Filtering Service. Secure Gateway (SEG) Service Administrative Guides. Revised February 2013

Transcription

1 Secure Gateway (SEG) Service Administrative Guides Filtering Service Revised February AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.

2 Protection Administrator Guide Proprietary and Confidential

3 RESTRICTION ON USE, PUBLICATION, OR DISCLOSURE OF PROPRIETARY INFORMATION. Copyright 2012 McAfee, Inc. This document contains information that is proprietary and confidential to McAfee. No part of this document may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from McAfee. All copies of this document are the sole property of McAfee and must be returned promptly upon request. McAfee, Inc South Meridian Blvd., Suite 400 Englewood, CO USA Direct Fax November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 2

4 Contents Overview...1 Differences in Administration for Service Providers...1 Account Management Necessary for Protection...1 MX Record Validation...2 Alias Domain Names...2 Auto-creation of Users...2 Filtering Policies...2 Types of Inbound Filtering...3 Types of Outbound Filtering...8 Configurable Actions for Filtered User-level Policy Configurations...10 Quarantine...10 Customizing the Interface...11 Licensed Branding...11 Language Localization...12 Outbound Disclaimer...12 Notifications...13 Monitoring and Reporting...13 Optional Utilities...13 Spam Control for Outlook...13 Disaster Recovery Services...14 Fail Safe Continuity...14 Access Protection Administration 15 November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission iii

5 Who Can Access Protection Administration windows...15 Other Documents You Might Need Protection Documents...19 Web Protection Service Documents...20 Message Archiving Documents...20 User Guides...20 Ensure You Can Receive from Your Service Provider...20 Log on to the Control Console...20 Reset Your Password from the log on window...21 Check the Status of Protection on the Overview 25 Set up Your Servers 29 Confirm Your Inbound Servers Setup...29 Set up Additional Inbound Servers...29 Delete an Inbound Server...30 Add IP Address of Outbound Server, If Necessary...31 Delete an Outbound Server...32 Set up a Smart Host (If Outbound Mail Defense is Turned on)...32 Add an Outbound Disclaimer...32 Redirect Your MX Records...33 Check Your MX Record...34 Set up User Creation Mode SMTP Discovery or Explicit...36 Customize Inbound Mail Filters 39 November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission iv

6 Enterprise or Service Provider Customer...39 Create a Custom Policy (Enterprise Customer Only)...41 Configure a Virus Filter...43 Set Protection to Notify Users about s with Viruses...44 Configure a Spam Filter...45 Define the Action to Take on Spam...46 Define Additional Words That Indicate Spam...47 Set up Spam Quarantine Reports...50 Configure a Content Filter...53 Turn Off a Default Content Filter...55 Custom Content Group...56 Notify Users about Spam Content...57 Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons...58 Configure Web Hyperlink Filters (ClickProtect)...60 Define an Attachment Filter...62 Filter by Attachment File Types...62 Filter by Attachment File Name...65 Filter Zip File Attachments...66 Notify Users about Attachment Violations...67 Allow or Deny to or from Specific Addresses...68 Allow from a Specific Address...69 Deny from a Specific Address...70 Deny to a Specific Recipient...72 Save a Copy of an Allow, Deny, or Recipient Shield List...73 Add Allow, Deny, or Recipient Shield Addresses with a Batch File Authentication...73 Transport Layer Security...73 Enforced SPF...75 Define the Format and Text of Notifications to Users...80 Variables within a Notification...80 Define the Format and Text of Virus Notifications...81 Define the Format and Text of Content Violation Notifications...83 November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission v

7 Define the Format and Text of Attachment Violation Notifications Authentication...85 Disaster Recovery...87 Assign a Group to the Custom Policy...88 Customize Outbound Mail Filters 89 Create a Custom Outbound Policy...89 Configure a Virus Filter...90 Configure a Content Filter Encryption for Content Groups...91 Define an Attachment Filter...92 Define the Format and Text of Notifications to Users...92 Assign a Group to the Custom Policy...92 Managing Quarantine Reports 93 Set up Quarantine Reports...93 Monitor Users Quarantined Primary Addresses, Aliases, and Public Domain Addresses...94 Search for Quarantined Interpret the Search Results...95 Sort the Search Results...96 Delete Quarantined Messages...97 Release Quarantined Messages...97 View Quarantines Messages...97 Monitor Your Own Quarantine...99 Set up Disaster Recovery Services 101 Administer Disaster Recovery Services Set up Spooling for Disaster Recovery Set up Notifications of Disaster Recovery User-Level Policy Configuration 103 System Reports 105 November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission vi

8 Protection Reports View an Protection Report Traffic Overview Traffic: Enforced TLS Report Traffic: Encryption Threats: Overview Threats: Viruses Threats: Spam Threats: Content Threats: Attachments Enforced TLS: Details Enforced SPF Report ClickProtect: Overview ClickProtect: Click Log Quarantine: Release Overview Quarantine: Release Log View Details of Log Items User Activity Event Log Audit Trail Inbound Server Connections Disaster Recovery: Overview Disaster Recovery: Event Log November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission vii

9 Administer MSP Connector Configure the MSP Connection Add Domains to the MSP Connection Turn on Exception Notifications for the MSP Connection View an MSP Connector Audit Report Administer Performance Reports Performance Report Descriptions Tips and Frequently Asked Questions 153 FAQs Tips/Techniques November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission viii

10 Differences in Administration for Service 1. Overview Protection provides security services that safeguard corporations from unsolicited spam (junk mail), viruses, worms, and unwanted content at the network perimeter before they can enter the internal network. Multiple layers of Protection provide secure and complete filtering to protect your users. You can enable or disable specific layers by changing the licensed packages of features and/or through configuring the specific policies in the Control Console, the comprehensive graphical interface into Protection. This document describes the tasks necessary to configure and maintain your Protection. Differences in Administration for Service Providers This document is for use by Enterprise customers only. Service Provider customers do not administer groups for Protection and therefore, do not assign groups to filtering policies. Instead, Service Provider customers assign policies directly to domains. The capabilities for managing policies and groups, as described in this document, apply only to Enterprise customers. Account Management Necessary for Protection Account Management is a set of administrative windows you use to configure and manage the entities that use or are affected by Protection ( Protection), as well as the Web Protection Service (WDS) and Message Archiving products. These entities include: Domains Users Other administrators, including other Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers In addition, for Protection only, you use Account Management to administer groups of users that share a common filtering policy. For more information, see Account Management Administrator Guide. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 1

11 Auto-creation of Users Protection Administrator Guide MX Record Validation You can validate that the MX Records that are configured for your domain are properly redirected by entering the specific DNS and/or IP address for your MTA server. The Control Console displays the MX Record configuration as reported by the authoritative DNS server. See Check Your MX Record. Alias Domain Names You can configure alias domain names that act as virtual domains using the configurations and addresses defined in the primary Domain name. addresses are created automatically for alias domains (for example, is automatically created for allowing the single user to receive for both addresses. For more information, see Account Management Administrator Guide. Auto-creation of Users The Protection automatically creates new user accounts if all the following is true: SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a convenient way to add users to your service. However, this capability might also add users who are not real users at your company and not add users who are real. SMTP discovery creates users that receive eight valid s within a 24 hour period. A user account does not exist for the address in the designated Domain. The s were not addressed to an alias domain name. For more information, see Set up User Creation Mode SMTP Discovery or Explicit. Filtering Policies Protection has default inbound and outbound mail filters to block and clean malicious and to quarantine that might be malicious. The filters are configured by using policies, which are the parameters for the filters default policies are automatically assigned to each of your domains. You can customize the default inbound policy for any and each domain, or any and each group, to fit your business Protection. For more information, see Customize Inbound Mail Filters. 2 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

12 Filtering Policies Types of Inbound Filtering Protection can filter both inbound and outbound . Inbound filtering that is available to be configured is as follows: Anti-Spam Filtering Real-time Blackhole List Anti-Virus Filter Content Filtering and ClickProtect Attachment Filtering Multi-Level Allow and Deny Lists Anti-Spam Filtering Spam is usually defined as unsolicited (and usually unwanted) and commercial sent to a large number of addresses. However, what one recipient may consider as spam, another recipient would consider as legitimate . In addition, spam has become a tool of hackers and electronic terrorists who deliberately attempt to gather proprietary information from computer systems and/or attempt to cause harm to a company s system. Typically, these types of spammers deliberately use naming standards, hijacked From: addresses, scrambled content, etc., to bypass spam filters such as blacklists and keyword lists. Using Stacked Classification Framework, Protection provides the most comprehensive and effective spam-blocking product on the market today blocking 98% of spam and providing an industry-leading low false positive rate (legitimate marked as spam). The Stacked Classification Framework aggregates the most effective spam filters and techniques in the industry into a spam likelihood. As appropriate, is assigned a high or medium likelihood of being spam. A separate action can be assigned to each likelihood. The spam classification techniques include the following: Spam FilterType IP Reputation Connection Manager Description This filter operates at the front of the Stacked Classification Framework. It rates the reputation of every incoming , based on IP reputation data collected by your Protection provider on an on-going basis. Connections are dropped for all messages which originate from IP addresses that are determined to carry a reputation for sending spam. Bayesian Statistical Filtering Statistical algorithms built by your Protection provider identify and quantify the possibility that an is spam based on how often elements in that have appeared in identified spam s. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 3

13 Filtering Policies Protection Administrator Guide Spam FilterType Industry Heuristics Proprietary Heuristics URL Filtering Reputation Analysis Reputation-Based RBL Filtering Sender Policy Framework (SPF) Description Protection incorporates thousands of successful industrywide spam-fighting rules to recognize characteristics of spam. Protection experts write and update thousands of proprietary rules to block spam, including fraudulent phishing spam, using real-time data from your service provider s Threat Center. URL filtering works by comparing embedded links found in s with URLs associated with identified spam. Protection constantly monitors inbound to build a list of IP addresses and domain names to rate the reputation of the sender based upon the percentage of spam s received from that address in the past. Using up to 31 real-time blackhole lists (RBLs) of known spammers provided by the industry, Protection creates a single RBL indicator to help gauge the likelihood of an being sent by a known spammer. By using multiple black lists to create a single vote and by rating the reputation of each RBL based on its accuracy at distinguishing spammers from senders of legitimate helps to minimize the possibility of a non-spammer being blocked by mistake. The SPF classifier helps identify and block fraudulent spoofing s those sent by spammers with forged From addresses from entering your network. For each inbound , the SPF classifier will look up the sending domain s Domain Naming System (DNS) record and its list of authorized IP addresses. s that carry an IP address not found on the authorized list will be included within the Stacked Framework Classification System for the detection of spam. By determining whether or not the relationship between the DNS record and the IP address is legitimate, Protection is able to more accurately filter out fraudulent spoofed s. As a result, Protection reduces risk for users who might be duped by the into divulging confidential personal information. Real-time Blackhole List The Real-time Blackhole List (RBL) is a system for creating intentional network outages (blackholes) for the purpose of limiting the transport of known-to-be-unwanted mass . The RBL is a database of IP addresses that are reported to be spam sources. 4 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

14 Filtering Policies Anti-Virus Filter Protection provides highly effective, organization-wide virus and worm protection. By identifying viruses and worms at your network perimeter before they enter or leave your messaging infrastructure Protection minimizes outbreak and infection risks to your enterprise messaging infrastructure. You can configure whether infected s are quarantined, denied, or stripped of infection. Provides maximum protection using multiple, industry-leading anti-virus engines to allow Protection to customize the protection to meet the latest threats. Virus definition updates every 5 minutes provide up-to-the-minute defense against the latest threats. Provides safe, external virus scanning and quarantine management for protection against viruses before they reach your network. Protects your users, networks, and data from harm Content Filtering and ClickProtect Protection protects your organization and reduces liability and risk by automatically identifying unwanted and malicious content before it enters or leaves your network. You can enable any of the following types of content filtering: Content Filter Type Predefined Content Keyword Groups Customized Content Keyword Groups Multiple Levels of HTML Filtering Graphic Image Replacement Description You can enable or disable predefined content keyword groups provided by Protection: Profanity Sexual Overtones Racially Insensitive You can define customized content keyword groups containing terms and phrases to satisfy the business and security Protection of your organization. You can designate the level of HTML filtering to be used (low, medium, or high), with predefined actions for each level. Depending on the level, malicious HTML tags and scripting options embedded in are stripped. You can enable or disable the automatic replacement of images with a transparent 1x1 pixel GIF within HTML s. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 5

15 Filtering Policies Protection Administrator Guide Content Filter Type Stripping of Spam Beacons or Web bugs Disabling hyperlinks within with ClickProtect SM Description Spam beacons and web bugs are typically transparent, 1x1 pixel graphics embedded in HTML content that send information about your system to the source (usually a URL) of the spam beacon or web bug. Typically, web bugs are used on Web sites to monitor surfing behavior, but now spammers are hiding them in their mass mailings as spam beacons. If the graphic is not removed before an is opened, the spam beacon sends a signal back to the spammer s URL that lets the spammer know whether the was opened and if the recipient s address is valid. If the spammer gets this signal, the recipient is marked as a valid address and is guaranteed to receive more spam in the future. You can enable or disable the automatic stripping of spam beacons or Web bugs within HTML s. ClickProtect allows you to monitor and disable or enable whether Web hyperlinks received in s can be clicked and followed by the user. With multiple levels of ClickProtect policy control, Administrators can customize the desired level of protection. This feature supports blocking phishing sites and accidental downloads of viruses and worms. Attachment Filtering Protection provides you the ability to control the types and sizes of allowed attachments entering your network. You can control attachment filtering using any of the following: Attachment Filter Type Attachment Filtering by File Type Attachment Filtering by Size Custom Attachment Rules by Filename Filtering for Files Contained within a Zip File Attachment Encrypted or High Risk Zip File Attachment Rules Description You can enable or disable filtering of attachments by file type. File type is determined using the file extension, MIME content type, and binary composition. You can designate a maximum allowed size for each enabled attachment type. You can configure custom rules using filenames that override the global settings for an attachment file type. You can designate that the rule use the entire filename or any part of the filename. You can configure custom rules to cause Protection to analyze the files within a zip file attachment, if possible, to determine if a file in the zip file violates attachment policies. If the zip file cannot be analyzed, you can designate the action to be applied. You can configure custom rules for s with encrypted zip files and/or zip files that are considered high risk (too large, too many nested levels, etc.). 6 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

16 Filtering Policies Multi-Level Allow and Deny Lists Protection allows you to define lists of s that will always be denied (blacklists) or will always be accepted (whitelists) at multiple levels. In addition, you can enable thirdparty Real-time Blackhole List to be used to filter unwanted s. The administrator-level lists override the user-level lists in a top-down manner: global lists first, policy set lists next, and lastly user-level lists. For example, if the same address is added to a user-level Allow list and the policy set Deny list, the address is always denied. At the same level, the Allow list overrides the Deny list. For example, if you designate a range of addresses (for example, by designating an entire domain) in the Deny list, but then designate a single address from that domain in the Allow list, the from that single address will be always accepted while the from any other address in the domain in the Deny list will be always denied. The same address string cannot be added multiple times in the same list or added to both the Allow and Deny lists. Be aware that s that have been quarantined by Protection may not need to be added to Deny lists because they are already being blocked from entering your network. Following are the types of Allow and Deny lists that are available in Protection: Allow/Deny List Type Global Deny List Policy set-level Sender Deny Lists and Sender Allow Lists Description If your Protection provider determines that a Sending SMTP has sent too many invalid incoming s within a specified time period, it will add the IP address for that Sending SMTP to a Global Deny List for a designated time period (default is 2 hours). During the denial period, all s received from that Sending SMTP will be automatically denied. This process helps to protect against dictionary harvest and Denial of Service attacks. This process can be disabled at the system level. Sender Deny lists indicate sender addresses from which is denied automatically. Sender Allow lists indicate sender addresses from which is allowed without spam, content, or attachment filtering (virus filtering is always enabled unless specifically disabled). You can designate a single address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. Each policy set affects the filtering for all user accounts in the groups that are subscribed to that policy set. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 7

17 Filtering Policies Protection Administrator Guide Allow/Deny List Type User-level Deny Lists and Allow Lists Recipient Shield List Description Maintained by you and/or the user, Deny lists indicate sender addresses from which is denied automatically. Allow lists indicate sender addresses from which is allowed without spam filtering (all other enabled filtering will be applied). You can designate a single address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. These lists affect only the s received for the designated user account and its alias addresses (user-level lists). You can define a list of recipient addresses for which you want to specify special actions (for example, you want to deny all s for a user who is an ex-employee). You can also specify the action to take if the recipient address is invalid in your system (permfailed by your server as an invalid recipient). Types of Outbound Filtering You can add outbound filtering to each package, helping to ensure the safety and appropriateness of information being sent from your corporate system to valued customers or business partners. Filter Type Content Filtering Attachment Filtering Virus Scanning Description This feature automatically prevents inappropriate, malicious, or confidential content from leaving your corporate system, allowing you to monitor and enforce your corporate policies. Outbound attachments can be filtered by size, by MIME content type, or by binary content, according to your corporate policies. Outbound virus scanning stops viruses and worms from leaving your corporate system, preventing your enterprise from being the source of -borne viruses to customers, suppliers, and partners. Configurable Actions for Filtered In Protection, filtering policies control how s are filtered within a specific Domain and how Protection will respond during filtering and reporting. Depending on the feature package that is licensed for a domain, specific filters will be available to be enabled and configured. Also, depending on the enabled filter, various actions must be configured that define how Protection will respond if an violates the specific filter policy. 8 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

18 Filtering Policies Based on the defined policy configuration, each that violated the specified policy can have any of the following actions taken, depending on the type of policy: Action Quarantine Tag Deny Delivery Do Nothing or Allow Delivery Silent Copy Strip Attachment Clean Custom X-Header Disable Filter Description The is added to the respective quarantine area and is not sent to the recipient address. If the violated a spam policy, the is reported in the user s Spam Quarantine Report. The subject line of the has a descriptive phrase (for example, [SPAM] ) added to the beginning of the subject text and the is sent to the recipient address. The is blocked automatically. Depending on the sending system s configuration, the sender may or may not be notified with a 5xx Deny . The is forwarded to the recipient address with no processing applied. The values in the reports and the Overview window will be incremented for the relevant policy to indicate that an did trigger the specific policy. A copy of the is forwarded to a list of designated addresses with no notification to the sender or recipient. If the had an attachment that violated configured policies, this action causes that attachment to be removed from the and the is be sent to the recipient address. Text is inserted into the notifying the recipient that an attachment has been stripped. Only the attachment that violated the policy is stripped. If the had an attachment that contained a virus or worm, this action attempts to remove the virus or worm and preserve the attachment. If the clean is successful, text is inserted into the notifying the recipient that an attachment had contained a virus and was cleaned. If this action is selected, a second fall-back action also must be designated in case the Clean action fails. This action is specific to the virus filtering policies. If the was determined to have a high or medium likelihood of being spam, you can configure that a custom X-header be inserted into the . This X-header can be used by your servers to perform additional actions within your network, such as redirecting the . Each spam likelihood can have a different custom X-header. This action is specific to the spam filtering policies. A non-administrator user cannot disable virus filtering if it is licensed and enabled for a specific Domain or policy set. Only Administrators can enable or disable virus filtering for a specific Domain or policy set. You can designate that Protection first attempts to remove the virus from an infected attachment, and if the clean fails, perform another action. You can designate that only the infected attachment is stripped. and the remaining contents and attachments are sent to the recipient. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 9

19 User-level Policy Configurations Protection Administrator Guide Notifications for Filtered You can enable or disable notifications to the sender and/or recipient addresses of that was filtered because of virus, content keywords, or attachment. For more information, see one of the following: Set Protection to Notify Users about s with Viruses Notify Users about Spam Content Notify Users about Attachment Violations User-level Policy Configurations By default, policy configurations are defined for each domain and group. All s received for all user accounts within a domain or group are processed using the same policy configurations. Optionally, user-level policy configurations can be defined for individual users that override the Domain/Group policies. Thus, if there is a conflict between a user-level policy and any of the other types of policy configurations, the user-level policy setting will be used. These user-level policy configurations allow customization of actions for each user. User-level policies are confined to the following policies: Enable or disable processing for spam, virus, content keyword, attachments, and/or HTML content. Specify actions to take for s if they are determined to have a high or medium likelihood of being spam. Configure the spam quarantine reporting To manage the policy for an individual user, see User-Level Policy Configuration. To establish user control of policies, see Set up Spam Quarantine Reports. User also can have some control over their policies. Quarantine Protection provides multiple quarantine areas with different security accesses to store and support review of suspect outside of your network. s that violate configured policies and that have the Quarantine action applied are sorted into multiple quarantines to ease management and support security levels: Spam Quarantined Messages Accessible to all users, with users with role of User or Reports Manager allowed to access only their own personal spam quarantine 10 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

20 Customizing the Interface Virus Quarantined Messages Accessible to only Administrators and Quarantine Managers Attachment Quarantined Messages Accessible to only Administrators and Quarantine Managers Content Keyword Quarantined Messages Accessible to only Administrators and Quarantine Managers Within each quarantine, you can do any of the following: Delete selected s or all s Release selected s or all s for delivery to the recipient View selected in a Safe View window Add the sender addresses to the recipients user-level Allow list and release the s (available only for quarantined spam s) ed Reports of Quarantined Spam s Optionally, s are sent to users to indicate that spam s that have been quarantined, using either of the following types of s: Spam Quarantine Report Spam Quarantine Reports are HTML-based notifications of quarantined spam s that sent to users. Multiple links in the Reports allow management of quarantined spam based on policy set-level and user-level configurable control settings. When the user clicks a link, the designated action is performed and the user is automatically logged into the Control Console. Spam Quarantine Summary Spam Quarantine Summaries are optional text-based notifications of quarantined spam sent to users, to support applications that are not HTML-compatible. The user clicks the link provided in the and is automatically logged into the Control Console. Once logged in, the user can navigate to the relevant window to manage the spam quarantine and modify personal settings. Customizing the Interface Licensed Branding There are multiple branding levels that control the appearance and URL addresses used within the Control Console and Spam Quarantine Reports and Summaries: Standard Branding uses images and addresses provided by your service provider. Private You control the images and addresses. Cobrand Branding uses images provided by you and your service provider., and addresses provided by you. White Label Branding uses no identifying images and uses addresses provided by you. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 11

21 Customizing the Interface Protection Administrator Guide Branding levels other than Standard must be licensed separately. For more information, see Rebrand Your User Interface in Account Management Administrator Guide. Language Localization Within the Control Console, windows and features available to the non-administrative user (whose role is User) can be provided in translated form supporting multiple languages. When the user logs in via the log on window, he or she can select the desired language in the Language field. Thereafter, all spam quarantine reporting s and window and field labels will be provided in the designated language. The following languages are supported: Brazilian Portuguese Chinese Simplified Chinese Traditional Danish Dutch English Finnish French German Italian Japanese Korean Norwegian Portuguese Russian Spanish Swedish Turkish This feature is available only to non-administrative user accounts. This feature must be enabled at the system level to be available. As a Customer Administrator, you can set the language for a user on the user s Preferences window. See Set User Display Preferences, Including Your Own in Account Management Administrator Guide. Outbound Disclaimer You can define text that will be appended to the content to support liability or legal requirements for your organization. Every that was sent from your organization to Protection for filtering will have the designated text added to the end of the content. This feature requires that outbound filtering be licensed. 12 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

22 Monitoring and Reporting See Add an Outbound Disclaimer. Notifications You can customize the content of the notification for each combination of the type of filter and each type of action (quarantine, deny, or strip). See Define the Format and Text of Notifications to Users. Monitoring and Reporting Protection provides near-real-time monitoring for most reports of system usage, filtering, etc., for the designated Domain and date or date range. Report data is available to be downloaded to Microsoft Excel spreadsheet file (*.csv). There are multiple reports available for viewing in the Control Console: For more information, see System Reports. Optional Utilities Your service provider provides additional, free tools that provide additional support for your network. Spam Control for Outlook If you receive that you feel should have been filtered as spam, you can use the Spam Control for Outlook plug-in. The Spam Control for Outlook plug-in automatically packages the data, forwards it to your service provider s Threat Center, and then deletes it from your Microsoft Outlook mailbox. This utility only works for the Outlook mail client. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 13

23 Disaster Recovery Services Protection Administrator Guide Disaster Recovery Services Fail Safe The Fail Safe Disaster Recovery Service provides protection against lost s in the case when your inbound server (a.k.a. Customer MTA server) may be unavailable to receive . If you have multiple inbound servers configured in Protection, all of these servers must be unavailable before Fail Safe is invoked. When your inbound servers becomes unavailable, Fail Safe begins spooling , which means Fail Safe stores your s in a temporary location until your inbound server becomes available. Once any of your inbound servers become available, Fail Safe begins unspooling the s. That is, Fail Safe restores these stored s to the inbound server using the first in, first out order. The messages Fail Safe stores are not available until the messages have been unspooled. Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days. For more information, see Administer Disaster Recovery Services. Continuity Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Continuity delivers the messages. Users can access their messages through a Web-based interface while messages are in Continuity only. Continuity also has unlimited storage capacity and removes messages that have been in Continuity storage for more than 60 days. For more information, see Administer Disaster Recovery Services. 14 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

24 Who Can Access Protection Admin- 2. Access Protection Administration As a customer of Protection, you can have administrators who access the Control Console with different levels of privileges within Account Management and Protection. Who Can Access Protection Administration windows The levels of administrative users you can add are as follows: Administrative level Reports Manager Group Administrator Quarantine Manager Domain Administrator Customer Administrator Group Adsministrator Description The Reports Manager can view, for an assigned domain, reports available with Protection. The Reports Manager can also manage his or her own user preferences and all other tasks a user can perform. The Group Administrator can add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create, edit, and modify Protection policies for the assigned groups. Finally, a Group Administrator can view user lists and user details. A Group Administrator does not need to be a member of a group in order to have these capabilities. Note: A Group Administrator cannot add or remove a group nor edit user information The Quarantine Manager, for an assigned domain, can manage the same areas as a Report Manager, plus manage, for the assigned domain, all users Quarantine for spam and other problematic messages, only if Protection is enabled. The Domain Administrator, for an assigned domain, can manage the same areas as a Quarantine Manager, plus manage server setup and authentication rules for the domain. The Customer Administrator can manage all aspects of the customer s Account Management for all domains. The Group Administrator can, within the Group Administrator s assigned domain, add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create and modify Protection policies for the assigned groups. A Group Administrator does not need to be a member of a group in order to have these capabilities. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 15

25 Who Can Access Protection Administration windows Protection Administrator Guide The following figure summarizes the levels of administrators, plus users, in an Protection configuration. Table 1: Protection Window Access Privileges Window Access Feature Enablement Required Customer Administrator Domain Administrator Quarantine Manager Group Admnistrator Overview No Yes Yes No No Policies tab Policy Sets No Yes No No Yes Anti-virus: Action No Yes No No Yes Anti-virus: Notifications Anti-SPAM: Classification Anti-SPAM: Content Groups Anti-SPAM: Reporting Content: Content Groups No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes 16 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

26 Who Can Access Protection Admin- Window Access Feature Enablement Required Customer Administrator Domain Administrator Quarantine Manager Group Admnistrator Content: Custom Content Groups Content: Notifications Content: HTML Shield Content: Click Protect Attachments: File Types Attachments: File Name Policies Attachments: Additional Policies Attachments: Additional Notifications Allow/Deny: Sender Allow Allow/Deny: Sender Deny Allow/Deny: Recipient Shield Enforced TLS: Actions Enforced TLS: Notifications Notifications: Content Notifications: Attachment Group Subscriptions No Yes No No Yes No Yes No No Yes No Yes No No Yes Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes No Yes No No Yes Disaster Recovery Yes No No Yes Quarantine Tab No Yes Yes Yes No SetupTab No November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 17

27 Who Can Access Protection Administration windows Protection Administrator Guide Window Access Feature Enablement Required Customer Administrator Domain Administrator Quarantine Manager Group Admnistrator Inbound Servers Setup No Yes Yes No No Outbound Servers Setup Outbound Disclaimer Disaster Recovery Setup Yes. Depending on your purchased package, this service might need to be enabled. Yes. Depending on your purchased package, this service might need to be enabled. Yes. Either FailSafe or Continuity must be enabled or included in your package. Yes Yes No No Yes Yes No No Yes Yes No No MX Records Setup No Yes Yes No No User Creation Settings No Yes No No No Reports tab Traffic Overview No Yes Yes Yes No Threats Overview No Yes Yes Yes No Threats: Viruses No Yes Yes Yes No Threats: Spam No Yes Yes Yes No Threats: Content No Yes Yes Yes No Threats: Attachments ClickProtect:Over view ClickProtect: Click Log No Yes Yes Yes No No Yes Yes Yes No No Yes Yes Yes No 18 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

28 Other Documents You Might Need Window Access Feature Enablement Required Customer Administrator Domain Administrator Quarantine Manager Group Admnistrator Quarantine: Release Overview Quarantine: Release Log No Yes Yes Yes No No Yes Yes Yes No User Activity No Yes Yes Yes No Event Log No Yes Yes Yes No Audit Trail No Yes Yes Yes No Inbound Server Connections No Yes Yes Yes No Disaster Recovery: Overview Disaster Recovery: Event Log Yes. Either FailSafe or Continuity must be enabled. Yes. Either FailSafe or Continuity must be enabled. Yes Yes Yes No Yes Yes Yes No Other Documents You Might Need Account Management is a self-contained subset of windows you access on the Control Console. You use it in conjunction with the administration windows for the previouslymentioned products. For information on administering these products, see the online help in the Control Console or the documentation as listed below. Protection Documents Protection Concepts Guide Protection Quick Start Intelligent Routing User Guide Continuity Administrator Quick Start Guide November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 19

29 Ensure You Can Receive from Your Service Provider Protection Administrator Guide Web Protection Service Documents Web Protection Service Quick Start WDS Connector Installation Guide Message Archiving Documents Message Archiving Administrator Guide Message Archiving Quick Setup Guide for Microsoft Exchange Server 2000 Message Archiving Quick Setup Guide for Microsoft Exchange Server 2003 Message Archiving Quick Setup Guide for Microsoft Exchange Server 2007 User Guides In addition, a variety of guides for your users are available. These are: Protection User Guide Message Archiving User Guide Spam Control for Outlook Continuity User Quick Start Guide Ensure You Can Receive from Your Service Provider If you had or still have a different security or filtering service and your network is administered so that you can receive only from IP addresses associated with that security service, you must administer your network to allow incoming from the Control Console servers. For example, a port in your company s firewall may need to be enabled to receive from the IP addresses of the Control Console servers. This enablement is necessary in order for you and your users to set the initial password for access to the Control Console. Log on to the Control Console To manage your account, you must log on to the Control Console with the following steps. Note: The first time you log on, you might need to create your password. If so, see Reset Your Password from the log on window. 1 Open a browser on your computer and enter the URL for the Control Console. 20 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

30 Log on to the Control Console The URL should be identified in the Service Activation Guide you received from your provisioner. If you don t have the URL, contact your sales representative or Customer Support. 2 At the Control Console log on window, enter your address and password. 3 Click Sign in. If you have not previously entered an answer to a security question, the Security Question window pops up. The answer to the security question is used is used to validate you, the user, if you forget your password. You can later change your security question and/or security answer on the Preferences window of your user account. See Set User Display Preferences, Including Your Own in Account Management Administrator Guide. 4 Select a security question and type the answer. Your answer is not case-sensitive. Note: If you also use the Protection, you can also log onto the Control Console from a Spam Quarantine Report. Reset Your Password from the log on window Note: This capability may not be available if the user authentication method is set to LDAP, POP3, or IMAP or if the ability to change passwords has been disabled at the system level. If you forget your password or want to reset it, perform the following steps: 1 On the log on window, click the Forgot your password or need to create a password? link. The following window is displayed. 2 In the Username field, type your address. 3 Do one of the following: November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 21

31 Log on to the Control Console Protection Administrator Guide If your address is working and you are already receiving , select password information to me. If your address is not working, select password information to my Domain Contact. Your Domain Contact might be your administrator or another person your administrator defined for your domain within the Control Console. Check with your administrator on who that person is. 4 Click Next. If you selected the option for your , your application receives an momentarily with further instructions. Continue with Step 5. If you selected the option to a Domain Contact, that person receives an from which the person can reset your password. The person can also forward the message to an alternative address you might have. Contact that person for the password, then try to log on again. You are finished with this procedure. 5 If you selected the option to information to you, open the in your application. The subject line says Control Console Sign in Information. The is similar to the following: 6 Click the link in the . The link is active for only a limited time after the is sent (typically, 60 minutes). 22 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

32 Log on to the Control Console 7 If you previously had selected a security question, the security question is displayed. If you had not previously selected a security question, select a question from the Security Question drop-down menu. 8 Type the answer to the question in the Security Answer field. 9 For the Security Question field, click Change if you need to change the security question or answer. You must answer this question when you forget your password or need to reset it. The Security Question and Security Answer fields are displayed. Select a question from the Security Question drop-down menu, then type an answer. 10 In the Password field, type a password. The password must comply with the following rules: Length must be a minimum of 8 characters. Alphabetical, numeric, and special character types are allowed. There must be at least one character that differs in character type (alphabetical, numeric, or special) from the majority of characters. Thus, if the password contains mostly alphabetical characters, then at least one character must be either a special character or numeric. For example, majordude is invalid, but majordude9 is valid. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 23

33 Log on to the Control Console Protection Administrator Guide Allowed special characters are: left parenthesis ( ( ) ampersand ( & ) right bracket ( ] ) right parenthesis ( ) ) asterisk ( * ) colon ( : ) apostrophe ( `) hyphen ( - ) semicolon ( ; ) tilde ( ~ ) plus sign ( + ) double quotes ( " ) exclamation (! ) equals sign ( = ) single quotes ( ' bar ( ) less than sign ( < ) hash ( # ) backslash ( \ ) greater than sign ( > ) dollar sign ( $ ) left curly bracket ( { ) period (. ) percentage sign ( % ) right curly bracket ( }) question mark (? ) caret ( ^ ) left bracket ( [ ) Spaces are not allowed. Passwords are case-sensitive (for example, Password, password, and PASSword would be different passwords). Make sure you can remember your password, but do not use obvious passwords (for example, password, your name, or a family member s name). Keep your password safe and private. 11 Retype your password in the Confirm Password field. 12 Click Save. 24 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

34 3. Check the Status of Protection on the Overview The Overview window provides the following high-level information about the traffic to your domain over the previous 24 hours: Disaster recovery information News and update information Customer Administrators will see the information for all the domains in the customer where the role was defined. Domain Administrators will see the information for only the domain where the role was defined. 1 Select Protection Overview. The Overview window is displayed with the initial view. 2 Click Display Statistics. The Overview window is displayed with the complete view. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 25

35 The sections on the window provide the following information: Section Inbound 24-Hour Snap Shot Description Displays a 24-hour snapshot of inbound traffic: Messages Number of inbound messages processed Avg Size Average size of inbound messages, including attachments Bandwidth Average bandwidth used by inbound messages Viruses Number of inbound s that contained viruses Spam Number of inbound s that were potentially spam Quarantined Total number of inbound s that were quarantined for any reason, including spam, virus, etc. 26 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

36 Outbound 24-Hour Snap Shot Traffic (Last 24 Hours {timezone}) Policy Enforcement (Last 24 Hours {timezone}) Disaster Recovery Current Status Disaster Recovery Activity (Last 24 Hours) What s New News Section Description Displays a 24-hour snapshot of the domain s or Customer s outbound traffic: Messages Number of outbound messages processed Avg Size Average size of outbound messages, including attachments Bandwidth Average bandwidth used by outbound messages Avg Size Average size of outbound messages, including attachments Viruses Number of outbound s that contained viruses Quarantined Total number of outbound s that were quarantined for any reason, including viruses. Displays a graph of traffic volume for the last 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph. Displays the percentage of messages that had the different actions applied (for example, stripped, blocked, tagged, quarantined, cleaned, or normally delivered) over the past 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph. Displays domains that are currently in Disaster Recovery. The Protection is currently spooling the specified domain's Displays how many s were spooled and unspooled by Fail Safe for all domains in the indicated Customer during the last 24 hours of the designated time zone. Spooled Messages Indicates the number of s that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them. Unspooled Messages Indicates the number of s that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them. Displays a list of new information available about Protection. Depending on the configuration, this section may be blank or may contain different information. Displays any updates on current threats and other important security news (links). Click the desired link to view the complete information. Depending on the configuration, this section may be blank or may contain different information. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 27

37 28 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

38 Confirm Your Inbound Servers Setup 4. Set up Your Servers This section describes how to ensure your inbound and outbound servers are set up correctly for Protection. Confirm Your Inbound Servers Setup Protection filters destined for your inbound Simple Mail Transfer Protocol (SMTP) server or servers. Your provisioner should have already defined one or more SMTP servers in the Control Console. To confirm that these servers are defined, perform the following steps: 1 Click Protection Setup. 2 From the domain drop-down menu on the Setup window, select the domain whose SMTP server you want to check. The SMTP Host Address field displays the domain name(s) or IP address(es) for the domain s SMTP server. In our example, domain denver.acme.com has an SMTP server with a domain name of mail1.denver.acme.com. The Inbound Servers Setup window is displayed. 3 Ensure the SMTP server listed are valid and correct. 4 Ensure that all other information on the window is correct, and select Save. 5 Repeat steps 2 through 4 for any other domains in your network. Set up Additional Inbound Servers You can configure additional inbound servers to receive inbound from Protection for the designated domain. All servers for a domain that receive inbound from Protection must be configured on the Inbound Servers Setup window. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 29

39 Set up Additional Inbound Servers Protection Administrator Guide Any server addresses designated here must be valid and available to connection from Protection. After the Save Changes button is clicked, the Protection immediately routes to the active servers. 1 Click Protection Setup. 2 From the domain drop-down menu, select the domain whose SMTP server you want to add. 3 Click Add New Host. A new set of fields appears for the server 4 In the SMTP Host Address field, type the fully qualified DNS or IP address of the server host being configured. CIDR notation is not allowed. If you do not have a registered and valid DNS name for your servers, you must enter the IP addresses of each server. 5 In the Port field, type the port on the server to which the Protection will connect. The default value is In the Preference field, type the number indicating order of connection preference between multiple servers. Protection attempts to connect first to the server with the lowest preference number. If that server is not available (either down or too busy), Protection tries the server with the next lowest preference number, and so on. If multiple servers have the same preference number, Protection will randomly route the delivery between them. 7 Click the Active checkbox to allow the server is immediately start accepting traffic. Caution: If all servers are set to inactive, all s received for this domain will be tempfailed. 8 Click Save. Delete an Inbound Server To delete an inbound server, perform the following steps: 1 Access the appropriate domain on the Inbound Server Setup window 2 Click the Delete checkbox next to the server you want to delete. 3 Click Save. 30 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

40 Add IP Address of Outbound Server, If Add IP Address of Outbound Server, If Necessary If your service includes Outbound Message filtering, you must identify one or more outbound mail servers through which your users send outgoing mail. While your outbound server might use a Domain Name Server (DNS) name within your network (for example, lewisoutbound.acme.com), you identify the outbound sever within Protection with an IP address (for example, ). Alternatively, you can specify a Classless Inter-domain Routing (CIDR) address for a range of outbound servers (for example, /27) only. The address must be a public address. Any server addresses designated here must be valid and available for a connection. After the Save Changes button is clicked, Protection immediately accepts traffic from the active servers. Note: If is received from an outbound server that is not configured in the Protection system, it will be refused. If no outbound package has been designated for the selected domain, this window is unavailable. 1 Click Protection Setup Outbound Servers. The Outbound Server Setup window is displayed. 2 Click Add New Address, and add the address of the outbound server. 3 Click Save Changes. 4 Record the address listed under Recommended Smart Host Server Settings. You should use this address to perform the next task, Set up a Smart Host (If Outbound Mail Defense is Turned on). Important: You or your network administrator should also do the following before or immediately after adding your outbound server(s): Update Sender Policy Framework (SPF) records on your mail server(s) to ensure only authorized sources are sending outbound . Scan your network for open relays, viruses and malware. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 31

41 Add IP Address of Outbound Server, If Necessary Protection Administrator Guide Delete an Outbound Server To delete an outbound server, perform the following steps: 1 Access the appropriate domain on the Outbound Server Setup window 2 Click the Delete checkbox next to the server you want to delete. 3 Click Save Changes. Set up a Smart Host (If Outbound Mail Defense is Turned on) To ensure that your outbound is filtered, you must designate, for each of your outbound mail servers, an Protection server as your Smart Host. Your outbound is then relayed through Protection before continuing to its final destinations. The outbound Smart Host address is listed at the bottom of the Outbound Server Setup window, or you can refer to your Service Activation Guide for more details. Note: This task is performed on your outbound server or servers, on your network router, or on some other server, depending on your network s configuration. Add an Outbound Disclaimer You can create and assign text that will be appended to all outgoing s that are filtered by Protection for the designated domain. For example, you might want to specify that the sent from your company is the property of your company with all right reserved. Note: If no outbound package has been designated for the selected Domain, this window is unavailable. 1 Click Protection Setup Outbound Servers. 32 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

42 Redirect Your MX Records The Outbound Server Setup window is displayed. 2 Click Display disclaimer in outbound messages. 3 In the Disclaimer Text field, type the text of the disclaimer. A maximum of 1000 characters is allowed. 4 Click Save. Redirect Your MX Records The Mail Exchange (MX) record for each of your mail servers is a specification within a Domain Name Server (DNS Server) operated by your Internet Service Provider (ISP). Each MX record specifies a host name and preference that determines where and how your ISP routes your company s . Your MX record or records at your ISP must be changed to fully-qualified domain names (for example, denver.acme.com) within the Protection network. These changes allow Protection to filter your before it arrives at your company s mail servers. Your Network Administrator or Domain Registrar is typically the individual responsible for making these changes. The information necessary for your company to make these changes is provided in your Protection Activation Guide, which you receive when you first sign up for service. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 33

43 Check Your MX Record Protection Administrator Guide Check Your MX Record Be aware that because of the nature of the Internet, it may take several days for your MX record redirect to propagate to all the servers that may be sending to your server. During that time, your server may still receive directly from those servers until they are updated with your latest MX record information. The MX Record Analysis window allows you to query Protection or your company s Authoritative DNS Name Server for the MX Records that are recognized for the SMTP server names for a domain. You can then confirm that all the IP records that are configured for your domain s MX Records are correctly redirected to Protection. The analysis indicates the following: All Authoritative Name Servers for the entered DNS name All MX Records that are recognized by the Authoritative Name Servers this process retrieves all the MX Records for a given domain Whether the hostname for each MX Record is a valid hostname, an outdated hostname that will work but should be updated, or an unrecognized hostname which may be allowing to be routed around Protection This window also indicates the recommended values (using the default values configured at the system level for Protection) to assist you in determining whether your MX Records are redirected correctly. For example, if all the SMTP servers defined for a domain do not show the same information, this can indicate that your MX Records are not defined correctly. Note: This feature must be enabled at the system level to be available in Protection. 1 Click Protection Setup MX Records. The MX Record Analysis window is displayed. 34 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

44 Check Your MX Record By default, the window shows the results of a DNS lookup by Protection on the IP addresses you submitted to your Internet Service Provider. The column headings show the following: Field MX Record Analysis Results for MX Records returned by Description The domain for which a DNS lookup was performed. The name of the DNS server, which can be the DNS server of your Protection provider or a DNS server from your company, if selected. Under each MX Records returned by heading, MX records should be listed that were set by your Internet Service Provider, along with the priority preference of the record, and the status of the MX record. Valid MX Record is current and fully authenticated. Valid recommend update MX Record uses an older hostname standard. It still works, but it is recommended that you update to the current hostname standard. Unrecognized MX Record could not be authenticated and may be allowing to enter your system bypassing Protection. This situation, if occurring within 72 hours of the MX Record change, may indicated the changes are not yet complete. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 35

45 Set up User Creation Mode SMTP Discovery or Explicit Protection Administrator Guide 2 Check the Recommended MX Record Settings. This section indicates a list of typical MX Record configurations using the system-defined default values and the currently selected domain name. Note that this list may not match your actual MX Record configurations. These values are configured at the system level. You can alternatively enter a fully-qualified DNS Server name at your company in the Target Authoritative Name Server field, then click Analyze. This capability is helpful if the default display of MX records appears to be incomplete or in error. Similar results to those returned by Protection provider s DNS Server might occur. Note: You can also select the View only this name server link to reduce the number of DNS server lists of MX Records. Click the View all name servers link list all DNS servers again. Set up User Creation Mode SMTP Discovery or Explicit Note: This procedure applies only if your service includes Protection. Explicit user creation means that you must add user addresses using one of the methods that are described later. SMTP Discovery means that users are created automatically based on SMTP transactions. That is, several incoming messages to a user indicate that the user exists for the customer. As a result, Protection creates that user in the Control Console. SMTP Discovery is the default setting for a new customer, such that at initial startup of service, users might be created in the Control Console without any administration by you, the Customer Administrator. Note: Only messages delivered to recipient addresses in a primary domain are counted for the purpose of user creation. Messages sent to recipient addresses in alias domains are not counted. When the action is deny, the is rejected and an error message is displayed to the sender. If you use Directory Integration, explicit user creation is highly-recommended. To turn on Explicit User Creation, perform the following steps: 1 Click Protection Setup. 2 Click User Creation Settings. 36 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

46 Set up User Creation Mode SMTP Dis- 3 Under the User Creation Mode heading, select Explicit. 4 Click Save. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 37

47 Set up User Creation Mode SMTP Discovery or Explicit Protection Administrator Guide 38 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

48 Enterprise or Service Provider Customer 5. Customize Inbound Mail Filters Protection has default inbound and outbound mail filters to block and clean malicious and to quarantine that might be malicious. The filters are configured by using policies, which are the parameters for the filters Default policies are automatically assigned to each of your domains. You can customize the default inbound policy for any and each domain, or any and each group, to fit your business needs. To change customers, select the link in the upper right of the opened window. In the Select window, begin entering the name of the entity you want and select that entity when a list of entities appears. Enterprise or Service Provider Customer Important: This document is for use by Enterprise customers only. The way in which custom policies are applied to your users varies depending on whether you are classified as a service provider or enterprise customer. If you are a service provider customer, each domain can have one custom policy (see Figure 7). If you are an enterprise customer, a single default policy applies to all domains. Thus, for an enterprise customer, you must create a group or groups of users, and for each group, you can create a custom policy. A group can be created according to domain membership (see Figure 8) or according to any other user characteristics that may apply across multiple domains (see Figure 9). For procedures, see Create a Group in Account Management Administrator Guide. Note: Because a group defined by an enterprise customer can contain users from different domains, a group policy does not apply to a domain, but rather to the group of users to which it is defined. A custom group policy supersedes the default policy that is assigned to all domains. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 39

49 Enterprise or Service Provider Customer Protection Administrator Guide Figure 6: Service Provider Custom Policy Assignment Figure 7: Enterprise Custom Policy Assignment (Groups by Domain) 40 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

50 Create a Custom Policy (Enterprise Cus- Figure 8: Enterprise Custom Policy Assignment (Groups by Other Attributes) Create a Custom Policy (Enterprise Customer Only) Important Note: It is assumed that all domains within an Enterprise Customer will have the same package assigned to them. If some domains have different packages, unexpected results may occur. when a policy is applied to a group in which members reside within different domains. 1 Click Protection Policies Inbound Policies link. 2 Click New to launch the New Policy window. The New Policy Set fields are displayed. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 41

51 Create a Custom Policy (Enterprise Customer Only) Protection Administrator Guide Field Description Name Owner Description Direction Copy From Copy Sender Allow List Copy Sender Deny List Copy Recipient Shield List Copy ClickProtect Allow List Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy. The Owner heading indicates who can edit the policy. If the owner is Customer, only Customer Administrators can edit the policy. If the owner is Group, then Group Administrators assigned to that group, as well as Customer Administrators, can view or edit the policy. Enter a description of the new policy set. From the drop-down menu, select the direction of , inbound SMTP or outbound SMTP, for which this policy will be configured. From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields. Select to copy the Sender Allow list from the policy set selected in the Copy From field. Selectto copy the Sender Deny list from the policy set selected in the Copy From field. Select to copy the Recipient Shield list from the policy set selected in the Copy From field. Select to copy the ClickProtect Allow list from the policy set selected in the Copy From field. 3 Click Save. The Policy Sets list is updated with the new policy. You can now modify the new policy to meet your business needs. 42 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

52 Configure a Virus Filter Configure a Virus Filter Protection uses multiple virus scanning applications to analyze to determine if a virus may be present. In your custom policy, you can configure how Protection handles an that contains a known virus. Important Note: If an is detected that contains a wide-spread worm or virus (for example, SoBig or MyDoom), Protection may automatically block that , regardless of the settings in your custom policy. To create a new policy content filter, perform the following steps: 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Virus. The Actions window is displayed. 4 Complete the fields as described in the following table. Field Description November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 43

53 Configure a Virus Filter Protection Administrator Guide If a Message Contains a Virus If a Message Cannot be Cleaned Select an action Protection should take if an contains a virus: Do nothing Protection sends the to the recipient with no filtering or notification. Caution: This action is potentially hazardous because the will still contain the virus. Quarantine the message after attachment is stripped Protection strips an infected attachment from the and sends the to quarantine with the message that an attachment had been stripped. Protection does not send a separate notification to the recipient. Strip the attachment Protection strips the infected attachment from the and sends the to the recipient. Protection inserts text into the to notify the recipient that an attachment has been stripped. Deny delivery Protection denies delivery of the . Clean the message Protection attempts to remove the virus content and save the remainder of the message. If successful, Protection sends the to the recipient with the message that the had been cleaned of a virus. If you select this action, you must also select an action for the If a Message Cannot be Cleaned field. If you previously selected Clean the message, select an action Protection should take if Protection fails to clean an infected Quarantine the message after attachment is stripped The infected attachment is stripped from the and the is sent to the recipient s virus quarantine area without notification to the recipient. Text is inserted into the indicating that an attachment has been stripped. Strip the attachment The infected attachment is stripped from the and the is sent to the recipient. Text is inserted into the notifying the recipient that an attachment has been stripped. Deny delivery The is denied delivery. 5 Click Save or click on the Notifications under the Virus tab. Set Protection to Notify Users about s with Viruses You can direct Protection to send notification s to the recipient and/or sender when an is filtered because it contained a known virus. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users. Note: Virus notifications will not be sent out for s that are infected with widespread viruses or worms (for example, SoBig or MyDoom). These notifications will be automatically disabled by the Protection. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Virus. 44 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

54 Configure a Spam Filter 4 Click Notifications. 5 Complete the following fields: Field To the sender when a message is due to a virus infection To the recipient when a message is due to a virus infection Description Select one or more conditions that will cause Protection to send a notification to the sender. Quarantined The infected was quarantined. Denied delivery The infected was denied delivery. Stripped The infected attachment was stripped and the sent to the recipient. Select one or more conditions that will cause Protection to send a notification to the recipient. Quarantined The infected was quarantined. Denied delivery The infected was denied delivery. Stripped The infected attachment was stripped and the sent to the recipient. Configure a Spam Filter Protection spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework to determine if is spam. Based on this analysis, Protection give each a score. There are three scores are used to determine the likelihood of spam and what actions should be taken. Those scores are: Medium likelihood if default settings are used. This is normally quarantined for review. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 45

55 Configure a Spam Filter Protection Administrator Guide High likelihood if default settings are used. This is normally quarantined for review. Critical likelihood. This spam is blocked. If you specified an additional Realtime Blackhole List (RBL) in the Spam window of the assigned policy, the RBL can influence the spam score as well. To configure a spam filter, you can perform the following tasks Define the Action to Take on Spam Spam Content Groups Subtab Spam Reporting Subtab Define the Action to Take on Spam 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Spam. The Classification window is displayed. 4 Complete the following fields: Field Description 46 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

56 Configure a Spam Filter If a Message is Probably Spam (Medium likelihood) area Select an action Protection should take if an has a spam score of 90% or higher: Tag the message subject with [SPAM] Protection adds the phrase [SPAM] to the beginning of the s subject text and sends the to the recipient. Quarantine the message Protection sends the to quarantine. Deny delivery Protection denies delivery of the . Note: s that have the following actions applied will be reported as Other in the Threats: Spam report. Do nothing Protection sends the to the recipient with no filtering or notification. If a Message is Probably Spam (High likelihood) area Select an action Protection should take if an has a spam score of 99.9% or higher. These actions are the same as those for Medium likelihood. 5 Click More Options if you want to enable a Real-time Black Hole List. Otherwise, go to step 8. Multiple real-time blackhole lists (RBLs) of known spammers are provided by the industry, from which Protection creates a single RBL indicator to assess the risk of an originating from a known spammer. The use of multiple blackhole lists to create a single vote and rate the reputation of each RBL for accuracy helps to minimize the possibility of blocking a non-spammer by mistake. 6 If you clicked More Options, click the Enable Real Time Blackhole List (RBL) checkbox. Note: You can also block spammers by completing a Sender Deny List under the policy s Allow/Deny option. 7 Click Save or click on Content Groups under Virus. Define Additional Words That Indicate Spam Protection spam content filtering controls spam by comparing the content (subject and body) of an against predefined lists of keywords or phrases (spam content groups). You can define a custom spam content group that contains additional lists of keywords that are used to filter as spam. For each content group, you also define the action to take on that contains a keyword. If the action is to send spam matches to quarantine, users who receive Spam Quarantine Reports can view the matching messages in the quarantine. Note: A spam content group does not analyze the content within attachments. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 47

57 Configure a Spam Filter Protection Administrator Guide The action for a content group you define overrides spam actions for Protection default spam filters. For example, if Protection determines that an has a medium likelihood of being spam and also contains a keyword that is in your spam content group, the action defined for your spam content group is applied. However, if you also define content filtering on the Content Content Groups window (see Configure a Content Filter, that content filter overrides the keyword filtering you define on the following Spam Content Groups window. In addition, spam identified by the Content Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click the Spam. 4 Click Content Groups. 5 Double-click the Content Group you wish to modify. 6 In the Group Name field, type the name of your spam content group. This name should summarize the kind of keywords you want Protection to look for. For example, you might want to identify musical terms, such as concert, music, rock, jazz, and so on, as spam. In this case, your group name might be music. 7 From the Action drop-down menu, select an action to take if an matches a keyword: None The is forwarded to the recipient address. Quarantine the message The is sent to the recipient's domain content quarantine area. Deny Delivery The is denied delivery. Allow The is sent to the recipient address. Note: The Allow option is useful if you want to override standard Protection spam content filtering for particular keywords. 48 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

58 Configure a Spam Filter Note: s that match keywords but are allowed will be reported as Other in the Threats: Spam report. Tag the message subject with "[SPAM]" The phrase "[SPAM]" is added to the subject line of the at the beginning of the subject text and the is sent to the recipient address. Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption. Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down. 8 Content List the content keywords needed to define your Custome Content Group.In the Content field, type any keywords you want to search for in . Use the following rules for entering keywords. Each entry must be on its own line (separated by a hard return). If an entry contains multiple words, the entire phrase is used as a literal string (as is). If individual words are desired, each word must be on its own line. Letter-case (for example, upper case or lower case) is ignored. The wildcards question mark (?) and asterisk (*) can be used to designate the following:? designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, w?y would catch way, why, and w y. * at the end of the string designates multiple characters until a white space character is encountered. For example, refi* would catch refinance, refinancing and refine. * followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered. For example, refi*d would catch refinanced, but would also catch refinishing is a great way to save d. If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, \* or \?). 9 For example, why\? (without quotes) would catch the string why? and the question mark would not be used as a wildcard.click the Enable checkbox to turn on the spam content group. 10 Click Save for the new spam content group. 11 Click Save for the policy or continue to the Reporting tab. To change a policy s existing spam content group, click Edit. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 49

59 Configure a Spam Filter Protection Administrator Guide Set up Spam Quarantine Reports When Protection scores and determines that might be problematic, but the is not clearly a security risk, Protection place the into quarantine. You can set up quarantine reports so that users can see which of their messages were filtered and placed in quarantine. You can also determine how much control users have over these reports, including: How reports are formatted. How often reports are sent How Spam is filtered What actions users can take on quarantined See the Protection User Guide on how users might manage quarantine reports. To set up quarantine reports for users, perform the following steps: 1 Click Protection Policies. 2 Select a policy set for which the quarantine reports will apply. 3 Click Spam Reporting. 4 Under the Enable Spam Quarantine Reporting for heading, select one of the following options: All users All user accounts associated with the policy set receive Spam Quarantine Reports. Note: Users must be able to log into the Control Console to manage their spam quarantine areas. Selected users Only those user accounts configured for Spam Quarantine Reports on the User Management windows receive the reports. No users No users associated with this policy set receive Spam Quarantine Reports. 50 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

60 Configure a Spam Filter 5 Under the Default Settings heading, complete the following field: Field Frequency Report Type HTML Format Description From the Frequency drop-down menu, select how often users receive Spam Quarantine Reports if they have in spam quarantine. From the Report Type drop-down menu, select the content that each Spam Quarantine Report should contain: HTML All Quarantined All s in your spam quarantine area are listed in the Spam Quarantine Report. HTML New Items Since Last Report Only those s received since the previous Spam Quarantine Report are listed in the Spam Quarantine Report. Text Summary A text-only notification is sent to you with a link to your spam quarantine, instead of the Spam Quarantine Report. This option supports users with applications that do not support HTML content. Text New Items Since Last Report A text-only report is sent to you that indicates how many new s have been quarantined as spam since the last report and the total number of spam s in your spam quarantine. The report also lists the messages that have been quarantined since the last report. From the HTML Format drop-down menu, select one of the following: HTML with Actions The links Allow, Deny, and Release are enabled in the Spam Quarantine Reports. HTML without Actions The links Allow, Deny, and Release are disabled in the Spam Quarantine Reports. Users must log into the Control Console to perform these actions. Note: This field is ignored if the Report Type field is set to Textonly Summary. 6 Under the Spam Quarantine Report Security Settings heading, complete the following fields: Field Report Links Description From the Report Links drop-down menu, select the number of days after which the links in the Spam Quarantine Report become inactive. A low value may not give the users enough time to review their Spam Quarantine Report and perform any spam management. A high value might increase the security risk of unauthorized access into the Control Console using an old Spam Quarantine Report. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 51

61 Configure a Spam Filter Protection Administrator Guide Field Restrict user rights when accessing quarantine from spam quarantine report Description Select this field Selectso that administrator-level users will be logged in with role of User when accessing the Spam Quarantine Reports. If you leave the checkbox blank, administrator-level users will be logged as their administrative role. Note: Selecting this option is recommended to provide additional security for the Control Console. This option applies to all administrative levels, including Reseller Administrators, Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers. 7 Under the Other Options heading, select any or all of the following options: Field Allow users to personalize spam filtering actions Allow users to personalize delivery frequency Allow users to personalize report type Allow users to opt out of spam filtering Enable Always Deny shortcut from spam quarantine report Show spam score on spam quarantine report Allow users to download Spam Control For Outlook Description Select to allow users to customize actions that Protection takes on that is likely to be spam. Users actually select the actions on spam from the Preferences window on the Control Console. Select to allow users to change the frequency with which they receive Spam Quarantine Reports. Users select the frequency of reports from the Preferences window on the Control Console. Select to allow users to change the default settings you set in the Report Type field on this window. Users can change the Report Type from the Preferences windowwindow on the Control Console. Select to allow users to turn filters for spam on or off. Users can turn off spam filtering from the Preferences window on the Control Console. Select to enable the Always Deny link in user s Spam Quarantine Reports, the Message Quarantine windows, and the Safe Message View window. If you leave the checkbox blank, users must go to the Allow/Deny Sender Lists window to change their Allow or Deny lists. Select to display the spam likelihood score for each quarantined message in the Spam Quarantine Reports. Select to display a link in Spam Quarantine Reports, from which users can download the Spam Control For Outlook utility. The location from which the utility is downloaded is configured in the Branding Settings window. Note: This feature can be enabled or disabled at the system level. 52 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

62 Configure a Content Filter Field Allow nonadmin users to sign in directly to the Control Console Display message content in Safe Message View Display user addresses in spam quarantine report Allow users to configure alternate address for spam report delivery Description Select to allow users to log into the Control Console using the Sign in window. Note: This feature does not affect the ability of users to log in by clicking a link in a Spam Quarantine Report. If Control Console access is not enabled and users do not receive the Spam Quarantine Report, the Quarantine Manager or higher level roles must perform any changes to the user settings, maintenance of the users spam quarantine, etc. Select to allow users to view the body content of an in the Safe Message View window. If you leave the checkbox blank, the user must release the to see what it contains in the body content. Select to enable the view of user addresses in the HTML SQR report so that users do not have to scroll through multiple addresses before they get to the quarantine items. Select to allow users to choose an alternate address to reroute their Spam Quarantine Report if needed. Users may go to Account Management User Preferences to add their alternate. Alert! Please be advised that redirecting a user's SQR allows the chosen alternate recipient to have full access to their Control Console account, including access to that user's Preferences. Therefore; please encourage the user to choose their alternate address carefully. 8 Click Save. Configure a Content Filter You can create a custom content filter. The content filter does the following: Blocks or quarantines the that contains prohibited keywords. Notifies the sender or recipient when an has been quarantined or blocked. Blocks HTML malicious tags or prohibited images. Manages the ability for users to click on links in . Note: Content filtering does not analyze the content within attachments. Note: You also define content filtering on the Spam Content Groups window (see Configure a Spam Filter, the Content Content Groups overrides the keyword filtering you define on the following Spam Content Groups window. In addition, spam identified by the Content Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 53

63 Configure a Content Filter Protection Administrator Guide Note: Due to the nature of the content filtering, the window images may contain offensive material. To create a new policy content filter, perform the following steps: 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Content. The Content Groups window is displayed, showing the default content groups. Profanity Racially Insensitive Sexual Overtones You cannot change the keywords in these groups. The Content Group Policy fields are displayed. Protection also provides predefined content groups that contain valid and acceptable personal identifiable information that is allowed in messages due to specific policies. You cannot edit these content groups, but can designate whether or not they are used. Following are the two types of predefined content groups: Credit Card Number Social Security Number The Credit Cards that are supported include AMEX, VISA, MC, and DISC. Note: Credit Card Numbers and Social Security Numbers can be represented or formatted in various ways and Protection may not be able to capture all messages that contain this information. More Options If a Customer or Domain subscribes to Encryption, then selecting this option can be used to enforce Encryption if the outbound message contains the word [encrypt]. The word, [encrypt] can reside in the message subject line or the body of the outbound message. 54 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

64 Configure a Content Filter Note: This option is only available on the Outbound Policy Content Group window. 1 Click Edit or double-click on your selected Content Group, you may perform the following: Group Name This defaults to the name of your selected group. Content This field is disabled for Content Groups 2 From the drop-down Action list, the following actions may be applied to a Content Group None The is forwarded to the recipient address. Quarantine the message The is sent to the recipient's domain content quarantine area. Deny Delivery The is denied delivery. Allow The is sent to the recipient address. Tag the message subject with "[SPAM]" The phrase "[SPAM]" is added to the subject line of the at the beginning of the subject text and the is sent to the recipient address. Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption. 3 Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down. 4 Click Save Turn Off a Default Content Filter You can deactivate any of the Protection default content filters if you want to allow containing those keywords to be delivered or you want to replace the list of keywords with your own list. Note: Instead of turning off the content filter, you can also choose the action None for the filter. In this case, Protection filters , but delivers matching to users with no other notifications or marking. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Content. The Content Groups window is displayed, showing the default content groups. Profanity Racially Insensitive Sexual Overtones 4 Double-click one of the default content groups. 5 Uncheck the Enable checkbox. 6 Click Save. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 55

65 Configure a Content Filter Protection Administrator Guide Custom Content Group The Custom Content Groups subtab allows customers to define their own custom content keyword group and assist in monitoring their . By configuring a Content Group, the customer can determine how the system reacts if it receives an that contains text that violated that content policy. Customers can also define a different action for each content group. Note: If the content group is enabled, then will be filtered for that content. 1 Click New or double-click your selected Custom Content Group,and perform the following: 2 Group Name: select and type of your Custom Content Group. 3 Content List the content keywords needed to define your Custome Content Group.In the Content field, type any keywords you want to search for in . Use the following rules for entering keywords. Each entry must be on its own line (separated by a hard return). If an entry contains multiple words, the entire phrase is used as a literal string ( as is ). If individual words are desired, each word must be on its own line. Letter-case (for example, upper case or lower case) is ignored. The wildcards question mark (?) and asterisk (*) can be used to designate the following:? designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, w?y would catch way, why, and w y. * (without quotes) at the end of the string designates multiple characters until a white space character is encountered. For example, refi* would catch refinance, refinancing and refine. * followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered. 56 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

66 Configure a Content Filter For example, refi*d would catch refinanced, but would also catch refinishing is a great way to save d. If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, \* or \?). For example, why\? (without quotes) would catch the string why? and the question mark would not be used as a wildcard. Caution: It is possible to create wildcard combinations that will filter valid , including all , and/or will substantially slow processing. Be very careful if you use wildcards to ensure that only the desired content is filtered. 4 From the Action drop-down menu, select an action to take if an matches a keyword: None The is forwarded to the recipient address. Quarantine the message The is sent to the recipient's domain content quarantine area. Deny Delivery The is denied delivery. Allow The is sent to the recipient address. Note: The Allow option is useful if you want to override standard Protection spam content filtering for particular keywords. Note: s that match keywords but are allowed will be reported as Other in the Threats: Spam report. Tag the message subject with "[SPAM]" The phrase "[SPAM]" is added to the subject line of the at the beginning of the subject text and the is sent to the recipient address. Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption. Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down. 5 Click the Enable checkbox to turn on the spam content group. 6 Click Save for the new spam content group. 7 Click Save for the policy or continue to the Notifications tab. Notify Users about Spam Content You can direct Protection to send notification s to the recipient and/or sender when an is filtered because it contained spam content. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users. Note: Virus notifications will not be sent out for s that are infected with widespread viruses or worms (for example, SoBig or MyDoom). These notifications will be automatically disabled by the Protection. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 57

67 Configure a Content Filter Protection Administrator Guide 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Content. 4 Click Notifications. Complete the following fields: Field To the sender when a message is due to a content group violation To the recipient when a message is due to a content group violation Description Select one or more conditions that will cause Protection to send a notification to the sender. Quarantined The infected was quarantined. Denied delivery The infected was denied delivery. Select one or more conditions that will cause Protection to send a notification to the recipient. Quarantined The infected was quarantined. Denied delivery The infected was denied delivery. Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons You can configure how Protection filters for HTML attachments or various forms of HTML coding within . 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Content. 4 Click HTML Shield. 58 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

68 Configure a Content Filter 5 Under HTML Shield Protection, select one of the following options: Field Low Medium High None Description Select this option to remove only malicious HTML tags from the and forward the to the recipient. Text is added to the to indicate that HTML content was removed. Select this option to remove the following HTML content from the and forward the to the recipient: Malicious HTML tags HTML comments and attributes All Java, Javascript, and ActiveX code Text is added to the to indicate that HTML content was removed. Select this option to remove all HTML content, including scripts as in the Medium option, from the and to forward the to the recipient. Text is added to the to indicate that HTML content was removed. Select this option to not perform HTML filtering on . 6 Under Options for Low and Medium Setting, sselectelect Enable spam beacon and web bug blocking to block spam beacons and web bugs. A spam beacon can reveal user activity to spammers while flagging the recipient s address as active. A Web bug is any one of a number of techniques used to track who is reading a Web window or , when, and from what computer. A Web bug can also be used to see if an was read or forwarded to someone else, or if a Web window was copied to another Website. Note: This option is available only if you picked the Low or Medium options for HTML filtering. 7 Select Replace all image links with a default transparent image to eliminate objectionable images in . This option replaces links to images in with links to an image with one transparent pixel. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 59

69 Configure a Content Filter Protection Administrator Guide Note: This option is available only if you picked the Low or Medium options for HTML filtering. 8 Click Save or continue to ClickProtect. Configure Web Hyperlink Filters (ClickProtect) You can configure whether Web hyperlinks in are blocked or can be clicked and followed by the user. You can also designate a ClickProtect Allow List of URL addresses that are excluded from the ClickProtect processing (for example, your corporate URLs). As another option, you can set tracking of links that are clicked so that they are reported in the ClickProtect: Click Log Report. Caution: ClickProtect only processes links in s with accepted message formats, which include HTML or Rich Text 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Content. 4 Click ClickProtect. 5 Click one of the following options: Disable ClickProtect Disables this feature completely and allows users to click and access Web hyperlinks in the s without logging information in the system. Display warning message before redirecting Displays a dialog box with a customizable warning message. Users can then either stop the click-through process or continue to the Web site. Display warning message and deny click-throughs Displays a dialog box with a customizable warning message and does not allow users to continue with the click-through process. 60 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

70 Configure a Content Filter 6 If you clicked one of the last two options above, overtype the text in the Warning Message text box. You can also leave the default text if desired 7 In the Allow URL or IP field, type URL or IP addresses that you want to allow users to access and bypass ClickProtect processing. The following values are allowed: IP Address Complete address (for example, ) or partial address with wild cards (for example, *). Domain Name Qualified domain name (for example, xyz.com) or subdomains (for example, *@*.xyz.com denies s from any subdomain of the XYZ domain, such as user@abc.xyz.com). If you know you want to allow all s from this domain, then use this option instead of typing in each address associated with the domain. The following list provides some examples of allowable URLs domainname.com The following are not accepted in domain names: slashes IP addresses. 8 Click Add. The value is added to the list box. Note: (This step is only available to certain user roles, when a user-defined policy set is selected.) If you want to include the values listed for the Default Inbound policy set, select the check box located beneath the list. Upload a List of Allowed URLs You can create a list of allowed URLs and upload that list to the Control Console. To upload a list, perform the following steps: 1 Create a file with a predefined list of URLs. The predefined list must be in the following format: Must be a text file One entry per line File must be available for your browser to access 2 On the ClickProtect window, go to the More Options section. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 61

71 Define an Attachment Filter Protection Administrator Guide Additional fields are displayed. 3 To upload the file, click Browse next to the Upload List field and locate the file. 4 Click Upload Allow List. The contents are added to the ClickProtect Allow List box. 5 Click Save. Download a List of Allowed URLs from the Control Console If you want to download the list of allowed URLs to your local drive, click Download ClickProtect Allow List. The downloaded list is a file in CSV format. You can open it in Microsoft Excel. Define an Attachment Filter You can create a customer attachment filter. You can filter for attachments based on the following criteria: Filter by Attachment File Types, including file size. Filter by Attachment File Name Filter Zip File Attachments Filter by Attachment File Types To filter by file type, you must define the following: What file types are allowed to be received File size restrictions on the allowed file types 62 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

72 Define an Attachment Filter The action that will be used if an violates any of the file type attachment policies To create a new policy content filter, perform the following steps: 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Attachments. The Attachments: File Types window is displayed. 4 For each file type in the Allowed Attachment Types section, select one of the following options from the drop-down menu: Disallow All containing this file type are blocked. A file size, such that an with a file of this file type that exceeds the file size is blocked. Max 500 KB Max 1 MB 2 MB 5 MB 10 MB 15 MB Any size with this file type is allowed and delivered. Note: By default, each listed attachment file type is allowed unless you specifically select it to be disallowed, except for the types Executables and Scripts. These two file types are relatively easy to self-invoke from an , and thus increase the security risk of a self-running virus or worm. The following table lists the file extensions associated with each file type: File Type Microsoft Word Documents *.doc, *.dot, *.rtf, *.wiz Example File Extensions November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 63

73 Define an Attachment Filter Protection Administrator Guide Microsoft Powerpoint Documents Microsoft Excel Documents Microsoft Access Files Other Microsoft Office Files Adobe Acrobat (PDF) Files Macintosh Files Compressed or Archived Files Audio Files Video/Movie Files Image Files Executables Scripts File Type ASCII Text Files Postscript Files *.pot, *.ppa, *.pps, *.ppt, *.pwz *.xla, *.xlb, *.xlc, *.xlk, *.xls, *.xlt, *.xlw *.adp, *.ldb, *.mad, *.mda, *.mdb, *.mdz, *.snp *.cal, *.frm, *.mbx, *.mif, *.mpc, *.mpd, *.mpp, *.mpt, *.mpv, *.win, *.wmf *.abf, *.atm, *.awe, *.fdf, *.ofm, *.p65, *.pdd, *.pdf *.a3m, *.a4m, *.bin, *.hqx, *.rs_ *.arj, *.bz2, *.cab, *.gz, *.gzip, *.jar, *.lah, *.lzh, *.rar, *.rpm, *.tar, *.tgz, *.z, *.zip *.aff, *.affc, *.aif, *.aiff, *.au, *.m3u, *.mid, *.mod, *.mp3, *.ra, *.rmi, *.snd, *.voc, *.wav *.asf, *.asx, *.avi, *.lsf, *.lsx, *.m1v, *.mmm, *.mov, *.movie, *.mp2, *.mp4, *.mpa, *.mpe, *.mpeg, *.mpg, *.mpv2, *.qt, *.vdo *.art, *.bmp, *.dib, *.gif, *.ico, *.jfif, *.jpe, *.jpeg, *.jpg, *.png, *.tif, *.tiff, *.xbm Note: This file type defaults to Disallow. *.bat, *.chm, *.class, *.cmd, *.com, *.dll, *.dmg, *.drv, *.exe, *.grp, *.hlp, *.lnk, *.ocx, *ovl, *.pif, *.reg, *.scr, *.shs, *.sys, *.vdl, *.vxd Note: This file type defaults to Disallow. *.acc, *.asp, *.css, *.hta, *.htx, *.je, *.js, *.jse, *.php, *.php3, *.sbs, *.sct, *.shb, *.shd, *.vb, *.vba, *.vbe, *.vbs, *.ws, *.wsc, *.wsf, *.wsh, *.wst *.cfm, *.css, *.htc, *.htm, *.html, *.htt, *.htx, *.idc, *.jsp, *.nsf, *.plg, *.txt, *ulx, *.vcf, *.xml, *.xsf *.cmp, *.eps, *.prn, *.ps Example File Extensions All Other Files Any file extensions that are not included in the other file types 5 In the Action to take for Disallowed Attachments section, select one of the following options: Do nothing Protection sends the to the recipient with no filtering or notification. Deny delivery Protection denies delivery of the Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

74 Define an Attachment Filter Strip the attachment Protection strips the attachment from the and the is sent to the recipient. Text is inserted into the notifying the recipient that an attachment has been stripped. Quarantine the message Protection sends the to quarantine. 6 Click Save or continue to the Filename tab. Filter by Attachment File Name You can create custom filter to filter for specific file names. This filter overrides any conflicting file type policies you may have defined. To define a filter for attachment file name, perform the following steps: 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Attachments. The Attachments: File Types window is displayed. 4 Click Filename Policies. The Filename Policies window is displayed. 5 Click New. The New Attachment Filename Policy section is displayed. 6 From the Filter drop-down menu, select one of the following: Is Protection filters for file names that have an exact match to the text in the Value field. For example, if you want to filter for the file name config.exe and no others, you must select Is and then type config.exe in the Value field. For this example,, the Is option has the meaning File name IS config.exe. Contains Protection filters for file names that contain the text in the Value description anywhere within the filename string. For example, if you want to filter for any file that contains config in its name, like postconfig or config.ini, select this option. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 65

75 Define an Attachment Filter Protection Administrator Guide Ends with Protection filters for file names that end with the text in the Value description. For example, if you want to filter for any executable files ending with.exe, select this option. 7 In the Value field, type the name or partial name with which Protection should search incoming . For example, if you want Protection to search for any file containing the text config, type config. 8 From the Action drop-down menu, select one of the following options: Do nothing Protection sends the to the recipient with no filtering or notification. Deny delivery Protection denies delivery of the . Strip the attachment Protection strips the attachment from the and the is sent to the recipient. Text is inserted into the notifying the recipient that an attachment has been stripped. Quarantine the message Protection sends the to quarantine. 9 Ignore the Silent Copy drop-down list. No silent copy will be sent. 10 Click Save to save the new filename filter. 11 Click Save for the policy or continue to the Additional Policies tab to filter for zip file attachments. Filter Zip File Attachments You can create a custom filter for zipped file or compressed file attachments. These policies are ignored unless the Compressed or Archived Files filetype is allowed in the Attachments: File Types window. To define a filter for attachment file name, perform the following steps: 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Attachments. The Attachments: File Types window is displayed. 4 Click Additional Policies. The Additional Attachment Policies window is displayed. 66 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

76 Define an Attachment Filter 5 From the Message contains high-risk attachment drop-down menu, select one of the following options: Allow delivery Protection sends the to the recipient with no filtering or notification. Quarantine the message Protection sends the to quarantine. Deny delivery Protection denies delivery of the . This action applies if an has an attachment that is a zipped file and that violates any of the following rules: The zip file itself is too large ( > 500MB). A file contained in the zip file is too large ( > 100MB). The zip file contains too many files ( > 1500 files). The compression rate is too high ( > 95% compressed). The zip file contains too many levels of nesting ( > 3 levels). 6 From the Message contains an encrypted zip attachment drop-down menu, select one of the following options: Allow delivery Protection sends the to the recipient with no filtering or notification. Quarantine the message Protection sends the to quarantine. Deny delivery Protection denies delivery of the . The action applies if an message has an attachment that is a zipped file and is encrypted and password-protected. This format is commonly used to prevent scanning for viruses in zipped files. 7 From the File in zip attachment violates attachment policy drop-down menu, select one of the following options. Attachment policy action The action for the specific policy that was violated will be performed on the entire attachment. If multiple policies were violated, the policies defined in the Attachment Filename Policies subtab override the policies defined in this subtab. Do nothing The is sent to the recipient with no filtering applied. The action applies if an that has an attachment that is a zipped file and the zipped file contains files that violate the previously-defined filters for attachments. Notify Users about Attachment Violations You can direct Protection to send notification s to the recipient and/or sender when an is filtered because it contained an attachment violation. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Attachments. 4 Click Notifications. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 67

77 Allow or Deny to or from Specific Addresses Protection Administrator Guide 5 Complete the following fields: Field To the sender when a message is due to an attachment policy violation To the recipient when a message is due to an attachment policy violation Description Select one or more conditions that will cause Protection to send a notification to the sender. Quarantined The that contained an attachment violation was quarantined. Denied delivery The that contained an attachment violation was denied delivery. Stripped The infected attachment was stripped and the sent to the recipient. Select one or more conditions that will cause Protection to send a notification to the recipient. Quarantined The that contained an attachment violation was quarantined. Denied delivery The that contained an attachment violation was denied delivery. Stripped The violating attachment was stripped and the sent to the recipient. 6 Click Save. Allow or Deny to or from Specific Addresses You can define lists of sender addresses, domain names, or IP addresses whose is always delivered to your users, or conversely, whose is always denied delivery. In addition, you can define lists of recipient addresses that are always denied receiving Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

78 Allow or Deny to or from Specific The Sender Allow and Sender Deny lists are used in combination with the user-level Allow and Deny lists that can be defined for specific user accounts. In the case of a conflicting entry (for example, the same address is in the user-level Allow list and the Sender Deny list at the policy set level), the lists defined in these tabs override the user-level lists. The allowed maximum of items for each list is defined at the system level and may vary for different installations of Protection. Allow from a Specific Address You can define a list of sender addresses whose will always be accepted without filtering. The exception is that virus filtering is always applied if licensed for that policy set, unless overridden by the user-level policy configurations. In addition, the userlevel Deny list will override the policy set-level Sender Allow list. You can add individual addresses one a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Allow/Deny. The Sender Allow window is displayed. 4 In the Add Address field, type the address of a sender whose should be delivered without filtering. The following values are allowed in the list entries: addresses Complete sender address or partial address with wildcards (for example, gsmith@domain.com or g*@domain.com) Domain names Complete domain name or partial name with wildcards (for example, domain.com ) IP addresses Complete IP address or partial address with wildcards (for example, or *) Note: CIDR notation is not allowed. Each IP address must be designated separately. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 69

79 Allow or Deny to or from Specific Addresses Protection Administrator Guide 5 Click Add. The address is added to the allowed address box on the right. 6 Repeat steps 4 and 5 for each address you want to add. 7 Click Save. You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List. Sender Policy Framework (SPF) You are able to whitelist a specific addess or domain and assign an SPF check to that address. Subsequent mail coming from the whitelisted domain is then checked against SPF records. Should the SPF check fail, the mail is denied. The following conditions apply to an SPF verification: If the record can be verified, then content and spam filtering is skipped for the sender s inbound messages. If the record cannot be verified, then filtering is not skipped for the sender s inbound messages. Note: If a sender on the allow list does not have an SPF record the inbound message is still allowed. Deny from a Specific Address You can define a list of sender addresses whose will always be denied regardless of filtering. This Deny list overrides the user-level Allow list. You can add individual addresses one a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Allow/Deny. 70 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

80 Allow or Deny to or from Specific The Sender Allow window is displayed. 4 Click Sender Deny. The Sender Deny window is displayed. 5 In the Add Address field, type the address of a sender whose should be denied without filtering. The following values are allowed in the list entries: addresses Complete sender address or partial address with wildcards (for example, gsmith@domain.com or g*@domain.com) Domain names Complete domain name or partial name with wildcards (for example, domain.com) IP addresses Complete IP address or partial address with wildcards (for example, or *) Note: CIDR notation is not allowed. Each IP address must be designated separately. 6 Click Add. The address is added to the denied address box on the right. 7 Repeat steps 4 and 5 for each address you want to add. 8 In the If the Sender is on the Sender Deny List section, select one of the following options: Accept and silently discard the message The is accepted, but is discarded without notification. Deny delivery The is denied delivery. 9 Click Save. You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 71

81 Allow or Deny to or from Specific Addresses Protection Administrator Guide Deny to a Specific Recipient You can define a list of recipient user addresses whose incoming will always be denied, regardless of filtering. For example, you can designate that s received to an ex-employee s user account are always denied. received for all alias addresses for the designated user account is also included in the Recipient Shield processing. You can add individual addresses one a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File. 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Allow/Deny. The Sender Allow window is displayed. 4 Click Recipient Shield. The Recipient Shield window is displayed. 5 In the Add Address field, type the address of a recipient whose should be denied. You can type a complete recipient address or partial address with wildcards (for example, gsmith@domain.com or g*@domain.com ). Note: The addresses must be defined in the primary Domain. Alias domain names are not allowed. 6 Click Add. The address is added to the recipient address box on the right. 7 Repeat steps 4 and 5 for each address you want to add. 8 In the If the Recipient is on the Recipient Shield List section, select one of the following options: Accept and silently discard the message The is accepted, but is discarded without notification. 72 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

82 Authentication Deny delivery The is denied delivery. Do nothing The is forwarded to the recipient address with no processing applied. 9 Click Save. You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List. Save a Copy of an Allow, Deny, or Recipient Shield List You can download the allow or deny list you have created so you can store a copy. To download a copy, perform the following steps. 1 On the Allow, Deny, or Recipient Shield window, click More Options. 2 Click Download [] List. A download window is displayed. Protection automatically creates a Microsoft Excel spreadsheet (*.csv file) containing the address list. You can choose to save the file or open it directly. Add Allow, Deny, or Recipient Shield Addresses with a Batch File 1 Using a text editor, create a text file that contains one address per line, and save it to your computer. 2 On the Allow, Deny, or Recipient Shield window, click More Options. Additional fields are displayed. 3 Click Browse and search for the text file you created. 4 Click Upload [] List. 5 Click Save. Authentication Transport Layer Security Transport Layer Security (TLS) has routinely been supported and is still supported by our Protection system. If a TLS connection can be negotiated between the sender and the recipient MTAs, then the system delivers the over TLS. If a TLS connection CANNOT be established between the sender or the recipient MTA, then the mail transfer November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 73

83 Authentication Protection Administrator Guide agent delivers, via SMTP, without encryption. Therefore, it is recommended that you specify a Sender s domain and/or sub-domain for this policy so that TLS is enforced. Thus, if TLS cannot be established, then the message will not be delivered and a bounce message will be generated to the sender, recipient, or both depending on the Notifications. Note: Enforced TLS requires a negotiation between our mail transfer agent and yours to be successful. You must have TLS turned on at your end to accomodate this transaction. Refer to your MTA software manual on How to enable/turn-on TLS to ensure TLS is implemented in your system prior to setting up your domain lists. From the Policy Set window select Authentication Enforce TLS tab and complete the following steps. Add Domain 6 To enter values into the TLS domain list enter the full address of the Sender/ Recipient s domain and/or sub-domain. NOTE: To enter values into the TLS domain list enter the full address of the Sender/ Recipient's domain and/or sub-domain. Any Sender/Recipient's domain or subdomain must be explicitly specified for enforced TLS. Specifying a Sender/ Recipient's domain doesn't automatically include any sub-domains of that domain. 7 Click the Add» button. The value is added to the list box. NOTE: The maximum number of values allowed in the Add Domain list is specified. This limit is defined at the system level (see the online help for the specific count). Any duplicate or invalid values are discarded automatically. 74 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

84 Authentication More Options Upload Enforced TLS List (appends to existing list): To Upload a file with a predefined list, click the Browse button. After you select the file and it's path appears in the text field, click the Upload button. The contents are added to the Add Domain box above. Download Enforced TLS List (be sure to save changes first): To Download a domain list in a csv file, click the Download button, select the list you wish to download and click Save. 8 Subscribe to Default TLS List By checking the subscription to the TLS default list you will be adding the appropriate Inbound/Outbound Default domain policy to your customized Enforced TLS domain list. The default list can be viewed by clicking the corresponding Inbound/Outbound Default selection under the Policies tab. This option is only available in custom (non-default) policy sets. NOTE: If the default list changes, your subscription to the default is updated to reflect those changes. Save 9 Click the Save button to save your information. Download To Download a domain list in a csv file, click the Download button, select the list you wish to download and click Save. Enforced SPF Sender Policy Framework (SPF) can be used by recipients to determine if the messages they receive were sent from someone authorized by the domain owner, which can help detect spoofing. SPF only works when domain owners implement and maintain it voluntarily. To implement SPF, domain owners must create special DNS entries which list the IP addresses that are authorized to send from their domain. recipients must compare an 's source IP address to the IP address in the domain owner's DNS SPF records. If they match, it is reasonable to assume that the message was sent by the domain owner or an authorized third party. Important SPF information: SPF implementation is voluntary and many domain owners have not implemented DNS SPF records, including many well-known commercially used domains. Even those that have implemented SPF might have outdated or inaccurate records, resulting in false positives. The only way to resolve this is to contact the domain owner and ask them to correct the issue. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 75

85 Authentication Protection Administrator Guide Nothing prevents spammers and hackers from implementing SPF, so it is not a reliable spam indicator - Many organizations allow third parties to send mail on behalf of their domain (authorized spoofing). These third parties must be authorized by the domain owner as part of their SPF records in order for recipients to successfully validate the third party messages. Hosted providers often give the same SPF records to all their customers, making it impossible to distinguish one customer from the another, thus reducing usefulness of the technology. Even when SPF is implemented and enforced, it is still possible for spammers to create very convincing spoofed s; therefore, continued user training and caution is advised. Create an Enforced SPF Domain Go to the Authentication Enforced SPF tab and complete the following information to implement an SPF domain. To enter values for the SPF domain list, enter the full address of the Sender domain and/or sub-domain, or use part of the domain using wildcards. Any Sender domain or subdomain must be explicitly specified for enforced SPF. Specifying a Sender domain doesn't automatically include any sub-domains of that domain. Examples of Wildcard use include any of the following: *.example.com example.* mysubdomain.*.* subdomain.*.example.com 1 Click the Add» button. The value is added to the list box. Note: The maximum number of values allowed in the Add Domain list is This limit is defined at the system level. Any duplicate or invalid values are discarded automatically. 2 To remove a value from the list, select it in the list box and click the «Remove button. Note: To select more than one value from the list, press Ctrl on your keyboard, click each entry you want to remove, and then click the «Remove button. 76 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

86 Authentication Note: All entries are removed when clicking the button Remove All. More Options Regardless of Sender Domain From the drop-down lists, select the appropriate SPF action (Deliver, Deny, Tag Subject) for the following criteria: when SPF is available but validation fails when SPF is not available when SPF is available and validation succeeds Note: When the action is tag subject, tags are applied to the end of the subject. The tags are: WARNING: SPF validation failed, SPF verified, WARNING: SPF validation unavailable. Upload Enforced SPF List (appends to existing list): To Upload a file with a predefined list, click the Upload Browse button. After you select the file and it's path appears in the text field, click the Upload button. The contents are added to the Add Domain box above. Download Enforced SPF List (be sure to save changes first): To Download a domain list in a csv file, click the Download button, select the list you wish to download and click Save. NOTE: If the default list changes, your subscription to the default is updated to reflect those changes. Enforced DKIM DomainKeys Identified Mail (DKIM) is part of the Authentication suite designed to verify the sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 77

87 Authentication Protection Administrator Guide Create a DKIM Domain Complete the following information to implement a DKIM domain. Add Domain To enter values for the DKIM domain list, enter the full address of the sender domain and/or sub-domain, or use part of the domain using wildcards. Specifying a sender domain does not automatically include any sub-domains of that domain. The following list demonstrates different examples of entries using a wildcard (*). *.example.com example.* mysubdomain.*.* subdomain.*.example.com If the sub-domain is not going to be entered using the wildcard character, the sub-domain must be explicitly defined. 1 Click the Add» button. The value is added to the list box. Note: The maximum number of values allowed in the Add Domain list is This limit is defined at the system level. Any duplicate or invalid values are discarded automatically. 2 To remove a value from the list, select it in the list box and click the «Remove button. Note: To select more than one value from the list, press Ctrl on your keyboard, click each entry you want to remove, and then click the «Remove button. Note: All entries are removed when clicking the button Remove All More Options Regardless of Sender Domain From the drop-down lists, select the appropriate DKIM action (Deliver, Deny, Tag Subject) for the following criteria: 78 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

88 Authentication when a DKIM signature is present but is not valid. when no DKIM signature is present. when a valid DKIM signature is present. NOTE: When the action is tag subject, tags are applied to the end of the subject. The tags are: WARNING: DKIM validation failed, DKIM verified, WARNING: DKIM validation unavailable. Upload Enforced DKIM List (appends to existing list): 3 To Upload a file with a predefined list, click the Upload Browse button. After you select the file and it's path appears in the text field, click the Upload button. The contents are added to the Add Domain box above. Download Enforced DKIM List (be sure to save changes first): 4 To Download a domain list in a csv file, click the Download button, select the list you wish to download and click Save. 5 Click the Save button to save your information. By checking the Subscribe to Default Inbound policy Enforced DKIM list subscription, you will be adding the appropriate Inbound/Outbound Default domain policy to your customized Enforced DKIM domain list. The default list can be viewed by clicking the corresponding Inbound Default selection under the Policies tab. This option is only available in custom (non-default) policy sets. NOTE: If the default list changes, your subscription to the default is updated to reflect those changes. Authentication Notifications tab November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 79

89 Define the Format and Text of Notifications to Users Protection Administrator Guide Send Notifications 6 Check the box Denied Delivery regarding the heading To the sender when a message is to notify the sender is unable to send their message due to an Authentication violation. 7 Click Save 8 Check the box Denied Delivery regarding the heading To the recipient when a message is to notify the recipient is unable to receive their message due to a Authentication violation 9 Click Save View your selection Click the Notifications Tab in the Policy Set window. Define the Format and Text of Notifications to Users You can configure templates for the notification s that are sent to the sender and/or recipient when an message is filtered for: Viruses Content Attachments Default notification templates are provided for all the notification scenarios. You can change these templates if you wish. One notification template is defined for each combination of the following: Filtering type For viruses, content, or attachments Destination of the notification Sender or recipient Action Deny, strip, or quarantine Variables within a Notification Within the notification s, variables automatically insert content from the system. For example, the variable $(DATE) inserts the date when the notification was sent. Default variables already exist for the default notifications. If you want to use a different variable, you must manually type the variable as shown below and the variables are casesensitive. $(SUBJECT) $(FROM) Inserts a variable that automatically indicates the subject of the that violated the policy. Inserts a variable that automatically indicates the sender s address (From: address) from the that violated the policy. This variable inserts the From: address that is displayed in the Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

90 Define the Format and Text of Notifica- $(SENDER) $(TO) $(DATE) $(REASON) $(ACTION) $(DOMAIN) $(MSG_HEAD ER) $(SIZE) $(POSTMAST ER) Inserts a variable that automatically indicates the sender s address (From: address) from the that violated the policy. This variable inserts the SMTP envelope From: address received from the sending server. Inserts a variable that automatically indicates the recipient s address (To: address) from the that violated the policy. Inserts a variable that automatically indicates the date when the was received that violated the policy. Inserts a variable that automatically indicates the reason why the violated the policy. Inserts a variable that automatically indicates the action that was applied to the that violated the policy. Inserts a variable that automatically indicates the domain that received the that violated the policy. Inserts a variable that automatically indicates the header information from the that violated the policy. Inserts a variable that automatically indicates the size, including attachments, of the that violated the policy. Inserts the contact address configured for the domain. The set of Notifications tabs includes the following subtabs: Notifications Virus Notifications subtab (see window 1) Notifications Content Notifications subtab Notifications Attachment Notifications subtab In addition, each subtab will have a separate Edit area for each of its notification templates. Because all the individual notification templates offer the same functionality, only one set of subtabs in the Notifications tabs will be described to reduce redundancy. Be aware that the same features are used to modify the remaining notification templates, the only difference being the combinations of filter type, destinations, and actions. Be sure to modify the navigation and information accordingly. Define the Format and Text of Virus Notifications 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Notifications. The Notifications: Virus window is displayed. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 81

91 Define the Format and Text of Notifications to Users Protection Administrator Guide 4 Click on a notification in the Virus Notifications box. 5 Either double-click on a subject or highlight a subject and click Edit. The Edit section of the window is displayed. 6 Change, if desired, the text or variables in any or all of the following fields: From Reply-To Subject Body Designates what address is listed as the From: address in the notification . Optionally, you can type variables that insert system information into this content. Designates what address is used if the recipient of the notification clicks the Reply button in his/her application. Optionally, you can type variables that insert system information into this content. Type the text to be used as the subject for the notification template. Optionally, you can type variables that insert system information into this content. Type the text to be used as the body text for the notification template. Optionally, you can type variables that insert system information into this content. 82 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

92 Define the Format and Text of Notifica- 7 Click Save. Define the Format and Text of Content Violation Notifications 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Notifications. The Virus Notifications window is displayed. 4 Click Content. The Content Notifications window is displayed. 5 Click on a notification in the Content Notifications box. 6 Either double-click on a subject or highlight a subject and click Edit. The Edit section of the window is displayed. 7 Change, if desired, the text or variables in any or all of the following fields: From Reply-To Subject Designates what address is listed as the From: address in the notification . Optionally, you can type variables that insert system information into this content. Designates what address is used if the recipient of the notification clicks the Reply button in his/her application. Optionally, you can type variables that insert system information into this content. Type the text to be used as the subject for the notification template. Optionally, you can type variables that insert system information into this content. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 83

93 Define the Format and Text of Notifications to Users Protection Administrator Guide Body Type the text to be used as the body text for the notification template. Optionally, you can type variables that insert system information into this content. 8 Click Save. Define the Format and Text of Attachment Violation Notifications 1 Click Protection Policies. 2 Select the policy you want to change. 3 Click Notifications. The Virus Notifications window is displayed. 4 Click Attachment. The Attachment Notifications window is displayed. 5 Click on a notification in the Attachment Notifications box. 6 Either double-click on a subject or highlight a subject and click Edit. The Edit section of the window is displayed. 7 Change, if desired, the text or variables in any or all of the following fields: From Reply-To Designates what address is listed as the From: address in the notification . Optionally, you can type variables that insert system information into this content. Designates what address is used if the recipient of the notification clicks the Reply button in his/her application. Optionally, you can type variables that insert system information into this content. 84 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

94 Define the Format and Text of Notifica- Subject Body Type the text to be used as the subject for the notification template. Optionally, you can type variables that insert system information into this content. Type the text to be used as the body text for the notification template. Optionally, you can type variables that insert system information into this content. 8 Click Save. Authentication The Notifications Authentication subtab allows you to configure a template of how the notification will appear that is sent to the sender and/or recipient. Within the notification s, there are available variables that will automatically insert content from the system. For example, the variable $(DATE) will insert the date when the notification was sent. You must manually type the variables as shown below and the variables are case-sensitive. 9 Highlight the message you wish to review and Click Edit to launch the edit template. Variables within the template include: $(SUBJECT) The Subject field is blank because the message was blocked before the content had been sent. If you wish to have a Subject value for the Notification message, edit the Subject: field, otherwise the Subject appears as: 'Delivery Notification'. $(FROM) Inserts a variable that automatically indicates the sender's address (From: address) from the that violated the policy. This variable inserts the From: address that is displayed in the . $(SENDER) Inserts a variable that automatically indicates the sender's address (From: address) from the that violated the policy. This variable inserts the SMTP envelope From: address received from the sending server. $(TO) Inserts a variable that automatically indicates the recipient's address (To: address) from the that violated the policy. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 85

95 Define the Format and Text of Notifications to Users Protection Administrator Guide $(DATE) Inserts a variable that automatically indicates the date when the was received that violated the policy. $(REASON) Inserts a variable that automatically indicates the reason why the violated the policy. $(ACTION) Inserts a variable that automatically indicates the action that was applied to the that violated the policy. $(DOMAIN) Inserts a variable that automatically indicates the Domain that received the that violated the policy. $(POSTMASTER) Inserts postmaster (ex. postmaster@domain.com) address for the Domain. Variable syntax requires $({name_of_variable}), where {name_of_variable} is replaced with the predefined variable name (without the curly brackets). Authentication Subject Headers As mentioned, the Subject field in the Authentication Subject Line, the Authentication Header, and the Authentication Notification Message Body will not contain Subject data since the was denied and no data was retrieved. The following examples demonstrate the Subject Field or Subject Notification only displaying Delivery Notification. Again, this is because the $(SUBJECT) variable is an empty variable. Subject Line 86 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

96 Disaster Recovery Subject Header Authentication Notification Subject Header Response Disaster Recovery Disaster Recovery allows you to specify what actions to take when cannot be delivered. There are three available options: Defer to domain-based Continuity access control configured under Disaster Recovery Setup Select this option to use the configuration settings from the Disaster Recovery Setup window. Allow users to use the Continuity webmail client Select this option to allow users to use the Continuity webmail client when cannot be delivered. Do not allow users to use the Continuity webmail client Select this option if you do not wish to allow users to use the Continuity webmail client when cannot be delivered. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 87

97 Assign a Group to the Custom Policy Protection Administrator Guide Assign a Group to the Custom Policy To perform this task, you must first create the group of users who are to be assigned to the policy. See Managing Groups in Account Management Administrator Guide. 1 Click Protection Policies. 2 Select the custom policy to which you want to assign a group. 3 Click Group Subscriptions. The Policy Configuration Groups window is displayed. 4 Select the group you want to assign. 5 Click Add. 88 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

98 Create a Custom Outbound Policy 6. Customize Outbound Mail Filters You can customize the default outbound policy for any and each domain, or any and each group, to fit your business needs. Note: Outbound is not filtered for spam. You also can not customize allow or deny lists for outbound . You can, however, copy allow or deny lists from an existing inbound policy. Create a Custom Outbound Policy Important Note: It is assumed that all domains within an Enterprise Customer will have the same package assigned to them. If some domains have different packages, unexpected results may occur. when a policy is applied to a group in which members reside within different domains. 1 Click Protection Policies Outbound Policies link. 2 Click New. The New Policy Set fields are displayed. Field Description Name Description Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy. Enter a description of the new policy set. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 89

99 Configure a Virus Filter Protection Administrator Guide Direction Copy From Copy Sender Allow List Copy Sender Deny List Copy Recipient Shield List Copy ClickProtect Allow List From the drop-down menu, select the direction of , outbound SMTP, for which this policy will be configured. From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields. Select to copy the Sender Allow list from the policy set selected in the Copy From field. Select to copy the Sender Deny list from the policy set selected in the Copy From field. Select to copy the Recipient Shield list from the policy set selected in the Copy From field. Select to copy the ClickProtect Allow list from the policy set selected in the Copy From field. 3 Click Save. The Policy Sets list is updated with the new policy. You can now modify the new policy to meet your business needs. Configure a Virus Filter You configure a virus filter for outbound in the same way as that for inbound . For more information, see Configure a Virus Filter Policy Configure a Content Filter You can create a custom content filter for outbound . You can only set up Content Groups and Notifications. HTML Shield and ClickProtect are not available for outbound . You set up content groups and notifications in the same way as that for inbound . For more information, see Create a Custom Policy. 90 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

100 Configure a Content Filter Encryption for Content Groups Group Names You are able to send regular based on your selected policies but, you may also encrypt messages for a specific Group Name under Content Groups if desired. Select the group name you wish to encrypt, from the Action drop-down list select to have that Group encrypted. More Options If a Customer or Domain subscribes to Encryption, then selecting this option can be used to enforce Encryption if the outbound message contains the word [encrypt]. This word, [encrypt] can reside in the message Subject line or the body of the outbound message. This option can be found under Protection Policies Outbound (default) Content Content Groups. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 91

101 Define an Attachment Filter Protection Administrator Guide Define an Attachment Filter You configure an attachment filter for outbound in the same way as that for inbound . For more information, see Define an Attachment Filter Policy. Define the Format and Text of Notifications to Users You configure notifications for outbound in the same way as that for inbound . For more information, see Define the Format and Text of Notifications to Users Policy. Assign a Group to the Custom Policy You assign a group to a policy for outbound in the same way as that for inbound . For more information, see Disaster Recovery. 92 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

102 Protectionr Administrator Guide Set up Quarantine Reports 7. Managing Quarantine Reports Set up Quarantine Reports When Protection scores and determines that might be problematic, but the is not clearly a security risk, Protection place the into quarantine. You can set up quarantine reports so that users can see which of their messages were filtered and placed in quarantine. You can also determine how much control users have over these reports, including: How reports are formatted. How often reports are sent How Spam is filtered What actions users can take on quarantined See the Protection User Guide on how users might manage quarantine reports. To set up quarantine reports for users, see Set up Spam Quarantine Reports. Monitor Users Quarantined is quarantined based the filtering for spam, viruses, content, and attachments, as designated on your domains or groups policies. To monitor quarantined , you can perform the following tasks: Search for Quarantined Interpret the Search Results Sort the Search Results Delete Quarantined Messages Release Quarantined Messages View Quarantines Messages As an administrator, you can also directly access your own quarantined within the Control Console. See Monitor Your Own Quarantine. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 93

103 Monitor Users Quarantined Protectionr Administrator Guide Primary Addresses, Aliases, and Public Domain Addresses Most quarantined s show the primary address as the recipient address. However, if Intelligent Routing is used, quarantined to a public domain address continues to be shown as a public domain address. If an that was sent to an alias address is quarantined, the recipient address is changed to be the associated primary address. Any s released out of any of the quarantine areas are sent to the primary address. Thus, no alias addresses will be listed in these windows. Search for Quarantined To search quarantined , perform the following steps: 1 Click Protection Quarantine. 2 If necessary, click Quarantine Search. 3 Complete any or all of the following fields to define your search: 94 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

104 Protectionr Administrator Guide Monitor Users Quarantined Note: All fields are used in the search. If your search finds a large number of messages, narrow your search by narrowing the scope within one or more fields. Field Description From To Threat Day list Inbound/ Outbound Enter a full sender address. The address must include the recipient name and the domain name, for example joesmith@acme.com. Enter a recipient address. The address must include the recipient name and the domain name. From the drop-down menu, select one of the following: Spam Virus Attachment Content All Threats From the drop-down menu, select the day, from the past week, whose messages you want to see. You can also select All Days. Note: The date of a message is determined by the time, according to the user s timezone, the message was placed in quarantine. From the drop-down menu, select one of the following:. View inbound only View outbound only View inbound & outbound Note: This field is available only if the selected Domain has both inbound and outbound packages associated with it. 4 Click Search. A list of messages is displayed at the bottom of the window. Interpret the Search Results The Search Results section of the Quarantine Search window displays the following information for each message: Date The date the message was quarantined, according to the local timezone of the recipient. From The sender of the message. To The recipient of the message. Subject The subject of the message. Size The size of the message, in kilobytes, including any attachments. Also, a sixth column displays information that varies, depending on the type of threats you searched for: The following table lists the type of information that might be contained in this column. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 95

105 Monitor Users Quarantined Protectionr Administrator Guide Threat Type Selected Column Label Description Virus Virus Displays the type of virus detected in the Spam Spam Score Displays a score that indicates how likely that the is spam. A spam score of 90% % is considered medium likelihood if default settings are used. A spam score of 99% or higher is considered high likelihood if default settings are used. Protection anti-spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework to determine the score. If you specified an additional Realtime Blackhole List (RBL) in the Anti-Spam window of the assigned policy, the RBL can influence the spam score as well. Attachment Attachment Displays the name of an attachment that was included in the message and violates attachment rules (size, file typ, zip file attachments) as defined on the Attachment windows of the assigned policy. If a message contains more than one delinquent attachment, the first attachment found in the message is listed. You can check to see all attachments by opening the message. Content Keyword Displays Content to indicate that the that violated a content policy, as defined in the Content Groups window for the assigned policy. You can see what keywords were violated by opening the message and checking the Status line. All Threats Type Displays the type of threat filtering that the violated. Sort the Search Results You can sort the search results according to any of the columns in the Search Results section. 1 Click on the heading of the column you want to sort. You have the choice of sorting the messages in ascending or descending order of the values in the column. 2 Click Sort Ascending or Sort Descending. 96 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

106 Protectionr Administrator Guide Monitor Users Quarantined 3 To hide columns in the results, move your cursor over the Columns menu item and Select select or deselect the columns you want to display in your sorted list. 4 To move columns around so they are displayed in a different left-to-right sequence, perform the following steps: A B C Place your cursor on the column you want to move. Click and hold the mouse button. Drag the column to a different location. Delete Quarantined Messages Protection deletes each message automatically if the messages stays in quarantine for more than seven days. However, you can immediately delete quarantined listed in the Quarantine Search Results in one of two ways: Highlight each in the list and click Delete. Click Delete All, which deletes all in the Search Results list. Release Quarantined Messages By releasing a quarantined message, you remove the message from quarantine and send the to the mailbox of the recipient s primary address. You can release in one of two ways: Select each you want to release, and click Release. The is removed from quarantine and sent to the recipient mailbox or mailboxes. Select you want to release, and click the Always Allow for User. The is removed from quarantine and sent to the recipient mailbox or mailboxes. This option also adds the sender address of each selected message to the Allow list of the associated recipient. Caution: Releasing s that contained worms or viruses can potentially allow the recipients machines to be infected. View Quarantines Messages Protection allows you to view a quarantined message without risk of infection by any malicious virus or attachments. To view a message in the quarantine: 1 Double-click the message you want to view. The message opens in a new tab with the subject heading. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 97

107 Monitor Users Quarantined Protectionr Administrator Guide 2 Check the for any of the following, depending on the Threat type: If the Threat type is Spam, check the subject line and body of the message, as well as the Status line for the spam score. If the Threat type is Content, check the Status line for the word or words that violated the content filter. If the Threat type is Attachment, check the Attachments list for size and/or type of file or for html code violations. The Content Type is based on the MIME protocol. If the Threat type is Virus, check the Virus list for the viruses found. 3 Note the IP address listed in the message. This address is the last hop the message took prior to delivery to Protection. The IP address can be useful in tracking the path of a message and can help identify spoofed senders. 4 After checking a message, do one of the following: Delete the message as described in Delete Quarantined Messages. 98 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

108 Protectionr Administrator Guide Monitor Users Quarantined Release the message as described in Release Quarantined Messages. Close the message by clicking the X in the tab at the top of the message. Monitor Your Own Quarantine You can check your own messages in quarantine and take the same actions on those messages that you do on other users. To access your own quarantined messages, perform the following steps: 1 Click Protection Quarantine. 2 Click My Spam. Your message quarantine is displayed. 3 Perform any of the following tasks: Search for Quarantined Interpret the Search Results Sort the Search Results Delete Quarantined Messages Release Quarantined Messages View Quarantines Messages November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 99

109 Monitor Users Quarantined Protectionr Administrator Guide 100 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

110 Administer Disaster Recovery Services 8. Set up Disaster Recovery Services Administer Disaster Recovery Services Disaster Recovery Services consists of one of two services: Fail Safe Fail Safe saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Fail Safe delivers the messages. Users cannot access their messages while messages are in Fail Safe only. Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days. Continuity Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Continuity delivers the messages. Users can access their messages through a Webbased interface while messages are in Continuity only. Continuity also has unlimited storage capacity and removes messages that have been in Continuity storage for more than 60 days. Set up Spooling for Disaster Recovery 1 Click Protection Setup Disaster Recovery. 2 From the Domain drop-down menu, select the domain you want to set up for Disaster Recovery. 3 In the Configuration Settings section, select one of the following options: Automatic This option automatically spools all incoming when Protection detects a loss of connectivity with your server(s). With this option, you must also specify how long Protection should wait after connectivity is lost to begin spooling. Note: Be aware that it may take several minutes to determine that your inbound server is unavailable. During this time, and during the time delay, received s can be tempfailed if your inbound server is unavailable Manual This option allows you to start and stop Disaster Recovery spooling manually for planned server outages such as server maintenance. When necessary, you then select Start Spooling to initiate manual spooling; and select Stop Spooling to stop it. Note: It may take a few minutes for manual spooling of incoming mail to start and stop. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 101

111 Administer Disaster Recovery Services Protection Administrator Guide 4 If you selected the Manual option, check the Deliver spooled when connectivity is available box to deliver spooled when connectivity to the server(s) is restored. 5 If your service includes Continuity, check the checkbox Allow users to use Continuity to set the default permission for users to get messages through Continuity. This setting applies to the domain. You can override this setting on the Disaster Recovery window under Policies if you have some groups that you don t want to allow access. Set up Notifications of Disaster Recovery You can specify that notifications are ed automatically to designated recipients, typically yourself or other administrators, when the following Disaster Recovery events occur: Automatic spooling has started Automatic unspooling has started Automatic or manual unspooling has completed. 1 Under the Notifications section of the Disaster Recovery Setup window, type, in the Recipient Address field, the address of a person who should receive notification of a disaster recovery event. Note: In order to minimize the possibility that Disaster Recovery notifications cannot be delivered to listed recipients, it is recommended that notifications be sent to addresses associated with cell phones or pagers. 2 Click Add. 3 Repeat steps 1 and 2 for up to three more notification recipients. 102 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

112 9. User-Level Policy Configuration You can modify some aspects of a policy for individual users. For more information, see the following sections in the Account Management Administrator Guide. Personalize Spam Reporting for a User Allow or Deny to a User from Specific Addresses Search the Quarantine of a User View the Activity Summary of a User Users can also manage some aspects of their filtering. See Protection User Guide. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 103

113 104 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

114 Protection Reports 10. System Reports Protection Reports Protection provides a large number of reports with which to monitor your service. Report Traffic Overview Threat: TLS Traffic Encryption Threats: Overview Threats: Viruses Threats: Spam Threats: Content Threats: Attachments Enforced TLS Details Enforced SPF Description Information about all Inbound and Outbound traffic and bandwidth for the designated domain(s) during the selected date or date range. Information about all TLS Inbound and Outbound traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range. Information about all outbound traffic, percentages and bandwidth for the designated domain during the selected date or date range sent out to be encrypted. Information about violations by policy type for the designated domain(s) during the selected date or date range. Information about all Inbound and Outbound s that violated the virus policies for the designated domain(s) during the selected date or date range, Information about s that violated the spam policies for the designated domain(s) during the selected date or date range. Information about s that violated the content keyword policies for the designated domain(s) during the selected date or date range. Information about s that had attachments that violated the attachment policies for the designated Domain(s) during the selected date or date range. Information about all Enforced TLS Inbound and Outbound traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation. The Enforced SPF report displays all Enforced SPF inbound traffic, including the information about number of messages and validations for the designated domains, during a selected time frame. The report also includes a percentage of incoming messages that were denied, validated or unavailable due to an Enforced SPF Policy violation. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 105

115 View an Protection Report Protection Administrator Guide Report ClickProtect: Overview ClickProtect: Click Log Quarantine: Release Overview Quarantine: Release Log User Activity Event Log Audit Trail Inbound Server Connections Disaster Recovery: Overview Disaster Recovery: Event Log Description Information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in s that can be clicked and followed by the user or that can be blocked, depending on the ClickProtect policy configurations for the designated domain(s) during the selected date or date range. Information about Web hyperlinks in s that were clicked by the recipient for the designated domain(s) during the selected date or date range. Information about s that were quarantined and released from all quarantine areas within the Protection for the designated domain(s) during the selected date or date range. Information about s that were released from all quarantine areas within the Protection for the designated domain(s) during the selected date or date range. Information about all Inbound and Outbound traffic and bandwidth for the designated domain(s) during the selected date or date range. Displays messages that have had actions performed based on the content, spam content, virus, or attachment policy definitions. Messages can be sorted per domain, and Inbound direction, Outbound direction or both. Messages that are identified as threats by the Protection are also included. Displays the audit log items for all actions performed by users at Report Manager, or higher level, roles within the Control Console for the designated domain(s) during the selected date or date range, including sign ins and configuration changes. Displays information about the connections made to the Inbound servers during processing Information about s that were spooled and unspooled by the disaster recovery service for the designated domain(s) during the selected date or date range. Displays the event log items for actions performed within the disaster recovery service. Included are actions performed automatically by the Protection and performed manually by the administrator. View an Protection Report To view an Protection Report, perform the following steps: 1 Click Protection Reports. 2 From the Domain drop-down menu, select the domain for which you want the report. The Traffic Overview report is displayed. 106 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

116 View an Protection Report 3 From the Reports drop-down menu, select the report you want. 4 Click the Period field to display the Calendar selector. 5 From the Calendar selector, do one of the following: A Select Today for data on the current day. B Select a specific date, within the last 7 days, to display data only for that date. C Select the name of the month that appears at the bottom of the calendar. D Select a month and date in the drop-down lists. E Position cursor over the week number (to the left of the first date in a week) and click to display data for the entire week beginning with that date. Note: You can select only the current month or click the down arrow at the top of the calendar to select the previous month. You cannot retrieve data from a timeframe beyond the previous month. Change the Graphic Display of the Report You can display some of the information in a report as a bar graph, as a line graph, or as a pie chart. To select a graphic display type, select the appropriate icon on the upper right corner of each graphic, if available. The icons are as follows: This icon displays the graphic as a bar graph. This icon displays the graphic as a line graph. This icon displays the graphic as a solid (filled) line graph. Download a Report To download textual report information into a Microsoft Excel spreadsheet (*.csv), click Download on any report, then follow the instructions. Traffic Overview The Traffic: Overview window displays overview information about the inbound and outbound traffic for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 107

117 View an Protection Report Protection Administrator Guide The following table lists the report items in the report. Report Item Traffic Trends Traffic Summary Bandwidth Trends Description The number of inbound and outbound s for the designated Domain and date range. Green Inbound data Purple Outbound data Information about inbound and outbound traffic for the designated Domain and date range as follows: Inbound Messages Indicates the total number of inbound s received. Average Inbound Messages/Hour Indicates the average number of inbound s received each hour. Outbound Messages Indicates the total number of outbound s sent. Average Outbound Messages/Hour Indicates the average number of outbound s sent each hour. The bandwidths, in kilobytes, used by inbound and outbound for the designated Domain and date range. Green Inbound data Purple Outbound data 108 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

118 View an Protection Report Report Item Bandwidth Summary Description Information about the bandwidth used by inbound and outbound for the designated domain and date range as follows: Inbound Total Bandwidth The total bandwidth used by received inbound s. Average Inbound Message Size The average size of inbound s. Outbound Total Bandwidth The total bandwidth used by sent outbound s. Average Outbound Message Size The average size of sent outbound s. Traffic: Enforced TLS Report The Traffic: TLS Report window displays information about all TLS Inbound and Outbound traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range.. Reporting Period: All report data is viewable on either a day, week, or month basis for the current month, or the previous month. You can use the Download button to save a copy of the currently displayed report results in spreadsheet format. Report Purpose Identifies Inbound and Outbound messages that were delivered via a TLS connection and any messages that were denied due to an Enforced TLS Policy violation. Traffic Summary TLS Inbound Messages - The total of TLS inbound messages that were processed via a TLS connection. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 109

119 Traffic: Encryption Protection Administrator Guide % Inbound Messages sent via TLS - The percentage of incoming messages processed via a TLS connection Inbound Messages blocked by Enforced TLS - The total of inbound messages blocked by an Enforced TLS policy TLS Outbound Messages - The total of TLS outbound messages that were processed via a TLS connection. % Outbound Messages sent via TLS - The percentage of outgoing messages processed via a TLS connection. Outbound Messages blocked by Enforced TLS - The total of outgoing messages blocked by an Enforced TLS policy. Bandwidth Summary TLS Inbound Total Bandwidth - The quantity of data transferred via TLS, measured in bytes. % Inbound Bytes sent via TLS - The percentage of Inbound mail sent via TLS, measured in bytes Outbound Total Bandwidth - The quantity of data transferred via TLS, measured in bytes % Outbound Bytes sent via TLS - The percentage of Outbound mail sent via TLS, measured in bytes. Traffic: Encryption The Traffic: Encryption report displays information about all outbound traffic, percentages and bandwidth for the designated domain during the selected date or date range sent out to be encrypted. 110 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

120 Traffic: Encryption Selecting the checkbox for Encryption on both the Create/Edit Customer window and Create/Edit Domain window allows customers to use the Encrypt Message action when working with Outbound policy Content Groups. When the Encrypt Message action is selected for a Content Group, then any message that contains that content is routed to an encryption server and available to the recipient. Encryption is only available for a selected Outbound package. Encryption Summary Outbound Messages blocked by Encryption - The total outbound messages to be delivered for encryption. % Outbound Messages sent via Encryption - The percentage of outgoing messages sent out to be encrypted. Encryption Bandwidth Summary Outbound Total Bandwidth - TThe total bandwidth of outgoing messages sent for encryption. % Outbound Bytes sent via TLS - The percentage of outgoing bytes messages sent out to be encrypted. Threats: Overview The Threats: Overview report displays overview information about violations by policy type for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 111

121 Traffic: Encryption Protection Administrator Guide The following table lists the report items in the report. Report Item Inbound Threat Trends Inbound Threat Summary Description The total number of inbound s that violated each policy type for the designated Domain and date range. Data for each policy type is colorcoded as indicated in the legend below the graphic. Information about the number of inbound s that violated each policy type for the designated Domain and date range. Total Viruses The total number of inbound s that contained known worms and viruses. Infection Rate The percentage of inbound s that contained known viruses vs. the total number of received inbound s. Total Spam Identified The total number of inbound s filtered for potential spam. Spam Volume The percentage of inbound s that were filtered for potential spam. Spam Beacons Detected The total number of spam beacons detected in inbound s. Note that each may contain multiple spam beacons. Content Keyword Violations The total number of inbound s that violated the content keyword policies. Attachment Policy Violations The total number of inbound s that had attachments that violated the attachment policies. 112 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

122 Traffic: Encryption Report Item Outbound Threat Trends Outbound Threat Summary Description The total number of outbound s that violated each policy type for the designated domain and date range. Data for each policy type is color-coded as indicated in the legend below the graphic. Information about the number of outbound s that violated each policy type for the designated Domain and date range as follows: Total Viruses The total number of outbound s that contained known viruses. Infection Rate The percentage of outbound s that contained known viruses vs. the total number of sent outbound s. Content Keyword Violations The total number of outbound s that violated the content keyword policies. Attachment Policy Violations The total number of outbound s that had attachments that violated the attachment policies. Threats: Viruses The Threats: Viruses report displays information about s that violated the virus policies for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 113

123 Traffic: Encryption Protection Administrator Guide The following table lists the report items in the report. Report Item Virus Volume Trends Description The total number of s that contained known viruses. Green Inbound data Purple Outbound data 114 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

124 Threats: Spam Report Item Virus Detection Summary Top Inbound Viruses Virus Policy Actions Top Outbound Viruses Description Indicates information about the s that contained worms or viruses: Total Viruses Inbound The total number of inbound s that contained known viruses ( infected s ). Inbound Infection Rate The percentage of infected inbound s vs. the total number of received inbound s. Total Viruses Outbound The total number of infected outbound s. Outbound Infection Rate The percentage of infected outbound s vs. the total number of sent outbound s. Disinfected (cleaned) The total number of infected s that had their viruses successfully removed and the s were forwarded to their destinations. Stripped The total number of infected s that had the infected attachments stripped and then were forwarded to their destinations. The most frequently encountered viruses in inbound s, in the order of most frequent to less frequent, and the total number of encounters for each virus. The percentage of policy actions applied to infected s. The most frequently encountered viruses in outbound s, in the order of most frequent to less frequent, and the total number of encounters for each virus. Threats: Spam The Threats: Spam window displays information about s that violated the spam policies for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 115

125 Threats: Spam Protection Administrator Guide The following table lists the report items in the report. Report Item Spam Volume Trends Description The total number of s that violated spam policies. Green Inbound data Purple Outbound data 116 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

126 Threats: Content Report Item Spam Detection Summary Spam Policy Actions Description Information about the s that violated spam policies: Total Inbound Spam Identified The total number of inbound s that violated spam policies. Inbound Spam Volume The percentage of inbound s that violated spam policies vs. the total number of received inbound s. Spam Beacons Detected The total number of spam beacons detected in s. Note that each may contain multiple spam beacons. RBL The total number of s that were filtered by the Real-time Blackhole List (RBL). DUL The total number of s that were filtered by the Dial-up User List (DUL). RSS The total number of s that were filtered by the Relay Spam Stopper (RSS). Spam Content Group The total number of s that contained keywords from the content groups that were created in the Anti- Spam Content Group subtab; in this example, the group named Viagra. The percentage of policy actions applied to the s that violated spam policies. Threats: Content The Threats: Content window displays information about s that violated the content keyword policies for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 117

127 Threats: Content Protection Administrator Guide The following table lists the report items in the report. Report Item Content Policy Violation Trends Description The total number of s that violated the content keyword policies. Green Inbound data Purple Outbound data 118 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

128 Threats: Attachments Report Item Top Inbound and Outbound Content Group Violations Content Policy Actions Description Both the Top Inbound Content Group Violations and the Top Outbound Content Group Violations reports measure the number of messages found to violate the top ten inbound / outbound customer content policies for both global policies and custom policies. Information about the s that violated content keyword policies: Credit Card - The total number of s that contained keywords and phrases from the Credit Card predefined content group. Profanity The total number of s that contained keywords from the Profanity content group. Racially Insensitive The total number of s that contained keywords from the Racially Insensitive content group. Sexual Overtones The total number of s that contained keywords from the Sexual Overtones content group. Social Security - The total number of s that contained keywords and phrases from the Social Security predefined content group. Custom Content Groups The total number of s that contained keywords from the content groups that were created in the Current Content Groups window; in this example, HIPPA Compliance. The percentage of policy actions applied to the s that violated content keyword policies. Threats: Attachments The Threats: Attachments window displays information about s that had attachments that violated the attachment policies for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 119

129 Threats: Attachments Protection Administrator Guide The following table lists the report items in the report. Report Item Attachment Policy Violation Trends Description The total number of s that had attachments that violated the attachment policies. Green Inbound data Purple Outbound data 120 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

130 Enforced TLS: Details Report Item Attachment Summary Attachment Policy Actions Description Information about the s that had attachments that violated the attachment policies: Average Attachment Size The average size of attachments encountered in s. Executables The total number of executables (for example, *.exe or *.com) received as attachments. Scripts The total number of script files received as attachments. Office Documents The total number of Microsoft Office documents (for example, *.doc or *.xls files) received as attachments. Audio The total number of audio files (for example, *.wav or *.mp3 files) received as attachments. Images The total number of graphic files (for example, *.gif or *.bmp files) received as attachments. Compressed Archives The total number of archive files (for example, *.zip or *.tar files) received as attachments. The percentage of policy actions applied to the s that had attachments that violated the attachment policies. Enforced TLS: Details The Enforced TLS Details report displays information about all Enforced TLS Inbound and Outbound traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation. Reporting Period: All report data is viewable on either a day, week, or month basis for the current month, or the previous month. You can use the Download button to save a copy of the currently displayed report results in a spreadsheet format. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 121

131 Enforced SPF Report Protection Administrator Guide Select your customer to manage. Field Description Customer From the drop-down list select the Customer. (If needed) Domain From the drop-down list select the Domain or All Domains. (If needed) Note: When there are 1000 domains listed in the drop-down a Find button will display to assist the user in locating the correct domain. Depending on how your system is configured, you may run a report for a primary domain, a domain alias, or a public domain. A Public Domain is a registered domain with a public MX record that is used for uniform addresses across multiple primary domains. A public domain name will have the primary domain appended to it with brackets [primary domain], and a Domain Alias is appended with brackets [alias]. The following examples demonstrate this feature: acme.com [acme-denver.com] is the public domain [primary domain] respectively. acme.com [alias] Traffic Summary Enforced TLS Accepted - Inbound Messages - The total number of TLS inbound messages that were processed via an Enforced TLS connection for a given domain. Enforced TLS Accepted - Outbound Messages - The total number of TLS outbound messages that were processed via an Enforced TLS connection for a given domain. Enforced TLS Accepted - Inbound Bandwidth - The quantity of data transferred via Enforced TLS for inbound messages, measured in bytes, for a given domain. Enforced TLS Accepted - Outbound Bandwidth - The quantity of data transferred via Enforced TLS for outbound messages, measured in bytes for a given domain. Enforced TLS Denied - Inbound Messages - The total of incoming messages blocked by an Enforced TLS policy for a given domain. Enforced TLS Denied - Outbound Messages - The total of outgoing messages blocked by an Enforced TLS policy for a given domain. Enforced SPF Report The Enforced SPF report identifies inbound messages that were delivered or denied due to an Enforced SPF Policy violation. 122 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

132 ClickProtect: Overview SPF Report Summary Field Description Top Enforced SPF Denied Domains - The total number of messages, including the top ten defined domains, that were denied by an Enforced SPF policy because their SPF record could not be validated. Note: Data in the report table does not display unless an Enforced SPF policy has been created with a deny action or domains have been added to the list for the Enforced SPF policy. SPF Message Summary - Summarizes in text form the totals and percentages of Enforced SPF s that were successful, unavailable or failed. ClickProtect: Overview The ClickProtect: Overview window displays overview information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in s that can be clicked and followed by the user or that were blocked, depending on the ClickProtect policy configurations. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 123

133 ClickProtect: Overview Protection Administrator Guide The following table lists the report items in the report. Report Item ClickProtect Trends Description The numbers of s that contained hyperlinks and that contained hyperlinks that were clicked by the recipients. Green Total number of s that contained hyperlinks. Purple Number of s that contained hyperlinks that were clicked by the recipients. 124 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

134 ClickProtect: Click Log Report Item ClickProtect Statistics Description Information about the s that contained hyperlinks that were processed by ClickProtect: Messages with links The total number of s that contained hyperlinks. Messages with multiple links The total number of s that contained multiple hyperlinks. Total clicks The total number of times that a recipient clicked a hyperlink in an . Total allowed click throughs The total number of times that a recipient was allowed to access the destination designated in a clicked hyperlink. Total denied click throughs The total number of times that a recipient was prevented from accessing the destination designated in a clicked hyperlink. Number of individual users that clicked The total number of recipients that attempted to click a hyperlink in an . Spam messages with clicks The total number of spam s that contained hyperlinks clicked by recipients. Messages with links on the ClickProtect Allow List The total number of s that contained hyerlinks that were listed on the ClickProtect Allow list. ClickProtect: Click Log The ClickProtect: Click Log window displays information about hyperlinks in s that were clicked by recipients. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 125

135 Quarantine: Release Overview Protection Administrator Guide The following table lists the report items in the report. Report Item Timestamp From To Subject URL Score Description The date, time, and time zone when the hyperlink was clicked in the filtered . The address that sent this ( sender address ). The address to which this was sent ( recipient address ). The text that was in the subject header of this . The URL destination defined in the clicked hyperlink (the URL to where the recipient attempted and/or was successful in clicking through). The spam likelihood score that was assigned to the by Protection. Quarantine: Release Overview The Quarantine: Release Overview displays overview information about s that were quarantined and released from all the quarantine areas within Protection for the designated domain. 126 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

136 Quarantine: Release Overview The following table lists the report items in the report. Report Item Inbound Quarantine Release Trends Inbound Spam Release Summary Description The total number of s that were quarantined and then released in all the quarantine areas. Data for each policy type is color-coded as indicated in the legend below the graphic. Information about the s that were quarantined as potential spam and then released. Total Spam Identified The total number of quarantined s that were identified as potential spam. Total Spam Released The total number of s released from the spam quarantine. Release Percent The percent of s released from the spam quarantine vs. the total number of s that were quarantined as potential spam. Total # of individuals The total number of user accounts that had s released from the spam quarantine. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 127

137 Quarantine: Release Log Protection Administrator Guide Report Item Inbound Virus Release Summary Inbound Content Release Summary Inbound Attachment Release Summary Description Information about the s that were quarantined because of viruses and then released. Total Viruses Identified The total number of viruses detected in incoming s that were quarantined. Total Virus Released The total number of s released from the virus quarantine. Release Percent The percent of s released from the virus quarantine vs. the total number of s that were quarantined because of viruses. Total # of individuals The total number of user accounts that had s released from the virus quarantine. Information about the s that were quarantined because of content and then released. Total Content Policy Violations The total number of quarantined s that violated content policies. Total Content Released The total number of s released from the content quarantine. Release Percent The percent of s released from the content quarantine vs. the total number of s that was quarantined because of content. Total # of individuals The total number of user accounts that had s released from the content quarantine. Information about the s that were quarantined because of attachments and then released. Total Attachment Policy Violations The total number of quarantined s that violated attachment policies. Total Attachment Released The total number of s released from the attachment quarantine. Release Percent The percent of s released from the attachment quarantine vs. the total number of s that were quarantined because of attachments. Total # of individuals The total number of user accounts that had s released from the attachment quarantine. Quarantine: Release Log The Quarantine: Release Log displays detailed information about s that were released from all the quarantine areas within Protection for the designated domain. 128 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

138 Quarantine: Release Log The following table lists the report items in the report. Report Item Display Type From To Subject Release Date Size Additional Feature Description Designates which type of quarantine release events to display. All Events Displays release events for all the quarantines. Spam Displays release events for the spam quarantine. Attachments Displays release events for the attachment quarantine. Content Displays release events for the content quarantine. Viruses Displays release events for the virus quarantine. The reason why this was quarantined. Spam violated spam policies. Virus contained a known virus. Attach s attachment violated the attachment policies. Content contained content that violated the content policies, including keywords and HTML. The address that sent this ( sender address ). The address to which this was sent ( recipient address ). The text that was in the subject header of this . The date, time, and time zone when this was released from quarantine in Protection. The total file size of this , including all attachments. Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 129

139 View Details of Log Items Protection Administrator Guide View Details of Log Items You can view detailed information about a log item when the cursor is positioned over it. The specific information differs depending on which report you are viewing. The following table lists the report items in the report. Report Item Type Subject To Sender IP From Released by Quarantine Size Description The reason why the was quarantined. Spam was quarantined because it violated spam policies. Viruses was quarantined because it violated virus policies. Attachments was quarantined because it violated attachment policies. Content was quarantined because it violated content policies. The contents of the Subject line of the . The address to which this was addressed ( recipient address ). The IP address of the server that sent the . The address from which this was sent ( sender address ). The user account of the user who released the from the quarantine. Depending on the reason why the was quarantined, this description indicates the specific reason why the was quarantined: Score Indicates the spam likelihood score that was assigned to the . Attachment Type Indicates the name of the attachment that caused the to be quarantined. Virus Indicates the name of the virus that caused the to be quarantined. Content Keyword Indicates the specific content keyword that caused the to be quarantined. The total file size of the , including attachments. 130 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

140 User Activity Report Item Release Date Quarantine Date Timestamp Details Actions Server Registered on Status Preference Domain(s) d The date, time, and time zone when the was released from the quarantine. The date, time, and time zone when the was quarantined. The date, time, and time zone when the logged item was processed (for example, when an was processed by Protection. Additional information about the logged item (for example, the name of the virus in the ). The action that was performed on the . The name or IP address of the inbound server. The DNS Authorized Name Server where the inbound server is registered. The status of the inbound server. Description The preference level assigned to the inbound server. The domains that are using this inbound server in Protection. User Activity The User Activity report displays the user accounts that have received the most inbound s and have sent the most outbound s for the designated domain. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 131

141 User Activity Protection Administrator Guide The following table lists the report items in the report. Report Item Description Top Inbound Users area Addresses Messages Size The recipient addresses that received the most inbound , in order of volume. The total number of s received by each address. The size of the largest , including attachments, received by each address. Top Outbound Users area Addresses Messages Size The sender addresses that sent the most outbound , in order of volume. The total number of s sent by each address. The size of the largest , including attachments, sent by each address. 132 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

142 Event Log Event Log The Event Log displays the event log items for actions performed for s that were determined to violate content, spam content, virus, or attachment policies for the designated Domain and date range, including actions performed automatically by Protection and performed manually by the users. The following table lists the report items in the report Report Item Display Description Designates which set of event log items to display. All Events Displays event log items for actions performed for all the quarantines. Attachments Displays only event log items for actions performed on s that had attachments that violated the attachment policies. Content Displays only event log items for actions performed on s that violated the content policies. Spam Keyword Displays only event log items for actions performed on s that violated the spam content keyword policies. Viruses Displays only event log items for actions performed on s that contained known viruses. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 133

143 Audit Trail Protection Administrator Guide Report Item Direction Type Timestamp From To Subject Details Action Additional Feature Description Designates whether event log items for inbound s or outbound s are displayed. Inbound Only Designates that only inbound s are display. Outbound Only Designates that only outbound s are displayed. Inbound & Outbound Designates that both inbound and outbound s are displayed. The type of policy that the filtered violated. The date, time, and time zone when the action was performed on the filtered . The address that sent this ( sender address ). The address to which this was sent ( recipient address ). The text that was in the subject header of this . The reason for the action (for example, if the contained a virus, the virus name is shown). The action that was applied to the . Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item. Audit Trail The Audit Trail report displays the audit log items for all actions performed by users of Report Managers or higher level roles within the Control Console for the designated domain and date range, including user names and configuration changes. 134 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

144 Inbound Server Connections The following table lists the report items in the report Report Item Timestamp column Domain column Details column Description The date, time, and time zone when the action was performed in the Control Console. The domain where the action was performed. A description of the action that was performed, including the role and user account of the user that performed the action. Inbound Server Connections The Inbound Server Connections report displays information about the connections made to the inbound servers (a.k.a. Customer MTAs) during processing. This report may be useful in determining down times or connection issues. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 135

145 Inbound Server Connections Protection Administrator Guide The following table lists the report items in the report. Report Item Display Volume Trends For Connection Volume Trends for All Servers Overall Failure Rate Total Successes Total Failures Server:Port Description Designate which inbound server(s) to display. All Servers Display information for all the inbound servers configured for the selected Domain. Inbound Server Display information about the selected inbound server only. The total number of successful and unsuccessful connections to the designated server(s). Green Indicates successful connections. Purple Indicates failed connection attempts. Optionally, select one of the graphic display type icons to change the appearance of the graph. The percentage of connection failures to the designated server(s). The total number of successful connections to the designated server(s). The total number of unsuccessful attempts to connect to the designated server(s). The server address and port being reported. 136 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

146 Disaster Recovery: Overview Report Item Failure Rate % Success Fail Description The percentage of connection failures to this server and port. The total number of successful connections to this server and port. The total number of unsuccessful attempts to connect to this server and port. Disaster Recovery: Overview The Disaster Recovery: Overview report displays information about s that were spooled and unspooled by the disaster recovery service, which can be either FailSafe or Continuity. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 137

147 Disaster Recovery: Event Log Protection Administrator Guide The following table lists the report items in the report. Report Item Disaster Recovery Trends Messages Disaster Recovery Summary - Messages Disaster Recovery Trends Bytes Disaster Recovery Summary Bytes Description The total number of spooled and unspooled s processed by the disaster recovery service over the designated time period. Optionally, select one of the graphic display type icons to change the appearance of the graph. The numbers of s processed by the disaster recovery service. Spooled Messages Indicates the number of s that were spooled, either automatically or manually. Unspooled Messages Indicates the number of s that were unspooled, either automatically or manually. The amount of spool storage used by spooled and unspooled s processed by the disaster recovery service over the designated time period. Optionally, select one of the graphic display type icons to change the appearance of the graph. Details of the file size of spooled and unspooled s processed by the disaster recovery service over the designated time period. Spooled Bytes Indicates the amount of spool storage used by spooled s. Unspooled Messages Indicates the amount of spool storage freed by unspooled s. Disaster Recovery: Event Log The Disaster Recovery: Event Log displays the event log items for actions performed within the disaster recovery service, which can be either FailSafe or Continuity. Actions include those performed automatically by Protection and those performed manually by the users. 138 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

148 Administer MSP Connector The following table lists the report items in the report. Report Item Timestamp Event Initiated By Description The date, time, and time zone when the action was performed in disaster recovery. The event log items for disaster recovery actions performed for the designated domain and date range. The responsible party that performed the disaster recovery action. If an action was manually performed, indicates the role and user account of the person who performed the action. Administer MSP Connector Managed Service Platform (MSP) Connector enables the delivery of traffic and threat data directly to your ConnectWise network performance dashboards. The MSP Connector will only push data from the previous calendar month to the ConnectWise dashboard. All data will be kept for two calendar months. For example, in July, customers would be able to view data from both May and June. Customers who also subscribe to the ConnectWise network automation services will be able to obtain a quick, at-a-glance view of their monthly Protection traffic and threat data directly through the ConnectWise dashboard, without having to log into the Control Console. To utilize the MSP Connector capabilities, you should: Configure your ConnectWise information on the Configuration window. Select the domains needed to push your data to ConnectWise. Enable Exception Notification if you wish to receive csv. files reporting data. Create a distribution list for your domains. NOTE: To utilize this functionality the user must have ConnectWise 7.2 and an MSP Integration Add-On. Configure the MSP Connection To configure the MSP connection to ConnectWise, perform the following steps: 1 Click Account Management Customers MSP Connector. The Configuration window is displayed. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 139

149 Administer MSP Connector Protection Administrator Guide 2 Check the box to enable the ConnectWise integration 3 Click the SSL: Enable to ensure your information is encrypted through Secure Socket Layer. NOTE: When SSL is disabled, a warning message displays. 4 In the Site field, type your ConnectWise access site. 5 In the Company ID field, type your ConnectWise Company ID. 6 In the Integrator Username field, type your ConnectWise Integrator Username. 7 In the Integrator Password field, type your Integrator Password for ConnectWise. Note: Click the Change Password button to update or change your Integrator Password information to match your Integrator Password to ConnectWise. 8 In the Time Zone drop-down menu, select the time zone on which to base the timestamp for the ConnectWise instances. 9 Click Test to make sure the connection works. 10 Click Save. 140 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

150 Administer MSP Connector Add Domains to the MSP Connection To assign the domain(s) for which should be sent to ConnectWise, perform the following steps: 1 Click Account Management Customers MSP Connector. 2 Click Domains. The Domains window is displayed. 3 To find one or a few domains out of a large number of domains, type the name of the domain you wish to find in the Filter field. 4 Click Filter. 5 In the Available Domains column, check all domains whose information is to be pushed to ConnectWise. 6 Click Add to move them to the Selected Domains column. Note: Clicking Add All selects all domains, even those not displayed due to pagination. Add All is disabled if there is an active filter for available domains. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 141

151 Administer MSP Connector Protection Administrator Guide Remove Domains from the MSP Connection To remove domains from the MSP connection, select the domain(s) you want to remove, and click Remove. Note: Clicking Remove All will remove the domains listed even those not displayed due to pagination. The Remove All button is disabled if there is an active filter for selected domains. Turn on Exception Notifications for the MSP Connection To assign the domain(s) for which should be sent to ConnectWise, perform the following steps: 1 Click Account Management Customers MSP Connector. 2 Click Notifications. 3 Click the Exceptions Notifications: Enable checkbox to turn on notifications. 142 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

152 Administer MSP Connector 4 From the Exception Notification Distribution drop-down menu, select the distribution list to receive an MSP Connector Exception report via . The Exception Report is a.csv file, sent out at approximately 12:00 A.M. MT, which includes all failures that occurred in the last 24 hours. Failures may include one of the following: Failed - authentication Failed - connection Failed - invalid Company ID Failed - invalid Solution Name Failed - rejected Failed - unknown 5 Click Save. The following figure displays an example of a MSP Connector Exception report View an MSP Connector Audit Report To assign the domain(s) for which should be sent to ConnectWise, perform the following steps: 1 Click Account Management Customers MSP Connector. 2 Click Audit Report. A list of Audit Reports is displayed. November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 143

153 Administer MSP Connector Protection Administrator Guide The Status column lists the status of attempts to pass data to ConnectWise. 3 Double-click a report to view the details of the report. The details of the audit reports are displayed. 144 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

154 Administer MSP Connector November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 145

155 Administer MSP Connector Protection Administrator Guide The following table lists the report items in the report Report Item Status Description The following table defines the possible reports status in the Audit Report and the suggested actions to correct the status. Completed - X domains succeeded Status Definitions Partially Completed - X of Y domains failed No action required. Suggested Actions Domains failed because they may not have been provisioned on the ConnectWise side. Failed - authenticatio n Failed - connection Failed - invalid Company ID Failed - invalid Solution Name Failed - rejected Failed - unknown Username, password, or site is invalid; check information on the ConnectWise side. ConnectWise server was moved ConnectWise server was offline ConnectWise network potentially down Company ID may have changed on the ConnectWise side Contact Support. Domains failed because they may not have been provisioned on the ConnectWise side. Contact Support Domain Spam removed Viruses Removed Account Messages The customer's domain. The total number of inbound messages detected as medium or high-likelihood spam for the previous calendar month. The total number of messages with known viruses (infected s) for the previous calendar month. The total number of messages successfully delivered to the receiving MTA for the previous calendar month. 146 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

156 Administer Performance Reports Report Item Total Messages Spam Removed Viruses Removed Account Messages Total Messages Description The total number of messages processed for the previous calendar month. Note: The sum of Spam Removed, Viruses Removed and Account Messages may not equal the Total Messages. The total number of inbound messages detected as medium or high-likelihood spam starting from the beginning of the current calendar year through the date the report was generated. The total number of messages with known viruses (infected s) starting from the beginning of the current calendar year through the date the report was generated. The total number of messages successfully delivered to the receiving MTA starting from the beginning of the current calendar year through the date the report was generated. The total number of messages processed starting from the beginning of the current calendar year through the date the report was generated Note: The sum of Spam Removed, Viruses Removed and Account Messages may not equal the Total Messages. Download an Audit Report You can download an Audit Report in the form of a.csv file by clicking Download. Administer Performance Reports Performance Reports are pdf files, delivered only via , that provide graphs and charts that visually present statistical information regarding your Protection. Your Performance Report information can be set to report weekly and/or monthly data. You may copy this statistical report for your company's use. Note: Performance Reports are also available for Web Protection Service. The report period for weekly reports is 12:00 a.m. Monday until 11:59 p.m. Sunday. The report period for monthly reports is the first day of the month at 12:00 a.m. until the last day of the month at 11:59 p.m. Some of the data within this report is subject to variables such as: Time zone settings Message delivery timing (may be briefly queued) Quarantine releases Reporting period November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 147

157 Administer Performance Reports Protection Administrator Guide To administer Performance Reports, perform the following steps: 1 If necessary, click Account Management Customers Distribution Lists to set up a distribution list to which you want to sent the reports. For more information, see the online Help or Create a Distribution List for Protection Status Messages and Performance Reports in Account Management Administrator Guide. 2 Click Account Management Customers Performance Reports. The Customer Performance Reports window is displayed. 3 From the Deliver To drop-down menu, select the distribution list containing the recipient(s) for the Performance Reports. 4 From the Time Zone drop-down menu, select the time zone for the Performance Reports. 5 Click either or both of the Frequency checkboxes to specify how often a report is sent and what data is included: Weekly The report is sent at the beginning of the week and shows data for the previous week, from Monday through Sunday. Monthly The report is sent at the beginning of the month and shows data for the previous month, from the first day through the last day of the month. 6 Click Save. Note: You can also click Send Now to immediately the Performance Report from the last reporting period to the distribution list. Performance Report Descriptions The following tables reflect either weekly or monthly reports depending on the customer s request. 148 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012