough to the word face.

Frequency Setting
When you write a keyword expression using the limiting operator, you may want your filter to trigger only when that expression appears several times. Being lenient with the frequency setting gives your users a few chances when using prohibited keywords. The filter is triggered, however, when the keywords are used excessively. For example, suppose you wanted to search for messages that contain more than five occurrences of the word free. You would create the following expression:
  .OCCUR. free

After creating the expression, you can set the frequency value to five. Select Policy Manager > Global Policy from the left-hand column of the InterScan MSS Web console. Click the Edit button in the Filter Type column for the filter you want to configure, and then click the Advanced Setting link on the screen that appears (see Figure 7-5). Set the value of the Frequency: field to five.

Separating Characters
By default, the emanager filter divides message content into words when it encounters the space, tab, line feed, and carriage return characters. If you want to use other characters to divide keywords, enter them in the Separators: field.
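The following Python evaluator is an added example, not InterScan MSS's own engine: it parses the emanager expression syntax described in the Operators, Regular Expressions, Priority of Operators, Proximity and Frequency Setting sections above (.(. .)., .WILD., .REG., .OCCUR., .NOT., .NEAR., .AND., .OR.) with the priorities of Table 7-11, splits content on the default separators, and applies the Proximity and Frequency settings the way this chapter explains them. Two details are assumptions chosen so that Tables 7-2 through 7-8 come out as printed: matching is case-insensitive, and a plain operand matches whole words only. The sample texts in the demo are taken from those tables.

```python
import bisect
import re

# The emanager operators described on the page. Operators are .NAME. tokens
# separated from their operands by spaces; an operand is one or more words.
OPERATORS = {".(.", ".).", ".AND.", ".OR.", ".NOT.", ".NEAR.", ".OCCUR.", ".WILD.", ".REG."}


class ContentMatcher:
    """Evaluates an emanager-style keyword expression against one message part.

    Every sub-expression yields the sorted word positions where it matched; an
    empty list means no match. Matching is case-insensitive and plain operands
    match whole words (assumptions chosen so the page's tables come out as printed).
    """

    def __init__(self, text, separators=" \t\n\r", proximity=2, frequency=5):
        self.text = text
        self.proximity = proximity  # Advanced Settings: Proximity, used by .NEAR.
        self.frequency = frequency  # Advanced Settings: Frequency, used by .OCCUR.
        sep = re.escape(separators)  # default separators named on the page
        self.starts = [m.start() for m in re.finditer(rf"[^{sep}]+", text)]

    def matches(self, expression):
        return bool(self.evaluate(expression))

    def evaluate(self, expression):
        self.toks, self.pos = expression.split(), 0
        hits = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")
        return hits

    # Operands become regexes over the raw text; each hit is mapped back to
    # the index of the word that contains it.
    def _positions(self, pattern):
        found = {max(0, bisect.bisect_right(self.starts, m.start()) - 1)
                 for m in re.finditer(pattern, self.text, re.IGNORECASE)}
        return sorted(found)

    @staticmethod
    def _wild_regex(words):
        parts = []
        for i, w in enumerate(words):
            if w == "*":  # a lone * stands for any number of whole words
                parts.append(r"(?:\S+\s+)*")
            else:         # * inside a word stands for any run of characters
                parts.append(re.escape(w).replace(r"\*", r"\S*"))
                if i + 1 < len(words):
                    parts.append(r"\s+")
        return r"\b" + "".join(parts) + r"\b"

    def _peek(self):
        return self.toks[self.pos].upper() if self.pos < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _binary(self, below, op, combine):
        left = below()
        while self._peek() == op:
            self._take()
            left = combine(left, below())
        return left

    # Binary operators from loosest (.OR., priority 5) to tightest (.NOT., 2).
    def _or(self):
        return self._binary(self._and, ".OR.", lambda a, b: sorted(set(a) | set(b)))

    def _and(self):
        return self._binary(self._near, ".AND.", lambda a, b: sorted(set(a) | set(b)) if a and b else [])

    def _near(self):
        return self._binary(self._not, ".NEAR.", self._near_hits)

    def _not(self):
        return self._binary(self._unary, ".NOT.", lambda a, b: [] if b else a)

    def _near_hits(self, a, b):  # word-position difference, as in Table 7-12
        return sorted({p for x in a for y in b if abs(x - y) <= self.proximity for p in (x, y)})

    # Grouping, decorating operators (priority 1) and the prefix .OCCUR. (priority 2).
    def _unary(self):
        tok = self._peek()
        if tok == ".OCCUR.":
            self._take()
            hits = self._unary()
            return hits if len(hits) > self.frequency else []  # more than Frequency
        if tok == ".(.":
            self._take()
            hits = self._or()
            if self._peek() != ".).":
                raise ValueError("missing .).")
            self._take()
            return hits
        if tok == ".WILD.":
            self._take()
            return self._positions(self._wild_regex(self._phrase()))
        if tok == ".REG.":
            self._take()
            return self._positions(" ".join(self._phrase()))
        return self._positions(r"\b" + r"\s+".join(map(re.escape, self._phrase())) + r"\b")

    def _phrase(self):
        words = []
        while self._peek() is not None and self._peek() not in OPERATORS:
            words.append(self._take())
        if not words:
            raise ValueError("operand expected")
        return words


if __name__ == "__main__":
    # Content from Table 7-2 on the page, evaluated with both grouping variants.
    sample = "many young families have found that buying houses in the East Bay suburbs is cheaper than living in the peninsula communities"
    print(ContentMatcher(sample).matches("better .AND. faster .OR. cheaper"))          # True
    print(ContentMatcher(sample).matches("better .AND. .(. faster .OR. cheaper .)."))  # False
```

Because each operand evaluates to word positions rather than a bare true/false, .NEAR. can apply the Proximity distance of Table 7-12 and .OCCUR. can compare the number of hits with the Frequency setting; the same position lists feed .AND., .OR. and .NOT. without further bookkeeping.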

Figure 7-5: The emanager filters all have advanced settings that you can configure by clicking the Advanced Settings link shown here. This link is available only after the filter has been created. These settings cannot be modified while creating the filter.

Intelligent Keyword Matching

You can assign a severity value to advanced content filter expressions. If the value exceeds the threshold that you set, then the filter takes the filter action that you have configured. For example, you give the word jerk a severity rating of three, and then set your threshold at 10. An e-mail that contains three instances of the word jerk would not trigger the filter because the severity total (9) is lower than the threshold. However, if the e-mail contains a fourth instance of the word jerk, the severity total (12) would be higher than the threshold, triggering the filter (see Figure 7-6).

Note: If the severity-index result of scanning the attachment surpasses a threshold, you can automatically delete the attachment before sending the message to the recipient.
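An added Python illustration of the severity arithmetic (editor's code, not the product's): keywords carry severity values, each message component is totalled on its own, as the Calculating Severity section below describes, and an attachment component that ends up over the threshold is reported for removal, as the Note above allows. The SEVERITY table, the component names and the function names are assumptions.

```python
# Constructed severity table using the textbook's sample keywords.
SEVERITY = {"jerk": 3, "punk": 5}


def component_severity(text, severity=SEVERITY):
    """Sum the severity of every keyword occurrence in one message component."""
    total = 0
    for word in text.lower().split():
        total += severity.get(word.strip(".,!?;:"), 0)
    return total


def evaluate_message(components, threshold, severity=SEVERITY):
    """Score each component (subject, body, attachment...) separately; the filter action
    is taken only when a single component's own total exceeds the threshold.
    Returns (triggered, per-component scores, names of components over the threshold)."""
    scores = {name: component_severity(text, severity) for name, text in components.items()}
    over = [name for name, score in scores.items() if score > threshold]
    return bool(over), scores, over


def attachments_to_strip(components, threshold, severity=SEVERITY):
    """Attachment components whose severity total surpasses the threshold; per the Note
    in the text, these can be deleted before the message is delivered."""
    _, _, over = evaluate_message(components, threshold, severity)
    return [name for name in over if name.startswith("attachment")]


if __name__ == "__main__":
    # Three instances of jerk (9) stay under a threshold of 10; a fourth (12) exceeds it.
    print(evaluate_message({"body": "you jerk, jerk, jerk"}, 10)[0])        # False
    print(evaluate_message({"body": "jerk jerk jerk jerk"}, 10)[0])         # True
    # Combinations count too: jerk (3) + punk (5) = 8 exceeds a threshold of 7.
    print(evaluate_message({"body": "you jerk, you punk"}, 7)[0])           # True
    # Components are scored separately: subject and body never add up together.
    both = {"subject": "jerk", "body": "punk"}
    print(evaluate_message(both, 10, {"jerk": 5, "punk": 5})[0])            # False
    # An attachment over the threshold can be stripped while the message still goes out.
    msg = {"body": "meeting notes", "attachment:rant.txt": "jerk punk jerk punk"}
    print(attachments_to_strip(msg, 10))                                    # ['attachment:rant.txt']
```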

Figure 7-6: Setting severity values for keywords and expressions.

Combinations of words can cause the total to exceed the threshold as well. For example, you give the word jerk a severity rating of three, the word punk a severity rating of five, and you set your threshold at seven. If an e-mail contains two instances of the word jerk, the filter will not trigger. However, if the e-mail contains the words jerk and punk, then the filter will trigger because the total value (eight) exceeds the threshold.

Severity values can only be positive. If, however, you want to ignore a keyword when it occurs in conjunction with another term, you can configure this kind of filter behavior by using the .AND., .OR., and .NOT. operators.

Calculating Severity

When calculating severity, the emanager filters consider each message component separately, such as the header, body, and attachment. For example, suppose you set the severity threshold at 10 and give the keywords jerk and punk a severity value of five. A message with a subject containing jerk and a body containing punk will not trigger the filter, even though the words matched. Because the words are found in different entities, the message is permissible.

Writing Complex Expressions

Sometimes you want the emanager filter to detect tokens except when they appear in conjunction with other words. For example, as part of a policy designed to detect sexually harassing content, you want to filter for the keyword buns. However, you want to exclude legitimate occurrences of this keyword, such as hamburger buns and hotdog buns. The requirements of this expression are summarized below:

Detect buns but ignore it when it is part of the expression hamburger buns.
Detect buns but ignore it when it is part of the expression hotdog buns.

You can create several expressions that will block messages with sexual usage of the word buns, but permit legitimate e-mail about hamburger and hotdog buns. The following four examples show how to write such an expression.

Requirement 1: buns .AND. .NOT. hamburger buns

Requirement 2: buns .AND. .NOT. hotdog buns

Note: You do not have to use parentheses in the first two expressions because the .NOT. operator is evaluated before the .AND. operator.

You can combine the expressions for both requirements by using the .OR. operator. The final expression is as follows:

.(. buns .AND. .NOT. hamburger buns .). .OR. .(. buns .AND. .NOT. hotdog buns .).

Note: The .(. and .). operators are required in the final expression because the .OR. operator has the lowest priority of operation. The evaluation order would not be correct if the .(. or .). operators were omitted.

Evaluation Rules

The way an expression is written is vital to the functionality of the expression. To ensure that the expression filters the correct material, you should remember the following guidelines when creating expressions:

The expression must be valid.
Contents within parentheses are evaluated first.
Contents are evaluated from left to right.
Contents are evaluated according to the priority of the operators.

Seven Types of Valid Expressions

There are seven types of valid expressions:

Type 1

Type 1 is an operand-only expression, or an expression that does not have an operator. An example is shown below:

keyword

Type 2

.WILD. <Type (1) expression>

Note: Due to performance issues, the first token and the last token following the operator .WILD. cannot consist of a single asterisk. For example, .WILD. *, .WILD. * Birthday and .WILD. Happy * are all invalid expressions.

Type 3

.NOT. <Type (1) expression>
.NOT. <Type (2) expression>
.NOT. <Type (3) expression>
.NOT. <Type (4) expression>
.NOT. <Type (5) expression>
.NOT. <Type (7) expression>

Type 4

.OCCUR. <Type (1) expression>
.OCCUR. <Type (2) expression>

Type 5

<Any Type (1 to 7)> .AND. <Any Type (1 to 7)>
<Any Type (1 to 7)> .OR. <Any Type (1 to 7)>

Type 6

<Any Type (1 to 2)> .NEAR. <Any Type (1 to 2)>

Type 7

.(. <Type (1 to 7) expression> .).

Note: Expressions that do not comply with one of the above seven forms are treated as invalid (see Table 7-13).

Expression | Validity | Explanation
.OCCUR. .(. High .AND. LOW .). | Invalid | .OCCUR. cannot appear before a Type 7 expression.
.NOT. High .NEAR. Low | Invalid | .NEAR. can apply only to Type 1 and Type 2; .NOT. is Type 3.
.NOT. .(. High .NEAR. Low .). | Valid | Complies with Type 3.

.WILD. better * faster .NEAR. coming soon | Valid | Complies with Type 6.
.WILD. * | Invalid | The first token that follows .WILD. is the asterisk.
.WILD. Hello, every **** | Invalid | The last token, which follows .WILD., is all asterisks.

Table 7-13: Examples of valid and invalid expressions.

Using Reserved Words as Operators

If you want to match some reserved keywords, or text that resembles an operator within an operand, you have to add an escape character (\) to it. For example, if you want to match the keywords cats and dogs, you might write the following expression:

cats \.AND. dogs

However, if you want to match the escape character as part of the keywords cats\dogs and pets, you have to use two escape characters when writing the expression, as shown in the following example:

cats\dogs \\.AND. pets

Note: The escape character is not character-based but token-based. The escape character covers the whole token instead of the character. Also, it does not escape the special character asterisk (*) in the expression that follows the .WILD. operator.

Creating an Advanced Content Filter

To create an advanced content filter, click Policy Manager > Global Policy from the left-hand menu of the InterScan MSS Web console. The Global Policy screen appears. Click the Create new filter link at the top of the screen. Follow the step-by-step instructions on the New Filter screen that appears (see Figure 7-7).
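An added Python parser for the evaluation rules and escape convention above (editor's code, not Trend Micro's): it applies the precedence the text gives (parentheses first, then .NOT., then .AND., then .OR., left to right), treats consecutive words as one phrase operand, and handles the token-based escape with a single backslash. The double-escape case and the .OCCUR., .NEAR. and .WILD. operators are not modelled, and every function name and the two BUNS_ constants are assumptions.

```python
OPERATORS = {".AND.", ".OR.", ".NOT.", ".(.", ".)."}


def tokenize(expression):
    """Whitespace-separated tokens. A token beginning with the escape character is a
    literal operand with the escape removed: escaping is token-based, as the text says.
    The double-escape case is not modelled here (assumption)."""
    tokens = []
    for raw in expression.split():
        if raw.startswith("\\"):
            tokens.append(("lit", raw[1:].lower()))
        elif raw.upper() in OPERATORS:
            tokens.append(("op", raw.upper()))
        else:
            tokens.append(("lit", raw.lower()))
    return tokens


class ExpressionParser:
    """Recursive-descent parser for the evaluation rules: parentheses first, left to
    right, .NOT. before .AND., and .OR. with the lowest priority."""

    def __init__(self, expression):
        self.tokens = tokenize(expression)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse(self):
        tree = self.parse_or()
        if self.pos != len(self.tokens):
            raise ValueError("invalid expression: unexpected %r" % (self.peek()[1],))
        return tree

    def parse_or(self):
        tree = self.parse_and()
        while self.peek() == ("op", ".OR."):
            self.take()
            tree = ("or", tree, self.parse_and())
        return tree

    def parse_and(self):
        tree = self.parse_not()
        while self.peek() == ("op", ".AND."):
            self.take()
            tree = ("and", tree, self.parse_not())
        return tree

    def parse_not(self):
        if self.peek() == ("op", ".NOT."):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        kind, value = self.peek()
        if kind == "op" and value == ".(.":
            self.take()
            tree = self.parse_or()
            if self.take() != ("op", ".)."):
                raise ValueError("invalid expression: missing .).")
            return tree
        if kind != "lit":
            raise ValueError("invalid expression: operand expected")
        phrase = []
        while self.peek()[0] == "lit":      # consecutive words form one phrase operand
            phrase.append(self.take()[1])
        return ("phrase", phrase)


def phrase_in(words, phrase):
    """Whole-word, contiguous match of a phrase inside the message words."""
    n = len(phrase)
    return any(words[i:i + n] == phrase for i in range(len(words) - n + 1))


def evaluate(tree, words):
    kind = tree[0]
    if kind == "phrase":
        return phrase_in(words, tree[1])
    if kind == "not":
        return not evaluate(tree[1], words)
    if kind == "and":
        return evaluate(tree[1], words) and evaluate(tree[2], words)
    return evaluate(tree[1], words) or evaluate(tree[2], words)


def filter_matches(expression, text):
    """True when the message text triggers the expression (case-insensitive, whole words)."""
    return evaluate(ExpressionParser(expression).parse(), text.lower().split())


def is_valid_expression(expression):
    try:
        ExpressionParser(expression).parse()
        return True
    except ValueError:
        return False


# The textbook's combined expression, and the same two requirements joined with .AND.
BUNS_OR = ".(. buns .AND. .NOT. hamburger buns .). .OR. .(. buns .AND. .NOT. hotdog buns .)."
BUNS_AND = "buns .AND. .NOT. hamburger buns .AND. .NOT. hotdog buns"

if __name__ == "__main__":
    print(filter_matches("cats \\.AND. dogs", "we keep cats .AND. dogs"))   # True
    print(filter_matches(BUNS_OR, "hamburger buns on sale"))                # True
    print(filter_matches(BUNS_AND, "hamburger buns on sale"))               # False
    print(is_valid_expression("buns .AND."))                                # False
```

Running the textbook's combined expression against the constructed text "hamburger buns on sale" returns True, because the second .OR. branch only excludes hotdog buns, so buns .AND. .NOT. hotdog buns still holds; BUNS_AND, which joins both exclusions with .AND., returns False for that text and True for "nice buns". Evaluating an expression against known-good and known-bad samples like this before enabling the filter is the practical way to confirm the evaluation order does what you intend.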

Figure 7-7: The New Filter screen.

Configuring a Message-Attachment Filter

The message-attachment filter is used to block message attachments or MIME content-types at the SMTP gateway. For example, your company might prohibit users from exchanging MP3 files and WAV files because these files might distract users. Your company may also prohibit users from exchanging EXE and COM files because these files are vulnerable to viruses. You can use a message-attachment filter to prevent these types of files from entering your system.

Features

The message-attachment filter checks messages according to the following criteria:

Attachment name (supports wildcards)
Attachment type from the MIME content-type field in the message header
Attachment file type from a binary analysis of the attachment

Creating a Message-Attachment Filter

To create a message-attachment filter, click Policy Manager > Global Policy and click the Create new filter link. The New Filter screen appears (see Figure 7-7). Follow the step-by-step instructions to create a message-attachment filter.

To modify an existing message-attachment filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-8).

Figure 7-8: The attachment filter modification screen.

Message MIME Content Type

E-mail messages with MIME content contain a content type field in their headers. The following is an example of an e-mail message header:

Mime-Version: 1.0
Content-Type: multipart/mixed;

This is a multi-part message in MIME format.

Content-Type: text/plain; format=flowed

Content-Type: application/msword;
...

The message-attachment filter detects the MIME types you select and then performs the action you configure (see Figure 7-9).

Figure 7-9: The MIME content types.

Table 7-14 shows how the emanager filter blocks certain MIME content-type attachments. You can use this table to determine which MIME content type is blocked (right column) by enabling the corresponding item (left column) in the program's user interface.

emanager Options | MIME Content Type(s)

Image File Formats
JPEG | image/jpeg, image/pjpeg
GIF | image/gif
TIF/TIFF | image/tiff
BMP | image/x-ms-bmp, image/bmp

Audio File Formats
WAV | audio/x-wav, audio/wav, audio/microsoft-wav
MP3 | audio/x-mpeg, audio/mpeg
MIDI | x-music/x-midi, audio/mid

Video File Formats
MPEG | video/mpeg
QUICKTIME | video/quicktime
MSVIDEO | video/x-msvideo, video/avi, video/x-ms-asf, video/x-ms-wmv

Application File Formats
PDF | application/pdf
ZIP | application/zip, application/x-zip-compressed
msword/rtf | application/msword, application/rtf, text/richtext
mspowerpoint | application/vnd.ms-powerpoint, application/mspowerpoint
msexcel | application/vnd.ms-excel, application/x-msexcel, application/ms-excel

Table 7-14: The MIME content types.

Note: E-mail clients may list the MIME content type differently. The exact wording in the message's Content-Type field may vary slightly depending on which client was used to send the message.

Attachment File Type

You can filter a number of attachment file types at the SMTP gateway. For example, you can filter the following executable files:

EXEs: All DOS, Windows 3.1, 32-bit Windows and OS/2 executable files are filtered.
DLLs: Windows 3.1 and 32-bit Windows DLLs are filtered.
Java byte code

In addition, you can filter compressed files with the following extensions: ZIP, RAR, ARJ, TAR, and GZ. If you check the Others option, you can also filter the LZW, CAB, LHA, ARC, AR, PKLITE, DIET, LZH, and LZ compressed file formats.

Analyzing True File Type

The emanager filter does not rely on a file's extension to determine the file type. Instead, the emanager filter performs an internal analysis of the file. The following list shows the file types that are most likely to be attacked by viruses. If you want to filter for any of these file types, you can enter them in the Other field. Use a semi-colon (;) to separate multiple entries.

BAS: Microsoft Visual Basic class module
BAT: batch file
CHM: compiled HTML help file
CMD: Microsoft Windows NT command script
COM: Microsoft MS-DOS program
CPL: control panel extension
CRT: security certificate
EXE: program
HLP: help file
HTA: HTML program
INF: setup information
INS: Internet naming service
ISP: Internet communication settings
JS: JScript file
JSE: JScript Encoded Script file
LNK: shortcut
MDA: Microsoft Access add-in program
MDB: Microsoft Access program
MSC: Microsoft Common Console document
MSI: Microsoft Windows installer program
MSP: Windows installer patch
MST: Visual Test source files
PCD: photo CD image or Microsoft Visual Test compiled script
PIF: shortcut to MS-DOS program
REG: registration entries
SCR: screen saver
SCT: Windows script component
SHS: shell scrap object
URL: Internet shortcut
VB: VBScript file
VBE: VBScript encoded script file
VBS: VBScript file
WSC: Windows script component
WSF: Windows script file
WSH: Windows script host settings file
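An added Python example of the two attachment checks described in this and the preceding section (editor's code built on the standard email library, not the product's engine): MIME content types are looked up from a subset of Table 7-14, and the true file type is read from the attachment's leading bytes instead of its name, which is what catches an executable renamed to .txt. The signature list, the constructed sample message and all function names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Subset of Table 7-14: emanager option -> MIME content types it blocks.
MIME_OPTIONS = {
    "WAV": {"audio/x-wav", "audio/wav", "audio/microsoft-wav"},
    "MP3": {"audio/x-mpeg", "audio/mpeg"},
    "ZIP": {"application/zip", "application/x-zip-compressed"},
}

# Constructed magic-number table for the binary analysis (assumption: an illustrative
# list, not the product's own signature database).
SIGNATURES = [
    (b"MZ", "exe"),                 # DOS/Windows executables and DLLs
    (b"PK\x03\x04", "zip"),
    (b"\xca\xfe\xba\xbe", "java-class"),
    (b"Rar!\x1a\x07", "rar"),
]


def true_file_type(data):
    """Identify an attachment by its leading bytes rather than its file extension."""
    for signature, name in SIGNATURES:
        if data.startswith(signature):
            return name
    return "unknown"


def check_message(raw, enabled_options=("WAV", "MP3"), blocked_true_types=("exe", "zip")):
    """Return (filename, reason) findings for every part that a message-attachment
    filter with the given settings would block."""
    blocked_mime = set().union(*(MIME_OPTIONS[o] for o in enabled_options))
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or "(body)"
        if ctype in blocked_mime:
            findings.append((name, "blocked MIME type " + ctype))
        actual = true_file_type(part.get_payload(decode=True) or b"")
        if actual in blocked_true_types:
            findings.append((name, "true file type %s (declared %s)" % (actual, ctype)))
    return findings


def build_sample_message():
    """Constructed test message: a .txt attachment that is really an executable, and a
    WAV attachment declared with a MIME type the filter blocks."""
    msg = EmailMessage()
    msg["From"] = "joe@mydomain.example"
    msg["To"] = "amy@herdomain.example"
    msg["Subject"] = "Lunch today?"
    msg.set_content("Menu attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="text",
                       subtype="plain", filename="menu.txt")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="jingle.wav")
    return msg.as_string()


if __name__ == "__main__":
    for name, reason in check_message(build_sample_message()):
        print(name, "->", reason)
```

The declared Content-Type and the file name are both under the sender's control; only the binary analysis is not, which is why the second finding for menu.txt is the one a gateway policy should rely on.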

Configuring General Content Filter

The general content filter is a simple content and attachment filter. You can use this filter to scan the subject line, keyword(s) in the message body, attachment file size, and attachment file extension.

Features

The general content filter provides the following functionality:

Filters content in the following:
  Message subject field (permits multiple subjects)
  Keywords in message body
  Message size
  Attachment file name (supports wildcard)
Supports case sensitivity

Note: The general content filter cannot use complex expressions that include the built-in operators .NOT., .OCCUR., and so on. When these terms are entered, they are treated as part of the keyword expression and not as operators.

Modifying the General Content Filter

When modifying the General Content filter, you must choose which parts of the e-mail the filter will scan. You can select any combination of the following elements:

Subject line
E-mail body
Message size
Attachment file name

You can search for keywords, such as ILOVEYOU, in the subject line. This option supports the asterisk (*) wildcard within an expression, but the asterisk must be accompanied by at least one character. The asterisk cannot stand alone.

You can search for keywords in the e-mail body. This option supports the asterisk (*) wildcard within an expression.

You can filter attachments that match the parameters you specify. For example, you can filter attachments that are larger than 2 MB.

You can enter the file names to detect. This option supports the asterisk (*) wildcard within an expression.

If you select multiple filtering criteria for the same general content filter, all the criteria must be found in an e-mail in order to trigger the filter. For example, if you specify that the e-mail must contain ILOVEYOU in the subject line, and the document attachment must have a DOC extension, then both attributes must be found in the e-mail in order to trigger the filter.
An e-mail with ILOVEYOU in the subject line and no attachment will not trigger such a filter.

To create a general content filter, click Policy Manager > Global Policy and click the Create new filter link. The New Filter screen appears. Follow the step-by-step instructions to create a general content filter.

To modify a general content filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-10):

Figure 7-10: The general content filter modification screen.

Configuring Message-Size Filters

The message-size filter allows precise control over the sizes of messages that can be processed throughout the day. InterScan MSS checks for postponed messages every five minutes. You can use this filter to postpone processing large messages until after peak hours, reducing the amount of resources you use during business hours.

Features

The message-size filter provides the following functionality:

Supports message filtering based on message size (body + attachments), an attachment's size, and/or the number of attachments
Enforces message-size restrictions during time periods selected from a weekly calendar

Creating a Message-Size Filter

When creating or modifying a message-size filter, you can set the following size limitations:

Body + attachments
Size of any single attachment
Number of attachments

To create a message-size filter, click Policy Manager > Global Policy and click the Create new filter link. The New Filter screen appears. Follow the step-by-step instructions to create a message-size filter.

To modify a message-size filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-11):

Figure 7-11: The message-size filter modification screen.

Configuring Disclaimer Manager Filter

You can use the disclaimer manager filter to append standard text to specified messages. For example, your company may want to configure disclaimer manager filters to append the following information:

A standardized statement about the company
A confidentiality statement
A statement that explains that the views of the sender do not necessarily reflect the views of the company

Features

The disclaimer manager filter provides the following functionality:

Appends user-configurable disclaimer text at the beginning or end of messages
Supports complex expressions using the emanager filters
Alternatively appends the disclaimer to all messages

Creating a Disclaimer Manager Filter

The disclaimer can be a maximum of 1,024 characters long. To create or modify a disclaimer manager filter, click Policy Manager > Global Policy from the left-hand menu of the InterScan MSS Web console, and then click the Create new filter link on the Global Policy screen that appears. Supply the information requested on the screen and follow the prompts to finish creating the filter (see Figure 7-12). When creating new expressions, you can use Boolean terms to define when the disclaimer will be added to a message.

Figure 7-12: Creating a disclaimer manager filter.

Configuring the emanager Anti-Spam Filter

Trend Micro has a team of spam collectors who add identifying characteristics of spam to the spam databases. Because spam senders frequently change their addresses, identifying characteristics such as Web sites or telephone numbers are used to detect them. The anti-spam filter detects spam messages by comparing message content with the Trend Micro spam database. The filter updates the following two files from the spam database and uses the files to block spam:

TM_Trend$SE.### contains message header characteristics such as the Subject, From, and To fields of known spam messages (### represents the database version).

TM_AntiSpam.### contains typical keyword expressions that appear in spam messages. Keywords might be a phone number, a URL, or an expression such as Get rich in 30 days.

If you receive a suspected spam message that the Trend Micro spam database fails to detect, forward it (including all headers) to [email protected]. If Trend Micro confirms that it is a spam message, it will be added to the spam database.

To create a spam filter, click Policy Manager > Global Policy from the left-hand column of the InterScan MSS Web console. On the Global Policy screen that appears, click the Create new filter link and follow the instructions provided on the screens. When creating a spam filter, you must choose one of the following scanning options:

Enable for Message Subject: Scans the headers and compares them with the Trend Micro spam database
Enable for Both Message Subject and Body: Scans both the subject line and the body (higher spam detection rate and more strain on the processing system)

Spam Prevention Service (SPS)

Spam Prevention Service (SPS) uses a heuristic scan engine to detect spam.
As the e-mail passes through InterScan MSS, the SPS heuristic filter compares the characteristics of the e-mail against predefined rules and assigns a numbered score to each characteristic. The scores are processed through a mathematical formula that is based on the weighted significance of each characteristic and the combination of characteristics observed in the message. The result of this equation is the spam score (see Figure 7-17). SPS measures the spam score against the desired level of spam sensitivity to determine whether the message is spam. If the spam score for a given message exceeds the sensitivity level of your policy, the message is considered spam. This process can only be overridden in the following scenarios:

If the sender appears on the Approved Senders list, the message is not considered to be spam, regardless of the score.

If the sender appears on the Blocked Senders list, the message is considered to be spam, regardless of the score.
If text in the message triggers a Text exemption filter, the message is not considered spam.

[Figure 7-17 diagram: an e-mail arriving from the Internet through the firewall to IMSS is checked against rules 1 to 9 in the Spam Prevention Service client, each marked Match or X, and the Inference Engine computes the statistical probability that the message is spam.]

SPS compares heuristic expressions in a message to known heuristic expressions (rules) of spam. The Inference Engine computes the statistical probability that the message is spam.

Figure 7-17: The SPS filter uses heuristic scanning technology to calculate the probability that an e-mail is spam.

Detecting first-time spam is the primary advantage of heuristic scanning. Most spam scan engines compare incoming e-mail to a database of known spam, or spam that has been circulating for weeks, months, or even years. Because the heuristic scan engine does not rely on a database of known spam, it can detect first-time spam, or spam that no one has ever seen before.

Features

The heuristic scan engine provides the following features that you can use to control the flow of spam entering your network:

Text exemption rules
Approved senders and blocked senders lists
A baseline detection rate applied to all e-mail
Additional sensitivity settings by category

To view and configure the heuristic scan engine features, select Policy Manager > Global Policy and click the Heuristic Spam Filter (SPS) Edit button in the Filter Type column. The Heuristic Spam Filter (SPS) screen appears (see Figure 7-13).

Figure 7-13: The SPS Baseline Detection Rate has six settings.

Text Exemption Rules

You can create text exemption rules to prevent SPS from scanning e-mail with specified content. For example, if you work for a sales company, you might decide that the salespeople need to receive e-mail about special airfare rates because they travel so often. You can create an exemption rule that scans the subject line for the word airfare. SPS forwards e-mail that matches the exemption rule to the next filter in the global policy. The e-mail is never analyzed by the SPS filters.

Approved Senders and Blocked Senders Lists

You can accept or deny all e-mail coming from specified domains, regardless of the content. For example, if you suspect that all e-mail from a particular domain is spam, you can add that domain to the Blocked Senders list. Once you add the domain, SPS blocks all e-mail from that specific domain, regardless of whether it is spam. If you want to accept all e-mail from a specific domain, you can add the domain to the Approved Senders list. Once you add the domain to the list, SPS accepts all e-mail from that specific domain, regardless of whether it is spam.

When you add a domain to either list, you must add it to either the modifiable or the unmodifiable section of the list. If you add the domain to the modifiable section, you can add a subset of the domain to the other list. However, if you add the domain to the unmodifiable section, you cannot add a subset of the domain to the other list. For example, if you add *@trendmicro.com to the modifiable section of the Approved Senders list, then you can add [email protected] to the Blocked Senders list.

Using the Asterisk Wildcard

You can use the asterisk wildcard (*) to compose entries on the Approved Senders and Blocked Senders lists. The asterisk can be used in place of either the name or the address in the domain. For example, if you want to accept all e-mail from Trend Micro, you might enter the following address in the window (see Figure 7-16):

*@trendmicro.com

Figure 7-15: Using the asterisk wildcard when configuring the Approved and Blocked Senders lists.

To match the name portion of an address, you can only use a single wildcard * or the exact name. Partial matches, like the one in the following example, are not allowed:

bobby*@trendmicro.com

When using wildcards for the domain part of an address, the asterisk must appear at the beginning of the pattern. The wildcard can match one or more subdomains, and you can use multiple wildcards to match subdomains (see Table 7-15):

Wildcard Entry | Possible Matches | Non-Matches

Table 7-15: Wildcards must appear at the beginning of the domain in an address. Partial matching of subdomains is not allowed.

You must enter wildcards from the most significant portion of the address to the least significant. For example, is an invalid format, but is valid. All addresses that you enter must contain the @ symbol. If an address does not, the entire string is considered invalid. Valid addresses are approved as they are entered. A dialog box appears when you enter an invalid address (see Figure 7-16).

Figure 7-16: InterScan MSS will not accept invalid addresses.

To modify the Approved Senders or Blocked Senders list, click the appropriate Edit link under the Filter Settings section of the screen (see Figure 7-11). On the screen that appears, enter the information requested.

Baseline Detection Rate

The heuristic scan engine analyzes all e-mail with a uniform level of aggression. You can adjust this level of aggression by setting the baseline detection rate at one of the six following options:

Most conservative
Conservative
Moderately conservative
Moderately aggressive
Aggressive
Most aggressive
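An added Python example of the entry rules for the Approved Senders and Blocked Senders lists described above (editor's code, not the product's): it validates entries (exactly one @, a name part that is the exact name or a lone *, domain wildcards only as leading whole labels), matches sender addresses against leading-wildcard domains where each * stands for one or more subdomains, and models the modifiable and unmodifiable sections. The text does not say how overlapping entries on the two lists are resolved, so "the most specific matching entry decides" is an assumption, as are the class, function and sample address names.

```python
def validate_entry(entry):
    """Apply the textbook's entry rules: exactly one @, a name part that is either the
    exact name or a lone *, and domain wildcards only as leading whole labels."""
    if entry.count("@") != 1:
        return False
    name, domain = entry.split("@")
    if not name or not domain:
        return False
    if "*" in name and name != "*":
        return False                      # bobby*@... is not allowed
    seen_literal = False
    for label in domain.split("."):
        if label == "*":
            if seen_literal:
                return False              # wildcard after a literal label (trendmicro.*)
        elif not label or "*" in label:
            return False                  # empty label or partial subdomain wildcard
        else:
            seen_literal = True
    return True


def matches(entry, address):
    """Does a (valid) list entry cover this sender address? Each leading * stands for
    one or more subdomains in front of the literal domain tail."""
    ename, edomain = entry.lower().split("@")
    aname, adomain = address.lower().split("@")
    if ename != "*" and ename != aname:
        return False
    elabels, alabels = edomain.split("."), adomain.split(".")
    wild = 0
    while wild < len(elabels) and elabels[wild] == "*":
        wild += 1
    tail = elabels[wild:]
    if wild == 0:
        return alabels == tail
    return len(alabels) >= len(tail) + wild and alabels[len(alabels) - len(tail):] == tail


def specificity(entry):
    """Number of literal (non-wildcard) parts; used to let the narrower entry win."""
    name, domain = entry.split("@")
    return (name != "*") + sum(label != "*" for label in domain.split("."))


class SenderLists:
    """Approved and Blocked Senders lists, each with a modifiable and an unmodifiable
    section (assumptions: an entry is refused when an unmodifiable entry on the other
    list already covers it, and the most specific matching entry decides)."""

    def __init__(self):
        self.lists = {"approved": {"modifiable": [], "unmodifiable": []},
                      "blocked": {"modifiable": [], "unmodifiable": []}}

    def add(self, which, section, entry):
        """Add an entry; returns False (lists unchanged) when the entry is invalid or is
        a subset of an unmodifiable entry on the other list."""
        if not validate_entry(entry):
            return False
        other = "blocked" if which == "approved" else "approved"
        if any(matches(existing, entry) for existing in self.lists[other]["unmodifiable"]):
            return False
        self.lists[which][section].append(entry)
        return True

    def check(self, address):
        """Return 'approved', 'blocked', or None for a sender address."""
        verdict, best = None, -1
        for which, sections in self.lists.items():
            for entries in sections.values():
                for entry in entries:
                    if matches(entry, address) and specificity(entry) > best:
                        verdict, best = which, specificity(entry)
        return verdict


if __name__ == "__main__":
    lists = SenderLists()
    lists.add("approved", "modifiable", "*@trendmicro.com")
    lists.add("blocked", "modifiable", "bob@trendmicro.com")  # subset of a modifiable entry: allowed
    print(lists.check("bob@trendmicro.com"), lists.check("amy@trendmicro.com"))   # blocked approved
    lists.add("approved", "unmodifiable", "*@example.com")
    print(lists.add("blocked", "modifiable", "x@example.com"))   # False: covered by an unmodifiable entry
```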

When you use a conservative setting, SPS allows some spam to enter your network. However, if you choose the most aggressive setting, SPS might falsely identify legitimate messages as spam. Trend Micro recommends that you select a setting in the middle and then gradually adjust the setting as needed.

Additional Sensitivity Settings

SPS sorts spam into four categories: Sexual content, Make Money Fast content, Racist content, and Commercial offers. Each of these four categories can be set to one of the following sensitivity levels:

Lowest
Low
Moderate
High

If you want to adjust the level of aggression with which SPS analyzes all e-mail, you should change the baseline detection rate. However, if you only want to adjust the level of aggression for a specific category of spam, you should use the additional sensitivity settings. By adjusting individual sensitivity settings, you can configure SPS to be more aggressive as it searches for some types of spam and less aggressive when it searches for other types. For example, if your company has a legitimate use for e-mail with commercial content, you might set the Commercial offer setting at Lowest. If your company has no tolerance for sexual and racist content, you might set the Sexual content and Racial content settings at High. When SPS analyzes e-mail with these settings, most commercial offers are accepted as legitimate e-mail. Anything moderately sexual or racial is blocked at the gateway.

SPS uses the baseline detection rate and the additional sensitivity settings to determine whether an e-mail is spam. For more information on how SPS determines if an e-mail is spam, see the Calculating the Spam Probability section in this chapter.

Configuring Sensitivity Settings

The Baseline Detection Rate and the Additional Sensitivity Settings should be used together. When fine-tuning the SPS filters, remember the following tips:

It is best to adjust the heuristic spam filter in small increments rather than making large changes.
If too many junk messages are getting through the heuristic spam filter, increase the Baseline Detection Rate sensitivity. If the Baseline Detection Rate is set too low, the individual category filters must be set very high in order to have a noticeable effect on the amount of spam being delivered.
When you increase the Baseline Detection Rate sensitivity, reduce the category filter sensitivities to the lowest setting. Monitor your message flow and then increase the category sensitivities as necessary.
Setting the individual category filters too high can result in valid messages being falsely identified as spam (false positives). While a high Baseline Detection Rate sensitivity can also result in false positives, it generally produces fewer false positives than setting an individual category filter too high.
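An added Python sketch of the scoring and override sequence described in the SPS sections above (editor's code, not the SPS engine): weighted rule matches plus a bonus for a combination of characteristics produce a spam score, which is compared first with the baseline detection rate and then with each category's own sensitivity setting, after the Approved Senders, Blocked Senders and text exemption overrides have been applied. The rules, weights, thresholds, sample messages and the order in which the overrides are checked are all assumptions; the six baseline settings and four category levels are the ones the text names.

```python
import re

# Constructed heuristic rules: (name, spam category, weight, predicate). Weights and
# thresholds below are illustrative assumptions, not the product's rule set.
RULES = [
    ("shouting_subject", "commercial", 1.0, lambda m: m["subject"].isupper()),
    ("get_rich_phrase", "make_money_fast", 3.0,
     lambda m: re.search(r"get rich", m["body"], re.I) is not None),
    ("unsubscribe_text", "commercial", 1.5, lambda m: "unsubscribe" in m["body"].lower()),
    ("adult_terms", "sexual", 3.0, lambda m: re.search(r"\bxxx\b", m["body"], re.I) is not None),
    ("many_exclamations", "commercial", 1.0, lambda m: m["body"].count("!") >= 3),
]

# The six baseline settings and four category levels named in the text; the numeric
# thresholds are assumptions.
BASELINE_THRESHOLD = {
    "most conservative": 7.0, "conservative": 6.0, "moderately conservative": 5.0,
    "moderately aggressive": 4.0, "aggressive": 3.0, "most aggressive": 2.0,
}
CATEGORY_THRESHOLD = {"lowest": 6.0, "low": 4.5, "moderate": 3.0, "high": 1.5}


def score_message(msg):
    """Weighted sum of matched rules, with a bonus when several characteristics appear
    together. Returns (spam score, per-category scores, matched rule names)."""
    total, per_category, matched = 0.0, {}, []
    for name, category, weight, predicate in RULES:
        if predicate(msg):
            matched.append(name)
            total += weight
            per_category[category] = per_category.get(category, 0.0) + weight
    if len(matched) >= 3:
        total *= 1.25            # combination of characteristics observed in the message
    return total, per_category, matched


def classify(msg, baseline="moderately conservative", category_levels=None,
             approved_domains=(), blocked_domains=(), exemptions=()):
    """Decide spam / not spam with the overrides the text lists (Approved Senders,
    Blocked Senders, text exemption rules), checked in that order, which is an
    assumption for the conflicting case the text does not cover."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in approved_domains:
        return "not spam", "approved sender"
    if sender_domain in blocked_domains:
        return "spam", "blocked sender"
    if any(word.lower() in msg["subject"].lower() for word in exemptions):
        return "not spam", "text exemption rule"
    score, per_category, matched = score_message(msg)
    if score >= BASELINE_THRESHOLD[baseline]:
        return "spam", "score %.3f over baseline (%s)" % (score, baseline)
    for category, level in (category_levels or {}).items():
        if per_category.get(category, 0.0) >= CATEGORY_THRESHOLD[level]:
            return "spam", "%s score over %s sensitivity" % (category, level)
    return "not spam", "score %.3f under threshold" % score


# Constructed messages.
SPAM = {"from": "deals@bulk.example", "subject": "GET RICH NOW",
        "body": "Get rich in 30 days!!! Click to unsubscribe."}
SALE = {"from": "shop@store.example", "subject": "SALE", "body": "Click to unsubscribe!!!"}
LEGIT = {"from": "joe@mydomain.example", "subject": "Lunch today?",
         "body": "Want to get lunch at noon?"}

if __name__ == "__main__":
    print(score_message(SPAM)[0], classify(SPAM))                              # 8.125, spam
    print(classify(LEGIT))                                                     # not spam
    print(classify(SALE, "most conservative", {"commercial": "lowest"}))       # not spam
    print(classify(SALE, "most conservative", {"commercial": "high"}))         # spam
    print(classify(SPAM, approved_domains=("bulk.example",)))                  # not spam
```

The SALE message shows the interplay the tuning tips describe: under the most conservative baseline it passes, and only raising the Commercial offers category to High flags it, which is exactly the single-category adjustment that the text warns produces more false positives than raising the baseline.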

Filter Actions

The filter actions SPS takes on messages that are identified as spam can vary depending on the confidence assigned to the e-mail. When SPS determines that an e-mail is spam, it assigns one of the four confidence levels shown in Table 7-16. You can configure a different filter action for each level of confidence (see Table 7-17). For example, you might choose to delete e-mail if SPS is Most confident that the e-mail is sexually explicit spam. However, you might choose to quarantine e-mail to which SPS assigns a level of Least confident.

Confidence Rating | Rough Percentage of Confidence that the Message Is Spam
Most confident | percent
Very confident | percent
Confident | percent
Least confident | 69 percent and below

Table 7-16: The confidence ratings SPS assigns to spam and the rough percentage of confidence for each rating.

Note: The percentages shown in Table 7-16 are not exact for every e-mail. Remember, the definition of spam varies from one company to another. What one person considers spam might be another person's most important e-mail. Trend Micro recommends that you use these percentages as guidelines, but not as absolute rules.

Filter Action | Description
Tag and Deliver | Puts Spam in the subject line and delivers the e-mail
Delete | Deletes the e-mail
Delete and Notify | Deletes the e-mail and notifies the administrator or user
Deliver | Sends the e-mail to the recipient without a Spam tag in the subject line
Deliver and Notify | Delivers the e-mail without a Spam tag in the subject line and notifies the administrator
Postpone and Notify | Postpones delivery of the e-mail and notifies the administrator

Quarantine | Quarantines the e-mail
Quarantine and Notify | Quarantines the e-mail and notifies the administrator

Table 7-17: The default filter actions for the SPS heuristic filter.

To set actions according to specific confidence levels, click Policy Manager > Global Policy. The Global Policy screen appears. Click Edit in the Filter Action column. Click the Advanced link next to the individual category that you want to configure. Use the menu options to set a specific action for each level of confidence for that type of spam (see Figure 7-17).

Figure 7-17: Configuring SPS sexual content filter actions for various levels of confidence.

Interpreting Message Header Information

All e-mail messages include a header section that contains address information. This information helps Internet servers route the message to the proper destination. SPS writes additional information into these headers. SPS and other programs use this information, known as X-headers, to determine what should be done with the e-mail.

The following sections describe typical headers and how SPS incorporates X-headers into normal headers.

Basic Message Headers

Most e-mail is handled by at least four computers from the time it is composed until the recipient receives the message. When a user sends an e-mail, the message is sent from that user's workstation to the organization's mail server. The organization's server then forwards the e-mail to the recipient's server. The recipient's server receives the incoming message and stores it until the recipient's computer retrieves the message and the recipient opens the e-mail. During this process, message headers are added three times (see Figure 7-18):

When the message is composed by whatever e-mail program the sender uses
When the e-mail program forwards the e-mail to the sender's server
When the sender's server forwards the e-mail to the recipient's server

[Figure 7-18 diagram: Sending Client, Sender's Server, Internet, Recipient's Server, Receiving Client.]

Figure 7-18: Headers are added to the message 1) when the message is composed, 2) when the e-mail program forwards the e-mail to the sender's server, and 3) when the sender's server forwards the e-mail to the recipient's server.

For example, if Joe at mydomain.com sends a message to his friend Amy at herdomain.com, the first header, generated by Joe's e-mail program before forwarding the message to Joe's mail server, would look like the following example:

From: [email protected] (Joe Smith)
To: [email protected]
Date: Fri, June :36:14 PST
X-Mailer: Groovymail v2.01
Subject: Lunch today?

When Joe's server transmits the message to Amy's server, it adds more information to the header:

Received: from alpha.mydomain.com (alpha.mydomain.com [ ]) by mail.mydomain.com (8.8.5) id 004A21; Fri, Jun :36: (PST)
From: [email protected] (Joe Smith)
To: [email protected]
Date: Fri, June :36:14 PST
Message-Id: <Joe @mail.mydomain.com>

X-Mailer: Groovymail v2.01
Subject: Lunch today?

Amy's mail server adds more information to the header when it receives the message, then stores the message until Amy retrieves it. The final header looks like this:

Received: from mail.mydomain.com (mail.mydomain.com [ ]) by mailhost.herdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <[email protected]>; Fri, 20 Jun :39: (PST)
Received: from alpha.mydomain.com (alpha.mydomain.com [ ]) by mail.mydomain.com (8.8.5) id 004A21; Fri, June :36: (PST)
From: [email protected] (Joe Smith)
To: [email protected]
Date: Fri, June :36:14 PST
Message-Id: <Joe @mail.mydomain.com>
X-Mailer: Groovymail v2.01
Subject: Lunch today?

The table in Appendix E contains explanations of the information shown in the example header.

X-Headers Generated by SPS

SPS adds X-header tags to the header section of every e-mail processed by the heuristic filter. Programs that are downstream from SPS use the contents of these X-headers to decide how to process messages that have been identified as spam. SPS generates the following X-headers:

X-imss-version              Indicates the version of the SPS scan engine that examined a particular message
X-imss-result               Indicates which category of spam best describes the message, the level of confidence SPS has that the e-mail is spam, and the action taken as a result of the confidence level
X-imss-scores               Indicates the numerical value assigned to the e-mail for each filter category
X-imss-settings             Indicates the SPS sensitivity levels that were used to evaluate an e-mail
X-imss-approveListMatch     Indicates that the sender of the e-mail appears on the Approved Senders list
X-imss-blockedListMatch     Indicates that the sender of the e-mail appears on the Blocked Senders list

X-imss-sender               Indicates the address that triggered the match; added to messages that also receive the X-imss-approveListMatch or X-imss-blockedListMatch header
X-imss-exclusionListMatch   Indicates that the e-mail contains keywords or combinations of keywords that appear on the exclusion list

Note: X-header tags are not unique to SPS. You may see other tags in an e-mail header that begin with the letter X. SPS generates only the tags in the above table, all of which contain the imss marker.

Calculating the Spam Probability

SPS uses a mathematical equation to determine whether an e-mail is spam. Figure 7-19 shows the details of an e-mail that SPS analyzed. The X-imss-scores: line shows the baseline score that the heuristic filter assigned to the message (1.1800). The letters in this line represent each of the four spam categories (see Table 7-18). The value for each category can range between 0 and 100, with 0 indicating that the message possesses none of the characteristics attributed to that particular category of spam. A value of 100 indicates that the message perfectly matches that particular category.

Figure 7-19: Viewing e-mail details

Letter   Category of Spam Represented
C        Commercial spam (sale notices, coupons, special offers)
M        Make Money Fast spam (get-rich-quick type material)
P        Pornographic spam (sexually explicit material)
R        Racist spam (racially insensitive material)

Table 7-18: X-header abbreviations.

The X-imss-settings: line shows the baseline detection rate when SPS analyzed the e-mail (Clean: 3). In this line, the numbers next to each letter represent the sensitivity setting for each category of spam when SPS analyzed the e-mail. In Figure 7-19, the Commercial and Racist content filters were set at the lowest settings, while the Make Money Fast and Sexual content filters were set at the highest and second highest settings respectively.

SPS uses the baseline score and the sensitivity setting of the filter that best matches the e-mail to calculate whether an e-mail is spam. Both the baseline score and the sensitivity setting have corresponding multipliers. The multipliers are inserted into the following equation, which SPS uses to calculate the probability that an e-mail is spam:

BM x SM = SPAM SCORE

In the equation, BM represents the Baseline Multiplier and SM represents the Sensitivity Multiplier (see Table 7-19 and Table 7-20).

Setting   Commercial offer   Make Money Fast   Sexual Content   Racist Content

Table 7-19: The sensitivity multipliers for the four different sensitivity settings for the individual content filters.

Setting   Baseline Multiplier

Table 7-20: The baseline multipliers for the six different baseline settings.

For example, the X-imss-result: line in Figure 7-19 shows that SPS was very confident the e-mail was pornography. The baseline detection rate was set at three, so SPS used .0500 as the multiplier for the baseline detection filter. The sensitivity level of the Sexual content filter was also set at three, and SPS used the corresponding multiplier value of 50. The spam score, or the value produced when these two numbers were multiplied together, was 2.500, as shown in the following equation:

.0500 x 50 = 2.500

The spam score is the last number shown in the X-imss-settings: line. In this example, the e-mail is spam because the spam score is greater than the baseline score displayed in the X-imss-scores: line. If the two scores had been the same, or the spam score had been less than the baseline score, the e-mail would not have been spam.

Managing the Quarantine Area

The default location of the quarantine area is the directory C:\Program Files\Trend\IMSS\IsntSmtp\quarantine. You can add or delete quarantine areas as needed. However, all quarantine areas must be local directories. You can view, reprocess, deliver, or delete the messages and attachments that are quarantined, and you can search the quarantine area to find a particular message.

Adding Quarantine Areas

To add a quarantine area, click Policy Manager > Quarantine Area from the left-hand frame of the InterScan MSS Web Console. In the Quarantine Area screen that appears, click Add. Enter the requested information and click Save (see Figure 7-20).
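The header walk (Joe to Amy) and the SPS scoring rule BM x SM = SPAM SCORE described above, as an added example that is not code from the textbook or from InterScan MSS. It assumes a constructed Key=Value layout for the X-imss-scores: and X-imss-settings: lines (the textbook shows them only in Figure 7-19), uses only the two multipliers the text quotes (baseline setting 3 gives .0500, sensitivity setting 3 gives 50), and takes "the filter that best matches the e-mail" to be the category with the highest score; addresses, IP addresses and times in the sample are made up.

```python
"""Walk the Received: chain of a message and apply the SPS spam-score rule.

Added example, not code from the Trend Micro textbook or from InterScan MSS.
Assumptions: the X-imss Key=Value layout is constructed; only the two multipliers
quoted in the text are known; the best-matching filter is the highest-scoring category.
"""
import email
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed message modelled on the textbook's final header example.  Addresses,
# IP addresses (RFC 5737 documentation range), times and X-imss values are made up.
SAMPLE_MESSAGE = """\
Received: from mail.mydomain.com (mail.mydomain.com [192.0.2.10])
\tby mailhost.herdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869
\tfor <amy@herdomain.com>; Fri, 20 Jun 2003 13:39:02 -0800 (PST)
Received: from alpha.mydomain.com (alpha.mydomain.com [192.0.2.25])
\tby mail.mydomain.com (8.8.5) id 004A21; Fri, 20 Jun 2003 13:36:40 -0800 (PST)
From: joe@mydomain.com (Joe Smith)
To: amy@herdomain.com
Date: Fri, 20 Jun 2003 13:36:14 PST
Message-Id: <Joe@mail.mydomain.com>
X-Mailer: Groovymail v2.01
X-imss-version: 1.0
X-imss-scores: Baseline=1.1800 C=4 M=2 P=71 R=0
X-imss-settings: Clean=3 C=1 M=4 P=3 R=1
Subject: Lunch today?

Lunch?
"""

# Table 7-18 letters.  The multiplier tables hold only the rows the textbook quotes;
# the remaining rows of Tables 7-19 and 7-20 are not reproduced on the page.
CATEGORIES = {"C": "Commercial", "M": "Make Money Fast", "P": "Sexual content", "R": "Racist"}
BASELINE_MULTIPLIER = {3: 0.0500}
SENSITIVITY_MULTIPLIER = {3: 50}

RECEIVED_RE = re.compile(r"^from\s+(\S+)\s.*?\bby\s+(\S+)", re.IGNORECASE)


def delivery_hops(raw_message: str) -> List[Tuple[str, str]]:
    """Return (from_host, by_host) pairs in the order the message actually travelled.

    Each server prepends its own Received: line, so the header list is newest-first
    and is reversed here.  Only the line stamped by a server you operate is
    trustworthy; everything below it arrived with the message and may be forged.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())        # unfold continuation lines
        match = RECEIVED_RE.match(flat)
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


class Verdict(NamedTuple):
    category: str          # Table 7-18 letter with the highest score
    baseline_score: float  # from the X-imss-scores: line
    spam_score: float      # BM x SM
    is_spam: bool


def parse_kv(header_value: str) -> Dict[str, float]:
    """Parse 'Key=Value Key=Value ...' (constructed layout) into numbers."""
    return {k: float(v) for k, v in re.findall(r"(\w+)=([\d.]+)", header_value)}


def evaluate_sps(raw_message: str) -> Verdict:
    """Apply BM x SM = SPAM SCORE and compare the result with the baseline score."""
    msg = email.message_from_string(raw_message)
    scores = parse_kv(msg["X-imss-scores"])
    settings = parse_kv(msg["X-imss-settings"])
    category = max(CATEGORIES, key=lambda letter: scores[letter])
    try:
        bm = BASELINE_MULTIPLIER[int(settings["Clean"])]      # baseline detection rate
        sm = SENSITIVITY_MULTIPLIER[int(settings[category])]  # that filter's sensitivity
    except KeyError as missing:
        raise ValueError(f"no multiplier on the page for setting {missing}") from missing
    spam_score = round(bm * sm, 4)  # four decimals, like 1.1800 in X-imss-scores
    baseline = scores["Baseline"]
    # Spam only when the spam score exceeds the baseline; an equal score is not spam.
    return Verdict(category, baseline, spam_score, spam_score > baseline)


if __name__ == "__main__":
    for src, dst in delivery_hops(SAMPLE_MESSAGE):
        print(f"{src} -> {dst}")
    print(evaluate_sps(SAMPLE_MESSAGE))
```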

Figure 7-20: The New Quarantine Area screen.

Note: Quarantined items can be saved for a maximum of 99 days.

Deleting Quarantine Areas

To delete a quarantine area, click Policy Manager > Quarantine Area from the left-hand frame of the InterScan MSS Web Console. In the Quarantine Area screen that appears, select the check box next to the quarantine area that you want to eliminate and click Delete.

Note: Deleting the quarantine area in the InterScan MSS console makes it unavailable to the program as a quarantine area. If you want to delete the folder, you must do so manually. All quarantined messages remain in the folder.

If a quarantine area shows "in use" instead of a check box in the right-hand column, this quarantine area is currently being used within a filter action and cannot be deleted.

Changing a Quarantine Area

To change the location of a quarantine area, click Policy Manager > Quarantine Area from the left-hand frame of the InterScan MSS Management Console. In the Quarantine Area screen that appears, click Edit next to the quarantine area that you want to relocate and change the directory in the field provided. You can also change the name of the quarantine area and the number of days that quarantined items are saved.

Note: Changing the quarantine location affects only items quarantined after the change. Any messages in the old quarantine directory must be deleted or manually copied to the new directory.

Managing Quarantined Messages

To manage the contents of a quarantine area, click Policy Manager > Quarantine Area from the left-hand frame of the InterScan MSS Web Console. In the Quarantine Area screen that appears, click View next to the quarantine area that you want to manage. A new screen appears, showing the e-mail in the quarantine area (see Figure 7-21).

Figure 7-21: The Default Area screen.

When managing the quarantine area, you have three options that you can apply either to selected messages or to all the messages in the folder.

Reprocess   Reprocess messages to apply the policies configured for the message's route. Sometimes content filters mistakenly quarantine e-mail that does not contain viruses. You can change the content filter's properties and reprocess the quarantined e-mail. Reprocessing allows virus-free messages to pass through the content filters. Infected messages are still quarantined by the updated virus-pattern file.
Deliver     Deliver the message without further processing.
Delete      Delete the message.

Querying Quarantine Areas

InterScan MSS includes a search function to query a quarantine area for messages that fit your criteria. To query the contents of a quarantine area, click Policy Manager > Query from the left-hand frame of the InterScan MSS Web Console. In the fields provided on the Query screen that appears, enter the information for which you want to query and click Query (see Figure 7-22).

Figure 7-22: The Query screen.

Lab Exercise 5: Configuring the Spam Prevention Service

Chapter 7 Summary and Review Questions

Summary

InterScan MSS includes eight default filters: the Antivirus filter, the Heuristics Scanning Filter (Spam Prevention Service), and six filters in the emanager filter group. The Antivirus filter group, which contains only the antivirus filter, scans for viruses. The SPS and emanager filters scan for spam, specified content, and message size.

When you configure the antivirus filter, you can determine which messages are scanned and which messages are not scanned. You can also configure the action that is taken if a virus is found and the notification messages that are sent.

You can configure emanager filters to block content at your SMTP gateway. You can specify keywords, select message parts for filtering, and use operators to create expressions that define how the keywords should be used by the filter. With the operators, you can create expressions that check how near one keyword is to another or how often a keyword occurs in a message. You can also configure filters that look for specific attachment file types, message size, and spam.

Review Questions

1. Which is not a good reason to exclude graphics files such as TIFF and BMP files from scanning?
a. Graphics files are resource-intensive to scan.
b. Graphics files are not known to carry viruses.
c. Your messaging system frequently transfers graphics files.
d. Graphics files, by default, always produce false positives.

2. Why is it resource-intensive to scan compressed files?
a. Compressed files are the most common type of attachment.
b. Compressed files often contain empty spaces that slow most scan engines.
c. Compressed files must be decompressed before scanning.
d. Compressed files require complicated algorithms to scan them.

3. How does InterScan MSS record one virus-infected message that is sent to three recipients in three domains?
a. One message processed, one virus detected
b. One message processed, three viruses detected
c. Three messages processed, three viruses detected
d. Three messages processed, one virus detected

4. How do you search for a phrase that contains a semicolon (;)?
a. Enter the phrase as it is: I like dogs; I adore cats.
b. Enter a backslash before the semicolon: I like dogs\; I adore cats.
c. Enclose the semicolon between parentheses: I like dogs (;) I adore cats.
d. Enclose the phrase between quotation marks: "I like dogs; I adore cats."

5. How does the SPS heuristic scan engine detect spam?
a. Compares the e-mail to a spam database
b. Compares characteristics of the e-mail against predefined rules or common characteristics of spam
c. Compares the e-mail to the search criteria that you define, based on Trend Micro recommendations
d. Compares the e-mail to previous spam that you have saved in the SPS SpamBank


Chapter 8: Configuring System Monitor and Log Maintenance Settings

Chapter Objectives

After completing this chapter, you should be able to:

View real-time status-performance data
Specify the fault conditions under which InterScan Messaging Security Suite (InterScan MSS) should notify you
View and maintain log files


System Monitor Settings

By keeping track of the InterScan MSS server's status, you can identify potential problems before they affect the e-mail flow.

System Status

The System Status window in the InterScan MSS Web console provides real-time system-performance data (see Figure 8-1). You can check the volume of messages in the processing and retry queues, the number of messages processed since the service was started (including undeliverable messages), and the number of viruses detected.

Figure 8-1: System Status screen

To view the system status, select Configuration > System Monitor > System Status from the left-hand frame of the InterScan MSS Management Console. When the System Status screen appears, click Refresh to update the view.

Event Monitoring

InterScan MSS can notify you if a potential fault condition threatens to disrupt processing or constitutes a security risk. You can be notified of the following conditions:

Excessive messages in the delivery queue
Results of scheduled update attempts (either successful or unsuccessful)
Stopped scanning service
Lack of disk space in the processing queue folder, a condition that might disrupt processing

To configure the events for which you want to be notified, select Configuration > System Monitor > Event Monitoring from the left-hand frame of the InterScan MSS Management Console. The Event Monitoring screen appears (see Figure 8-2).

Figure 8-2: The Event Monitoring screen.

Select the appropriate check boxes for the fault conditions about which you want to be notified and enter values in the required fields. Also select the notification methods you want. If you wish to configure a customized notification message for different events, click the Edit message link next to the notification method(s) that you want to use.

Note: Immediately after you save event monitor settings, the updated settings are applied to the InterScan MSS System Monitor.

Excessive Messages in the Delivery Queue

When e-mail cannot be delivered, the delivery queue becomes larger than usual. When you have excessive messages in the delivery queue, check your network settings and SMTP routing delivery settings to verify that all connections are working. You should also check to see if the messages have something in common, such as an IP address.

Log Maintenance Settings

InterScan MSS records information about all the messages it handles and the program modules that are used. For example, InterScan MSS records the following:

Services starting and stopping
Program modules loaded and unloaded
Threads, sockets, and program update status (failed or successful)
Date and time that a message was received
Message ID
Process IDs
Final action taken on the message

InterScan MSS records this information in the ISNT5.yyyy.mm.dd.xxxx log file.

Viewing Logs

To view logs, select Configuration > Logs and choose from Virus Logs, emanager, or Program Logs. Enter the log parameters for which you want to search and click View Logs (see Figure 8-3).

Figure 8-3: The Program Logs viewing parameters screen.

Note: When your InterScan MSS server processes a high volume of messages and you do not regularly remove old log files from your log directory, the log files may consume excessive disk space.

Log Maintenance

You can configure the program's logging behavior, including the level of detail logged, the location of the log database, the maximum size of log files, and the amount of time that log entries are retained. When you set the level of detail logged, you control the amount of information recorded about the processing of messages, the message transfer agent (MTA), and the delivery agent (MDA). You can select Normal, Detailed, or Diagnostic.

Normal

When log settings are set to Normal, InterScan MSS records a minimal amount of information in the logs. This setting is optimal when the amount of available disk space is limited. The following information is included in Normal logs:

Service starts/stops
Program module loads/unloads
Program update status
Date/time the message was received
Message ID
Process ID
Action InterScan MSS took with the message

Detailed

When the log settings are set to Detailed, InterScan MSS increases the amount of information recorded in the logs. This setting is optimal when you need more information about system events and the amount of disk space available is not limited. The following information is included in Detailed logs:

All information recorded in Normal logs
Filter results for each filter used to evaluate the message

Diagnostic

The Diagnostic setting is typically used to gather information for troubleshooting purposes. InterScan MSS records in-depth information about a system event. This setting should only be used when available disk space is unlimited. The following information is included in Diagnostic logs:

All information recorded in Normal logs and Detailed logs
Telnet sessions to/from
MIME type
Policy name and the message processed
Outcome of each filter in the policy
Action taken by each filter
Final action taken by InterScan MSS

Message routing used to deliver the message
Outcome of message delivery

For examples of the information displayed in each type of log, see Appendix D: Example Logs.

Configuring Log Behavior

To configure the logging behavior, complete the following steps:

From the InterScan MSS Management Console, select Configuration > Logs > Log Maintenance from the left-hand menu. The Log Maintenance screen appears (see Figure 8-3). You can configure the following parameters:

The level of detail that you want saved to the log file
The directory where you want the logs kept
The number of days you want to keep logs
The maximum amount of space all of the log files can consume

Figure 8-3: The Log Maintenance screen.

Note: You must restart the InterScan MSS service to apply your new log settings.

Lab Exercise 6: Monitoring InterScan MSS

Chapter 8 Summary and Review Questions

Summary

The System Monitor provides real-time system performance data and event monitoring. You can configure the System Monitor to notify you if a fault condition threatens to disrupt processing or if the fault signals a security risk.

In addition, you can use the InterScan MSS Web console to configure log files. You can determine the location and maximum size of log files, you can configure logs to show more or less detail, and you can specify the amount of time that log entries are stored.

Review Questions

1. For which event can you configure the System Monitor to notify you?
a. An undeliverable message
b. Slow performance
c. An attempt to bypass security
d. The result of a scheduled-update attempt

2. When configuring the level of detail that logs will record, which three of the following options can you choose? (Choose three.)
a. High
b. Low
c. Medium
d. Diagnostic
e. Normal
f. Advanced
g. Detailed

3. What happens when the total size of the log files exceeds the designated amount?
a. InterScan MSS reserves a new block of space for log files.
b. The oldest files are deleted.
c. The newest files are deleted.
d. InterScan MSS sends a notification.


Chapter 9: Troubleshooting

Chapter Objectives

After completing this chapter, you should be able to:

Troubleshoot common problems
Use SolutionBank to find answers to frequently asked questions


Troubleshooting Common Problems

Web Console Cannot Be Viewed after Microsoft Proxy 2.0 Is Installed

Installing Microsoft Proxy 2.0 prevents the default Web site from functioning correctly. A workaround is to create a second Web site and install the CGI filter on this Web site.

Message Looping

If a content-management filter sends an e-mail notification with the original message attached and InterScan Messaging Security Suite (InterScan MSS) is used as the notification server, an infinite loop occurs. This problem occurs because the original message is attached to the notification message and is tested by all filters when processed by InterScan MSS, which triggers the same filter again. Another notification is sent, attaching the original, and the filter is triggered again. Trend Micro recommends that you do not use the InterScan MSS server as your notification server.

Troubleshooting the Installation Process

A log file is created while InterScan MSS is being installed. This log file lists all the steps taken in the installation process. You can use the information in the log to see where and why the installation failed. To view the log file, open the Isnt_Setup.txt file in the C:\IMSS_RILOG directory.

Install on the Local Server Fails

If you are unable to install InterScan MSS on a local server, you can try two different techniques that might make the installation successful.

First technique    If you receive an error message that says "unable to logon", try using a local administrator account instead of a domain administrator account.
Second technique   If asked to specify on which server InterScan MSS will be installed, manually type in the loopback address (127.0.0.1) and click Add.

Getting Support from Trend Micro

If you have inquiries or suggestions, you can submit a problem report to the Trend Micro technical support center, or you can submit a case to the Trend Micro Web site. If you are a Trend Micro customer, please send the problem to the support team of your local branch or distributor. If you are a Trend Micro Business Unit (BU)/distributor, please send the problem to [email protected].

SolutionBank

Trend Micro provides SolutionBank, an online knowledge database filled with answers to common questions. Use SolutionBank, for example, if you are having trouble receiving program file updates and want to find out what you can do to solve the problem. Or, if you are receiving an error message, search SolutionBank using the text of the message to find out what is causing the error and how to fix it.

The contents of SolutionBank are continuously updated. New solutions are added daily. If you are unable to find an answer, however, you can describe the problem in an e-mail message and send it directly to a Trend Micro support engineer. The support engineer investigates such issues and responds as soon as possible.

To access the Trend Micro support database, open a Web browser and enter the following URL:

The following is an example of an error message and the possible solutions:

Can perform neither manual update through the console nor scheduled update.

Description   The manual update through the console fails. The scheduled update also does not work. When a manual update is performed through the console, the checkmarks (update options) disappear after the console page refreshes.
Solution      Ensure that Scheduler.exe is running and its corresponding window is on the desktop.

Changes to the ISNTSmtp.ini File

ISNTSmtp.ini is one of the main configuration files for InterScan MSS. The majority of the interface settings are stored in this file. Several configuration parameters are not available through the interface; these parameters must be configured in the ISNTSmtp.ini file. Some of the major configuration parameters from the ISNTSmtp.ini file are outlined in the following tables.

[General-Performance]

ISNTPerformance=low    Specifies the multiplier for the number of threads specified in the [ -Scan] section of this file. Setting to med will double the number of threads; setting to high will quadruple all threads.
ISNTServiceMaxShutdownSeconds=60    If the ISNTSMTP process does not close down its threads within this number of seconds, ISNTSysMonitor forces the process to close. This number should be lower than RecycleProcessMaxWaitSeconds.
FileEnumerateLimit=    Specifies how many AF, DF, and BF files are checked at start-up for orphaned message files.

Table 9-1: General Performance

[Receiver-Connection]

IdleWaitingMin=10    Specifies how many minutes an idle SMTP connection will be held open for incoming e-mail.
EnableMaxIncomingConnectionLimit=yes    Enables/disables a limit on incoming connections. The maximum number of connections is specified in the next parameter. The setting can be modified to have no connection limit.
MaxIncomingConnectionLimit=250    Specifies how many SMTP connections are permitted at once.
PerformReverseDNSLookup=no    Corresponds with the setting in the interface. Determines whether InterScan MSS will perform the Reverse DNS validation check on incoming e-mail.

[Receiver-Connection] (continued)

NumberOfQueueSizeSteps:    Specifies the number of queue size steps at which the maximum number of receiving threads will be recalculated. Each QueueSize_ key has two values. The first value determines the queue size, and the second value determines the number of receiving threads. The actual queue size and number of receiving threads are determined by multiplying the values by the number of CPUs (this is the same calculation done to determine the number of scanning threads from the ScanningThread key). The values are separated by a semicolon (;).
NumberOfQueueSizeSteps=5    Specifies the number of steps or QueueSize settings that may be specified.
QueueSize_0=0;250    Determines that when there are zero messages in the queue, 250 threads are utilized for receiving (times the number of processors).
QueueSize_1=250;100    Determines that when there are 250 messages in the queue, 100 threads are utilized for receiving (times the number of processors).
QueueSize_2=1000;20    Determines that when there are 1000 messages in the queue, 20 threads are utilized for receiving (times the number of processors).
QueueSize_3=10000;5    Determines that when there are 10,000 messages in the queue, 5 threads are utilized for receiving (times the number of processors).
QueueSize_4=25000;1    Determines that when there are 25,000 messages in the queue, one thread is utilized for receiving (times the number of processors).
SupportDSN=    Default: no
RejectRDNSFailedConnection=    Specifies that InterScan MSS should reject the SMTP connection if the sender does not supply DNS information when asked.
RejectRDNSUnverifiedConnection=    Compares the domain name in the HELO domain name with the domain given by the sender as its domain; gives a 550 SMTP error if there is no match.

[Receiver-Connection] (continued)

CommandCheckingOption=    0 = compatible with mainstream SMTP servers, 1 = strict RFC 2821, 2 = 1 plus block mail from: <>
RejectIncomingMailWithEmptyMailFromParameter=    1 = reject if mail from: <>
RDNSSuccessCacheTimeInSeconds=    Specifies how many seconds to cache an RDNS-approved connection as good.
RDNSFailCacheTimeInSeconds=    Specifies how many seconds to cache an RDNS-failed connection as bad.
AcceptDotInAtom=    Allows mail from: and rcpt to: to provide domains such as [email protected], g..e..o..r..g..e@georgesdomain, and [email protected]

Table 9-2: Receiver Connection

[ -Scan]

ScanningThread    Number of threads used to scan e-mails
PickupDeliverThread    Number of threads used to check the pickup_deliver directory
PickupScanThread    Number of threads used to check the Pickup_scan directory
MailQueueThread    Number of threads used to check the mqueue directory
Bounc QueueThread    Number of threads used to check the BouncedMailQueue directory
InboundMailScan=yes    Generally used for troubleshooting only; yes = scan inbound e-mail, no = do not scan inbound e-mail
OutboundMailScan=yes    Generally used for troubleshooting only; yes = scan outbound e-mail, no = do not scan outbound e-mail
BypassMessageModule=no    Generally used for troubleshooting only; yes = bypass the message module completely, no = do not bypass the message module
PostponeDeliverThread=    Number of threads used to deliver the postponed e-mail

[ -Scan] (continued)

BypassMessagePartial=    The Yes setting delivers a message that is deemed to be partially formed.
MessagePartialAction=    If the value for this setting is NO, then InterScan MSS will quarantine the message.
LaunchDrWatson=    =1 will launch DrWatson if the process crashes.

Table 9-3: -Scan

[ -Other]

RestrictInDomain=yes    When the RCPT TO: field contains the percent symbol (%), InterScan MSS accepts the message and relays it from yourdomain.com to spamdomain.com. Example: user%[email protected]. Setting this parameter to yes allows you to specify illegal characters in the RCPT TO: field.
RestrictInDomainMeta=!#$%    Strange/illegal characters to check for in the domain specification.
DNSDirectConnectToDomain=    If IMSS cannot connect to any of the MX records queried from the DNS server, it tries to connect to the domain directly. By default (according to the RFC standard), it will not.

Table 9-4: -Other
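The QueueSize_ step table of the [Receiver-Connection] section (Table 9-2 above), worked through in code as an added example that is not from the textbook or from InterScan MSS. The ini text is constructed from the values printed in Table 9-2, and the code assumes that the step in effect is the one with the largest queue-size value not exceeding the current queue depth, after both values have been multiplied by the CPU count as the table describes.

```python
"""Compute the receiving-thread limit from the QueueSize_N steps in ISNTSmtp.ini.

Added example, not code from the Trend Micro textbook or from InterScan MSS.
Assumption: the step in effect is the largest queue-size threshold (times the CPU
count) that the current queue depth has reached.
"""
import configparser
from typing import List, Tuple

# Constructed from the values printed in Table 9-2; not a file taken from an installation.
SAMPLE_INI = """\
[Receiver-Connection]
IdleWaitingMin=10
EnableMaxIncomingConnectionLimit=yes
MaxIncomingConnectionLimit=250
PerformReverseDNSLookup=no
NumberOfQueueSizeSteps=5
QueueSize_0=0;250
QueueSize_1=250;100
QueueSize_2=1000;20
QueueSize_3=10000;5
QueueSize_4=25000;1
"""


def parse_queue_steps(ini_text: str) -> List[Tuple[int, int]]:
    """Return [(queue_size, receiving_threads), ...] sorted by queue size.

    configparser treats ';' as a comment only at the start of a line, so the
    'size;threads' values survive intact.  Every step named by NumberOfQueueSizeSteps
    must be present as a pair of integers, and the first step must start at queue
    size 0 so that every depth maps to some step.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    section = cfg["Receiver-Connection"]
    count = int(section["NumberOfQueueSizeSteps"])
    steps: List[Tuple[int, int]] = []
    for i in range(count):
        key = f"QueueSize_{i}"
        if key not in section:
            raise ValueError(f"{key} missing but NumberOfQueueSizeSteps={count}")
        size_text, threads_text = section[key].split(";")
        steps.append((int(size_text), int(threads_text)))
    steps.sort()
    if steps[0][0] != 0:
        raise ValueError("QueueSize_0 must start at queue size 0")
    return steps


def receiving_threads(queue_depth: int, cpus: int, steps: List[Tuple[int, int]]) -> int:
    """Receiving threads allowed at queue_depth; both columns scale with the CPU count."""
    if cpus < 1 or queue_depth < 0:
        raise ValueError("cpus must be >= 1 and queue_depth >= 0")
    allowed = steps[0][1]
    for size, threads in steps:
        if queue_depth >= size * cpus:   # threshold reached: this step now applies
            allowed = threads
        else:
            break                        # steps are sorted, so no later one applies
    return allowed * cpus


if __name__ == "__main__":
    table = parse_queue_steps(SAMPLE_INI)
    for depth in (0, 600, 2500, 30000):
        print(f"{depth:>6} queued on 2 CPUs -> {receiving_threads(depth, 2, table)} threads")
```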

Appendix A: Using Trend Micro Online Resources

Contacting Trend Micro

You can contact Trend Micro by telephone, fax, BBS, e-mail, regular mail, and the Internet. Complete support, sales, and product information for Trend Micro offices worldwide is available at the Trend Micro Web site. Comprehensive antivirus information is available over the Internet at the Trend Micro free antivirus center. From there, you can take advantage of the following resources:

Access the online Trend Micro Virus Encyclopedia, which contains detailed information about 1,000 viruses
Download 30-day trial versions of other server-based Trend Micro antivirus products
Get advice on what to do if you think your network has a virus
Read white papers pertaining to viruses in the enterprise
Perform a quick cost analysis of the financial impact of virus infections

Trend Micro Virus Doctors

If you believe that you have an infected file but the InterScan Messaging Security Suite (InterScan MSS) scan engine does not detect or clean it, Trend Micro encourages you to send the file to the following address: [email protected]. Please include in the message text a brief description of the symptoms you are experiencing. The Trend Micro team of engineers will dissect the file to identify and characterize any virus(es) it may contain and return the cleaned file to you. Send the suspected file in a password-protected zipped file. Use "virus" as its password.

Client Scans with HouseCall

HouseCall is a free virus-scanning service available from Trend Micro. In 1997, Trend Micro pioneered the concept of online scanning. Anyone can use HouseCall. You do not need to install any software. You simply follow the on-screen instructions to begin.

Note: Although HouseCall detects and cleans any viruses found on the user's hard drive, it does not provide real-time protection.

HouseCall requires Internet Explorer 3.x or above or Netscape Navigator 3.01 or above. Links to either browser are provided.
1. Open a Web browser and enter the URL of the Trend Micro Web site.
2. Select Products > Free Tools > HouseCall. After a few seconds, a directory tree of your hard drive is created, and the offer to perform a free scan is presented.

Trend Micro Security Information Center
Comprehensive security information is available over the Internet at the Trend Micro free antivirus center. Use the Security Information Center to find out about the following:
- Computer virus hoaxes
- Weekly virus alerts, listing the viruses that may trigger during the current week
- Virus false alarms and how to identify them
- The Trend Micro Virus Encyclopedia, which includes a comprehensive list of names and symptoms for known viruses and malicious mobile code
- Basic guides to computer viruses
- The Trend Micro virus reading room, with dozens of articles about the latest issues in computer viruses, including the threat posed by Java applets and ActiveX controls
- Product details and white papers
You can access the Trend Micro Security Information Center from the Trend Micro Web site.

Appendix B: Adding Entries to DNS and Excluding Files From Scanning

This appendix includes the following instructions:
- Adding entries to Domain Name System (DNS)
- Excluding certain types of ASCII text files from scanning

Adding Entries to DNS
To use the DNS Service Manager in Windows NT 4.0 to add an A and MX record, follow the instructions outlined below:
1. Launch DNS Manager by selecting Start > Programs > Administrative Tools > DNS Manager. In this example, er1 is the only SMTP server defined. Corresponding A and MX records are as shown.
2. To add another exchanger, create a new host (A record) by clicking the DNS > New Host menu. You are prompted for a host name and an IP address for that host.
3. After creating the new host, click the DNS > New Record menu to create an MX record that defines the InterScan Messaging Security Suite (InterScan MSS) server as the primary exchanger.
4. The New Resource Record window appears. Under record type, select MX Record. Enter the exchange server DNS name (FQDN). Next, enter a preference value for the new record. Make sure you enter a lower numerical value than that of your original SMTP server. The lower numerical value sets the InterScan MSS server as the primary exchanger for the entire domain. Lower numerical values mean higher preference. All e-mail is routed to the exchanger with the highest preference.
5. Use the nslookup utility to test for a successful record definition. Set the type to MX and perform a query for the specified domain.
6. If you are using another DNS service, such as the DNS service in Windows 2000, the steps for adding entries to DNS are different.
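Step 5 leaves the reader to eyeball the nslookup output. The following Python, an added example rather than Trend Micro's own tooling, parses saved output of an MX query and confirms that the InterScan MSS host carries the lowest preference value, so that it really is the primary exchanger. The sample output is constructed in the format Windows nslookup prints for `set type=MX`; the host names and addresses are assumptions.

```python
"""Verify from saved `nslookup` (type=MX) output that the InterScan MSS host is
the preferred exchanger. Added example, not Trend Micro code."""
import re

# Constructed sample of what `nslookup -type=MX yourdomain.example` prints on
# Windows after the A and MX records from Appendix B have been added.
SAMPLE_NSLOOKUP_OUTPUT = """Server:  dns1.yourdomain.example
Address:  192.0.2.53

yourdomain.example      MX preference = 20, mail exchanger = er1.yourdomain.example
yourdomain.example      MX preference = 10, mail exchanger = imss.yourdomain.example
er1.yourdomain.example  internet address = 192.0.2.25
imss.yourdomain.example internet address = 192.0.2.26
"""

MX_LINE = re.compile(r"MX preference = (\d+),\s*mail exchanger = (\S+)")


def parse_mx_records(text):
    """Return [(preference, exchanger), ...] sorted so the preferred host comes first."""
    records = [(int(pref), host.rstrip(".").lower()) for pref, host in MX_LINE.findall(text)]
    return sorted(records)


def primary_exchanger(text):
    """Host with the lowest preference value, or None when no MX line is present."""
    records = parse_mx_records(text)
    return records[0][1] if records else None


def check_imss_is_primary(text, imss_host):
    """Return (ok, message). ok is True only when imss_host has a strictly lower
    preference than every other exchanger; an equal value means senders may pick
    either host, which would let mail bypass the scanner."""
    records = parse_mx_records(text)
    if not records:
        return False, "no MX records found in nslookup output"
    imss_host = imss_host.lower().rstrip(".")
    imss_prefs = [p for p, h in records if h == imss_host]
    if not imss_prefs:
        return False, "%s has no MX record" % imss_host
    imss_pref = min(imss_prefs)
    others = [p for p, h in records if h != imss_host]
    if others and min(others) <= imss_pref:
        return False, ("%s (preference %d) is not preferred over the other exchangers "
                       "(lowest other preference %d)" % (imss_host, imss_pref, min(others)))
    return True, "%s is the primary exchanger (preference %d)" % (imss_host, imss_pref)


if __name__ == "__main__":
    print(parse_mx_records(SAMPLE_NSLOOKUP_OUTPUT))
    print(check_imss_is_primary(SAMPLE_NSLOOKUP_OUTPUT, "imss.yourdomain.example"))
```

Run the query against the authoritative server for the domain (with `server <name>` in nslookup) as well as against a public resolver; the two can disagree until the change has propagated.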

Adding Entries to DNS Service in Windows 2000
To use the DNS service in Windows 2000 to add an A and MX record, complete the following steps:
1. Launch DNS Manager by selecting Start > Programs > Administrative Tools > DNS.
2. Double-click the DNS server name.
3. Double-click Forward Lookup Zone.
4. Select the domain.
5. In the menu that appears, click Action and select New Mail Exchanger.
6. Type in the domain.
7. Specify the server.
8. Specify the server priority.

Excluding Certain Types of Text Files from Scanning
By default, InterScan MSS does not allow you to exclude text files from scanning. To exclude certain types of text files from scanning, you must modify the TMeMgr.ini file. For example, to exclude data exchange files (DXF) from scanning, complete the following steps:
1. Locate the TMeMgr.ini file in the [drive]\program files\trend\imss\isntsmtp directory.
2. Modify the following settings:
    [em_core]
    EnableSkipASCIIFile=yes
    SkippedASCIIFileList=dxf
3. Save the TMeMgr.ini file.
Note: You must enter yes and no in lowercase letters. If you want to skip other types of text files, use the semicolon (;) to separate each extension.
4. Restart InterScan MSS from the Windows 2000/NT Service Manager.
5. The new setting takes effect after you click Apply Now.

When InterScan MSS scans the header (from, to, and cc) and the body of the e-mail, separators, quotation marks ("), a comma (,), brackets (<>), and a semicolon (;) are added. These separators are not removed when you deselect the filter's header check box.
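Two of the rules above are easy to get wrong by hand: the yes/no value must be lowercase, and several extensions are separated by semicolons. The following Python is an added example (not Trend Micro code) that reads the [em_core] section of a TMeMgr.ini-style file, rejects a value the product would not accept, and answers whether a given attachment name falls in the skip list. The sample INI text is constructed; the case-insensitive extension comparison in is_skipped() is an assumption about the product, not documented behaviour.

```python
"""Check the [em_core] skip-list settings of a TMeMgr.ini-style file.
Added example, not Trend Micro code."""
import configparser
import os

# Constructed TMeMgr.ini fragment; only the [em_core] section matters here.
SAMPLE_INI = """[em_core]
EnableSkipASCIIFile=yes
SkippedASCIIFileList=dxf;csv; log
"""


def load_em_core(ini_text):
    """Parse [em_core] and return (skip_enabled, [extensions]).

    Raises ValueError for a value the product would not accept, e.g. 'Yes'
    instead of the required lowercase 'yes'.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key case exactly as written in the file
    parser.read_string(ini_text)
    if not parser.has_section("em_core"):
        raise ValueError("missing [em_core] section")
    flag = parser.get("em_core", "EnableSkipASCIIFile", fallback="no")
    if flag not in ("yes", "no"):
        raise ValueError("EnableSkipASCIIFile must be lowercase 'yes' or 'no', got %r" % flag)
    raw = parser.get("em_core", "SkippedASCIIFileList", fallback="")
    # Semicolon-separated list; stray whitespace around an entry is tolerated here.
    exts = [e.strip().lower() for e in raw.split(";") if e.strip()]
    return flag == "yes", exts


def validate_em_core(ini_text):
    """Return None when the fragment is acceptable, otherwise the error message."""
    try:
        load_em_core(ini_text)
    except (ValueError, configparser.Error) as exc:
        return str(exc)
    return None


def is_skipped(filename, enabled, exts):
    """True when skipping is enabled and the attachment's extension is listed.
    Case-insensitive comparison is an assumption of this example."""
    if not enabled:
        return False
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return bool(ext) and ext in exts


if __name__ == "__main__":
    enabled, exts = load_em_core(SAMPLE_INI)
    print("skip enabled:", enabled, "extensions:", exts)
    for name in ("drawing.DXF", "notes.txt", "README"):
        print(name, "skipped" if is_skipped(name, enabled, exts) else "scanned")
```

Keep the skip list as short as the business need allows: every extension added here is a class of attachment that the text-file scan no longer sees.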

Appendix C: Uninstalling and Reinstalling InterScan Messaging Security Suite

When uninstalling or reinstalling InterScan Messaging Security Suite (InterScan MSS), you must use the installation program, setup.exe. Do not use Add/Remove Programs in the Windows Control Panel to uninstall InterScan MSS. Likewise, do not attempt to remove the program by manually deleting the InterScan folder and registry keys. The order used to uninstall the InterScan MSS components is critical, and only the InterScan MSS installation program uninstalls these components in the correct order.

If you want to preserve your customized settings on InterScan MSS, save the INI files and registry entries before uninstalling the program. You can use these files and entries later to recreate your previous configuration and settings.

You can run setup.exe either from the server on which you have installed the components or from a remote Windows NT or 2000 computer.


Appendix D: Example Logs

The following logs are examples of the information recorded in Normal, Detailed, and Diagnostic logs when a policy is triggered and a message is quarantined:

Normal Log
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 [270] Received from gwsvr ([ ]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 [270] Message from: <[email protected]>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 [270] Message map <c:\program files\trend\imss\isntsmtp\mqueue\de6dd418-baca-4f9f-9f8f-F5A876D33AA8.DF>, Subject=<normal logging with attachment policy triggered>, TID=<624>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 [270] Message to: <[email protected]>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 [270] MTA finish, spend <60> ms, size=(0, 71681) bytes
2003/04/03 21:38:48 GMT-08:00 de6dd418-baca-4f9f-9f8ff5a876d33aa8 [4c4] has been quarantined
2003/04/03 21:38:48 GMT-08:00 subject [normal logging with attachment policy triggered], sender [[email protected]], recipient[<[email protected]>], entity [NOTEPAD.EXE] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [stri
/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 Final action is Quarantine.
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8F-F5A876D33AA8 [4c4] Scan finish, spend <381> ms

Detailed Log
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C [208] Received from gwsvr ([ ]) by gw-svr
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C [208] Message from: <[email protected]>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C [208] Message map <c:\program files\trend\imss\isntsmtp\mqueue\83198c17-750d-43c8-a070-DA61B7E4226C.DF>, Subject=<detailed logging with policy triggered>, TID=<520>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C [208] Message to:
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070-da61b7e4226c [208] Push into <scanning queue> OK
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C [208] MTA finish, spend <110> ms, size=(0, ) bytes
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C To do action: Quarantine
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070-da61b7e4226c [3f8] has been quarantined
2003/04/03 21:44:10 GMT-08:00 subject [detailed logging with policy triggered], sender recipient["raffy Rivero" entity [poledit.exe] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action
/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C Final action is Quarantine.
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070-DA61B7E4226C [3f8] Scan finish, spend <70> ms

Diagnostic Log
2003/04/03 21:47:07 GMT-08:00 [71c] << HELO gwsvr
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 gw-svr Hello [ ]
2003/04/03 21:47:07 GMT-08:00 [71c] << FROM:
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 Sender Ok
2003/04/03 21:47:07 GMT-08:00 [71c] << RCPT TO:
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 Recipient Ok
2003/04/03 21:47:07 GMT-08:00 [71c] << DATA

2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] Received from gwsvr ([ ]) by gw-svr
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] >> 354 gw-svr: Send data now. Terminate with "."
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] DOT command received
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] >> 250 gw-svr: Message accepted for delivery
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] Message from:
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] Message map <c:\program files\trend\imss\isntsmtp\mqueue\2565ee87-62e ac5c E2F4625.DF>, Subject=<Diagnostic Logging policy triggered>, TID=<1820>
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] Message to:
2003/04/03 21:47:07 GMT-08:00 2565ee87-62e ac5c e2f4625 [71c] Push into <scanning queue> OK
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] << QUIT
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] >> 221 gw-svr closing connection. Goodbye!
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 [71c] MTA finish, spend <191> ms, size=(0, ) bytes
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 parsing message.
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 entity [content-type: multipart/mixed, encoding: (none)].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 entity [content-type: multipart/alternative, encoding: (none)].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 entity [content-type: text/plain, encoding: quoted-printable].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 entity [content-type: text/html, encoding: quoted-printable].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 entity [content-type: application/xmsdownload, encoding: base64].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E AC5C E2F4625 finished parsing message.
2003/04/03 21:47:07 GMT-08:00 Matched rule : Global Policy\Incoming Policy
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 splitting message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 finished splitting message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 To do action: Quarantine
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 writing back message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 finished writing message.
2003/04/03 21:47:08 GMT-08:00 2565ee87-62e ac5c e2f4625 [320] has been quarantined
2003/04/03 21:47:08 GMT-08:00 subject [Diagnostic Logging policy triggered], sender [[email protected]], recipient["raffy Rivero" <[email protected]>], entity [explorer.exe] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [
/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 Final action is Quarantine.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 [320] Scan result < >, return code < >
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 [320] Scan finish, spend <140> ms
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E AC5C E2F4625 [320] Delete Message file<c:\program files\trend\imss\isntsmtp\mqueue\2565ee87-62e ac5c E2F4625.DF> success

Understanding Information in the Logs
To troubleshoot what happens when InterScan MSS processes a message, locate the message ID next to the following entries: Message from:<[email protected]> and Message to:<[email protected]>. The message ID ties together all the processing information for a message. The information will not always be in sequence as shown in the examples above. For example, the log may list information about message 1, then information about message 4, and then more information about message 1. To discover what happened to a message, locate the message ID and then locate the last entry in the log file with that message ID.

The log file name format is ISNT5.yyyymmdd.xxxx. The extension (xxxx) is a sequence number; when the log file grows to approximately 10 MB, the extension is incremented and a new file is started. Some messages may be logged in more than one log file.
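The procedure above (find the message ID, then find its last entry) is mechanical enough to script. The following Python is an added example, not Trend Micro code: it parses log lines in the layout shown in Appendix D, groups them by message ID regardless of the upper/lower-case variation seen in the "has been quarantined" entries, reports the final action per message, and orders ISNT5.yyyymmdd.xxxx file names so that a message split across two files can be followed. The log lines are constructed for this example (message IDs, hosts, addresses and the "Deliver" outcome are assumptions), and treating the xxxx extension as an increasing integer is also an assumption.

```python
"""Group InterScan MSS log entries by message ID and report each message's
final action. Added example, not Trend Micro code."""
import re

# Constructed log excerpt in the layout of Appendix D. Note the interleaving
# of two messages and the lower-case ID on the quarantine line.
SAMPLE_LOG = """\
2003/04/03 21:38:47 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000001 [270] Received from gwsvr ([192.0.2.10]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000001 [270] Message from: <alice@example.test>
2003/04/03 21:38:47 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000002 [271] Received from gwsvr ([192.0.2.10]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000001 [270] Message to: <bob@example.test>
2003/04/03 21:38:48 GMT-08:00 aaaaaaaa-0000-0000-0000-000000000001 [4c4] has been quarantined
2003/04/03 21:38:48 GMT-08:00 subject [test], sender [alice@example.test], recipient[<bob@example.test>], entity [NOTEPAD.EXE] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [quarantine]
2003/04/03 21:38:48 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000001 Final action is Quarantine.
2003/04/03 21:38:48 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000001 [4c4] Scan finish, spend <381> ms
2003/04/03 21:38:49 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000002 [271] Message from: <carol@example.test>
2003/04/03 21:38:49 GMT-08:00 AAAAAAAA-0000-0000-0000-000000000002 Final action is Deliver.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>GMT[+-]\d{2}:\d{2}) "
    r"(?:(?P<msgid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}) )?"  # optional message ID
    r"(?:\[(?P<tid>[0-9A-Fa-f]+)\] )?"                                      # optional thread ID
    r"(?P<text>.*)$")
FINAL_ACTION_RE = re.compile(r"Final action is (\w+)")
LOGFILE_RE = re.compile(r"^ISNT5\.(\d{8})\.(\d+)$")


def parse_log(text):
    """Yield one dict per parseable line; message IDs are upper-cased so the
    mixed-case quarantine entries land in the same group."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["msgid"]:
            rec["msgid"] = rec["msgid"].upper()
        yield rec


def group_by_message(text):
    """Map message ID -> entries in file order. Lines without an ID (such as the
    policy-violation summary) are not attributable and are left out."""
    groups = {}
    for rec in parse_log(text):
        if rec["msgid"]:
            groups.setdefault(rec["msgid"], []).append(rec)
    return groups


def final_entry(text, msgid):
    """The last entry for a message, i.e. what the appendix tells you to look for."""
    recs = group_by_message(text).get(msgid.upper())
    return recs[-1] if recs else None


def final_actions(text):
    """Map message ID -> final action, or 'unknown' when the log has no such line
    (the message may continue in the next log file)."""
    result = {}
    for msgid, recs in group_by_message(text).items():
        action = "unknown"
        for rec in recs:
            m = FINAL_ACTION_RE.search(rec["text"])
            if m:
                action = m.group(1)
        result[msgid] = action
    return result


def sort_log_files(names):
    """Order ISNT5.yyyymmdd.xxxx file names by date, then by sequence number,
    ignoring anything that does not match the documented pattern."""
    keyed = []
    for name in names:
        m = LOGFILE_RE.match(name)
        if m:
            keyed.append(((m.group(1), int(m.group(2))), name))
    return [name for _, name in sorted(keyed)]


if __name__ == "__main__":
    for msgid, action in final_actions(SAMPLE_LOG).items():
        print(msgid, "->", action, "| last:", final_entry(SAMPLE_LOG, msgid)["text"])
```

When a message's last entry is "Push into <scanning queue> OK" or "MTA finish" with no final action, read on in the next file in sort_log_files() order before concluding that the message was lost.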


Appendix E: Interpreting Header Information

The table in this appendix explains the headers that are added to an e-mail as it travels from the sender's computer and server, through the Internet, to the recipient's server and computer.

Line from header: Received: from mail.mydomain.com (mail.mydomain.com [ ])
Explanation: The name of the sending mail server, followed (in parentheses) by the true name and IP address of the sending mail server.

Line from header: by mailhost.anotherdomain.com (8.8.5/8.7.2)
Explanation: The name of the receiving mail server.
Note: The numbers refer to the version of the mail program being used by the receiving server.

Line from header: with ESMTP id LAA20869
Explanation: The ID number (LAA20869) assigned to this message by the receiving mail server.
Note: This ID number is for the server's own use. If necessary, an administrator can use the number to look up the message in the server's log files, but the number has no use for anyone else.

Line from header: for <[email protected]>; Fri, 20 Jun :39: (PST)
Explanation: The intended recipient of this message, and the date and time that this mail transfer took place.
Note: "-0800" PST indicates that the message originated in the Pacific Standard Time zone, which is 8 hours behind Greenwich Mean Time.

Line from header: Received: from alpha.mydomain.com (alpha.mydomain.com [ ]) by mail.mydomain.com (8.8.5) id 004A21; Fri, Jun :36: (PST)
Explanation: This line documents that alpha.mydomain.com (Joe's workstation) sent the message to mail.mydomain.com at 14:36:17 Pacific Standard Time. The sending machine called itself alpha.mydomain.com. The sending machine's true name and IP address are listed inside the parentheses. Mail.mydomain's mail server is running SendMail version 8.8.5, and it assigned the ID number 004A21 to this message for internal processing.

Line from header: From: [email protected] (Joe Smith)
Explanation: The sender of this message, whose real name is Joe Smith.

Line from header: To: [email protected]
Explanation: The intended recipient of this message, as designated by the sender when the message was composed.

Line from header: Date: Fri, June :36:14 PST
Explanation: The date and time this message was composed.

Line from header: Message-Id: <rth @mail.mydomain.com>
Explanation: The message ID assigned to this message by the sending mail server.
Note: This ID is different from the SMTP and ESMTP ID numbers in the Received: headers above because it is permanently attached to this message; the other IDs are associated with specific mail transactions and are only meaningful to the machine that assigns them. Sometimes (as in this example) the Message-ID includes the sender's address. More frequently, it has no apparent meaning.

Line from header: X-Mailer: Groovymail v2.01
Explanation: The message was sent using a (fictitious) program called Groovymail, version 2.01.

Line from header: Subject: Lunch today?
Explanation: Self-explanatory.
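Reading Received: headers by hand works for one message; the following Python, an added example and not Trend Micro code, does the same walk programmatically. It pulls every Received: header from a message, extracts the name the sending machine gave (the "from" part), the name and address the receiving server recorded in parentheses, the receiving server, its transaction ID and the timestamp, and then lists hops where the announced name and the recorded name disagree, which is one thing to check in a suspected forgery. The two messages below are constructed from the appendix's fictitious hosts; the years, IP addresses and the Message-Id value are assumptions, as is the regular expression (it covers the sendmail-style layout shown in the appendix, not every Received: format in the wild).

```python
"""Walk the Received: chain of a message. Added example, not Trend Micro code."""
import re
from email import message_from_string

# Constructed from the headers discussed in Appendix E (years, IPs and the
# Message-Id are assumptions). Continuation lines are folded with leading spaces.
SAMPLE_MESSAGE = """\
Received: from mail.mydomain.com (mail.mydomain.com [192.0.2.25])
    by mailhost.anotherdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869
    for <jane@anotherdomain.com>; Fri, 20 Jun 2003 14:39:17 -0800 (PST)
Received: from alpha.mydomain.com (alpha.mydomain.com [192.0.2.44])
    by mail.mydomain.com (8.8.5) id 004A21; Fri, 20 Jun 2003 14:36:17 -0800 (PST)
From: jsmith@mydomain.com (Joe Smith)
To: jane@anotherdomain.com
Date: Fri, 20 Jun 2003 14:36:14 PST
Message-Id: <rth.20030620.1@mail.mydomain.com>
X-Mailer: Groovymail v2.01
Subject: Lunch today?

(body omitted)
"""

# Constructed: the sending machine claims to be mail.mydomain.com, but the
# receiving server recorded a different reverse-DNS name for the connecting IP.
FORGED_SAMPLE = """\
Received: from mail.mydomain.com (unknown-host.example.net [198.51.100.7])
    by mailhost.anotherdomain.com (8.8.5/8.7.2) with ESMTP id LAA20870
    for <jane@anotherdomain.com>; Fri, 20 Jun 2003 15:02:44 -0800 (PST)
From: jsmith@mydomain.com (Joe Smith)
Subject: Re: Lunch today?

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                        # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"   # (reverse name [ip]) as recorded
    r".*?\bby\s+(?P<by>\S+)"                                       # receiving server
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?"                              # its transaction ID
    r"(?:.*?;\s*(?P<date>.+))?$")                                  # timestamp after the ';'


def received_hops(raw_message):
    """Return the hops in sender-to-recipient order (Received: headers are prepended,
    so the top one in the message is the last hop)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops


def helo_mismatches(hops):
    """Hops where the announced name differs from the name the receiving server
    recorded for the connecting address. A mismatch is a signal to investigate,
    not proof of forgery (NAT and multi-homed relays also produce it)."""
    return [h for h in hops if h.get("rdns") and h["helo"].lower() != h["rdns"].lower()]


def message_id(raw_message):
    """The Message-Id the sending mail server attached to the message."""
    return message_from_string(raw_message)["Message-Id"]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print("%(helo)s (%(rdns)s %(ip)s) -> %(by)s id %(id)s at %(date)s" % hop)
    print("mismatches:", helo_mismatches(received_hops(FORGED_SAMPLE)))
```

Only the hop recorded by your own gateway is trustworthy; everything below it in the chain was written by machines you do not control and can be fabricated wholesale.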

Appendix F: Answers to Review Questions

Chapter 1
1. Which feature allows you to control the level of antivirus and content management that is applied to members of your organization?
   a. Domain-based message routing
   b. Quarantine manager
   c. Policy-based management
   d. Single-server, multiple policy support
2. Which feature can you use to filter unwanted e-mail, such as sexually or racially insensitive material?
   a. Domain-based message routing
   b. Content management
   c. Policy-based management
   d. Single-server, multiple policy support
3. Which feature notifies you when a fault condition threatens to disrupt e-mail flow?
   a. Content management
   b. Enhanced server access control
   c. Quarantine manager
   d. System Monitor

Chapter 2
1. Which of the following are recommended installation configurations for InterScan MSS? (Choose two.)
   a. Behind the firewall
   b. In front of the firewall
   c. In a DMZ
   d. Behind a DMZ
2. Which of the following installation instructions does Trend Micro recommend?
   a. Install InterScan MSS on the existing server.
   b. Install InterScan MSS on a dedicated server.
   c. Install InterScan MSS on a server with other Trend Micro products.
   d. Install InterScan MSS on the largest server on your network.
3. Which of the following are reasons why it is beneficial to install InterScan MSS on the e-mail server? (Choose two.)
   a. Additional servers are not required
   b. Overhead on the e-mail server does not increase
   c. Requires less network bandwidth
   d. Greater efficiency
5. Which four of the following items can you update? (Choose four.)
   a. Virus pattern file
   b. Pattern-Matching engine
   c. Spam database
   d. Scan engine
   e. SPS Heuristic spam rules
   f. TrueScan filter

Chapter 3
1. Why would you want to use a reverse-lookup?
   a. To configure a deny access list
   b. To prevent known spam senders from using your SMTP server as a relay
   c. To enable domain-based delivery
   d. To create a masquerade domain
2. What does the hop count limit?
   a. The number of times an e-mail can be forwarded
   b. The number of times InterScan MSS can retry delivering an e-mail
   c. The number of times an e-mail is scanned
   d. The number of times an e-mail can loop between the InterScan MSS and e-mail servers
3. What is the purpose of a masquerade domain?
   a. To block spam coming from specified domains
   b. To block all e-mail from specified domains
   c. To change the domain name in the From: field
   d. All of the above

Chapter 4
1. Which of the following must be installed on your network in order for InterScan MSS to scan POP3 traffic?
   a. VPN
   b. RADIUS server
   c. Firewall
   d. Trend Micro Control Manager

2. Why might you need to set up a dedicated connection to the InterScan MSS server POP3 proxy?
   a. InterScan MSS is installed on a server that has more than one network interface card.
   b. Users need to authenticate to the POP3 server using the APOP command.
   c. You are using the POP3 Client Tool.
   d. You need to configure an e-mail client that is not supported by the POP3 Client Tool ActiveX control.

Chapter 5
1. What is the purpose of the badmail directory?
   a. To hold messages that are undeliverable so they will not be deleted
   b. To hold messages that are infected by a virus
   c. To hold messages that do not have empty subject fields
   d. To hold messages that cannot be scanned
2. Which of the following statements about queue directory locations is true?
   a. UNC paths are supported.
   b. The path must be a local directory path.
   c. It is not necessary to restart InterScan MSS to apply changes to directories.
   d. All of the above
3. How do you use InterScan MSS to prevent zip-of-death attacks on your network?
   a. Specify the maximum allowable file size after decompression
   b. Restrict the number of recursively compressed layers
   c. Reject all compressed files such as ZIP and LZH files
   d. Block all large attachments

Chapter 6
1. Which of the following is not a policy component?
   a. Filter action
   b. Route
   c. Filters
   d. Sub-policy
2. Which emanager filter blocks messages that have the words Get Rich Quick in the subject line?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message size filter
   d. Subject line filter
3. Which emanager filter do you use to block large messages during business hours?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message-size filter
   d. Subject line filter
4. Which filter action is executed first?
   a. Deliver
   b. Forward original message
   c. Notification
   d. Forward modified message
5. In which order should you organize sub-policies?
   a. Most general policies first, most specific policies last
   b. Most specific policies first, most general policies last
   c. Incoming policies first, outgoing policies last
   d. Outgoing policies first, incoming policies last

Chapter 7
1. Which is not a good reason to exclude graphics files such as TIFF and BMP files from scanning?
   a. Graphics files are resource-intensive to scan.
   b. Graphics files are not known to carry viruses.
   c. Your messaging system frequently transfers graphics files.
   d. Graphics files, by default, always produce false positives.
2. Why is it resource-intensive to scan compressed files?
   a. Compressed files are the most common type of attachment.
   b. Compressed files often contain empty spaces that slow most scan engines.
   c. Compressed files must be decompressed before scanning.
   d. Compressed files require complicated algorithms to scan them.
3. How does InterScan MSS record one virus-infected message that is sent to three recipients in three domains?
   a. One message processed, one virus detected
   b. One message processed, three viruses detected
   c. Three messages processed, three viruses detected
   d. Three messages processed, one virus detected
4. How do you search for a phrase that contains a semicolon (;)?
   a. Enter the phrase as it is: I like dogs; I adore cats.
   b. Enter a backslash before the semicolon: I like dogs\; I adore cats.
   c. Enclose the semicolon between parentheses: I like dogs (;) I adore cats.
   d. Enclose the phrase between quotation marks: "I like dogs; I adore cats."

5. How does the SPS heuristic scan engine detect spam?
   a. Compares e-mail to a spam database
   b. Compares e-mail to the search criteria that you define, based on Trend Micro recommendations
   c. Compares e-mail to previous spam that you have saved in the SPS SpamBank
   d. Compares characteristics of the e-mail against predefined rules or common characteristics of spam

Chapter 8
1. For which event can you configure the System Monitor to notify you?
   a. An undeliverable message
   b. Slow performance
   c. An attempt to bypass security
   d. The result of a scheduled-update attempt
2. When configuring the level of detail that logs will record, which three of the following options can you choose? (Choose three.)
   a. High
   b. Low
   c. Medium
   d. Diagnostic
   e. Normal
   f. Advanced
   g. Detailed
3. What happens when the total size of the log files exceeds the designated amount?
   a. InterScan MSS reserves a new block of space for log files.
   b. The oldest files are deleted.
   c. The newest files are deleted.
   d. InterScan MSS sends a notification.


More information

How to Install Microsoft Mobile Information Server 2002 Server ActiveSync. Joey Masterson

How to Install Microsoft Mobile Information Server 2002 Server ActiveSync. Joey Masterson How to Install Microsoft Mobile Information Server 2002 Server ActiveSync Joey Masterson How to Install Microsoft Mobile Information Server 2002 Server ActiveSync Joey Masterson Copyright Information

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

Outpost Network Security

Outpost Network Security Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It

More information

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide for Microsoft SharePoint 2003/2007 Symantec Protection for SharePoint Servers Implementation Guide The software described in this book

More information

TREND MICRO. InterScan VirusWall 6. Getting Started Guide. Integrated virus and spam protection for your Internet gateway.

TREND MICRO. InterScan VirusWall 6. Getting Started Guide. Integrated virus and spam protection for your Internet gateway. TM TREND MICRO TM TM InterScan VirusWall 6 Integrated virus and spam protection for your Internet gateway for Linux TM Getting Started Guide Trend Micro Incorporated reserves the right to make changes

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

Installing Management Applications on VNX for File

Installing Management Applications on VNX for File EMC VNX Series Release 8.1 Installing Management Applications on VNX for File P/N 300-015-111 Rev 01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright

More information

WEBCONNECT INSTALLATION GUIDE. Version 1.96

WEBCONNECT INSTALLATION GUIDE. Version 1.96 WEBCONNECT INSTALLATION GUIDE Version 1.96 Copyright 1981-2015 Netop Business Solutions A/S. All Rights Reserved. Portions used under license from third parties. Please send any comments to: Netop Business

More information

T E C H N I C A L S A L E S S O L U T I O N

T E C H N I C A L S A L E S S O L U T I O N Trend Micro Email Encryption Gateway 5.0 Deployment Guide January 2009 Trend Micro, Inc. 10101 N. De Anza Blvd. Cupertino, CA 95014 USA T +1.800.228.5651 / +1.408.257.1500 F +1.408.257.2003 www.trendmicro.com

More information

MGC WebCommander Web Server Manager

MGC WebCommander Web Server Manager MGC WebCommander Web Server Manager Installation and Configuration Guide Version 8.0 Copyright 2006 Polycom, Inc. All Rights Reserved Catalog No. DOC2138B Version 8.0 Proprietary and Confidential The information

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Ekran System Help File

Ekran System Help File Ekran System Help File Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating Ekran to version 4.1... 13 Program Structure... 14 Getting Started... 15 Deployment Process... 15

More information

Installing GFI MailEssentials

Installing GFI MailEssentials Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter explains the procedure on how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in

More information

BitDefender Security for Exchange

BitDefender Security for Exchange Quick Start Guide Copyright 2011 BitDefender 1. About This Guide This guide will help you install and get started with BitDefender Security for Exchange. For detailed instructions, please refer to the

More information

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

GFI Product Manual. Deployment Guide

GFI Product Manual. Deployment Guide GFI Product Manual Deployment Guide http://www.gfi.com [email protected] The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of

More information

Symantec AntiVirus Corporate Edition Patch Update

Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

Ensim WEBppliance 3.0 for Windows (ServerXchange) Release Notes

Ensim WEBppliance 3.0 for Windows (ServerXchange) Release Notes Ensim WEBppliance 3.0 for Windows (ServerXchange) Release Notes May 07, 2002 Thank you for choosing Ensim WEBppliance 3.0 for Windows. This document includes information about the following: About Ensim

More information

F-Secure Internet Gatekeeper

F-Secure Internet Gatekeeper F-Secure Internet Gatekeeper TOC F-Secure Internet Gatekeeper Contents Chapter 1: Welcome to F-Secure Internet Gatekeeper...5 1.1 Features...6 Chapter 2: Deployment...8 2.1 System requirements...9 2.2

More information

F-Secure Client Security. Administrator's Guide

F-Secure Client Security. Administrator's Guide F-Secure Client Security Administrator's Guide F-Secure Client Security TOC 3 Contents Chapter 1: Introduction...9 System requirements...10 Policy Manager Server...10 Policy Manager Console...10 Main

More information

MailFoundry Users Manual. MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved

MailFoundry Users Manual. MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved Page 1 of 91 Chapter 1: Introduction... 4 What are Spam Profiles?... 4 Models Covered In This Manual... 4

More information

NETWRIX FILE SERVER CHANGE REPORTER

NETWRIX FILE SERVER CHANGE REPORTER NETWRIX FILE SERVER CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 3.3 April/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Email Security

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Email Security Email Security SonicWALL Email Security 7.0 for Microsoft Small Business Server System Compatibility SonicWALL Email Security 7.0 Software is supported on systems with the following: Operating Systems

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before using this service, please review the latest version of the applicable

More information

Trend ScanMail. for Microsoft Exchange. Quick Start Guide

Trend ScanMail. for Microsoft Exchange. Quick Start Guide Trend ScanMail for Microsoft Exchange Quick Start Guide Trend ScanMail for Microsoft Exchange ScanMail for Exchange This Quick Start Guide provides a step-by-step guide to installing ScanMail for Exchange,

More information

Citrix EdgeSight Administrator s Guide. Citrix EdgeSight for Endpoints 5.3 Citrix EdgeSight for XenApp 5.3

Citrix EdgeSight Administrator s Guide. Citrix EdgeSight for Endpoints 5.3 Citrix EdgeSight for XenApp 5.3 Citrix EdgeSight Administrator s Guide Citrix EdgeSight for Endpoints 5.3 Citrix EdgeSight for enapp 5.3 Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior

More information

Configuring Symantec AntiVirus for Hitachi High-performance NAS Platform, powered by BlueArc

Configuring Symantec AntiVirus for Hitachi High-performance NAS Platform, powered by BlueArc Configuring Symantec AntiVirus for Hitachi High-performance NAS Platform, powered by BlueArc Configuring Symantec AntiVirus for Hitachi High-performance NAS Platform, powered by BlueArc The software described

More information

Setting up Microsoft Office 365

Setting up Microsoft Office 365 Integration Guide Revision G McAfee SaaS Email Protection Securing Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft

More information

SecuraLive ULTIMATE SECURITY

SecuraLive ULTIMATE SECURITY SecuraLive ULTIMATE SECURITY Home Edition for Windows USER GUIDE SecuraLive ULTIMATE SECURITY USER MANUAL Introduction: Welcome to SecuraLive Ultimate Security Home Edition. SecuraLive Ultimate Security

More information

Kaspersky Security 8.0 for Microsoft Exchange Servers AD Administrator's Guide

Kaspersky Security 8.0 for Microsoft Exchange Servers AD Administrator's Guide Kaspersky Security 8.0 for Microsoft Exchange Servers AD Administrator's Guide P R O G R A M V E R S I O N : 8. 0 M A I N T E N A N C E P A C K 1 Dear User! Thank you for choosing our product. We hope

More information

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Network Configuration Settings

Network Configuration Settings Network Configuration Settings Many small businesses already have an existing firewall device for their local network when they purchase Microsoft Windows Small Business Server 2003. Often, these devices

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Trend Micro OfficeScan 11.0. Best Practice Guide for Malware

Trend Micro OfficeScan 11.0. Best Practice Guide for Malware Trend Micro OfficeScan 11.0 Best Practice Guide for Malware Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned

More information

Barracuda Spam Firewall User s Guide

Barracuda Spam Firewall User s Guide Barracuda Spam Firewall User s Guide 1 Copyright Copyright 2004, Barracuda Networks www.barracudanetworks.com All rights reserved. Use of this product and this manual is subject to license. Information

More information

http://docs.trendmicro.com/en-us/enterprise/scanmail-for-microsoft-exchange.aspx

http://docs.trendmicro.com/en-us/enterprise/scanmail-for-microsoft-exchange.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

2. Installation and System requirements

2. Installation and System requirements RELEASE NOTES F-Secure Anti-Virus for Windows Servers Version 9.00 build 333 Copyright 1993-2010 F-Secure Corporation. All Rights Reserved. Portions Copyright 2004 BackWeb Technologies Inc. This product

More information

Worry-Free TM Remote Manager TM 1

Worry-Free TM Remote Manager TM 1 Worry-Free TM Remote Manager TM 1 for Small and Medium Business Getting Started Guide for Resellers Trend Micro Incorporated reserves the right to make changes to this document and to the products described

More information

Ad-Aware Management Server Installed together with Ad-Aware Business Client... 19 Ad-Aware Update Server... 19 Before You Start the Deployment...

Ad-Aware Management Server Installed together with Ad-Aware Business Client... 19 Ad-Aware Update Server... 19 Before You Start the Deployment... Table of Contents Using This Guide... 9 Purpose and Intended Audience... 9 How to Use This Guide... 9 Conventions Used in This Guide... 10 Typographical Conventions... 10 Admonitions... 10 About Ad-Aware

More information

KASPERSKY LAB. Kaspersky SMTP-Gateway 5.5 for Linux/Unix ADMINISTRATOR S GUIDE

KASPERSKY LAB. Kaspersky SMTP-Gateway 5.5 for Linux/Unix ADMINISTRATOR S GUIDE KASPERSKY LAB Kaspersky SMTP-Gateway 5.5 for Linux/Unix ADMINISTRATOR S GUIDE KASPERSKY SMTP-GATEWAY 5.5 FOR LINUX/UNIX Administrator s Guide Kaspersky Lab http://www.kaspersky.com Revision date: July

More information

GFI Product Manual. Administration and Configuration Manual

GFI Product Manual. Administration and Configuration Manual GFI Product Manual Administration and Configuration Manual http://www.gfi.com [email protected] The information and content in this document is provided for informational purposes only and is provided "as is"

More information

Installing, Uninstalling, and Upgrading Service Monitor

Installing, Uninstalling, and Upgrading Service Monitor CHAPTER 2 Installing, Uninstalling, and Upgrading Service Monitor This section contains the following topics: Preparing to Install Service Monitor, page 2-1 Installing Cisco Unified Service Monitor, page

More information

Installation Guide For ChoiceMail Enterprise Edition

Installation Guide For ChoiceMail Enterprise Edition Installation Guide For ChoiceMail Enterprise Edition How to Install ChoiceMail Enterprise On A Server In Front Of Your Company Mail Server August, 2004 Version 2.6x Copyright DigiPortal Software, 2002-2004

More information

SERVICE LEVEL AGREEMENT

SERVICE LEVEL AGREEMENT SERVICE LEVEL AGREEMENT This Service Level Agreement (SLA) is provided by ECS and is intended to define services and responsibilities between ECS and customer. ECS along with contracted 3 rd party partners

More information

Workflow Templates Library

Workflow Templates Library Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security

More information

Symantec Hosted Mail Security Getting Started Guide

Symantec Hosted Mail Security Getting Started Guide Symantec Hosted Mail Security Getting Started Guide Redirecting Your MX Record You have successfully activated your domain within the Symantec Hosted Mail Security Console. In order to begin the filtration

More information

escan SBS 2008 Installation Guide

escan SBS 2008 Installation Guide escan SBS 2008 Installation Guide Following things are required before starting the installation 1. On SBS 2008 server make sure you deinstall One Care before proceeding with installation of escan. 2.

More information

OfficeScan. Client/Server Edition 8 for Enterprise and Medium Business

OfficeScan. Client/Server Edition 8 for Enterprise and Medium Business OfficeScan TM Client/Server Edition 8 for Enterprise and Medium Business TM TM for Windows Vista Installation and Deployment Guide es Endpoint Security Trend Micro Incorporated reserves the right to make

More information

NETWRIX ACCOUNT LOCKOUT EXAMINER

NETWRIX ACCOUNT LOCKOUT EXAMINER NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security

IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security INTC-8608-01 CE 12-2010 Page 1 of 8 Table of Contents 1. Scope of Services...3 2. Definitions...3

More information

Configuring Symantec AntiVirus for NetApp Storage system

Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system The software described in this book is furnished under a license agreement and may be used

More information

DameWare Server. Administrator Guide

DameWare Server. Administrator Guide DameWare Server Administrator Guide About DameWare Contact Information Team Contact Information Sales 1.866.270.1449 General Support Technical Support Customer Service User Forums http://www.dameware.com/customers.aspx

More information

Novell Open Workgroup Suite

Novell Open Workgroup Suite Novell Open Workgroup Suite Small Business Edition QUICK START GUIDE September 2007 v1.5 Page 1 Introduction This Quick Start explains how to install the Novell Open Workgroup Suite software on a server.

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Symantec AntiVirus Corporate Edition Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 10223881 Symantec and the Symantec logo are U.S. registered trademarks

More information

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Getting started Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Copyright 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/03 Symantec and the Symantec

More information

Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition

Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition ADMINISTRATOR'S GUIDE PROGRAM VERSION: 8.0 Dear User! Thank you for choosing our product. We hope that this document

More information

SERVICE LEVEL AGREEMENT

SERVICE LEVEL AGREEMENT This Service Level Agreement ( SLA ) applies to and governs such Gabian Technology and its partners SharePoint, Web Hosting, Virtual Private Server, Exchange Hosting, Advisor Earnings, Email Archive, CRM

More information

Enterprise Vault Installing and Configuring

Enterprise Vault Installing and Configuring Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

User Guide. ThreatTrack Security Product Manual

User Guide. ThreatTrack Security Product Manual User Guide ThreatTrack Security Product Manual Copyright 2014 ThreatTrack Security, Inc. All Rights Reserved. The legal rights, license, and warranties of the software product described herein are governed

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Image Assistant. User Guide. Image Assistant. Laplink Software, Inc. User Guide. The ONLY Way to Restore an Old Image to a New PC!

Image Assistant. User Guide. Image Assistant. Laplink Software, Inc. User Guide. The ONLY Way to Restore an Old Image to a New PC! 1 Image Assistant Laplink Software, Inc. Customer Service/Technical Support: Web: http://www.laplink.com/help E-mail: [email protected] Laplink Software, Inc. 14335 NE 24th Street, Suite 201

More information