Kaspersky Security 8.0 for Microsoft Exchange Servers AD Administrator's Guide

Transcription

1 Kaspersky Security 8.0 for Microsoft Exchange Servers AD Administrator's Guide P R O G R A M V E R S I O N : 8. 0 M A I N T E N A N C E P A C K 1

2 Dear User! Thank you for choosing our product. We hope that this document will help you in your work and provide answers to the majority of your questions. Warning! This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation and by international treaties. Illegal reproduction and distribution of this document or parts thereof will result in civil, administrative or criminal liability in accordance with applicable law. Any type of reproduction or distribution of any materials, including in translated form, is allowed only with the written permission of Kaspersky Lab. This document and the graphic images it contains may be used exclusively for informational, non-commercial or personal purposes. This document may be amended without prior notification. For the latest version, please refer to Kaspersky Lab s web site at Kaspersky Lab assumes no liability for the content, quality, relevance or accuracy of any materials used in this document the rights to which are held by third parties, or for potential damages associated with using such materials. The document contains registered trademarks and service marks which are the property of their respective owners. Revision date: Kaspersky Lab ZAO. All Rights Reserved

3 TABLE OF CONTENTS ABOUT THIS GUIDE... 6 In this document... 6 Document conventions... 7 ADDITIONAL SOURCES OF INFORMATION... 9 Data sources for independent searching... 9 Discussing Kaspersky Lab applications on the web forum Contacting the Technical Documentation Development group KASPERSKY SECURITY 8.0 FOR MICROSOFT EXCHANGE SERVERS Basic functionality Distribution kit Services for registered users License agreement Hardware and software requirements APPLICATION ARCHITECTURE Application components and their purpose Security Server architecture TYPICAL DEPLOYMENT SCHEMES Microsoft Exchange Server roles and corresponding configurations Server protection deployment Application deployment on a server cluster Application deployment on a Microsoft Exchange DAG APPLICATION SETUP Preparing for installation Upgrading from an earlier version Application setup procedure Step 1. Installing the required components Step 2. Greeting and License Agreement Step 3. Selecting the installation type Step 4. Selecting the application components Step 5. Configuring the connection to the Microsoft SQL Server Step 6. Copying files Getting started. The Application Configuration Wizard Installing a license key Configuring server protection Enabling the KSN service Configuring the proxy server Notification settings Testing the application functionality Restoring the application Removing the application MANAGING KASPERSKY SECURITY LICENSES Viewing information about installed licenses Installing a license key

4 A D M I N I S T R A T O R ' S G U I D E Removing a license key Notification about license expiry Creating the list of protected mailboxes and storages APPLICATION INTERFACE Main window Context menu STARTING AND STOPPING THE APPLICATION DEFAULT MICROSOFT EXCHANGE SERVER PROTECTION STATUS GETTING STARTED Starting: Administration Console Creating the list of protected Microsoft Exchange servers Connecting the Administration Console to the Security Server UPDATING THE ANTI-VIRUS AND ANTI-SPAM DATABASES Manual update Automatic update Selecting the update source Editing the connection settings ANTI-VIRUS PROTECTION Enabling and disabling anti-virus server protection Creating rules for object processing Scanning attached archives and containers Configuring protection settings for mail accounts Creating scanning exclusions Background scan ANTI-SPAM PROTECTION Configuring anti-spam analysis Creating the black and white lists of senders Configuration of the parameters used to determine spam rating Using external services for spam processing Configuring additional settings BACKUP STORAGE Viewing the Backup contents Viewing properties of an object in Backup Configuring the Backup filters Restoring objects from Backup Sending an object from Backup to recipients Sending an object from Backup for analysis Deleting objects from Backup Configuring the Backup storage settings NOTIFICATIONS Configuring notification settings Configuring notification delivery settings REPORTS Creating a quick report Configuring an anti-virus report

5 T A B L E O F C O N T E N T S Configuring Anti-Spam reports settings Viewing Ready reports APPLICATION EVENT LOGS Configuring the diagnostics level Configuration of log settings MANAGING CONFIGURATION Exporting settings Importing settings FREQUENTLY ASKED QUESTIONS CONTACTING THE TECHNICAL SUPPORT SERVICE GLOSSARY KASPERSKY LAB ZAO ADDITIONAL INFORMATION ABOUT THIRD-PARTY CODE TRADEMARK NOTICE INDEX

6 ABOUT THIS GUIDE Greetings from the team of Kaspersky Lab ZAO (hereinafter referred to as Kaspersky Lab)! We hope that this Guide will help you understand the basic working principles of Kaspersky Security 8.0 for Microsoft Exchange Servers (hereinafter referred to as Kaspersky Security or the application). The document is intended for administrators of mail servers using Microsoft Exchange Server 2007 or 2010 (further - Microsoft Exchange Server) who have chosen Kaspersky Security as their mail server protection solution. The aim of the document: to assist Microsoft Exchange Server administrators in installing the application components on the server, activating server protection and ensuring optimal application configuration in light of the current tasks; to provide quickly searchable information about installation-related issues; to provide alternate sources of information about the application and ways to get technical support. IN THIS SECTION In this document... 6 Document conventions... 7 IN THIS DOCUMENT The Administrator's Guide for Kaspersky Security 8.0 for Microsoft Exchange Servers consists of the following chapters: About this Guide (see page 6). This Chapter describes the purpose and structure of this Administrator's Guide. Additional sources of information (see page 9). This section describes various sources of information pertaining to the purchase, installation and operation of Kaspersky Security. Kaspersky Security 8.0 for Microsoft Exchange Servers (see page 11). This chapter describes the main features of the application. Application architecture (see page 15). This chapter describes the application components and how they interact. Typical deployment schemes (see page 17). This chapter describes the roles of a Microsoft Exchange server and the schemes for deployment of server protection. Application architecture (see page 20). This chapter details the procedure of Kaspersky Security installation. License management (see page 31). This chapter describes the types of licenses and the procedure of license installation and removal. Application architecture (see page 36). This chapter describes the user interface of Kaspersky Security. Starting and stopping the application (see page 38). This chapter explains how to start and stop the application. Default Microsoft Exchange Server protection status (see page 40). This chapter describes the peculiarities of Kaspersky Security's operation using the default settings. Getting started (see page 41). This chapter explains how to begin using Kaspersky Security, enable mail server protection and create the list of protected servers. 6

7 A B O U T T H I S G U I D E Updating the Anti-Virus and Anti-Spam databases (see page 44). This chapter explains how to configure the update settings for the Kaspersky Security databases. Anti-Virus protection (see page 49). This chapter is devoted to the configuration of anti-virus protection of mail servers. Anti-Spam protection (see page 56). This chapter describes possible ways to protect mail servers from spam. Backup (see page 65). This chapter explains the Backup functionality and how to restore objects from Backup, as well as Backup configuration. Notifications (see page 73). This chapter describes ways to receive notifications about the events occurring in Kaspersky Security. Reports (see page 75). This chapter contains information on creation and viewing of reports and how to receive them via . Event logs (see page 82). This chapter describes logging configuration for the Anti-Virus and Anti-Spam activity and other Kaspersky Security events. Frequently asked questions (see page 86). This chapter is devoted to the questions that users ask most often. Contacting the Technical Support Service (see page 88). This chapter describes the available technical support options for the application users. Glossary (see page Error! Bookmark not defined.). This section contains a list of terms used in the program and their definitions. Kaspersky Lab ZAO (see page 93). The section contains brief information about the company. Information about third-party code (see page 94). This chapter contains information about software code and tools from other vendors used in application development. DOCUMENT CONVENTIONS The text in this document is accompanied by semantic elements - warnings, tips and examples that you are advised to read thoroughly. These elements are intentionally highlighted using graphics and typeface. Document conventions and examples of their use are described in the table below. Table 1. Document conventions SAMPLE TEXT Please note that... It is recommended that you use... Example:... DOCUMENT CONVENTIONS DESCRIPTION Warnings are highlighted in red and enclosed in frames. Warnings contain information about potential unwanted actions which may result in the loss of data or disrupt the operation of a mobile device. Notes are enclosed in frames. Notes may contain useful tips, advice, specific values or particular important cases of program operation. Examples are given in sections with a yellow background under the header "Example". 7

8 A D M I N I S T R A T O R ' S G U I D E SAMPLE TEXT An update is... The Databases are outdated event occurs. Press ENTER. Use the ALT+F4 keyboard shortcut. Click the Enable button. To configure a task schedule, perform the following steps: Enter help in the command line The following message will appear: Specify the date in DD:MM:YY format. <IP address of your mobile device> DOCUMENT CONVENTIONS DESCRIPTION the following items are highlighted using italics: new terms; status variations and application events. Names of keyboard keys are capitalized and printed in bold type. Names of keys linked with a + (plus) sign indicate key combinations. Such keys should be pressed simultaneously. UI elements, for example, names of entry fields, menu items, buttons are in bold. Introductory phrases of instructions are printed in italics and marked with an arrow sign. Special style is used to mark the following text types: command line text; text of program messages output on the screen; data that the user has to enter. Variables are enclosed in angle brackets. You should replace the variable with the corresponding value; angle brackets are to be omitted. 8

9 ADDITIONAL SOURCES OF INFORMATION If you have any questions regarding the selection, purchase, installation or use of Kaspersky Security, you can quickly find relevant answers. Kaspersky Lab provides various sources of information about the application. You can select the most convenient source, depending on the urgency or importance of your question. IN THIS SECTION Data sources for independent searching... 9 Discussing Kaspersky Lab applications on the web forum Contacting the Technical Documentation Development group DATA SOURCES FOR INDEPENDENT SEARCHING You may refer to the following sources of information about the application: the application page on Kaspersky Lab's web site; the application page on the Technical Support web site (in the Knowledge Base); the online help system; the documentation. The application page on Kaspersky Lab's web site On this page you can find general information about Kaspersky Security, its capabilities and the particulars of working with it. The application page on the Technical Support web site (in the Knowledge Base) This page contains articles published by the Technical Support experts. These articles contain useful information, guidelines, and answers to frequently asked questions pertaining to the operation of Kaspersky Security. The online help system The online help system contains information on setting up the application components, as well as directions and recommendations on application management. To access the online help system, select Help in the Actions menu of the Administration Console. If you have a question about a certain window or tab in Kaspersky Security, you can use contextual help. 9

10 A D M I N I S T R A T O R ' S G U I D E To open contextual help, open the window or the tab that interests you and press the F1 key. Documentation The Administrator's Guide for Kaspersky Security contains all information necessary for work with the application and is included in the application package. DISCUSSING KASPERSKY LAB APPLICATIONS ON THE WEB FORUM If your question does not require an urgent answer, you can discuss it with Kaspersky Lab's specialists and other users in our forum located at In this forum you can view existing topics, leave your comments, create new topics, and use the search engine. CONTACTING THE TECHNICAL DOCUMENTATION DEVELOPMENT GROUP If you have any questions regarding documentation, have found an error or would like to provide feedback, you can contact the Technical Documentation Development group. Click the Leave feedback link in the top right part of the Help window to open the default client on your computer. The displayed window will automatically show the address of the Documentation Development group (docfeedback@kaspersky.com) and the message subject "Kaspersky Help Feedback: Kaspersky Security". Write your feedback and send the without changing the subject. 10

11 KASPERSKY SECURITY 8.0 FOR MICROSOFT EXCHANGE SERVERS Kaspersky Security 8.0 for Microsoft Exchange Servers is an application designed for protection of mail servers based on Microsoft Exchange Server against viruses, Trojan software and other types of threats that may be transmitted via e- mail. Malware can cause serious damage; these programs are designed specifically to steal, block, modify or destroy data, disrupting the operation of computers and computer networks. Massive virus mailing can quickly spread infection in corporate networks, paralyzing both running servers and workstations and resulting in undesirable downtime and losses. Moreover, virus attacks may also cause data losses which can negatively affect your business and the business of your partners. Kaspersky Security offers anti-spam protection on the level of your corporate mail server, saving your employees the trouble of deleting unwanted mail manually. IN THIS SECTION Basic functionality Distribution kit Services for registered users License agreement Hardware and software requirements BASIC FUNCTIONALITY Kaspersky Security protects mailboxes, public folders and relayed mail traffic passing a Microsoft Exchange Server against malware and spam. The application scans all traffic passing through the protected Microsoft Exchange Server. Kaspersky Security can perform the following operations: Scan mail traffic, incoming and outgoing mail, as well as the messages stored on a Microsoft Exchange Server (including public folders), for malware presence. While scanning, the application processes the whole message and all its attached objects. Depending upon the selected settings, the application disinfects and removes detected harmful objects and provides users with complete information about them. Filter unsolicited mail (spam) from mail traffic. The Anti-Spam component scans mail traffic for spam content. In addition, Anti-Spam allows creation of white and black lists of sender addresses and supports flexible configuration of anti-spam analysis intensity. Save backup copies of objects (an object consists of message body and its attachments) and spam messages prior to their disinfection or deletion to enable subsequent restoration, if required, thus preventing the risk of data losses. Configurable filters allow the user to easily locate specific stored objects. Notify the sender, the recipient and the system administrator about messages that contain malicious objects. Maintain event logs, collect statistics and create regular reports on application activity. The application can create reports automatically according to a schedule or by request. 11

12 A D M I N I S T R A T O R ' S G U I D E Configure the application settings to match the volume and type of relayed mail traffic, in particular, define the connection timeout to optimize scanning. Update the Kaspersky Security databases automatically or in manual mode. Updates can be downloaded from the FTP or HTTP servers of Kaspersky Lab, from a local / network folder that contains the latest set of updates, or from user-defined FTP or HTTP servers. Re-scan messages for the presence of new viruses according to a schedule. This task is performed as a background scan and has little effect on the mail server s performance. Perform anti-virus protection on storage level based on the list of protected storages. DISTRIBUTION KIT You can purchase Kaspersky Security from our partners or online from Internet shops, such as the estore section of Kaspersky Security is supplied as a part of Kaspersky Security for Mail Servers or of the Kaspersky Open Space Security solution (Kaspersky Enterprise Space Security and Kaspersky Total Space Security). After purchasing a license for Kaspersky Security, you will receive either an containing a link to download the application from the Kaspersky Lab web site and a key file for license activation, or an installation CD containing the product distribution package. Before breaking the seal on the installation disk envelope, carefully read through the EULA. SERVICES FOR REGISTERED USERS Kaspersky Lab ZAO offers an extensive service package to all legally registered users of Kaspersky Security, enabling them to boost the application's performance. After purchasing a license, you become a registered user and, during your license period, you will be provided with the following services: regular application database updates and software package updates; support on issues related to the installation, configuration and use of the purchased software product by phone or via ; information about new Kaspersky Lab products and about new viruses appearing worldwide. This service is available to users who subscribe to Kaspersky Lab's newsletter on the Technical Support Service web site. Support on issues related to the performance and use of operating systems, third-party software or other non-kaspersky technologies is not provided. LICENSE AGREEMENT The End-User License Agreement is a legal agreement between you and Kaspersky Lab that specifies the terms on which you may use the software you have purchased. Read the EULA through carefully! If you do not accept the terms and conditions of the license agreement, you can decline the product offer and receive a refund. Please note that the envelope with the installation CD should remain sealed. By opening the sealed installation disk, you accept all the terms of the EULA. 12

13 K A S P E R S K Y S E C U R I T Y 8. 0 F O R M I C R O S O F T E X C H A N G E S E R V E R S HARDWARE AND SOFTWARE REQUIREMENTS Hardware requirements The hardware requirements of Kaspersky Security are identical to the requirements of Microsoft Exchange Server. Depending upon the application settings and mode of operation, considerable disk space may be required for Backup storage and other service folders (when using default settings,the Backup storage folder can occupy up to 5120 MB). Hardware requirements of the Administration Console installed with the application include: Intel Pentium 400 MHz or faster processor (1000 MHz recommended); 256 MB free RAM; 500 MB disk space for the application files. Software requirements Installation of Kaspersky Security requires one of the following operating systems: Microsoft Small Business Server 2011; Microsoft Small Business Server 2008 Standard x64; Microsoft Small Business Server 2008 Premium x64; Microsoft Essential Business Server 2008 Standard x64; Microsoft Essential Business Server 2008 Premium x64; Microsoft Windows Server 2008 x64 R2 Enterprise Edition Service Pack 1; Microsoft Windows Server 2008 x64 R2 Standard Edition Service Pack 1; Microsoft Windows Server 2008 x64 Enterprise Edition Service Pack 2; Microsoft Windows Server 2008 x64 Standard Edition Service Pack 2; Microsoft Windows Server 2003 x64 R2 Enterprise Edition Service Pack 2; Microsoft Windows Server 2003 x64 R2 Standard Edition Service Pack 2; Microsoft Windows Server 2003 x64 Enterprise Edition Service Pack 2; Microsoft Windows Server 2003 x64 Standard Edition Service Pack 2. Installation of Kaspersky Security requires the following software: Microsoft Exchange Server 2007 x64 Service Pack 3 or Microsoft Exchange Server 2010 Service Pack 1 deployed in at least one of the following roles: Hub Transport, Mailbox or Edge Transport; One of the following database management systems: Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2005 Standard Edition, Microsoft SQL Server 2005 Enterprise Edition, Microsoft SQL Server 2008 Express Edition, Microsoft SQL Server 2008 Standard Edition, Microsoft SQL Server 2008 Enterprise Edition, Microsoft SQL Server 2008 R2 Express Edition, Microsoft SQL Server 2008 R2 Standard Edition, Microsoft SQL Server 2008 R2 Enterprise Edition; Microsoft.NET Framework 3.5 Service Pack 1. Installation of the Administration Console requires one of the following operating systems: Microsoft Small Business Server 2011; 13

14 A D M I N I S T R A T O R ' S G U I D E Microsoft Small Business Server 2008 Standard; Microsoft Small Business Server 2008 Premium; Microsoft Essential Business Server 2008 Standard; Microsoft Essential Business Server 2008 Premium; Microsoft Windows Server 2008 x64 R2 Enterprise Edition Service Pack 1; Microsoft Windows Server 2008 x64 R2 Standard Edition Service Pack 1; Microsoft Windows Server 2008 x64 Enterprise Edition Service Pack 2; Microsoft Windows Server 2008 x64 Standard Edition Service Pack 2; Microsoft Windows Server 2008 Enterprise Edition Service Pack 2; Microsoft Windows Server 2008 Standard Edition Service Pack 2; Microsoft Windows Server 2003 x64 Service Pack 2; Microsoft Windows Server 2003 x64 R2 Standard Edition; Microsoft Windows Server 2003 x64 R2 Enterprise Edition; Microsoft Windows XP x64 Service Pack 2; Microsoft Windows Vista х64; Microsoft Windows Server 2003 R2 Standard Edition; Microsoft Windows Server 2003 R2 Enterprise Edition; Microsoft Windows Vista; Microsoft Windows Server 2003 Service Pack 2; Microsoft Windows XP Service Pack 3; Microsoft Windows 7 Professional; Microsoft Windows 7 Professional x64; Microsoft Windows 7 Enterprise; Microsoft Windows 7 Enterprise x64; Microsoft Windows 7 Ultimate; Microsoft Windows 7 Ultimate x64. Installation of the Administration Console requires the following software: Microsoft Management Console 3.0; Microsoft.NET Framework 3.5 Service Pack 1. 14

15 APPLICATION ARCHITECTURE Kaspersky Security performs anti-virus scanning of all incoming and outgoing mail and messages stored on server, and also filters spam. The application analyzes the message body and attached files in any format. The detection of malicious programs is based on records contained in Kaspersky Security's databases. The databases are regularly updated by Kaspersky Lab and uploaded to Kaspersky Lab's update servers. In addition, the application uses a special analysis tool called a heuristic analyzer which can detect previously unknown viruses. Spam checks are performed by the Anti-Spam component, which employs a combination of several methods to fight spam. The application scans objects received by the server in real time. The user cannot open and view a new message before it is scanned. The application processes each object using the rules specified by the administrator for different types of object. You can create rules for processing of malicious objects (see the section "Creating rules for object processing" on page 51) and spam (see the section "Configuring anti-spam analysis" on page 58). Prior to modifying an object, the application can save a copy of it in a special Backup storage to allow subsequent restoration, or for forwarding to Kaspersky Lab for analysis. The application can send notifications about events as they occur to the anti-virus security administrator, the recipient, to the message sender and to other predefined addresses, and also add a record of the event in the appropriate application log file and in the Microsoft Windows event log. IN THIS SECTION Application components and their purpose Security Server architecture APPLICATION COMPONENTS AND THEIR PURPOSE The application consists of two basic components: Security Server. This component is installed on the protected Microsoft Exchange server and carries out antispam filtering of mail traffic and its anti-virus protection. The Security Server intercepts messages arriving on the Microsoft Exchange Server and uses its internal Anti-Virus and Anti-Spam modules to perform anti-virus scanning and anti-spam filtration of that traffic. If infection or spam is detected in a message, it can be saved in Backup or deleted, depending upon the Anti-Virus and Anti-Spam settings. The Administration Console is a dedicated isolated snap-in integrated into MMC 3.0. The Administration Console can be installed locally on a protected Microsoft Exchange server or on a different computer for remote management of Microsoft Exchange server protection. You can use the Administration Console to create and edit the list of protected Microsoft Exchange servers and manage the Security Server. SECURITY SERVER ARCHITECTURE The server component of the application, the Security Server, consists of the following main subsystems: The Interceptor intercepts objects arriving at the Microsoft Exchange Server and forwards them to the anti-virus scan subsystem. It is integrated into the Microsoft Exchange Server processes using either VSAPI 2.6 or Transport Agents, depending on the configuration selected during Microsoft Exchange Server deployment. The Anti-Virus component performs anti-virus scans of objects. The component is essentially an anti-virus engine running within the program process of Kaspersky Security 8.0 for Microsoft Exchange Servers. The anti-virus scan subsystem also includes storage for temporary objects while scanning objects in RAM. The storage is located in the working folder Store. 15

16 A D M I N I S T R A T O R ' S G U I D E Store is a subfolder within the application data folder (by default <application installation folder>/data); it must be excluded from the scan scope of any anti-virus programs installed in the corporate network. Otherwise the application may function incorrectly. The Anti-Spam component filters out unwanted mail. The component is essentially an anti-spam engine running within the program process of Kaspersky Security 8.0 for Microsoft Exchange Servers. Once a message is intercepted, it is transferred to the Anti-Spam engine for analysis. Depending upon the analysis result and the produced verdict, the message will be allowed to pass or deleted in accordance with the spam handling settings. Copies of deleted messages can be stored in Backup. The Internal Application Management and Integrity Control Module is launched in a separate process and is a Microsoft Windows service. The service is called Kaspersky Security 8.0 for Microsoft Exchange Servers and is launched automatically when the first message is being transferred, when the Management Console attempts to connect to the Security Server and after the initial Configuration Wizard has finished. This service does not depend on the state of the Microsoft Exchange Server (that is, whether it is started or stopped), so the application can be configured even if the Microsoft Exchange Server is stopped. When background scan mode is enabled, the Internal Application Management Module will receive all messages located in public folders and protected storage areas from the Microsoft Exchange server in accordance with the current settings. If a message has not been analyzed using the latest anti-virus database, it will be sent to the anti-virus component for processing. Objects are processed in background mode in the same way as in traffic scan mode. For correct operation of the application, the Internal Application Management Module must always be running; stopping this service manually is not recommended. 16

17 TYPICAL DEPLOYMENT SCHEMES Kaspersky Security should be installed on a Microsoft Exchange server. The application components you can install depend upon the role that the Microsoft Exchange Server performs. Kaspersky Security also supports deployment on a server cluster or on a Microsoft Exchange data availability group. You are advised to read through this section to select the most suitable deployment scheme. IN THIS SECTION Microsoft Exchange Server roles and corresponding configurations Server protection deployment Application deployment on a server cluster Application deployment on a Microsoft Exchange DAG MICROSOFT EXCHANGE SERVER ROLES AND CORRESPONDING CONFIGURATIONS Successful operation of Kaspersky Security requires that the protected Microsoft Exchange Server be deployed in at least one of the following roles: Mailbox. Hub Transport. Edge Transport. If Microsoft Exchange Server is deployed as a Mailbox, Kaspersky Security interacts with it using the VSAPI 2.6 standard. In other cases the Transport Agents technology is used. Please note that in the Hub Transport role objects are first scanned by the application and then processed by Microsoft Exchange Transport Agents. In the Edge Transport role, the procedure is reversed - the objects are first processed by Microsoft Exchange Transport Agents and then by the application. SERVER PROTECTION DEPLOYMENT The following procedure should be used to deploy the protection system for mail servers: 1. The Security Server component must be installed on all protected Microsoft Exchange servers within the network. The installation must be performed from the distribution kit individually for each server. 2. The Administration Console is installed along with the Security Server. It provides centralized access to all Kaspersky Security Security Servers from a single administrator workstation. If necessary, the Administration Console can be installed separately on a computer within the corporate network. If several administrators are working jointly, the Administration Console can be installed on each administrator's computer. 3. Create the list of managed servers (see the section "Creating the list of protected Microsoft Exchange servers" on page 41). 4. The Administration Console connects to the Security Server (see the section "Connecting the Administration Console to the Security Server" on page 42). 17

18 A D M I N I S T R A T O R ' S G U I D E APPLICATION DEPLOYMENT ON A SERVER CLUSTER Kaspersky Security supports the following cluster types: single copy cluster (SCC); cluster continuous replication (CCR). During setup the application recognizes a server cluster automatically. This means that the order in which the application is installed to different cluster nodes does not matter. The procedure for installing Kaspersky Security on a cluster of servers differs from the usual procedure in that: Before installation of Kaspersky Security is completed on all cluster nodes, the clustered mailbox servers (CMS) must not be moved between different cluster nodes. Proper functioning of Backup and the statistics component requires using a common database for all nodes of the cluster. To do that, the database must be specified during Kaspersky Security installation on all nodes of the cluster. The account used to perform the installation procedure must be authorized to write to the Active Directory configuration section. If a firewall is enabled on the cluster, the service of Kaspersky Security must be added to the list of trusted applications on each node of the cluster. The step is necessary to ensure correct interaction between Kaspersky Security and the Backup. After installation to a cluster of servers, most of the application settings are stored in the Active Directory, and all cluster nodes use those parameters. Kaspersky Security automatically detects active cluster nodes and applies the Active Directory settings to them. The procedure for uninstalling Kaspersky Security from a cluster of servers differs from the usual procedure in that: Clustered mailbox servers (CMS) must not be moved between nodes before application removal is completed. When uninstalling the application from an active cluster node, the Microsoft Exchange Information Store cluster resource and all Microsoft Exchange Database Instance resources which depend upon it are stopped. Once the removal procedure is complete, the original status of these resources will be automatically restored. After application removal the cluster configuration remains preserved in Active Directory, it can be used to reinstall the application. 18

19 T Y P I C A L D E P L O Y M E N T S C H E M E S APPLICATION DEPLOYMENT ON A MICROSOFT EXCHANGE DAG Kaspersky Security can be installed on servers included into a Microsoft Exchange Database Availability Group, (DAG). During setup the application recognizes automatically a Microsoft Exchange database availability group (further also referred to as the database availability group or DAG). The order, in which the application is installed on DAG nodes is irrelevant. The procedure for installing Kaspersky Security on a DAG of servers differs from the usual procedure in that: Proper functioning of Backup and the statistics component requires using a common database for all nodes of the DAG. To do that, the database must be specified during Kaspersky Security installation on all nodes of the DAG. The account used to perform the installation procedure must be authorized to write to the Active Directory configuration section. If a firewall is enabled on the DAG servers, Kaspersky Security must be added to the list of trusted applications on each server of the DAG. The step is necessary to ensure correct interaction between Kaspersky Security and the Backup. After installation to a DAG, most of the application settings are stored in the Active Directory, and all DAG servers use those parameters. Kaspersky Security automatically detects active servers and applies the Active Directory settings to them. After Kaspersky Security removal from DAG servers its configuration remains preserved in Aсtive Directory, it can be used to reinstall the application. 19

20 APPLICATION SETUP Kaspersky Security consists of two main components: the Security Server and Administration Console. The Security Server is always installed together with the Administration Console. The Administration Console can be installed separately on another computer for remote management of the Security Server. Depending upon your corporate server architecture, you can select one of three available installation variants: Security Server will be installed on the computer running Microsoft Exchange Server. The Administration Console will be installed to the same host. The Security Server and the Administration Console will be installed on the computer running Microsoft Exchange Server. The Administration Console may be installed on any computer within your corporate network for remote management of the Security Server. The Security Server will be installed on a cluster of servers running Microsoft Exchange Server. In that case the Security Server and Administration Console should be installed together on each node of the cluster. The Administration Console can be installed on any network computer within your company for remote management of the Security Servers. The Security Server can be installed on a Microsoft Exchange data availability group. Then the Security Server and Administration Console will be installed together on each server belonging to the data availability group. The Administration Console can be installed on any network computer within your company for remote management of the Security Servers. Some services of Microsoft Exchange Server have to be restarted after Kaspersky Security installation. Microsoft Exchange services will be restarted automatically without additional prompts. IN THIS SECTION Preparing for installation Upgrading from an earlier version Application setup procedure Getting started. The Application Configuration Wizard Restoring the application Removing the application PREPARING FOR INSTALLATION To install Kaspersky Security, you will need domain administrator privileges. In addition, the following mandatory components must be installed:.net Framework 3.5 SP1; Microsoft Management Console 3.0; Operation of Kaspersky Security requires an instance of Microsoft SQL Server 2005 / 2008 / 2008 R2 (Standard, Express or Enterprise) installed on one of the network computers. The SQL server can be installed on the same computer with Kaspersky Security. For working with Kaspersky Security, a fresh installation of SQL Server is recommended. 20

21 A P P L I C A T I O N S E T U P To create a database on the SQL server, you will need the local access rights for the computer where Kaspersky Security will be installed and administrator privileges on the SQL server. If the SQL server is running on a domain controller, you must be a member of the Enterprise Admins and / or Domain Admins group. UPGRADING FROM AN EARLIER VERSION Kaspersky Security supports updating version 8.0 Critical Fix 1 to the current version. Upgrading from earlier versions is not supported. The application cannot be updated on DAG servers. On DAG servers the previous version has to be removed before installing the current version. Updating the application on servers functioning as part of SCC or CCR clusters is strongly discouraged because such configuration considerably complicates data migration from the previous version to the new one. You are advised to remove the earlier application version before installing the current one. SQL server hosting the application database must remain accessible during the update procedure. Otherwise the update will fail. Parameter values and data of the previous application version will be transferred to the new version as follows: The license installed in the previous version will be used in the new version of the application. The starting date of the license validity period remains unchanged. Application settings configured in the previous version will be applied without changes to the corresponding settings in the new version except for the Use UDS checkbox. The box will be reset to the default state (off), if it has been checked. Database structure will also be updated during the application update. Backup and statistical data will be preserved. Ready reports do not appear in the interface of the new application version, but they remain in the reports folder (<application folder>/data/statistics/reports). Prior to updating, exit the Administration Console if it is started. To update Kaspersky Security to the current version, perform the following steps: 1. Start the setup_ru.exe file on the computer where the application version 8.0 Critical Fix 1 is installed. 2. Click the link Kaspersky Security 8.0 for Microsoft Exchange Servers to initiate the application update procedure. 3. In the displayed welcome screen of the application Setup Wizard, click Install. The application will be updated automatically. 4. When the update procedure completes, click Finish to exit the application Setup Wizard. APPLICATION SETUP PROCEDURE The Kaspersky Security installer is designed as a wizard which provides information about the operations you must perform during each step of the procedure. The Back and Next buttons can be used to navigate between the installation screens (steps) at any time. The Cancel button allows you to exit the installer. The installation procedure begins when the setup_en.exe file is run. 21

22 A D M I N I S T R A T O R ' S G U I D E IN THIS SECTION Step 1. Installing the required components Step 2. Greeting and License Agreement Step 3. Selecting the installation type Step 4. Selecting the application components Step 5. Configuring the connection to the Microsoft SQL Server Step 6. Copying files STEP 1. INSTALLING THE REQUIRED COMPONENTS During this step you have to make sure that the following required components are installed on your computer:.net Framework 3.5 SP1. You can install the component by clicking the Download and install.net Framework 3.5 SP1 button. The computer must be restarted after.net Framework 3.5 SP1 installation. If you continue setup without restarting, it may cause problems in the operation of Kaspersky Security. Microsoft Management Console 3.0 (MMC 3.0). Microsoft Management Console 3.0 (MMC 3.0) is a part of the operating system in Microsoft Windows Server 2003 R2 and later versions. To install the program in earlier versions of Microsoft Windows Server, you need to upgrade MMC to version 3.0. To do that, click the Download and install MMC 3.0 button. You can proceed to the next setup step by clicking the link Kaspersky Security 8.0 for Microsoft Exchange Servers. In addition, you can click the Installation guide button to download and install an installation guide. STEP 2. GREETING AND LICENSE AGREEMENT The welcome screen informs you that installation of Kaspersky Security to your computer has been started. Clicking the Next button opens the License Agreement window. The License Agreement is an agreement between the application user and Kaspersky Lab. Checking the box I accept the terms and conditions of this Agreement means that you have read the License Agreement and accepted its terms and conditions. Kaspersky Security cannot be installed if you do not accept the terms and conditions of the License Agreement. STEP 3. SELECTING THE INSTALLATION TYPE The installation type selection screen contains two buttons: Typical. Clicking this button will continue the installation procedure using the standard set of components, which suits most users. Please see Step 5 for further instructions. Custom. Clicking this button allows you to select the application components you would like to install manually. Custom installation mode is recommended for experienced users. Once the installation type is selected, the Setup Wizard proceeds to the next step. 22

23 A P P L I C A T I O N S E T U P STEP 4. SELECTING THE APPLICATION COMPONENTS If you have selected the Custom setup type, the installer will prompt you to select the components which you would like to install. The set of components available for installation will differ depending on whether Microsoft Exchange Server is installed and the role it is configured to perform. If Microsoft Exchange Server is deployed to act both as a Mailbox and Hub Transport, the following components will be available for selection: Administration Console; Anti-Spam protection component; Anti-Virus for the Mailbox role; Anti-Virus for the Hub Transport and Edge Transport roles. If Microsoft Exchange Server is deployed to act as an Edge Transport or Hub Transport only, the following application components will be available for selection: Administration Console; Anti-Spam protection component; Anti-Virus for the Hub Transport and Edge Transport roles. If Microsoft Exchange Server is deployed to act as a Mailbox only, the following components will be available for selection: Administration Console; Anti-Virus for the Mailbox role. In all other cases, only the Administration Console is available for installation. The path to the default installation folder is displayed in the lower part of the window. To change the installation folder, click the Browse button and specify another location. The path to the data folder is displayed below. The data storage folder contains the following items: Anti-Virus database; Anti-Spam database; quarantined objects. If you believe that the folder will occupy more space than the selected drive has available, you can click the Browse button to change the data storage folder location. Clicking the Reset button cancels the user-defined selection of components and restores the default selections. Clicking the Disk usage button opens a dialog containing information about the availability of the space required for installation of the selected components on local drives. STEP 5. CONFIGURING THE CONNECTION TO THE MICROSOFT SQL SERVER The purpose of this step is to configure a connection to an SQL server. 23

24 A D M I N I S T R A T O R ' S G U I D E Configuring the connection to a Microsoft SQL Server In the Name of SQL server field, specify the name (or IP address) of the computer and the SQL server instance, for example, MYCOMPUTER\SQLEXPRESS. Clicking the Browse button next to that field allows you to select an SQL server within the current network segment. In the Database name name field specify the name of the database where the application will store the Backup data and statistical information. If the SQL server contains no database with the specified name, it will be created. If you plan to use a centralized Backup and centralized storage of statistical data for several Security Servers, the same SQL server and database names must be specified for all the Security Servers. If you do not plan on using centralized storages, each Security Server can use its own database. If you deploy Kaspersky Security on a cluster or Microsoft Exchange DAG, using a common database for all Security Servers is strongly recommended. To create a database on the SQL server, you will have to choose an account that will be used to create the database. The following options are available: Active account. In this case the current user account will be used. Other account. In this case you must enter the name and password for the specified user account. You can click the Browse button to select an account. The SQL server browser must be started on the computer running the SQL server. Otherwise you will not be able to see the instance of the SQL server that you need. If Kaspersky Security is installed on an Edge Transport while the SQL server is running within a domain, there will be no way to establish a connection to the SQL server. In that case, a local SQL server instance should be used. To create a database on the SQL server, the account selected for that purpose must have the local access rights for the computer where Kaspersky Security will be installed and administrator privileges on the SQL server. If the SQL server is running on a domain controller, the account must belong to the Enterprise Admins and / or Domain Admins group. If you are using a remote connection to the SQL server, make sure that TCP/IP support is enabled in the SQL Server Configuration Manager. Select an account for the operation of application service In the next window you will see an offer to choose the account that will be used to start the application service and connect to the SQL server. The following options are available: Local System account. In this case the application service will be started and connections to the SQL server will be established using the local system account. Other account. In this case you must enter the name and password for the specified account. You can click the Browse button to select an account. For operations with an existing database the selected account must have the following privileges: Table 2. The privileges for connection to database BASE PROTECTED ENTITY PERMISSION DESCRIPTION DATABASE CREATE TABLE The right to add tables in the selected database DATABASE CREATE XML SCHEMA COLLECTION The right to create collections of XML schemas in the selected database SCHEMA CONTROL The right to control the dbo schema in the selected database If a new database is created, the application will automatically set these permissions for the selected account. 24

25 A P P L I C A T I O N S E T U P If you have selected an account registered with a domain, the account must be added to the Exchange View-Only Administrators domain group. After its addition, the application service must be restarted on all the computers where it has been started on behalf of that user. The step is necessary to apply the changes to the domain groups. STEP 6. COPYING FILES To proceed with the installation, press the Install button in the Setup Wizard window. It will initiate copying of the application files to the computer, registration of the components in the system, creation of the corresponding database on the SQL server and restarting of some services of Microsoft Exchange Server. Microsoft Exchange services will be restarted automatically without additional prompts. GETTING STARTED. THE APPLICATION CONFIGURATION WIZARD Once the files are copied and the components are registered in the system, the Setup Wizard will display a notification informing you that application setup is complete. Clicking the Next button in the Setup Wizard will start the Application Configuration Wizard. The Application Configuration Wizard will assist you in configuring the protection settings, installing the license, and testing the application functionality. To start product configuration in the Application Configuration Wizard, click Next. IN THIS SECTION Installing a license key Configuring server protection Enabling the KSN service Configuring the proxy server Notification settings Testing the application functionality INSTALLING A LICENSE KEY You can use the License screen of the Application Configuration Wizard to install a license for Kaspersky Security. If you deploy Kaspersky Security on a Microsoft Exchange DAG, it will be sufficient to install the license just once during application setup on any of the DAG servers. Once this is done, the Application Configuration Wizard will automatically detect the installed license during application setup on other servers of the DAG. Reinstalling the license will be unnecessary then. To install a license, perform the following steps: 1. Press the Add button. 2. In the displayed File name dialog, specify the path to the key file (a file with the *.key extension) and click the Open button. The application will install the license that allows using Kaspersky Security for the specified time subject to the terms and conditions defined in the license (see page 31). 25

26 A D M I N I S T R A T O R ' S G U I D E To remove a license, click the Remove button. CONFIGURING SERVER PROTECTION You can use the Protection settings window of the Application Configuration Wizard to configure the Anti-Virus and Anti-Spam protection settings. Anti-Virus and Anti-Spam protection is enabled by default. To define the protection settings, perform the following steps: 1. Leave the box Enable Anti-Virus protection immediately after installation selected to activate Anti-Virus protection immediately after application launch. 2. Leave the box Enable Anti-Spam protection selected to activate Anti-Spam protection immediately after application launch. If you do not want to activate the Anti-Virus and Anti-Spam protection immediately after application launch, uncheck the corresponding boxes. You can enable protection later using the Administration Console. 3. Check the box Enable Enforced Anti-Spam Updates Service, if you want the application to use the service for prompt delivery of Anti-Spam database updates. The following conditions will be required to ensure proper functioning of the Enforced Anti-Spam Updates Service: permanent Internet connection on the computer running the Security Server; regular updates of the Anti-Spam database (recommended frequency: every five minutes). 4. Leave the box Enable automatic database updating selected to make the application update its Anti-Spam and Anti-Virus databases automatically from the servers of Kaspersky Lab as soon as it starts. ENABLING THE KSN SERVICE You can use the KSN settings window of the Application Configuration Wizard to enable the KSN service for spam processing. The KSN service can make Kaspersky Security recognize new types of spam messages faster and minimize false alarms from Anti-Spam. This screen will only appear if you have selected the Anti-Spam protection component for installation. Access to the KSN service is regulated by a special KSN agreement. To enable the KSN service, read the KSN agreement and check the box I accept the KSN agreement and I want to use KSN. To view the full text of the KSN agreement in a separate window, click the button Display the KSN agreement. CONFIGURING THE PROXY SERVER You can use the Proxy server settings screen of the Application Configuration Wizard to set up a connection via a proxy server. The application will use the settings to connect to the update servers while updating its databases and to the servers of Kaspersky Lab providing external Anti-Spam services. To configure the proxy server settings, perform the following steps: 1. To make the application connect to the servers of Kaspersky Lab via a proxy, check the box Use proxy server. 2. Enter the proxy address in the Proxy server address field. 3. Define the proxy server port in the entry field. By default, port 8080 is used. 26

27 A P P L I C A T I O N S E T U P 4. To enable authentication with the proxy server, check the Use authentication box and enter the relevant information about the user account selected for that purpose in the Account and Password fields. Use the button to select one of the existing accounts. 5. If you wish to download updates from a local corporate server directly, check the Bypass proxy server for local addresses box. NOTIFICATION SETTINGS The Notification settings window of the Application Configuration Wizard allows you to configure the notifications sent by . Using notifications, you will be informed promptly of all Kaspersky Security events. To define the notification settings, perform the following steps: 1. In the Web-service address field, specify the address of the web service that will be used to mail messages via Microsoft Exchange Server. By default, in the Microsoft Exchange Server, it is the following address: 2. In the Account field, specify any account from among the mailboxes registered on the Microsoft Exchange Server. To do that, click Browse or enter the account name manually. 3. Type the password for the selected account in the Password field. 4. Enter in the Administrator address field the destination mail address, for example, your Click the Test button to send a test message. If the test message arrives in the specified mailbox, it means that delivery of notifications is configured properly. 6. Click Next to finish setting up the application options. 7. Click the Finish button in the final window of the Application Setup Wizard to quit the wizard. If the Start Administration Console after Application Configuration Wizard completion box is left checked, the Administration Console will start automatically. TESTING THE APPLICATION FUNCTIONALITY After Kaspersky Security is installed and configured, you are advised to verify its settings and operation using a test "virus" and its modifications. The test virus was specifically designed by EICAR (The European Institute for Computer Antivirus Research) to test anti-virus products. The test "virus" is not a malicious program and it contains no code that can harm your computer. However, most anti-virus products identify it as a virus. You can download the test "virus" from the official web site of EICAR at: Testing the Anti-Virus functionality To send a message with the test "virus", perform the following steps: 1. Create an message with an attached EICAR test "virus". 2. Send the message via Microsoft Exchange Server with Kaspersky Security installed and Security Server connected. 27

28 A D M I N I S T R A T O R ' S G U I D E 3. Check to make sure that the delivered message contains no virus. If a virus is detected on a server functioning as a Mailbox, the deleted virus will be replaced with a text file. When a virus is detected on a server functioning as a Hub Transport, the application adds the prefix Malicious object deleted to the message subject. After virus detection, the mailbox that you have specified in the Notification Settings window (see the section "Configuring notifications" on page 27) of the Initial Configuration Wizard should receive a notification about the intercepted virus. To view the application report on the detected virus, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree to the left, select and open the node corresponding to the server which was supposed to process the message containing the "virus". 3. Select the Reports node. 4. In the details pane, in the Quick reports section, perform the following steps: a. Select in the Type list the report type Protection for the Mailbox role or Anti-Virus for the Hub Transport role (depending upon the existing configuration). b. Click Generate report. 5. View the created report in the Ready reports section. To do that, double-click the desired report to open it. If the report contains information about the EICAR infection, the application is properly configured. To receive the reports to an address, perform the following steps: 1. In the details pane in the Anti-Virus report for the Mailbox role and Anti-Virus report for the Hub Transport sections check the Administrator box to enable sending of notifications to the address you specified in the notification settings (see section "Configuring notifications" on page 27) of the Application Configuration Wizard. If you did not specify an address in the Application Configuration Wizard, click the sending settings link to set up notification sending settings (see the section "Configuring notifications" on page 27). 2. To make sure that reports arrive in the specified address, click the Test button to send a test message. By default, the application saves a copy of an infected object in Backup. To check whether a copy of an infected object has been saved in Backup, perform the following steps: 1. In the console tree, select the Backup node. 2. Check to make sure that the infected object (message with attached "virus") appears in the details pane. Testing the Anti-Spam functionality To test normal functioning of Anti-Spam, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree to the left, select and open the node corresponding to the server which will be used to transfer the test message. 3. Select the Server protection node. 4. Select in the details pane the tab Protection for the Hub Transport role. 28

29 A P P L I C A T I O N S E T U P 5. Open the White and black list settings section. 6. Check the Add sender's address to black list box. 7. Specify in the entry field any address that you have access to. 8. Click the addition button to the right of the field. 9. Open the Scan settings section. 10. In the Blacklisted field, select Allow. 11. In the same field, check the box Add label. 12. Send a message from the specified mailbox to the administrator address through the protected mail server. If the message arrives with the [Blacklisted] label in the header, Anti-Spam is functioning correctly. RESTORING THE APPLICATION If the application encounters a failure while running (for example, if its executable files get damaged), you can use the restoration functionality provided in the installer. During restoration the installer will preserve the selected settings and user configuration including notifications and the path to the Quarantine database. To restore Kaspersky Security, perform the following steps: 1. Start the file setup_en.exe. 2. Click the link Kaspersky Security 8.0 for Microsoft Exchange Servers to start the application Setup Wizard and click Next. 3. Click the Next button in the welcome screen of the Initial Configuration Wizard. 4. In the Change, Repair or Remove the application window, click the Restore button. 5. In the Restoring window, click the Repair button. Restoration of the application will not be possible if its configuration files are damaged. In that case removing and reinstalling the application is recommended. 29

30 A D M I N I S T R A T O R ' S G U I D E REMOVING THE APPLICATION To remove Kaspersky Security from a computer, perform the following steps: 1. Start the file setup_en.exe. 2. Click the link Kaspersky Security 8.0 for Microsoft Exchange Servers to start the application Setup Wizard and click Next. 3. In the Change, Repair or Remove the application window, click the Remove button. 4. In the Remove window, click the Remove button. 5. In the Database removal window: If you want the application to delete the database from the SQL server during application removal, click Yes. If you want the application to leave the database on the SQL server during application removal, click No. Backup data added by the application will be deleted from the database. Statistical data added by the application will not be deleted. You can also uninstall the application using the standard software management tools in Microsoft Windows. During Kaspersky Security removal, some services of Microsoft Exchange Server will need a restart. Microsoft Exchange services will be restarted automatically without additional prompts. 30

31 MANAGING KASPERSKY SECURITY LICENSES When you purchase Kaspersky Security, you enter into a license agreement with Kaspersky Lab. This agreement grants you the right to use the application you purchased to protect the specified number of mailboxes for a defined period. Protection covers both mailboxes and public folders. Therefore, no additional license is needed to protect public folders when working in the Microsoft Exchange environment. Depending upon the application deployment variant, the following licensing schemes can be used: If the application is used on separate Microsoft Exchange servers, an individual license must be installed on each server. If the application is used on a server cluster, installing a single license will be sufficient, it will apply to the entire cluster. If the application is running on DAG servers, it will be sufficient to install one license, which will apply to the entire DAG. Licenses are time-limited. During the license validity period, you are entitled to: use the Anti-Virus and Anti-Spam functionality of the application; regular updates for the anti-virus and anti-spam databases; application updates; support on issues related to the installation, configuration and use of the purchased software product, provided 24 hours a day by phone or . The application recognizes availability of a valid license by the Kaspersky Security license key file, which is an essential part of any Kaspersky Lab product. Protection functionality of Kaspersky Security will not be available without a license! Trial and commercial licenses You may use a trial license to evaluate the benefits of Kaspersky Security. When the trial license expires, the application functionality will be disabled. The validity period of a trial license starts from the moment when the first trial key is added. The validity period of all the subsequent trial keys will be adjusted in accordance with the validity period of the first key. To use Kaspersky Security in an organization, a commercial license must be purchased. Once a commercial license expires, the application functionality will remain partially available, i. e. the application will continue anti-virus and antispam traffic scanning; however, database updates and application upgrades will no longer be provided, nor will you be able to contact the Technical Support service for assistance. Therefore, the application continues anti-virus scanning of the traffic and background scanning of storage areas, but uses outdated database versions.. In this case, the application cannot guarantee comprehensive protection against new viruses and spam which may appear after the license expires. Active license An active license is the license that the application uses at the moment. The application can have only one active license key. A trial or commercial license can be installed as an active license. 31

32 A DMI N I S T R A T O R ' S G U I D E If a commercial license for Kaspersky Security is installed as active, the application verifies its restrictions using special internal algorithms. If a violation of the terms and conditions of the license agreement is detected: the application functionality will be restricted; a record of the detected violation will be entered into the event logs; if the notification settings are configured, a notification about the violation will be issued and sent by . Each license includes a restriction based on the number of protected mailboxes. You can manage the number of protected mailboxes excluding from the scan scope certain storages (see the section "Creating a list of protected mailboxes and storages" on page 34) containing accounts that the application will not scan. You are advised to purchase a license which can protect all your mailboxes, as any unprotected storage areas increase the possibility of penetration and propagation of viruses via the system. By default, a notification is sent when the application is running fifteen days prior to the license expiration date. This message indicates when the currently installed license key will expire and gives information about renewing the license. The date of the notification and its destination address can be changed (see the section "Notification about license expiry" on page 34). Additional license Once you have installed an active commercial license, you can purchase an additional license for a product (see the section "Distribution Kit" on page 12) that includes Kaspersky Security and install it. After the current license expires, the additional license becomes active automatically and the application continues to function with no changes. Thus you can ensure uninterrupted protection of your corporate mail servers. Kaspersky Security supports only one additional license. A trial license cannot be installed as an additional one. License restrictions In some cases (for example, if the sales contract was terminated or if the license agreement restrictions were changed), Kaspersky Lab terminates the license agreement with the user. In this case, the serial number of the license key will be added to the list of cancelled licenses, the so-called black list. If your active license is found in the black list, the reserve license will not be activated and the application will be disabled except for the management and anti-virus database updating services. If your license has been accidentally blacklisted, you are advised to update your databases and, if the error persists, contact the Technical Support Service. IN THIS SECTION Viewing information about installed licenses Installing a license key Removing a license key Notification about license expiry Creating the list of protected mailboxes and storages

33 M A N A G I N G K A S P E R S K Y S E C U R I T Y L I C E N S E S VIEWING INFORMATION ABOUT INSTALLED LICENSES To view information on installed licenses, perform the following steps: 1. Start the Administration Console of the application. 2. In the Administration Console tree, select the necessary server node and then the Licenses node. The details pane will display information about installed licenses. The following information is displayed: Type. The license key type. Owner. Person or legal entity for which the license was issued. Restrictions. Number of users (mailboxes) covered in the license. Expiration date. License expiration date. Serial number. License serial number. Status. The license state. INSTALLING A LICENSE KEY If Kaspersky Security is running on a DAG, a single license for the entire DAG will be sufficient. You can install it by connecting through the Administration Console to any server within the DAG. To install a license for Kaspersky Security, perform the following steps: 1. In the Management Console, select the node Licenses. 2. In the details pane, click the Add button in the Active license section. 3. In the displayed File name dialog, specify the path to the key file (a file with the *.key extension) and click the Open button. The license will be installed and made active. Information about the license will appear in the Active license section. Once you have installed an active license, you can install an additional license. Only commercial license can be installed as an additional license. A trial license cannot be installed as an additional one. To install an additional license, perform the following steps: 1. Select the Licenses node in the Administration Console. 2. In the details pane, click the Add button in the Additional license section. 3. In the displayed File name dialog, specify the path to the key file (a file with the *.key extension) and click the Open button. The license will be installed and made additional. Information about the license will appear in the Additional license section. 33

34 A D M I N I S T R A T O R ' S G U I D E REMOVING A LICENSE KEY To remove a license for Kaspersky Security, perform the following steps: 1. In the Administration Console, select the Licenses node in the Administration Console. 2. Select one of the following operations: If you want to remove the active license, press the Delete button in the Active license section. If you want to remove the additional license, press the Delete button in the Additional license section. Selected license will be removed. NOTIFICATION ABOUT LICENSE EXPIRY The application verifies compliance with the license agreement after every database update. License validation may have the following results: the license is missing; the active key expires within the next few days; the license has expired; the active license was found in the black list. In these cases the application logs an appropriate record and, provided that notifications are configured (see the section "Configuring notification settings" on page 73), s the information to the address specified in the settings. If a license is about to expire, the application by default starts informing about that 15 days before the actual event. You can set up an earlier or a later notification date. To configure notifications about expiry of the Kaspersky Security license, perform the following steps: 1. In the Management Console, select the node Licenses. 2. In the details window, specify in the field Notify about license expiry in the number of days remaining until a license expires when you should be notified about the forthcoming expiry. 3. Click the Save button. 34

35 M A N A G I N G K A S P E R S K Y S E C U R I T Y L I C E N S E S CREATING THE LIST OF PROTECTED MAILBOXES AND STORAGES The application will protect the number of mailboxes specified in the active license. If the number is insufficient, you may unprotect some mailboxes. To do that, you have to move to unprotected storage the mailboxes that need no protection. By default, the application protects all public folders created on the protected mail server. You can remove protection from public folders if you think that scanning them would be redundant. To remove protection from mailbox storage or public folders storage: 1. In the Management Console, select the node Server protection. 2. On the Anti-virus protection for the Mailbox role tab, open the Protection for mailboxes group of settings. 3. In the Protected mailbox storages section, check the boxes corresponding to the mailbox storages you wish to protect. 4. In the Protected public folder storages section, check the boxes corresponding to the public folder storages which you wish to protect. 5. To apply the changes, click the Save button. The lists displayed include all mailbox storage areas created on the protected Microsoft Exchange server. By default, the application protects the storages that already existed when the application was installed and all new storage areas. 35

36 APPLICATION INTERFACE The user interface of the application is provided by the Administration Console component. The Administration Console is a dedicated isolated snap-in integrated into MMC. IN THIS SECTION Main window Context menu MAIN WINDOW The main window of the Administration Console contains the following sections (see figure below). Toolbar. Displayed in the upper part of the main window. The buttons on the toolbar allow direct access to some frequently accessed features of the application. Menu. Displayed immediately above the toolbar. The menu provides management functions for files and windows, as well as access to the help system. Console tree. Located in the left part of the main window. The console tree displays connected Security Servers and the settings of Kaspersky Security. Connected servers and the settings of Kaspersky Security are listed as nodes. You can open parent nodes by clicking the corresponding plus sign. An open node is displayed with the minus sign next to it. details pane. Located in the right part of the main window. The window displays the contents of the node selected in the tree. The topmost node of the console tree is Kaspersky Security 8.0 for Microsoft Exchange Servers. Double-clicking it opens the list of connected servers with Kaspersky Security installed. The details pane also displays connected servers and the Add server button. Left-clicking the connected server node with the mouse displays the following information in the details pane: The list and status of application components installed on the selected server. Information about the installed license. The Anti-Virus and Anti-Spam database update status. Graphs providing statistical information about the Anti-Spam and Anti-Virus activity. Clicking the plus sign next to a connected server opens in the console tree the list of subnodes containing the settings and controls of Kaspersky Security. Kaspersky Security subnodes have the following purpose: Server protection used for viewing and editing the settings for anti-virus and anti-spam protection. Updates used for viewing and editing the settings for anti-virus and anti-spam database updates. Notifications used for viewing and editing the settings for notifications. Backup used for viewing the Backup content, sending and removal of objects from Backup. Reports used for viewing and editing the settings for Anti-Virus and Anti-Spam reports. Settings used to view and edit the settings for notifications, Backup, reporting and statistics. 36

37 A P P L I C A T I O N I N T E R F A C E Licenses used to view the information about the current and additional licenses, install and remove licenses. Figure 1. Main application window When you select a node in the console tree, the application displays the node contents in the details pane. CONTEXT MENU Each category of objects in the console tree has its own context menu, which you can open by right-clicking on the object. In addition to the standard Microsoft Management Console (MMC) commands, this context menu contains commands used for handling selected objects. You can use the context menu to perform the following operations: Add server. Select in the Administration Console tree the node Kaspersky Security 8.0 for Microsoft Exchange Servers and right-click it. Select the Add server command from the context menu. Enable snap-in diagnostics. Select in the Administration Console tree the node Kaspersky Security 8.0 for Microsoft Exchange Servers and right-click it. Select the command to Enable snap-in diagnostics in the context menu. Remove a connected server. Select in the Administration Console tree a connected server node and right-click it. Select the Delete command in the context menu. Update the Anti-Virus and the Anti-Spam databases. Select in the Administration Console tree the Updates node and right-click it. Select the command to Update the anti-virus database or Update Anti-Spam database in the context menu. Configure the settings for delivery of notifications. Select in the Administration Console tree the Notifications or Reports node and right-click it. Select the sending settings command in the context menu. 37

38 STARTING AND STOPPING THE APPLICATION Kaspersky Security is started automatically when Microsoft Exchange Servers loads, at Microsoft Windows startup, when a message passes the protected Microsoft Exchange Server and when the Administration Console connects to the Security Server. If anti-virus protection of the server is enabled, it will start immediately after the Microsoft Exchange Server is launched. Figure 2. Enabling server protection You can enable and disable anti-virus and anti-spam protection separately for the Mailbox and Hub Transport roles. To enable anti-virus protection for a connected Microsoft Exchange server acting as a Mailbox, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 3. Select the Server protection node. 38

39 S T A R T I N G A N D S T O P P I N G T H E A P P L I C A T I O N 4. In the details pane, on the Anti-virus protection for the Mailbox role tab check in the Anti-Virus scan settings section the box Enable anti-virus protection for the Mailbox role. 5. Click the Save button. To enable anti-virus protection for a connected Microsoft Exchange server acting as a Hub Transport, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 3. Select the Server protection node. 4. In the details pane, on the Protection for the Hub Transport tab check in the Anti-Virus scan settings section the box Enable anti-virus protection for the Hub Transport role. 5. Click the Save button. To enable anti-spam protection on a connected Microsoft Exchange server, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 3. Select the Server protection node. 4. In the details pane, open on the Protection for the Hub Transport role tab the section Anti-Spam analysis settings. 5. Check the Anti-spam mail scanning box. 6. Click the Save button. To stop Kaspersky Security, perform the following steps: 1. Disable the anti-virus and anti-spam protection using the Administration Console (see above). 2. Stop the Kaspersky Security service and set it to the Disabled startup type. To start the application after automatic startup has been disabled for Kaspersky Security, perform the following steps: 1. Make sure that the Kaspersky Security service is configured for Automatic startup. 2. Enable anti-virus and anti-spam protection using the Administration Console (see above). 39

40 DEFAULT MICROSOFT EXCHANGE SERVER PROTECTION STATUS Anti-virus and anti-spam protection of the Microsoft Exchange server starts immediately after the Security Server component is installed unless it has been turned off in the Application Configuration Wizard (see section "Configuring server protection" on page 26). The operation mode of the application is as follows: The application will scan objects for the presence of currently known malicious software: the body of the message and attached objects in any format will be scanned, except for container objects with a nesting level above 32. the maximum time for scanning an object is 180 seconds. Selection of the operation to be performed upon detection of an infected object depends upon the role of the Microsoft Exchange server where the object was found: When an infected object is detected on a server functioning as a Hub Transport or Edge Transport, the object will be deleted automatically, the application saves a copy of the message in Backup and the prefix [Malicious object deleted] will be added to the corresponding message subject. When an infected object is detected on a server functioning as a Mailbox, the application saves a copy of the object (attachment or message body) in Backup storage and attempts to disinfect the object. If disinfection is impossible, the application deletes the object and replaces it with a text file containing a notification in the following format: Malicious object <VIRUS_NAME> has been detected. The file (<OBJECT_NAME>) was deleted by Kaspersky Security 8.0 for Microsoft Exchange Servers. Server name: <server_name> When a protected or corrupted object is found, by default the application skips it. Users can select the Delete operation for these categories of objects. In that case, the application saves a copy of the message in Backup. The application protects the content of public folders and messages stored on the server. Anti-spam mail filtering is performed. By default, the low intensity level of anti-spam scanning is used. This level provides an optimal combination of scanning speed and quality: The Allow operation is used to handle all messages; however, mail with the "Spam" verdict will bear a special [!!Spam] label. The Probable spam setting is enabled. Messages with that verdict will be labeled [!!Probable Spam]. The maximum duration for scanning a single message is 30 seconds. The maximum size of an object to be scanned is 300 KB. External services are used to check IP addresses and URLs: DNSBL and SURBL. These services allow spam filtering using public black lists of IP addresses and URLs. The UDS service is disabled (see section "Configuring anti-spam analysis" on page 58). If the KSN service has been enabled in the application Setup Wizard, it will participate in traffic inspection by the Anti-Spam (see section "Enabling the KSN service" on page 26). Otherwise the KSN service will be disabled (see section "Configuring anti-spam analysis" on page 58). If updates have been enabled for the databases of Kaspersky Security in the Application Configuration wizard (see section "Configuring server protection" on page 26), the databases will be updated regularly from the servers of Kaspersky Lab. 40

41 GETTING STARTED The application s operation can be controlled from the administrator's workstation through the Administration Console. You can connect any number of Security Servers to the Administration Console and manage them both locally and remotely. IN THIS SECTION Starting: Administration Console Creating the list of protected Microsoft Exchange servers Connecting the Administration Console to the Security Server STARTING: ADMINISTRATION CONSOLE To start the Administration Console, perform the following steps: 1. Select Start Programs. 2. Select Kaspersky Security 8.0 for Microsoft Exchange Servers from the list of programs. 3. Click Administration Console. When the Administration Console starts, the Kaspersky Security snap-in connects to MMC, and the console tree displays the application icon and the Kaspersky Security 8.0 for Microsoft Exchange Servers node. The console tree also displays the node of the local Security Server (if it has been installed) connected to the console. CREATING THE LIST OF PROTECTED MICROSOFT EXCHANGE SERVERS You can create a list of protected Microsoft Exchange servers. To do that, each of the Microsoft Exchange servers that you wish to protect must have the Security Server installed. You can add either the local computer (see figure below) or any protected Microsoft Exchange server within the network to this list. A connection between the Management Console and Kaspersky Security can also be established immediately after adding a server. Microsoft Exchange database availability groups (DAG) cannot be added to the list of protected servers. Instead, you can add any of the DAG servers to connect to it for manipulations that apply to the entire DAG (such as configuration of notification settings or viewing of Backup contents), or a specific server to configure its individual parameters (such as Backup settings). To add a Security Server of Kaspersky Security to the list of protected servers, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. Select the Kaspersky Security 8.0 for Microsoft Exchange Servers node in the console tree. 3. Select the Add server command in the context menu of the node or the corresponding item in the Action menu. 41

42 A D M I N I S T R A T O R ' S G U I D E Figure 3. Adding a Security Server 4. Select one of two suggested options: Local computer. In this case you will add the Security Server running on the local computer. Custom server. In this case you can connect a Security Server installed on a remote Microsoft Exchange server. To connect to a Security Server located on a remote server, you should add the Kaspersky Security service to the trusted applications list of the remote computer's firewall or allow RPC connection. 5. If you have selected the Custom server option, type its name in the entry field. You can enter the name manually by specifying one of the following: IP address; fully-qualified domain name (FQDN) in the format <Computer name>.<dns-domain name>; the computer name in the Microsoft Windows network (NetBIOS name). You may select a computer from the list displayed after clicking Browse. 6. Click OK. The selected computer will be added to the list of protected servers. 42

43 G E T T I N G S T A R T E D CONNECTING THE ADMINISTRATION CONSOLE TO THE SECURITY SERVER After launch the Administration Console will connect automatically to the local Security Server; the Server will then appear in the Administration Console tree. To connect to a Security Server located on a remote computer, you should add the Kaspersky Security service to the trusted applications list of the remote computer's firewall, or allow RPC connection. Administration Console cannot be connected to a Microsoft Exchange database availability group (DAG). Instead, it can be connected to a Security Server on any of the DAG servers for manipulations that apply to the entire DAG (such as configuration of notification settings or viewing of Backup contents), or the Security Server of a specific server to configure its individual parameters (such as Backup settings). To connect the Administration Console to a remote Security Server, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. Select the Kaspersky Security 8.0 for Microsoft Exchange Servers node in the console tree. 3. Use the Add server command from the context menu or the corresponding command in the Action menu. You can also click the Add server button in the details pane. 4. Select in the displayed dialog Other computer, click Browse and type its name in the entry field. You can enter the name manually. To do that, specify one of the following: IP address; fully-qualified domain name (FQDN) in the format <Computer name>.<dns-domain name>; the computer name in the Microsoft Windows network (NetBIOS name). You may select a computer from the list displayed after clicking Browse. 5. Click OK. The selected computer will be added to the list of protected servers. 43

44 UPDATING THE ANTI-VIRUS AND ANTI- SPAM DATABASES Kaspersky Lab provides all its users with the opportunity to update the Kaspersky Security anti-virus databases, which are used to detect malicious programs and to disinfect infected objects (see figure below). The database files contain a description of all currently known malware and methods of disinfecting infected objects, as well as a description of potentially dangerous software. The Anti-Spam database is regularly updated as well. Setting minimum frequency of the Anti-Spam database updates is recommended for maximum efficiency of spam filtering. It is extremely important to keep all databases up to date. You are advised to update your databases immediately after installation of the application, as the databases included in the distribution kit will be out of date by the time you install your application. The anti-virus databases on Kaspersky Lab's update servers are updated every hour. The Anti-Spam database is updated every five minutes. You are advised to use the same frequency for automatic application updates (see section "Automatic update" on page 46). Figure 4. Anti-virus database update Kaspersky Security can retrieve database updates from the following sources: from Kaspersky Lab's update servers on the Internet; from a local update source, such as a local or network folder; from another HTTP or FTP server, such as your Intranet server. 44

45 U P D A T I N G T H E A N T I - V I R U S A N D A N T I - S P A M D A T A B A S E S Updating is performed either manually or automatically according to a schedule. After the files are copied from the specified update source, the application automatically connects to the new databases. IN THIS SECTION Manual update Automatic update Selecting the update source Editing the connection settings MANUAL UPDATE To view information about updates to the Anti-Virus database and update it manually, perform the following steps: 1. In the Administration console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Anti-virus database update group of settings. Information about database updates contains the following data: Result of the last update. Information about the database update status. Database release date. Time when the database currently used in the application was made available on the server of Kaspersky Lab (UTC). Records. The number of virus signatures in the current anti-virus database. 4. In the Run mode dropdown list, select the Manually element. 5. Press the Launch the update button. 6. To stop the update procedure, click the Stop button. To view information about updates to the Anti-Spam database and update it manually, perform the following steps: 1. In the Administration Console, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Anti-Spam database update group of settings. Information about database updates contains the following data: Result of the last update. Information about the database update status. Database release date. Time when the database currently used in the application was made available on the server of Kaspersky Lab (UTC). 4. In the Run mode dropdown list, select the Manually element. 5. Press the Launch the update button. 45

46 A D M I N I S T R A T O R ' S G U I D E 6. To stop the update procedure, click the Stop button. If the application is running on a cluster or Microsoft Exchange DAG, manual update of the database has to be performed on each of the Security Servers within the cluster or DAG. AUTOMATIC UPDATE To configure automatic updates of the Anti-Virus database, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Anti-virus database update group of settings in the details pane. 4. Select one of the options from the Run mode dropdown list: Periodically. Use the every N minutes, hours, days entry field to define the frequency of future updates. Daily. Define the precise time in HH:MM format (UTC). On selected day. Check the boxes next to the days of the week when you would like to update the database, and specify the update time. 5. Click the Save button. 6. To stop the update procedure, click the Stop button. You can only stop the update in progress. The next update will be performed according to the schedule. If the application is running on a Microsoft Exchange DAG, the automatic Anti-Virus database update settings configured on one of the servers will be automatically applied to all servers within the DAG. Configuring automatic updating on other servers of the DAG is not necessary. To configure automatic updates of the Anti-Spam database, perform the following steps: 1. In the Administration console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Anti-Spam databases update group of settings in the details pane. 4. Select one of the options from the Run mode dropdown list: Periodically. Use the every N minutes, hours, days entry field to define the frequency of future updates. Daily. Define the precise time in HH:MM format (UTC). On selected day. Check the boxes next to the days of the week when you would like to update the database, and specify the update time. 5. Click the Save button. 6. To stop the update procedure, click the Stop button. You can only stop the update in progress. The next update will be performed according to the schedule. 46

47 U P D A T I N G T H E A N T I - V I R U S A N D A N T I - S P A M D A T A B A S E S SELECTING THE UPDATE SOURCE To choose an Anti-Spam database update source: 1. In the Administration console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Anti-virus database update group of settings in the details pane. Kaspersky Lab's update servers, if you wish to download updates from the Kaspersky Lab servers. HTTP server, FTP server, local or network folder, if you wish to download updates from any of these sources. 4. Specify the address of the corresponding server or local or network folder in the entry field. 5. Click the Save button. If the application is running on a Microsoft Exchange DAG, the automatic Anti-Virus database update settings (in particular, the source of updates) configured on one of the servers will be automatically applied to all servers within the DAG. Configuring automatic updating on other servers of the DAG is not necessary. To choose an Anti-virus database update source: 1. In the Administration Console tree, select the node of a connected server and open it and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Anti-Spam database update group of settings in the details pane. Kaspersky Lab's update servers, if you wish to download updates from the Kaspersky Lab servers. HTTP server, FTP server, local or network folder, if you wish to download updates from any of these sources. 4. Specify the address of the corresponding server or local or network folder in the entry field. 5. Click the Save button. 47

48 A D M I N I S T R A T O R ' S G U I D E EDITING THE CONNECTION SETTINGS To configure connection to an updates source, perform the following steps: 1. In the Administration console tree, select the node of a connected server and open it by clicking the corresponding plus by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Updates node. 3. Open the Connection settings group of settings in the details pane. 4. If your Internet connection is established through a proxy server, enable the option to Use proxy server. 5. Specify the timeout duration in the Connection timeout field. The default connection timeout is 60 seconds. By default, the timeout is set to 60 seconds. 6. Click the Save button. If you connect to the Internet using a proxy server, you will have to configure your proxy server settings. To configure the proxy server settings, perform the following steps: 1. In the Administration console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Settings node. 3. In the details pane, in the Proxy server settings configuration section, perform the following steps: a. Enter the proxy address in the Proxy server address field. b. Define the proxy server port in the entry field. By default, port 8080 is used. c. To enable authentication with the specified proxy server, check the Use authentication box and enter the relevant information about the user account selected for that purpose in the Account and Password fields. d. If you want the application to connect to local corporate servers directly, check the Bypass proxy server for local addresses box. 4. Click the Save button. 48

49 ANTI-VIRUS PROTECTION One of the main purposes of Kaspersky Security is anti-virus scanning of mail traffic and messages in mailboxes and public folders, as well as disinfection of infected objects using the current (latest) version of its databases. All messages arriving at the Microsoft Exchange server are scanned in real time. Both incoming and outgoing e- mail traffic are processed, as are all transit messages. You can configure the application to perform the following operations with messages containing malicious objects: Skip the message and the malicious object which it contains. Delete the malicious object but allow the message to pass. Delete the message together with the malicious object. When a malicious object gets deleted on a server functioning as a Mailbox, the deleted object will be replaced with a text file containing the name of the malicious object, the date of the database used to detect the malicious object and the name of the Microsoft Exchange server where the object was detected. When a malicious object is detected on a server functioning as a Hub Transport, the application adds the prefix Malicious object deleted to the message subject. When traffic scan mode is enabled, the application remains loaded in the computer's RAM, and the Interceptor analyzes traffic received from the Microsoft Exchange server and transfers it to the Anti-Virus Scan Subsystem. The Anti-Virus performs the following operations: scans messages using the Anti-Virus database; if an message or part of it is infected, the application processes the detected malicious object in accordance with the selected settings; Before processing, a copy of the object can be saved in the Backup storage. If anti-virus protection of the server is enabled, traffic scans will start and stop simultaneously with the startup and stopping of the Microsoft Exchange Server. Kaspersky Security does not scan messages created by protected users in the Public folders of unprotected Microsoft Exchange servers. If messages are transferred from the Public folders of an unprotected area to a protected one, the application will scan them. During data replication between protected and unprotected storages, any changes made by the application as a result of the anti-virus scan are not synchronized. messages which are stored on the server, as well as the contents of public folders, are also rescanned on a regular basis using the latest version of the anti-virus database, if background storage scanning is enabled (see the section "Background scan" on page 55). Using background scan mode decreases the load on the servers during busy hours and increases the security level of the infrastructure in general. Background scans can be launched either automatically (using a schedule) or manually. Operation of the application in background scan mode may slow down the operation of Microsoft Exchange Server; therefore, it is best to use it during periods of minimum load on mail servers, for example, at night. When background scan mode is enabled, the Internal Application Management Module will receive all messages located in public folders and protected storage areas from the Microsoft Exchange server in accordance with the current settings. If a message has not been analyzed using the latest anti-virus database, it will be sent to the anti-virus component for processing. Objects are processed in background mode in the same way as in traffic scan mode. The application analyzes the message body and attached files in any format. Kaspersky Security differentiates simple objects (such as a message body or a simple attachment, for instance, an executable file) from containers, which consist of several objects (such as an archive or a message with another message attached). 49

50 A D M I N I S T R A T O R ' S G U I D E When scanning multivolume archives, Kaspersky Security treats and processes each volume as a separate object. In this case, Kaspersky Security can detect malicious code only if the code is fully located in one of the volumes. If a virus is also divided into parts between volumes, it cannot be detected when only part of the data is loaded. In this situation, the malicious code may propagate after the object is restored as one entity. Multiple-volume archives can be scanned after they are saved to the hard drive by the anti-virus application installed on the user's computer. If necessary, you can define a list of objects that should not be scanned for viruses. The following types of objects can be excluded from the scan scope: archives, all containers with a nesting level above the specified value, files matching specified masks. Files over 1 MB will be saved to the Store working folder for processing. The Store folder is located in the data folder of the application. The Store folder and the temporary file storage folder TMP must be excluded from the scan scope of any anti-virus applications operating in the enterprise local network. IN THIS SECTION Enabling and disabling anti-virus server protection Creating rules for object processing Scanning attached archives and containers Configuring protection settings for mail accounts Creating scanning exclusions Background scan ENABLING AND DISABLING ANTI-VIRUS SERVER PROTECTION If the anti-virus server protection is enabled, anti-virus scanning of the traffic will be started or stopped at the same time as Microsoft Exchange Server. If the anti-virus protection settings specify background scanning of storage areas (see the section "Background scan" on page 55), scanning can be launched manually or according to the schedule. Please note that disabling anti-virus server protection considerably increases the risk of malware penetrating the system. You are advised not to disable anti-virus protection for long periods of time. Anti-Virus has to be enabled separately for the Mailbox and Hub Transport roles. To enable anti-virus protection for a connected Microsoft Exchange server acting as a Mailbox, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 3. Select the Server protection node. 4. In the details pane, on the Anti-virus protection for the Mailbox role tab check in the Anti-Virus scan settings configuration section the box Enable anti-virus protection for the Mailbox role. 5. Click the Save button. 50

51 A N T I - V I R U S P R O T E C T I O N If the application is running on a Microsoft Exchange DAG, anti-virus protection enabled for the Mailbox role on one of the servers will be enabled automatically on all the DAG servers, too. Enabling the anti-virus protection for the Mailbox role on the remaining DAG servers is not necessary. To enable anti-virus protection for a connected Microsoft Exchange server acting as a Hub Transport, perform the following steps: 1. Launch Kaspersky Security by selecting StartPrograms Kaspersky Security 8.0 for Microsoft Exchange Servers Administration Console. 2. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 3. Select the Server protection node. 4. In the details pane, on the Protection for the Hub Transport tab check in the Anti-Virus scan settings configuration section the box Enable anti-virus protection for the Hub Transport role. 5. Click the Save button. If you need to disable the Kaspersky Security service manually, perform the following actions: 1. Disable anti-virus protection using the Administration Console (see above). 2. Stop the Kaspersky Security service and set it to the Disabled startup type. To start the application after automatic startup has been disabled for Kaspersky Security, perform the following steps: 1. Make sure that the Kaspersky Security service is configured for Automatic startup. 2. Enable anti-virus protection using the Administration Console (see above). CREATING RULES FOR OBJECT PROCESSING Object processing rules allow you to select the operation used to handle each type of object. Following an anti-virus scan, each object is assigned a status which can take the following values: Infected - object contains at least one known virus. Clean the object contains no viruses. Protected - object is password-protected. Corrupted - object is corrupted. The rules used to process objects for the Mailbox and Hub Transport roles of a Microsoft Exchange Server have to be created separately. To create an object processing rule, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. Perform one of the following steps: 51

52 A D M I N I S T R A T O R ' S G U I D E If you want to create object processing rules for the Mailbox role, open in the details pane the Protection for the Mailbox role tab and then the Anti-Virus scan settings configuration section. If you want to create object processing rules for the Hub Transport role, open in the details pane the Antivirus protection for the Hub Transport role tab and then the Anti-Virus scan settings configuration section. 4. In the Objects processing rules section, use the Infected object dropdown list to select an action: Allow. Skip the message and the malicious object which it contains. Delete the object. Delete infected object but allow the message to pass. Delete the message. Delete messages containing an infected object with all attachments. 5. In the Protected object dropdown list, select an action: Allow. Password protection may prevent anti-virus scanning of protected objects. Select the option to Allow if you wish to skip such objects. Delete the message. Select this option if you want to delete password-protected objects. Messages containing such objects will be deleted entirely. 6. In the Corrupted object dropdown list, select an action: Allow. Select this option if you wish to skip such objects. Delete the message. Select this option to delete corrupted objects. 7. To ensure that a copy of the object is saved to backup storage before the object is processed, check the Save a copy of the object in the backup storage box. If the application is running on a Microsoft Exchange DAG, object processing rules configured for the Mailbox role on one of the servers will be propagated automatically to other DAG servers. Configuring the object processing rules for the Mailbox role on other servers of the DAG is not necessary. However, the object processing rules for the Hub Transport role have to be configured individually on each of the DAG servers. SCANNING ATTACHED ARCHIVES AND CONTAINERS Kaspersky Security scans attached archives and containers by default. You can disable scanning of attachments to optimize the operation of Kaspersky Security, decrease the server load and improve traffic processing performance. It is not recommended that you disable scanning of attachments for a long time, since they may contain viruses and other malicious objects. To configure scanning of attached archives and containers, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details pane select the Anti-Virus scan exclusions tab. 4. Uncheck the box Scan archives if you do not want the application to scan the archives attached to messages. To enable scanning of archives, check the box. 5. Uncheck the box Scan attached containers, if you do not want the application to scan attached containers. To enable scanning of attached containers, check the box and enter the nesting level for containers in the field Scan containers with the nesting level not more than. Maximum supported nesting level is

53 A N T I - V I R U S P R O T E C T I O N 6. Click the Save button. If the application is running on a Microsoft Exchange DAG, the settings for scanning of attached archives and containers configured on one of the servers will be automatically applied to all servers within the DAG. Configuring scanning of attached archives and containers on other servers of the DAG is not necessary. CONFIGURING PROTECTION SETTINGS FOR MAIL ACCOUNTS To enable selective protection of mailboxes, perform the following steps: 1. In the Administration Console, select the Server protection node. 2. On the Anti-virus protection for the Mailbox role tab, open the Protection for mailboxes group of settings. The lists of Protected mailbox storages and Protected public folder storages will display the mailbox storages and public folders on the protected Microsoft Exchange server. If the application is running on a Microsoft Exchange DAG, the lists will contain the mailbox storages and public folders on all the servers within the DAG. 3. In the Protected mailbox storages list, check the boxes of the mailbox storages, for which protection should be enabled. 4. In the Protected public folder storages list, check the boxes of the public folder storages, for which protection should be enabled. 5. To apply the changes, click the Save button. CREATING SCANNING EXCLUSIONS To decrease the load on the server imposed by anti-virus scanning, you can limit the list of objects to be scanned. These scanning restrictions will apply both to the traffic scan and to the background storage scan. To decrease the load on the server, you can use the following measures: Disable scanning of archives and containers (see section "Scanning attached archives and containers" on page 52). Specify filename masks. The application will not scan files with the names matching specified masks. Specify the recipients whose mail will be allowed to pass without scanning. If the application is running on a Microsoft Exchange DAG, the scanning exclusions configured on one of the servers will be automatically applied to all servers within the DAG. Configuring scanning exclusions on other servers of the DAG is not necessary. To exclude files from scanning using file masks, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details pane select the Anti-Virus scan exclusions tab. 4. Check the Do not scan files matching the masks box. 53

54 A D M I N I S T R A T O R ' S G U I D E 5. Input the mask for the files which are not to be scanned in the entry field. Examples of allowed masks: *.txt - all files with the *.txt extension, for example, readme.txt or notes.txt; readme.??? all files named readme with an extension of three characters, for example, readme.txt or readme.doc; test - all files named test without an extension. 6. Click the button to the right of the field to add the mask from the entry field to the general list of excluded masks. 7. To delete a mask from the list of excluded masks, highlight it in the list and click the button. 8. To export the list of excluded masks to a file, click the button. 9. In the displayed window, enter the file name in the File name field and click the Save button. 10. To import the list of excluded masks to the application, click the button. 11. In the displayed window, specify the file containing the list of excluded masks in the File name field and click Open. 12. Click the Save button. To exclude messages for the selected recipients from the scan scope, perform the following steps: 1. Check the Do not scan messages for the recipients box. 2. Specify the address of a recipient whose incoming mail is not to be scanned in the entry field. 3. Click the button to the right of the field to add the address to the trusted list. 4. To add an Active Directory item to the list of trusted addresses, click the button. 5. Select in the displayed window the necessary records in Active Directory and click OK. 6. To remove an address from the trusted list, highlight it in the list and click the button. 7. To export the list of trusted recipients to a file, click the button. 8. In the displayed window, enter the file name in the File name field and click the Save button. 9. To import the list of trusted addresses from a file, click the button. 10. In the displayed window, specify the file containing the list of trusted addresses in the File name field and click Open. 11. Click the Save button. 54

55 A N T I - V I R U S P R O T E C T I O N BACKGROUND SCAN Kaspersky Security performs background anti-virus scanning of the mail stored on the server and the content of public folders with user-defined settings. Only those messages which have not been scanned using the current version of the Kaspersky Security database will be scanned. Background scanning is available only if Microsoft Exchange Server is deployed in the Mailbox role. The application scans message bodies and attached files using the anti-virus scan settings for the appropriate server role. The application scans public folders and boxes only in protected storage areas. If the application is running on a Microsoft Exchange DAG, the background scanning settings configured on one of the servers will be automatically applied to all servers within the DAG. Configuring background scanning settings on other servers of the DAG is not necessary. To ensure that Kaspersky Security scans the messages stored on the server and the content of public folders: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Anti-virus protection for the Mailbox role tab, open the Protection for mailboxes group of settings. 4. In the Background scan section, use the Schedule dropdown list to select the option that suits you best: Manually. Background scanning will have to be started manually. Daily. Background scanning will be performed daily. Specify precise scan time in the entry field in HH:MM format. On selected day. Background scanning will be performed on the selected days. Check the boxes next to the days of the week when you would like to perform a background scan and specify in the entry field the precise time when the procedure should start in HH:MM format. Monthly. Background scanning will be performed once a month. Use the arrows to select the day of the month for background scanning and specify the precise start time in the time entry field in HH:MM format. 5. Enable the Scan message body option to check message bodies during background scanning. 6. Check the Scan recent messages only box to scan just the mail that has arrived within the specified time interval before the background scan. 7. Specify the number of days in the Scan messages received no later than <N> days before background scan entry field. Maximum parameter value is 364 days. 8. Check the Limit the scan time box and define the necessary value for the setting Stop the scan <N> hours after scan start to optimize the procedure duration. 9. To apply the changes, press the Save button. 10. To launch the background scan immediately, click the Start scan button. Background scanning will be started on the selected server only. This remains true for any configuration of Microsoft Exchange servers, including DAG. If you want to start background scanning immediately on other DAG servers, you have to initiate the procedure separately for each server. 11. To stop the background scan, click the Stop button. Background scanning start and stop actually occur within a minute after the corresponding buttons are pressed. 55

56 ANTI-SPAM PROTECTION One of the main purposes of Kaspersky Security is filtering out unwanted messages (spam) in the mail traffic passing a relay server. The Anti-Spam component filters incoming during its arrival, i.e. before the mail appears in the mailboxes of the users. Anti-spam checks are used with the following data types: internal and external traffic via SMTP using anonymous authentication on the server; messages arriving on the server through anonymous external connections (edge server). Anti-spam checks are not used with the following data types: internal corporate mail traffic; external mail traffic arriving on the server during authenticated sessions. You can enable scanning of such traffic manually (see section "Configuring additional settings" on page 64). Each message is checked for signs of spam. To do that, the application first checks the message attributes: the sender's and recipient's addresses, message size, headers (including From and To), etc. Second, it uses content-based filtration to analyze the message content (including the Subject header) and attached files. The application uses unique linguistic and heuristic algorithms based on comparison with sample messages and indepth analysis of the text, layout and other attributes. After filtering, the application produces one of the following verdicts (statuses) for the inspected messages: Spam. The application unambiguously recognizes the message as spam. Probable spam. The message may contain spam. Formal notification. An automatic message informing, for example, about mail delivery to the recipient. Object contains no spam. The message is spam-free. Blacklisted. or IP address of message sender is present in the black list of addresses. You can select the operations, which the application will perform with messages having a specific status. The following operations are available for selection: Allow. Deliver a message to the recipient without changes. Reject. If you select this operation, the sending server will receive a return code in response, informing of an error during message delivery (error code 500). The message will not be delivered to the recipient. Delete. If you select this operation, the sending server will receive a notification in response that the message has been sent (code 250); however, the message will not be delivered to the recipient. Add SCL value. The application will assign a rating to messages indicating the probability of spam content inside (SCL, Spam Confidence Level). The SCL rating can be a number ranging from -1 to 9. High SCL rating means a higher probability of spam content in a message. To calculate the SCL rating, the spam rating a message receives after its analysis is divided by 10. The value thus obtained is the SCL rating. If the calculated value exceeds 9, the SCL rating is considered to be equal to 9. Add label. Messages recognized by Kaspersky Security as spam or potential spam are tagged with special [!!Spam], [!!Probable Spam] or [!!Blacklisted] labels in the Subject field. You can modify the text of these labels in the Administration Console. 56

57 A N T I - S P A M P R O T E C T I O N The application supports flexible configuration of anti-spam analysis intensity. The following intensity levels are available: Maximum. This intensity level should be used if you receive spam too often. When you select this level, the frequency of false positives rises: that is, useful mail is more often recognized as spam. High. This intensity level provides lower protection level compared with Maximum but better spam recognition accuracy. Using the High level is recommended if you receive spam often. Low. This intensity level offers slightly lower protection than the High level. This level provides an optimal combination of scanning speed and quality. Minimum. This intensity level should be used if you rarely receive spam. By default, the application uses the Low intensity level of anti-spam protection. You can increase or decrease the level. Depending upon the specified intensity level, the Spam or Probable spam status will be assigned to the scanned messages in accordance with the spam rating received after analysis. Table 3. Correspondence between the intensity levels and the spam rating thresholds used to assign the Spam and Probable spam status. INTENSITY LEVEL PROBABLE SPAM SPAM Maximum High Low Minimum To ensure more thorough anti-spam filtration, the application supports external services, such as: DNSBL. Public lists of IP addresses known to generate spam. SURBL. Public lists of hyperlinks to the resources advertised by spam senders. DNSBL and SURBL are updated with the Anti-Spam database every five minutes. During spam rating detection the application considers the responses from DNSBL and SURBL servers. A spam rating is an integer ranging from 0 to 100. During spam rating calculation, the application considers the weight assigned to each responding DNSBL and SURBL server. If the total rating of the servers that have responded exceeds 100, the spam rating of such a message will be increased by 100. If it is smaller than 100, the spam rating of the message will not be increased. UDS. It is a service developed and maintained by Kaspersky Lab for detection of spam mail-outs. UDS checks are based on comparison of message attributes (sent in a special UDS request to the servers of Kaspersky Lab) to the database of known spam mail. If a request matches one of the known spam mail-outs, spam rating of the corresponding message will be increased. The UDS technology allows filtering of known spam mail-outs even before updating of the content filtration databases. The UDS service creates an irreversible message signature on the client side (it cannot be used to restore message subject, text or recipient / sender addresses) and sends it to a UDS server. If the signature is found in the black lists of the UDS server, the spam rating of the message will be increased. For the service to function you must open the following ports: 7060 for UDS1 and 7080 for UDS2. Connection is established over UDP. UDS is disabled by default. To start using UDS, you have to accept a special KSN agreement regulating handling of the information from the computer running Kaspersky Security. KSN. It is a complex of distributed services improving user protection, accelerating the response of Kaspersky Lab applications to new types of threats and spam, and minimizing the number of false alarms. KSN operation is based on the analysis of data fragments automatically sent from user computers to the servers of Kaspersky Lab. KSN enables Kaspersky Security to react as quickly as possible to new emerging spam types and process spam messages with high accuracy. KSN is disabled by default. To enable KSN, you have to accept a special KSN agreement regulating handling of the information from the computer running Kaspersky Security. Enforced Anti-Spam Updates Service. The service providing quick updates to the Anti-Spam database. If the Enforced Anti-Spam Updates Service is enabled, the application will keep contacting the servers of Kaspersky 57

58 A D M I N I S T R A T O R ' S G U I D E Lab and updating the Anti-Spam database as soon as new spam descriptions become available on Kaspersky Lab servers. This approach helps improve the efficiency of Anti-Spam against new emerging spam. To ensure proper functioning of the Enforced Anti-Spam Updates Service the following conditions are required: permanent Internet connection on the computer running the Security Server; regular updates of the Anti-Spam database (recommended frequency: every five minutes). Kaspersky Security allows the use of a dynamic DNS client. A Dynamic DNS client detects potential participation of a sender's IP address in a botnet using reverse lookup of its DNS. This functionality can be used provided that the protected SMTP server has no xdsl or dial-up users. You can enable SPF technology for anti-spam processing. SPF (Sender Policy Framework) allows validation of the sender's domain to make sure it is not forged. Domains use SPF to authorize certain computers to send mail on their behalf. If a message sender is not included in the list of authorized senders, its spam rating will be increased. IN THIS SECTION Configuring anti-spam analysis Creating the black and white lists of senders Configuration of the parameters used to determine spam rating Using external services for spam processing Configuring additional settings CONFIGURING ANTI-SPAM ANALYSIS To configure the anti-spam scanning settings, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details pane, open on the Protection for the Hub Transport role tab the section Anti-Spam analysis settings. 4. Check the Anti-spam mail scanning box if you want to scan incoming mail using the Anti-Spam component. 5. Use the slider to set the Intensity level of anti-spam analysis. Kaspersky Security uses four intensity levels to filter messages: Maximum. This intensity level should be used if you receive spam too often. When you select this level, the frequency of false positives rises: that is, useful mail is more often recognized as spam. High. This intensity level provides lower protection level compared with Maximum but better spam recognition accuracy. Using the High level is recommended if you receive spam often. Low. This intensity level offers slightly lower protection than the High level. This level provides an optimal combination of scanning speed and quality. Minimum. This intensity level should be used if you rarely receive spam, for example, if you are working in protected corporate environment. 58

59 A N T I - S P A M P R O T E C T I O N 6. Select in the Rules for spam processing section the operation, which the application will perform over messages having each of the listed statuses: Allow. The message will be delivered to recipients unchanged. Reject. The sending server will receive in response a return code informing of an error during message delivery (error code 500). The message will not be delivered to the recipient. Delete. The sending server will receive in response a notification informing that the message has been sent (code 250); however, the message will not be delivered to the recipient. 7. Specify additional operations, which the application will perform over messages having each of the listed statuses. Check the boxes for the following settings at your discretion: Add SCL value. The application will add a rating to the message indicating the probability of spam content in it (SCL, Spam Confidence Level). The SCL rating can be a number ranging from -1 to 9. High SCL rating means a higher probability of spam content in a message. Save a copy. A copy of the message can be saved in the Backup storage. Add label. messages recognized by Kaspersky Security as spam, potential spam or blacklisted mail are tagged with special [!!SPAM], [!!Probable Spam] or [!!Blacklisted] labels in the Subject field. The labels can be modified. 8. Configure the settings pertaining to the additional services used in the checks: If you want to enable the KSN and UDS services, perform the following steps: a. Read the KSN agreement and accept its terms and conditions by checking the box I accept the KSN agreement. To read the KSN agreement, you can display it in a separate window by clicking the Display the KSN agreement button. b. To enable the KSN service, check the box Use Kaspersky Security Network (KSN). c. If necessary, configure the timeout for requests to a KSN server in the KSN timeout field. The default value is 10 sec. d. To enable the UDS service, check the box Use Urgent Detection System (UDS). e. If necessary, configure the timeout for requests to a UDS server in the UDS timeout field. The default value is 10 sec. If you want the application to use the service for prompt delivery of Anti-Spam database updates, check the box Use Enforced Anti-Spam Updates Service. If you want the application to connect to the servers of KSN and Enforced Anti-Spam Updates Service via a proxy server, check the box Use proxy to access KSN and Enforced Anti-Spam Updates Service. You can define the proxy configuration in the Settings node. 9. Click the Save button. CREATING THE BLACK AND WHITE LISTS OF SENDERS You can create lists of trusted senders, i.e. the senders whose messages should not be analyzed for spam content (white list) and lists of senders whose mail will always be considered spam (black list). You can add to the black and white lists and IP addresses of senders. You can also create the white list of recipient addresses. Messages for recipients added to that list will not be checked for spam presence. 59

60 A D M I N I S T R A T O R ' S G U I D E To configure theblack and white lists, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. On the Protection for the Hub Transport role tab of the details pane, open the White and black list settings configuration section. Creating the black and white lists of mail addresses To create the white list of senders, perform the following steps: 1. Check the box Add sender's address to white list. 2. In the entry field, specify the address of a sender whose mail is not to be checked by the Anti-Spam component. You can specify an individual address or a mask like *@domain.com describing all addresses of a specific domain. 3. Click the button to add the record from the entry field to the list. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. 7. Click the Save button. To create the black list of senders, perform the following steps: 1. Check the Add sender's address to black list box. 2. Specify the address of a sender whose mail is to be considered spam in the entry field. You can specify an individual address or a mask like *@domain.com describing all addresses of a specific domain. 3. Click the button to add the record from the entry field to the list. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. 7. Click the Save button. Creating the black and white lists of sender IP addresses To create the the white list of IP addresses, perform the following steps: 1. Check the box for the Add the sender's address to the white list of IP addresses setting. 2. Enter the IP address of a sender whose mail is not to be checked by the Anti-Spam component in the entry field. You can specify an individual IP address or a range of IP addresses in CIDR notation (represented as XXX.XXX.XXX.XXX/YY). 60

61 A N T I - S P A M P R O T E C T I O N 3. Click the button to add the record from the entry field to the list. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. 7. Click the Save button. To create the the black list of IP addresses, perform the following steps: 1. Check the box for the Add the sender's address to the black list of IP addresses setting. 2. Specify the IP-address of a sender whose mail is to be considered spam in the entry field. You can specify an individual IP address or a range of IP addresses in CIDR notation (represented as XXX.XXX.XXX.XXX/YY). 3. Click the button to add the record from the entry field to the list. 4. To delete a selected record from the list, click the button. 5. To export the list to a file, click the button. 6. To import the list from a file, click the button. 7. Click the Save button. Creating the white list of recipients' addresses To add recipients to the white list, perform the following steps: 1. Check the box for the Add recipient's address to white list setting. 2. Enter a recipient whose incoming mail is not to be checked by the Anti-Spam component in the SMTP address entry field. 3. Click the button to add the record from the entry field to the list. 4. To add to the list an Active Directory item, click the button. Select in the displayed window the necessary records in Active Directory and click OK. 5. To delete a selected record from the list, click the button. 6. To export the list to a file, click the button. 7. To import the list from a file, click the button. 8. Click the Save button. 61

62 A D M I N I S T R A T O R ' S G U I D E CONFIGURATION OF THE PARAMETERS USED TO DETERMINE SPAM RATING You can configure the Anti-Spam settings affecting detection of a special message property - its spam rating. These settings allow you to increase the spam rating of a message based on the analysis of its sender's address, subject and foreign language in the content. To configure the application to increase spam rating of a message based on the analysis of its sender's address, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details pane, open on the Protection for the Hub Transport role tab the configuration section Spam rating detection settings. 4. In the Increase spam rating when parsing the sender's address group, selectively check the following boxes as necessary: If the "To" field is empty. The spam rating of a message will be increased if its "To" field is empty. If the sender's address contains digits. The spam rating of a message will be increased if the address of its sender contains digits. If the sender s address (in message body) contains no domain. The spam rating of a message will be increased if the address of its sender contains no domain name. 5. Click the Save button. To configure the application to increase spam rating of a message based on the analysis of its subject, perform the following steps: 1. In the details pane, open on the Protection for the Hub Transport role the configuration section Spam rating detection settings. 2. In the Increase spam rating when analyzing message subject: group of settings, selectively check the following boxes as necessary: If the subject is longer than 250 characters. The spam rating of a message will be increased if its subject contains more than 250 characters. If the subject of the message contains multiple spaces and/or dots. The spam rating of a message will be increased if its subject contains multiple spaces and / or dots. If the message subject contains a time stamp. The spam rating of a message will be increased if its subject contains a digital ID or a time stamp. 3. Click the Save button. To configure the application to increase spam rating of a message based on the analysis of its content language, perform the following steps: 1. In the details pane, open on the Protection for the Hub Transport role tab the configuration section Spam rating detection settings. 2. In the Increase spam rating for messages written in: group of settings, check the boxes for the languages whose presence in a message you consider a sign of spam: 62

63 A N T I - S P A M P R O T E C T I O N Chinese, if you are not expecting mail in the Chinese language. Korean, if you are not expecting mail in the Korean language. Thai, if you are not expecting mail in the Thai language. Japanese, if you are not expecting mail in the Japanese language. 3. Click the Save button. USING EXTERNAL SERVICES FOR SPAM PROCESSING Kaspersky Security can use external services for spam processing. External services are publicly available Internet resources and services, such as black lists of IP addresses. To use external services to check IP addresses and URLs, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details pane, open on the Protection for the Hub Transport role tab the configuration section Using external Anti-Spam services. 4. Check the box Use external services for validation of IP or URL addresses to detect spam, if you want the application to consider the results from these services during anti-spam analysis. 5. In the DNSBL configuration group of settings, check the Use the default DNSBL box to employ DNSBL (Domain Name System Block List) services for the purposes of anti-spam analysis. DNSBL is a public list of IP addresses known to generate spam. 6. Check the Use custom list of DNSBL servers box to enable the corresponding option. When enabled, the option allows you to create a custom list below. To add a record to the list, specify the DNS name of the server and its weighting coefficient in the corresponding fields and click the button. You can use the and buttons respectively to import and export the list. button. To remove a record, use the 7. In the SURBL configuration group of settings check the Use the default SURBL box to analyze messages using the default SURBL (Spam URI Realtime Block List). SURBL is a list of hyperlinks to the resources advertised by spam senders. Thus, if a message contains an URL from that list, it will be identified as spam. 8. Check the box Use custom list of SURBL servers to enable the corresponding option. When enabled, the option allows you to create a custom list below. To add a record to the list, specify the DNS name of the server and its weighting coefficient in the corresponding fields and click the button. You can use the and buttons respectively to import and export the list. button. To remove a record, click the 9. To perform a reverse DNS lookup for the sender's IP address, enable the option to Check sender IP for presence in DNS. 10. To use SPF (Sender Policy Framework) technology, check the box Use SPF. 11. To check whether the sender's IP belongs to a botnet, enable the option to Check whether the sender s IP is found in dynamic DNS. In the case of a positive result, the message's spam rating will be increased. 12. Specify the timeout for DNS requests in the entry field. By default, the timeout is set to 10 seconds. 63

64 A D M I N I S T R A T O R ' S G U I D E CONFIGURING ADDITIONAL SETTINGS You can configure additional Anti-Spam settings, such as time- or size-based scanning restrictions, and analysis of Microsoft Office files. To specify scanning restrictions based on procedure duration and object size, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Server protection node. 3. In the details pane, open on the Protection for the Hub Transport role tab the configuration section Additional settings. 4. In the Restrictions section, use the Maximum time for scanning a message entry field to specify the necessary value. If the scanning procedure takes longer than specified, the scan will be stopped. The default value is 30 seconds. The application will produce the Clean object verdict for such objects, but if service headers are enabled, they will contain a record informing that scan duration was exceeded. 5. In the Restrictions section, use the Maximum object size to scan entry field to specify the necessary value. If an object exceeds the specified size, it will not be scanned. The default value is 300 KB. The application will produce the Clean object verdict for such objects, but if service headers are enabled, they will contain a record informing that the object size has been exceeded. To configure the settings for scanning of Microsoft Office files, use the Scan settings for Microsoft Office files configuration section to perform the following steps: 1. Enable the option to Scan DOC files to configure Anti-Spam to check Microsoft Word documents. 2. Enable the option to Scan RTF files to configure Anti-Spam to check RTF documents. To configure additional settings, use the Other settings section to perform the following steps: 1. Check the Use the "Probable Spam" verdict box if you want the application to use the "Probable Spam" rating for suspicious messages. 2. Check the Use image analysis box if you want the application to analyze images in mail attachments using GSG (image analysis) technology. It is used to analyze images by checking them against the samples in the Anti-Spam database. If a match is found, the spam rating of such messages will be increased. 3. Check the Enable storage and use of spam samples in UTF-8 encoding (Anti-Spam databases update is required) box to enable storage and use of spam samples in UTF8 encoding. This mode helps avoid data losses in spam samples in East Asian languages, but slightly increases the time necessary to process each message. Enabling it is recommended if UTF8 encoding is used in correspondence. Modification of this setting will become effective after the Anti-Spam database is updated. 4. Check the Enable service headers box to enable addition of x-headers to messages containing information about the scan results. 5. Check the Scan authorized connections box to enable scanning of mail received via a Trusted Connection. 6. Check the Skip anti-spam scanning for messages sent to the Postmaster address box to disable scanning of messages arriving for the Postmaster address. 64

65 BACKUP STORAGE Kaspersky Security allows duplicates of untreated objects to be placed in Backup storage before the object is processed. Subsequently, objects located in Backup storage may be: saved to disk to retrieve the data in the object. You can also restore the infected object and have the application re-scan it using an updated anti-virus database; deleted; sent to Kaspersky Lab for analysis - only for suspicious files containing a modification of a known virus, or an unknown virus. The experts of Kaspersky Lab will analyze the file, attempt to recover the data, and if the file is infected with unknown malicious code, update the appropriate database. Then, when you re-scan this file with an anti-virus program for file systems (for example, Kaspersky Anti-Virus for Windows Servers) using the updated database, you can disinfect it and recover the data intact; sent to the recipients. Saved objects will be delivered to the recipient(s). A backup copy of an object scanned by the Anti-Virus component is created only if the Save a copy of the object in the backup storage box is checked in the anti-virus protection settings. Objects processed by the Anti-Spam component are saved in Backup as well. Backup is located in the database specified during application setup. If several Security Servers use the same database (for example, in a DAG configuration), Backup will be used to store objects received from each of these servers. Objects are stored in Backup in encrypted form, which ensures: no risk of infection, as the object is not accessible without decoding; better performance for the anti-virus application, as encrypted files stored in Backup are not identified as infected and are not rescanned. The data volume that can be stored in the Backup storage may be restricted by one of the two following parameters: The total number of objects in the backup storage should not exceed one million. This restriction cannot be lifted or modified. The user can specify additional restrictions on the Backup storage size and the length of an object s storage period. The application checks compliance with these restrictions regularly (every minute). The application performs the following actions: if the allowed number of objects in the backup storage is exceeded, the application will remove the necessary number of the oldest objects; if the backup storage size is limited and there is not enough free disk space to save the new object, the application will free the required space by deleting the oldest objects; if the object storage period is limited, the application will remove objects which have been stored for longer than the limit. You can use the Backup node to perform the following operations: view the Backup storage content; manage backup copies of objects: view their properties, restore them, send them to recipients, send them for analysis and remove them. 65

66 A D M I N I S T R A T O R ' S G U I D E Quick data filtering can be configured to enable convenient viewing and searching of the Backup storage area (see the section "Configuring the Backup filters" on page 69). IN THIS SECTION Viewing the Backup contents Viewing properties of an object in Backup Configuring the Backup filters Restoring objects from Backup Sending an object from Backup to recipients Sending an object from Backup for analysis Deleting objects from Backup Configuring the Backup storage settings VIEWING THE BACKUP CONTENTS In Backup you can view all stored objects listed in a table with specific headers. Each column header indicates a certain type of information about the listed objects. The lower left part of the details pane displays the total number of objects in Backup, the disk space occupied by these items and the number of objects displayed in the details pane after a filter is applied. To view the Backup content, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. The list of object copies saved in Backup will appear in the details pane (see the figure below). By default, you can view the following information about each object in Backup: From. The address of the message sender. To. The address of the message recipient. Subject. Message subject. Verdict. Message status. 66

67 B A C K U P S T O R A G E Reception time. Precise time of message arrival on Microsoft Exchange server. Figure 5. Viewing Backup You can configure the appearance of the details pane changing the displayed table columns and their order. To configure the details pane view, perform the following steps: 1. To add or remove columns, click the Add / Remove columns button. 2. In the displayed dialog, check the boxes corresponding to the data types which you would like to review in the details pane. Uncheck the boxes for the data types, which you do not want to see. You can perform ascending and descending sorting of the data contained in the table by any column. To do that, click one of the headers, for example From, To, Subject. The number of objects that the details pane can display is limited. To view other objects, use the navigation buttons in the lower right corner of the details pane. The current window number is displayed between the two pairs of navigation buttons. To proceed to the next window, press the > button. To proceed to the previous window, press the < button. To proceed to the last window, press the >> button. To return to the first window, press the << button. 67

68 A D M I N I S T R A T O R ' S G U I D E VIEWING PROPERTIES OF AN OBJECT IN BACKUP To view the properties of an object in Backup, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select an object stored in Backup in the details pane. 4. Press the Properties button. If the Properties button does not appear in the details pane because of insufficient screen space, click the Additionally button and select the Properties menu item. The Message properties dialog will appear. You can view the following information in the properties: Virus. The virus name will appear in this field if a message is infected. Object type. Type of the object: message body or attachment. From. The sender's address. To. The address of the message recipient. Cc. Address of the message copy recipient. Size on disk. Disk space occupied by the message. Subject. Message subject. Path. Object storage path. Server name. Name of the server that has placed the object in Backup. Virtual server name. Virtual server name. For cluster configurations of Microsoft Exchange only. Cluster name. Cluster name. For cluster configurations of Microsoft Exchange only. Reception time. Precise time of message delivery (day, month, year, hour, minute). Message creation date. Precise time of message creation (day, month, year, hour, minute). Database release date. Release date of the databases. Verdict. Verdict produced by the application for the object. Size. Object size (bytes). You can select several objects and view their properties. To do that, highlight the objects and click the Properties button. If the Properties button does not appear in the details pane because of insufficient screen space, click the Additionally button and select the Properties menu item. You can use the displayed Properties of the selected objects window to review the verdicts for all selected objects. 68

69 B A C K U P S T O R A G E CONFIGURING THE BACKUP FILTERS The use of filters allows searching and structuring of the data contained in Backup storage, as only the information matching the filtering conditions remains visible (see the figure below) after a filter is applied. The feature may be helpful when Backup contains lots of objects. You can use filtering, for example, to find the objects that need to be restored. Figure6. Configuring Backup filters To configure Backup filters, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select one of the criteria to be used to filter the objects in Backup from the dropdown list at the top of the details pane. You can select one of the suggested options: Only spam. In this case the details pane will only display objects with the "Spam" verdict. Only viruses. In that case the details pane will only display infected messages and mail containing viruses in attachments or the message body. Search for words. If you select this option, enter in the text box the key words which will be used to search for messages. The From, To and Subject fields will be searched. Custom filter. In this case, select the criterion for the filter from the dropdown list, define a condition based on a certain value (e.g., is equal to or is not equal to) and specify that value. For the Message creation date, Reception time and Database release date criteria, specify the value using the calendar. For the Verdict criterion, select the desired verdict from the dropdown list. For other criteria, input the value manually in the entry field. 4. Press the Search button. The applied filter will appear above the details pane, while the window itself will list the objects matching the search criteria. 69

70 A D M I N I S T R A T O R ' S G U I D E 5. To reset a filter, click the Remove button to the right of the filter. Once filters are applied, you can also sort the data in the table in ascending or descending order by any column. To do that, click one of the headers, for example From, To, Subject. RESTORING OBJECTS FROM BACKUP Restoring objects from the Backup may lead to computer infection. To restore an object from Backup, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select the object which you would like to restore in the details pane. 4. Press the Save to disk button. If the Save to disk button does not appear in the details pane because of insufficient screen space, click the Additionally button and select the Save to disk menu item. 5. In the window that opens, specify the folder to which you wish to save the restored object and, if necessary, enter or modify the object name. 6. Click the Save button. The application will decode the encrypted object and save its copy with the defined name in the specified folder. The restored object will have the same format as before it was first processed by the application. After the object is successfully restored, the corresponding notification will be displayed on the screen: "Selected object has been saved to disk". SENDING AN OBJECT FROM BACKUP TO RECIPIENTS You can send a copy of a message stored in Backup to its original recipients. To send an object from Backup to recipients, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select in the details pane the object which you would like to send to the recipients. 4. Click the button Send to recipients. If the Send to recipients button does not appear in the details pane because of insufficient screen space, click the Additionally button and select the Send to recipients menu item. Selected object will be sent to the recipients of the original message. SENDING AN OBJECT FROM BACKUP FOR ANALYSIS Objects can only be sent for analysis to the experts of Kaspersky Lab if they have the Suspicious status. Before you send objects for analysis, you should configure the general notification settings (see the section «Configuring notification settings.» on page 73). 70

71 B A C K U P S T O R A G E To send an object for examination, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Use the table displaying backup storage contents to select an object with the Suspicious status which you wish to send for analysis. You can use a filter to search for objects (see section "Configuring the Backup filters" on page 69). 4. Select the Send for analysis command in the context menu. The application will automatically create an message with the selected object as an attachment on the computer where the managed Security Server is installed and send it to Kaspersky Lab. The object is sent in encrypted form, and therefore will not be detected by Kaspersky Security again. After the message is sent, a notification confirming that the file has been sent will be displayed by the computer from which administration is conducted. DELETING OBJECTS FROM BACKUP. The following objects are automatically deleted from Backup: The oldest object, if adding a new object will exceed the restriction imposed on the total number of objects in backup storage. The maximum number of files in this version is limited to one million. Older objects, if there is a restriction imposed on the backup storage size and if there is not enough space to store a new object. Objects whose storage period has expired, if there is a restriction imposed on the storage period. Objects may also be manually removed from Backup storage. This feature may prove useful for deleting objects that have been successfully restored or sent for analysis, and to create free space in the Backup storage. To delete objects from Backup, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Backup node. 3. Select the object(s) which you would like to delete in the details pane. You can use a filter to search for objects (see section "Configuring the Backup filters" on page 69). 4. Click Delete and then click Yes in the displayed confirmation window. The objects will be deleted from Backup. 5. To delete all objects at once, click Delete all and then click Yes in the displayed confirmation window. If filters have been applied to Backup content, only the objects matching the filters will be removed from Backup. If no filters have been applied to Backup content, all objects will be purged from the Backup storage. 71

72 A D M I N I S T R A T O R ' S G U I D E CONFIGURING THE BACKUP STORAGE SETTINGS The Backup storage is created during installation of the Security Server component. The Backup storage settings have default values that can be modified by the administrator. To change the Backup settings, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Settings node. 3. In the details pane, in the Data storage configuration section, check the Restrict the Backup storage size box. 4. Specify the maximum allowed Backup size in the Backup size cannot exceed entry field. The default value is 5120 Mb. 5. Check the Restrict the duration of object storage in Backup box and specify the necessary number of days in the Store objects no longer than field. The default value is 30 days. If none of the options is enabled, the Backup storage size will only be restricted by the number of objects stored inside (up to one million). To apply the changes, press the Save button. Irrespectively of the configuration chosen for deployment of the application (single server, cluster of servers or a DAG), Backup settings are independent for each physical server. They have to be configured separately on each physical server. 72

73 NOTIFICATIONS Kaspersky Security can send notification messages about infected, protected and corrupted objects that it discovers while scanning. Notifications can be delivered using the following methods: By sending messages. This requires you to edit the general settings that will be used to send notifications. By registering the event in the Microsoft Windows system log on the computer where the Security Server component is installed. In this case, the information is accessible using Events viewer, a standard Microsoft Windows log viewing and management tool. You can configure the application to send notifications about the revealed infected, protected and corrupted objects to the addresses of message sender, recipients, administrator and to additional addresses, for example, to security officers. IN THIS SECTION Configuring notification settings Configuring notification delivery settings CONFIGURING NOTIFICATION SETTINGS To define the notification settings, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Notifications node. In the details pane you can configure notifications for the following types of objects: Infected objects. To configure notifications about infected objects, open the Notify about infected objects configuration section. Corrupted objects. To configure notifications about corrupted objects, open the Notify about corrupted objects configuration section. Protected objects. To configure notifications about protected objects, open the Notify about protected objects configuration section. System errors. To configure notifications about system errors, open the Notify about system errors configuration section. Sender and recipient notifications for this type of object are not supported. 3. Define notification settings for each type of objects in the Notify by section. 4. Check the Administrator box if you want to have the notifications sent to the administrator's address. 5. Check the Sender box if you want to have the notifications sent to the sender of the message where the corresponding object is detected. 6. Check the Recipient box if you want to have the notifications sent to the recipient of the message where the corresponding object is detected. 7. Check the box for The following recipients and specify the mail address(es) where notifications should be sent in the entry field. 73

74 A D M I N I S T R A T O R ' S G U I D E 8. To record the event in the Microsoft Windows system log, select the Register in Windows event log checkbox. If the application is running on a Microsoft Exchange DAG, the notification settings configured on one of the servers will be automatically applied to all servers within the DAG. Configuring notifications on other servers of the DAG is not necessary. CONFIGURING NOTIFICATION DELIVERY SETTINGS To define the notification sending settings, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Notifications node. 3. Open the sending settings window using the context menu of the Notifications node or the sending settings link in the details pane. Figure 7. Configuring the delivery settings 4. In the Web service address field, specify the address of the web service that will be used to mail messages via Microsoft Exchange Server. By default, in the Microsoft Exchange Server, it is the following address: 5. In the Account field, specify any account from among the mailboxes registered on the Microsoft Exchange Server. To do that, click Browse and select an account in the displayed window or enter the account name manually. 6. Type the password for the selected account in the Password field. 7. In the Administrator address field, specify the mail recipient's address. 8. Click the Test button to send a test message. If the test message arrives in the specified mailbox, it means that delivery of notifications is configured properly. You can also configure delivery of notifications in the Configuring notification settings section of the Settings node. If the application is running on a Microsoft Exchange DAG, the notification settings configured on one of the servers will be automatically applied to all servers within the DAG. Configuring delivery of notifications on other servers of the DAG is not necessary. 74

75 REPORTS Kaspersky Security supports creation and viewing of reports on the activity of the Anti-Virus and Anti-Spam components. You can use the reports to review the statistics of application activity for a specific time interval. The application generates a separate report for each component covering a time interval ranging from one day to one month. The reports may be standard or detailed. Standard reports contain information about objects processed during the entire time period without indication of the time when each individual event occurred. Detailed reports provide precise time frame for each event. The minimum time interval reflected in the detailed report is one hour. Reports can be generated automatically according to schedule or manually. You can view the reports in the application or receive them via . ed reports are attached to a message. The message contains explanatory text as follows: Attached file contains an activity report on Kaspersky Security 8.0 for Microsoft Exchange Servers. Furthermore, you can create Quick reports about all events that occurred within a user-defined time interval. Quick reports can be generated separately for the Anti-Virus and the Anti-Spam components. IN THIS SECTION Creating a quick report Configuring an anti-virus report Configuring Anti-Spam reports settings Viewing Ready reports CREATING A QUICK REPORT To create a quick report, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open the Quick reports configuration section in the details pane. 3. Enter the name for the report being created in the Report name field. 4. Select one of the options from the Type dropdown list: Anti-Virus for the Mailbox role. The application will generate a report about the Anti-Virus component activity for the Mailbox role. Anti-Virus for the Hub Transport configuration. The application will generate a report about the Anti- Virus component activity for the Hub Transport role. Anti-Spam. The application will generate a report about the Anti-Spam component activity. 5. Select one of the options from the Detail level dropdown list: Standard. The report will contain brief information about objects processed during the entire reporting period without indication of the time frame when each individual event occurred. 75

76 A D M I N I S T R A T O R ' S G U I D E Detailed. The application will generate a detailed report indicating the time frame for each event depending upon the length of the reported period. If the period is one day, the minimum time frame for each event is one hour. If the period is one week, the minimum time frame for each event is six hours. If the period is one month, the minimum time frame for each event is one day. 6. Select one of the options from the Interval dropdown list: per day. The report will cover the last 24 hours. per week. The report will cover the last week. per month. The report will cover the last month. 7. Specify the beginning date of the reported period in the Start with field or pick the necessary date from the calendar. 8. If you want to have the created report ed, specify the recipients for the report: a. If you want the application to send the report to the administrator's address, check the box Administrator. b. If you want to send the report to additional addresses, check the box The following recipients and enter the addresses (comma-delimited). To make sure that the additional addresses have been entered correctly, click the Test button. If the test message arrives in the specified mailboxes, it means that the delivery settings are correct. If the test message has not arrived, make sure that the delivery settings (see the section "Configuring notification delivery settings" on page 74) are defined properly. 9. To create a quick report using the defined settings, click the Generate report button. Generated report will appear in the Ready reports section. 10. Click the Save button to save the changes to the settings. CONFIGURING AN ANTI-VIRUS REPORT To configure the Anti-Virus report settings, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open one of the following configuration sections in the details pane: a. If you want to configure a report for Mailbox, open the Anti-Virus report for the Mailbox role configuration section. b. If you want to configure a report for Hub Transport, open the Anti-Virus report for the Hub Transport role configuration section. 3. Check the Use schedule to generate reports automatically box if you want the application to generate reports on Anti-Virus activity in accordance with the specified schedule. 4. Enter the name for the report being created in the Report name field. 5. Select one of the options from the Detail level dropdown list: Standard. The report will contain information about objects processed during the entire reporting period without indication of the time frame for each individual event. Detailed. The application will generate a detailed report indicating the time frame for each event depending upon the length of the reported period. If the period is one day, the minimum time frame for each event is 76

77 R E P O R T S one hour. If the period is one week, the minimum time frame for each event is six hours. If the period is one month, the minimum time frame for each event is one day. 6. Select one of the options in the Report schedule dropdown list: Daily. If you choose this option, specify the precise report generation time in the entry field. Weekly. If you choose this option, use the dropdown list to select the day of the week when the report should be created. Specify the precise time for report generation in the entry field. Monthly. If you choose this option, select the day of the month when you want to have the report generated. Specify the precise time for report generation in the entry field. 7. If you want to have the created reports ed, specify the report recipients: a. If you want the application to send the report to the administrator's address, check the box Administrator. b. If you want to send the report to additional addresses, check the box The following recipients and enter the addresses (comma-delimited). To make sure that the additional addresses have been entered correctly, click the Test button. If the test message arrives in the specified mailboxes, it means that the delivery settings are correct. If the test message has not arrived, make sure that the delivery settings (see the section "Configuring notification delivery settings" on page 74) are defined properly. 8. To create an Anti-Virus report using the defined settings, click the Generate report button. Generated report will appear in the Ready reports section. Created report will contain information for the past time period ending at 00:00 of the current day. The report will contain no information for the current day. 9. To apply the changes, click the Save button. CONFIGURING ANTI-SPAM REPORTS SETTINGS To configure Anti-Spam report settings, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open the Anti-Spam report configuration section in the details pane. 3. Check the Use schedule to generate reports automatically box if you want the application to generate the reports on Anti-Spam activity in accordance with the specified schedule. 4. Enter the name for the report being created in the Report name field. 5. Select one of the options from the Detail level dropdown list: Standard. The report will contain information about objects processed during the entire reporting period without indication of the time frame for each individual event. Detailed. The application will generate a detailed report indicating the time frame for each event depending upon the length of the reported period. If the period is one day, the minimum time frame for each event is one hour. If the period is one week, the minimum time frame for each event is six hours. If the period is one month, the minimum time frame for each event is one day. 6. Select one of the options in the Report schedule dropdown list: 77

78 A D M I N I S T R A T O R ' S G U I D E Daily. If you choose this option, specify the precise report generation time in the entry field. Weekly. If you choose this option, use the dropdown list to select the day of the week when the report should be created. Specify the precise time for report generation in the entry field. Monthly. If you choose this option, select the day of the month when you want to have the report generated. Specify the precise time for report generation in the entry field. 7. If you want to have the created reports ed, specify the report recipients: a. If you want the application to send the report to the administrator's address, check the box Administrator. b. If you want to send the report to additional addresses, check the box The following recipients and enter the addresses (comma-delimited). To make sure that the additional addresses have been entered correctly, click the Test button. If the test message arrives in the specified mailboxes, it means that the delivery settings are correct. If the test message has not arrived, make sure that the delivery settings (see the section "Configuring notification delivery settings" on page 74) are defined properly. 8. To create an Anti-Spam report using the defined settings, click the Generate report button. 9. Generated report will appear in the Ready reports section. Created report will contain information for the past time period ending at 00:00 of the current day. The report will contain no information for the current day. 10. To apply the changes, click the Save button. VIEWING READY REPORTS To ensure proper display of images in the reports upgrading Microsoft Internet Explorer to version 8.0 or later is recommended. To view the reports on the Anti-Virus and Anti-Spam activity in the application, perform the following steps: 1. In the console tree, select the node of a connected server and open it by clicking the corresponding plus sign or double-clicking the server name. 2. Select the Reports node and open the Ready reports configuration section in the details pane. You can use the table of ready reports to review all created reports. The table displays the following information about each report: Name. Default name or user-defined name. Type. Report type: Anti-Spam, Anti-Virus for the Mailbox role or Anti-Virus for the Hub Transport role. Date. Report creation date. Time. The time of report creation. This column and the reports viewing windows display local time in accordance with the region specified in the settings of the computer running the Administration Console. Detail level. Standard or Detailed. 78

79 R E P O R T S Interval. Time interval covered in the report. 3. To view a specific report, select it in the list and click the Display button. Figure 8. Viewing the Ready reports Viewing an Anti-Virus report The header of the standard Anti-Virus report contains the following information: Report type; Name of the server, cluster or DAG, for which the report was created; Time interval covered in the report; Date, month, year, and time (local) of report creation. You can view the following information in the standard Anti-Virus report table: Verdict. Object status after Anti-Virus processing. Number of objects. The number of objects with the specified verdict. Percentage. The share of objects with the specified verdict compared to the total number of objects. Size. The size of objects (MB). 79