Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010


Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010

Implementation Guide

Symantec Information Foundation

Symantec Mail Security for Microsoft Exchange Implementation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version

Legal Notice

Copyright 2010 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections and DFARS Section

Symantec Corporation
350 Ellis Street
Mountain View CA USA

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Customers with a current maintenance agreement may access Technical Support information at the following URL: Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program

- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan:
- Europe, Middle-East, and Africa:
- North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

- Symantec Early Warning Solutions
  These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services
  These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services
  Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services
  Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange
  About Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010
  What's new in Mail Security
  Components of Mail Security
  How Mail Security works
  What you can do with Mail Security
  Manage your Exchange environment using policies
  Scan your Exchange server for risks and violations
  Protect against threats
  Keep your protection up-to-date
  Identify spam
  Filter undesirable message content and attachments
  Apply X-headers to messages for archiving
  Manage outbreaks
  Quarantine infected message bodies and attachments
  Monitor Mail Security events
  Generate reports
  Send notifications when a threat or violation is detected
  Manage single and multiple Exchange servers
  Where to get more information about Mail Security

Chapter 2 Installing Symantec Mail Security for Microsoft Exchange
  Before you install
  Software component locations
  About security and access permissions
  System requirements
  Server system requirements
  Console system requirements
  Installation options
  Installing Mail Security on a local server
  Installing the Mail Security console
  About installing Mail Security on remote servers
  Silently installing Mail Security using an automated installation tool
  About installing Mail Security in a Microsoft Cluster
  About installing Mail Security on a Veritas Cluster Server
  Post-installation tasks
  Implementing SSL communications
  Accessing the Mail Security console
  About using Mail Security with other antivirus products
  Setting scanning threads and number of scan processes
  Uninstalling Mail Security
  Removing the Mail Security resource instance from the Veritas Cluster Server

Chapter 3 Activating licenses
  About licensing
  How to activate a license
  If you do not have a serial number
  Obtaining a license file
  Installing license files
  If you want to renew a license

Chapter 4 Managing your Exchange servers
  About managing your Exchange servers
  Deploying settings and changes to a server or group
  How to manage servers and server groups
  Logging onto servers
  Configuring Symantec Mail Security for Exchange 2010 on DAG setup
  Modifying or viewing server or server group settings
  Viewing the status of a server
  Creating a user-defined server group
  Adding servers to a group
  Moving a server to another user-defined server group
  Synchronizing group settings to a server
  Restoring default settings to a server or group
  Removing a server from group management
  Removing a server group
  Exporting and importing settings
  Modifying the port and communication properties of a server

Chapter 5 Quarantining messages and attachments
  About the quarantine
  Forwarding quarantined items to the Quarantine Server
  Establishing local quarantine thresholds
  Viewing the contents of the local quarantine
  How to release messages from the local quarantine
  Releasing messages from the local quarantine by
  Releasing messages from the local quarantine to a file
  Deleting items from the local quarantine

Chapter 6 Protecting your server from risks
  About protecting your server from risks
  How Mail Security detects risks
  Configuring threat detection
  Configuring security risk detection
  Configuring file scanning limits
  Configuring rules to address unscannable and encrypted files

Chapter 7 Identifying spam
  About spam detection
  How Mail Security detects and processes spam
  Configuring whitelists
  How to detect spam using Symantec Premium AntiSpam
  About registering Symantec Premium AntiSpam through an ISA server
  Configuring your proxy server to download spam definition updates
  Configuring Symantec Premium AntiSpam to detect spam

Chapter 8 Filtering content
  About filtering content
  About default content filtering rules
  About creating a content filtering rule
  Configuring the conditions of a content filtering rule
  Specifying the users and groups to which the rule applies
  Specifying who to notify if a content filtering rule is violated
  Configuring rule actions
  What you can do with content filtering rules
  Enabling or disabling content filtering for auto-protect scanning
  Prioritizing content filtering rules
  Deleting a content filtering rule
  Specifying inbound SMTP domains
  Refreshing the Active Directory group cache
  How to enforce attachment policies
  Blocking attachments by file name
  Configuring multimedia file detection
  Configuring executable file detection
  Managing match lists
  About DOS wildcard style expressions
  About regular expressions

Chapter 9 Scanning your Exchange servers for threats and violations
  About the types of scanning that you can perform
  How Mail Security scans messages on Exchange Server 2007/2010 roles
  How Mail Security offloads Mailbox server scanning for Exchange Server 2007/
  How Mail Security optimizes scanning performance for Exchange Server 2007/
  Configuring auto-protect scanning
  Configuring background scanning
  Configuring advanced scanning options for auto-protect and background scanning
  About manual scans
  Configuring the manual scan parameters
  Performing a manual scan
  Stopping a manual scan
  Viewing manual scan results
  About scheduling a scan
  Creating a scheduled scan
  Editing a scheduled scan
  Configuring scheduled scan options
  Enabling a scheduled scan
  Deleting a scheduled scan
  Configuring notification settings for scan violations

Chapter 10 Managing outbreaks
  About outbreak management
  About the criteria that defines an outbreak
  About outbreak triggers
  Best practices for managing outbreak conditions
  Enabling outbreak management
  Configuring outbreak triggers
  Configuring outbreak notifications
  Clearing outbreak notifications

Chapter 11 Logging events and generating reports
  About logging events
  Viewing the Mail Security Event log
  Specifying the duration for storing data in the Reports database
  Purging the Reports database
  About logging performance counters to the MMC Performance console
  About report templates
  About report output formats
  Creating or modifying a Summary report template
  Creating or modifying a Detailed report template
  Deleting a report template
  What you can do with reports
  Configuring the initial set up of the report consolidation feature
  Generating a consolidated report
  Generating a report on demand
  Accessing a report
  Printing a report
  Saving report data
  Deleting a report
  Resetting statistics

Chapter 12 Keeping your product up to date
  Monitoring your version support status
  About keeping your server protected
  About setting up your own LiveUpdate server
  Configuring a proxy server to permit LiveUpdate definitions
  How to update definitions
  Updating definitions on demand
  Scheduling definition updates
  About enhancing performance when updating definitions
  Distributing definitions to multiple servers

Appendix A Using variables to customize alerts and notifications
  About alert and notification variables

Appendix B Troubleshooting
  Why a file triggers the Unscannable File Rule
  Reducing the incidence of malformed MIME false positives
  Common error messages
  Resolving installation issues

Index

Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:

- About Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010
- What's new in Mail Security
- Components of Mail Security
- How Mail Security works
- What you can do with Mail Security
- Where to get more information about Mail Security

About Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010

Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010 (Mail Security), a member of the Symantec Information Foundation product family, is a complete, customizable, and scalable solution that scans e-mail that passes through or resides on the Microsoft Exchange server.

Mail Security protects your Exchange server from the following:

- Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)
- Security risks (such as adware and spyware)

- Unwanted content
- Unwanted file attachments
- Unsolicited messages (spam)

Mail Security also lets you manage the protection of one or more Exchange servers from a single console.

See What you can do with Mail Security on page 19.

The Exchange environment is only one avenue by which a threat or security risk can penetrate a network. For complete protection, ensure that every computer and workstation is protected by an antivirus solution.

See About using Mail Security with other antivirus products on page 63.

What's new in Mail Security

Table 1-1 lists the new and the enhanced features in Mail Security.

Table 1-1 New and enhanced features

Feature: Support for Exchange Server 2010
Description: Mail Security supports Exchange Server 2010 on the following roles:
- Edge Transport
- Hub Transport
- Mailbox

Feature: Addition of a Global Group for Exchange Server 2010
Description: Global Group consists of all the servers that are managed through the Mail Security console. When you configure and apply Global Group settings, the changes are propagated to all the servers in all the groups. Changes that are made at the Global Group level overwrite the group settings of all individual and user-defined servers.

Table 1-1 New and enhanced features (continued)

Feature: Support for manual and scheduled scan for Exchange 2010
Description: Manual scans run on-demand and scan public folders and mailboxes. Scheduled scans run unattended, usually at off-peak periods. All policies apply to manual and to scheduled scans, except antispam. You can specify which file folders and mailboxes to scan during a manual or scheduled scan. You can also specify the content filtering rules that you want to enable for the manual or scheduled scan.

Feature: Support for filtering contents in Exchange 2010
Description: Mail Security provides comprehensive content filtering for messages and attachment content. It supports more than 300 attachment types. Mail Security lets you create the content filtering rules that apply to SMTP inbound and outbound mails and the Exchange Information Store. Content filtering rules let you filter messages for attachment names, attachment content, specific words, phrases, subject lines, and senders or recipients. Mail Security provides pre-cooked match lists and lets you define your own match lists. You can also set content filtering rules for attachment size.

Feature: Troubleshooting installation issues with common error dialog
Description: Web links are provided in the product installer that assist and guide you to troubleshoot the failures that are encountered during installation. These links provide more information about the failure or a similar failure and the resolution steps and recommendations.

Table 1-1 New and enhanced features (continued)

Feature: Performance improvements
Description:

Through Antispam processing

Mail Security 6.5 has a provision to reduce the processing time that is required for AntiSpam processing. The Fastpass feature conserves resources by providing a temporary exemption from spam scanning for senders with a demonstrated history of sending no spam messages. Thus senders with the best local reputation are exempted from spam scanning. Mail Security automatically collects local sender reputation data to support Fastpass determinations and regularly re-evaluates the senders that are granted a pass.

By turning off performance counters for logging

Mail Security 6.5 lets you configure performance counters for logging. By default, this counter is enabled. However, to improve Mail Security's scanning performance, these performance counters for logging can be turned off by adding the following registry key and setting its value to 1.

Registry key for 32-bit platform:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\TurnOffPerfCounters

Registry key for 64-bit platform:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Server\TurnOffPerfCounters

Restart the Mail Security service after setting this registry key.

Note: Mail Security 6.5 does not support Windows 2000 and Exchange Server 2000.

Components of Mail Security

Table 1-2 lists the components of Mail Security.

Table 1-2 Product components

Component: Symantec Mail Security for Microsoft Exchange
Description: This software protects your Exchange servers from threats (such as viruses and denial-of-service attacks) and security risks (such as adware and spyware). It also detects spam messages and unwanted attachments.
Location on the product CD: \SMSMSE\Install\

Component: LiveUpdate Administration Utility
Description: This utility lets you configure one or more intranet FTP, HTTP, or LAN servers to act as internal LiveUpdate servers. LiveUpdate lets Symantec products download program and definition file updates directly from Symantec or from a LiveUpdate server. For more information, see the LiveUpdate Administrator documentation on the Mail Security product CD in the following location: \DOCS\LUA\
Location on the product CD: \ADMTOOLS\LUA\

Table 1-2 Product components (continued)

Component: Symantec Central Quarantine
Description: This utility lets Mail Security forward infected messages and messages that contain certain types of violations from the local quarantine to the Central Quarantine, which acts as a central repository. For more information, see the Symantec Central Quarantine Administrator's Guide on the Mail Security product CD in the following location: \DOCS\DIS\CentQuar.pdf
Location on the product CD: \ADMTOOLS\DIS

Component: Mail Security for Microsoft Exchange Management Pack
Description: This component lets you integrate Symantec Mail Security for Microsoft Exchange events with Microsoft Operations Manager 2005 (MOM). Pre-configured Computer Groups, Rule Groups, and Providers are automatically created when you import the management pack. These rules monitor specific Symantec Mail Security for Microsoft Exchange events in the Windows Event Log and the Windows Performance Monitor. For more information, see the Symantec Mail Security for Microsoft Exchange Management Pack.
Location on the product CD: \ADMTOOLS\Mgmt_Pack

How Mail Security works

Mail Security can scan messages and their attachments to detect the following:

- Risks
  Risks are comprised of threats and security risks.
  - Threats
    Threats include viruses, worms, and Trojan horses.
    See Configuring threat detection on page 101.
  - Security risks
    Security risks include adware, spyware, and malware.
    See Configuring security risk detection on page 104.
- Spam
  See About spam detection on page
- attachment violations
- Content filtering rule violations
  See About filtering content on page 127.

Mail Security takes the actions that you specify in the respective policies when a violation is detected.

See Manage your Exchange environment using policies on page 20.

Mail Security contains a decomposer that extracts container files so that they can be scanned. The decomposer continues to extract container files until it reaches the base file or until it reaches its extraction limit. If the decomposer reaches the set limit before the base file is reached, the scanning process stops. Mail Security then logs the violation to the specified logging destinations, and the file is handled according to the Unscannable File Rule.

See Configuring rules to address unscannable and encrypted files on page 108.

What you can do with Mail Security

Mail Security lets you do the following:

- Manage your Exchange environment using policies
- Scan your Exchange server for risks and violations
- Protect against threats
- Keep your protection up-to-date
- Identify spam
- Filter undesirable message content and attachments
- Apply X-headers to messages for archiving
- Manage outbreaks
- Quarantine infected message bodies and attachments
- Monitor Mail Security events
- Generate reports
- Send notifications when a threat or violation is detected
- Manage single and multiple Exchange servers

Manage your Exchange environment using policies

Mail Security scans messages and their attachments for violations to policies. A policy is a set of rules designed to detect potential risks to your Microsoft Exchange mail system.

Mail Security contains the following policies:

- General
  Contains rules controlling scanning limits, exceptions, and outbreak management
- Antivirus
  Contains rules for detecting threats in messages and attachments with viruses, virus-like characteristics, or security risks, such as adware or spyware
- Antispam
  Contains rules for the following:
  - Detecting spam
  - Allowing specified senders to bypass antispam scanning
  - Specifying recipients whose messages are not scanned for spam
- Content Enforcement
  Contains rules for filtering inappropriate content in message bodies and attachments. Also contains file filtering rules and match lists that let you detect and block messages by file name and file type.

Scan your Exchange server for risks and violations

You can keep your server protected by performing any of the following types of scans:

- Auto-protect scans
  When enabled, auto-protect scanning runs constantly and detects threats and violations in real-time. Auto-protect scanning applies to all policies, except antispam detection. Antispam scanning occurs continuously, in real-time as traffic flows through your Exchange server. Auto-protect scans apply to everything on the Exchange server (that is, items in all public folders and mailboxes and messages that are routed by Microsoft Exchange).
  See Configuring auto-protect scanning on page 178.
- Manual scans
  Manual scans run on-demand and scan public folders and mailboxes. All policies apply to manual scans, except antispam. Antispam scanning occurs continuously, in real-time as traffic flows through your Exchange server. You can specify which file folders and mailboxes to scan during a manual scan. You can also specify the content filtering rules that you want to enable for the manual scan.
  See About manual scans on page 182.
- Scheduled scans
  Scheduled scans run unattended, usually at off-peak periods. All policies apply to scheduled scans, except antispam. Antispam scanning occurs continuously, in real-time as traffic flows through your Exchange server. You can specify which file folders and mailboxes to scan during a scheduled scan. You can also specify the content filtering rules that you want to enable for the scheduled scan.
  See About scheduling a scan on page 186.
- Background scanning
  Background scanning is a scan of the message store. You can perform background scanning during off-peak periods to enhance performance.
  See Configuring background scanning on page 178.

Protect against threats

When Mail Security detects a security risk or a violation during a scan, it takes the action that you specify for that policy. For example, when a threat is detected, Mail Security takes the action that you specify in the Antivirus Settings policy.

See About the types of scanning that you can perform on page 171.

Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new risks. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains information to detect and eliminate the threat. When Mail Security scans for threats, it searches for these signatures. Definition files are downloaded using LiveUpdate or Rapid Release.

See About keeping your server protected on page 228.

Mail Security also uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments.

See Configuring threat detection on page 101.

Keep your protection up-to-date

Mail Security relies on up-to-date information to detect and eliminate risks. One of the most common reasons computers are vulnerable to attacks is that definition files are out-of-date. Symantec regularly supplies updated definition files.

Using LiveUpdate, Mail Security connects to a Symantec server over the Internet and automatically determines if definitions need to be updated. If they do, the definition files are downloaded to the proper location and installed. If you need a quicker response for emerging threats, you can enable Rapid Release to get the most current definitions that are available.

If your organization has both front-end and back-end Exchange servers, you might want to consider using Rapid Release definitions on the front-end for the fastest response to new threats and certified LiveUpdate definitions on the back-end mailbox servers.

See About keeping your server protected on page 228.

See About using Mail Security with other antivirus products on page 63.

You must have a valid license to update definitions.

See About licensing on page 67.

Identify spam

Spam is unsolicited bulk e-mail, which most often advertises messages for a product or service. It wastes productivity, time, and network bandwidth.

Symantec Premium AntiSpam provides continuous updates to the premium antispam filters to ensure that your Exchange server has the most current spam detection filters that are available.

See How to detect spam using Symantec Premium AntiSpam on page 114.

See Configuring whitelists on page 113.

You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium AntiSpam.

See About licensing on page 67.

Filter undesirable message content and attachments

Mail Security lets you filter undesirable content using the following features:

- Content filtering rules
  Mail Security lets you create content filtering rules that apply to SMTP inbound and SMTP outbound mail and the Exchange information store. Content filtering rules let you filter messages for attachment names, attachment content, specific words, phrases, subject lines, and senders. Mail Security takes the action that you specify in the rule when it detects a violation.
  See What you can do with content filtering rules on page 149.
- File filtering rules
  Mail Security lets you use file filtering rules to filter messages based on attached file names or file types, such as multimedia or executable files. Mail Security uses file filtering rules to enforce attachment policies. Mail Security provides the following pre-defined file filtering rules: File Name Rule, Multimedia File Rule, and Executable File Rule. These rules let you block attachments by file name and type. You can customize the File Name Rule by associating it with a match list to block attachments with specific names included in the match list. Mail Security handles file filtering violations according to the action that you configure for the rule. Mail Security can notify administrator and senders (internal and external) of file filtering violations. You can customize the notification message.
  See How to enforce attachment policies on page 153.

- Match lists
  Mail Security uses match lists to filter messages and attachments for specific words, terms, and phrases. In order to implement a match list, you must associate it with a content or file filtering rule. When the rule is applied to scan messages, it also scans for the terms in the match list. Mail Security provides pre-configured match lists for use with the File Name Rule or with content filtering rules. You can create new match lists and delete or edit words in an existing match list. Match lists support literal strings, DOS wildcard-style expressions, or regular expressions.
  See About regular expressions on page 166.
  See About DOS wildcard style expressions on page 165.
  See Managing match lists on page 162.
  You can also use match lists to help manage outbreaks.
  See About outbreak management on page 195.

Apply X-headers to messages for archiving

Mail Security lets you apply X-headers to messages that contain content filtering rule violations or are spam or suspected spam. The X-headers can be used by Symantec Enterprise Vault to search for and retrieve messages that are archived in the vault. Enterprise Vault is a data warehouse that provides secure, centralized archiving and retrieval of information.

Note: X-headers can only be applied to SMTP transported messages. X-headers cannot be applied to messages that are scanned in the message store.

Mail Security provides default X-headers that are commonly used by Enterprise Vault. You can modify the default X-headers, or you can create your own. You can apply up to 25 X-headers for a single violation.

When a message triggers one or more violations and the disposition for any of the violations is to delete the message, no X-headers are applied. For example, a message is identified as spam, and the disposition is to reject the message. No X-header is applied to the message.
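The X-header rules in this section (SMTP only, at most 25 per violation, none when any disposition removes the message) combine with the multiple-violation handling that Table 1-3 sets out. The Python model below is an added example, not Symantec's code, that applies those rules to content filtering violations; the Violation type, the disposition labels, the rule names and the X-header names are all constructed for illustration.

```python
from dataclasses import dataclass
from email.message import EmailMessage

MAX_XHEADERS_PER_VIOLATION = 25  # the guide's cap for a single violation
MESSAGE_PARTS = ("body", "subject", "sender",
                 "attachment_name", "attachment_content")
# Constructed labels for dispositions that remove the whole message.
REMOVES_MESSAGE = {"delete_message", "reject_message"}


@dataclass(frozen=True)
class Violation:
    rule: str          # rule that fired (constructed names below)
    part: str          # message part the rule matched
    disposition: str   # action configured for that rule
    xheaders: tuple    # ((name, value), ...) configured for that rule


def select_xheaders(violations, transport="smtp"):
    """Return the (name, value) pairs to apply, in the order rules fired."""
    # X-headers apply only to SMTP-transported mail, not message-store scans.
    if transport != "smtp":
        return []
    for v in violations:
        if v.part not in MESSAGE_PARTS:
            raise ValueError(f"unknown message part: {v.part}")
        if len(v.xheaders) > MAX_XHEADERS_PER_VIOLATION:
            raise ValueError(f"{v.rule}: more than 25 X-headers configured")
    # A single message-removing disposition suppresses every X-header.
    if any(v.disposition in REMOVES_MESSAGE for v in violations):
        return []
    # Same message part: only the first rule triggered contributes headers.
    # Different parts: each part's first rule contributes its own headers.
    first_by_part = {}
    for v in violations:
        first_by_part.setdefault(v.part, v)
    return [h for v in first_by_part.values() for h in v.xheaders]


def stamp(msg, violations, transport="smtp"):
    """Add the selected X-headers to an EmailMessage and return it."""
    for name, value in select_xheaders(violations, transport):
        if not name.lower().startswith("x-"):
            raise ValueError(f"not an X-header: {name}")
        msg[name] = value
    return msg


def demo():
    """Constructed message with three violations across two parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    violations = [
        Violation("BodyRule", "body", "log_only",
                  (("X-Example-Body-Rule", "matched"),)),
        # Deleting only the attachment still leaves the message stamped.
        Violation("AttachA", "attachment_content", "delete_attachment",
                  (("X-Example-Attach-A", "matched"),)),
        # Second rule on the same part: its headers are not applied.
        Violation("AttachB", "attachment_content", "log_only",
                  (("X-Example-Attach-B", "matched"),)),
    ]
    return stamp(msg, violations)


if __name__ == "__main__":
    print(demo())
```

Spam and suspected-spam verdicts, which the guide also lists as X-header triggers, are outside this model.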

Table 1-3 describes how Mail Security handles multiple content filtering violations based on where the violations occur within the message.

Table 1-3 How X-headers are applied for multiple violations

Scenario: Multiple violations in different parts of a message
Which X-headers are applied: Mail Security applies X-headers for each rule that is violated for each message part. Message parts include:
- Message body
- Subject
- Sender
- Attachment name
- Attachment content
Examples: A single message violates a content filtering rule for message body and a separate content filtering rule for subject. Mail Security applies the X-headers that you specify for the message body rule and the X-headers that you specify for the subject rule. In this example, the message can have up to 50 X-headers applied to it (up to 25 X-headers for the message body violation and up to 25 X-headers for the subject violation).

Scenario: Multiple violations for the same message part
Which X-headers are applied: When a message triggers multiple violations for the same message part, Mail Security applies only the X-headers that you specify for the first rule that is triggered.
Examples: A message triggers violations for two different attachment content rules. Mail Security only applies the X-headers for the first rule that was violated.
Note: X-headers are applied to the message even when the disposition is to delete the attachment but not the message body.

See Processing spam messages on page 118.
See About creating a content filtering rule on page 129.

Manage outbreaks

An outbreak occurs when the number of threats to the Microsoft Exchange system that are detected over a period of time exceeds a specified limit. Mail Security lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications when an outbreak is detected. You can also select an action to take when an outbreak is detected, such as the following:
- Delete the entire message
- Delete the attachment or message body
- Quarantine the attachment or message body
- Log the event
- Add Tag to the beginning of the subject line

You can set rules to define an outbreak based on an event. For example, the same threat occurs a specified number of times within a specified time period. You can also configure Mail Security to send notifications and alerts in the case of an outbreak.

See About outbreak management on page 195.

Quarantine infected message bodies and attachments

Mail Security for Microsoft Exchange includes a local quarantine that can store infected message bodies and attachments that are detected during scans. You can configure Mail Security to quarantine threats and security risks, and file filtering violations in the local quarantine.

Quarantined items that contain threats can be forwarded to the Symantec Central Quarantine, if it is installed. The Symantec Central Quarantine program is available on the Mail Security product CD.

See About the quarantine on page 89.

Monitor Mail Security events

Mail Security logs events to the Windows Application Event Log. You can view events that are logged to the Windows Application Event Log from the console.

See Viewing the Mail Security Event log on page 204.

Mail Security logs extensive report data on threats, security risks, violations, spam, and server information to the reports database. You can use this data to generate summary or detailed reports based on different subsets of the data.

See About logging events on page 203.
See Creating or modifying a Summary report template on page 210.
See Creating or modifying a Detailed report template on page 215.

Generate reports

Mail Security collects and saves scan data on your Exchange servers. You can create reports from the data, which gives you a history of risk detection activity and filtering violations. You can create a report for an individual server, or you can create a single Summary report that consolidates data for all of the servers in a server group.

See Configuring the initial set up of the report consolidation feature on page 219.

Report templates let you define a subset of the raw report data that is collected by Mail Security for a single server. Report templates can include different categories or combinations of security-related statistics. You can create different report templates to describe different subsets of the raw report data. After you create a report template, you use it to generate reports.

Mail Security provides two pre-configured report templates that you can modify. You can also create your own report templates. When you create or modify a report template, Mail Security provides a wizard to guide you through the configuration process.

The types of report templates that you can create are as follows:
- Summary: See Creating or modifying a Summary report template on page 210.
- Detailed: See Creating or modifying a Detailed report template on page 215.

Send notifications when a threat or violation is detected

Mail Security provides several options for notifying administrators, internal senders, and recipients of threats and violations. Mail Security lets you define the conditions in which to send an alert. You can also customize the alert message text for each alert condition that you define.

See Configuring rules to address unscannable and encrypted files on page 108.
See Configuring threat detection on page 101.
See Configuring notification settings for scan violations on page 192.

Manage single and multiple Exchange servers

Mail Security can protect one or more Exchange servers. If your organization has multiple Exchange servers, you can manage all of the servers from the same console that you use to manage a single server. By switching between server view and group view, you can manage the configuration settings for individual servers, a logical grouping of servers (such as all front-end servers), or all servers in a specific location.

See About managing your Exchange servers on page 73.

Where to get more information about Mail Security

Mail Security includes a comprehensive help system that contains conceptual, procedural, and context-sensitive information.

Press F1 to access information about the page on which you are working. If you want more information about features that are associated with the page, select a More Information link in the Help page, or use the Table of Contents, Index, or Search tabs in the Help viewer to locate a topic.

You can visit the Symantec Web site for more information about your product; the following online resources are available:
- Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions
- Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration
  /licensing/els/help/en/help.html
- Provides product news and updates
- Provides access to the Threat Explorer, which contains information about all known threats

Chapter 2 Installing Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:
- Before you install
- System requirements
- Installation options
- Post-installation tasks
- Uninstalling Mail Security

Before you install

Ensure that you meet all system requirements before you install Mail Security. Select the installation plan that best matches your organization's needs, and ensure that you have met the pre-installation requirements.

See System requirements on page 34.
See Installation options on page 36.
See Uninstalling Mail Security on page 65.

Install Mail Security on all of the following server roles in your organization:
- Edge Transport servers, if available
- Hub Transport servers
- Mailbox servers

You must uninstall and reinstall the product if you change the server role on which Mail Security is installed.

Mail Security automatically installs custom transport agents when you install the product on Hub Transport or Edge Transport servers. The Mail Security transport agents consist of an antispam transport agent and an antivirus transport agent. By default, the Mail Security transport agents are installed with a lower priority than the Exchange transport agents. If you modify your transport agent priorities, ensure that the Mail Security transport agents remain a lower priority than the Exchange transport agents.

Do the following before you install the product:
- If you are running Symantec Brightmail AntiSpam on the same server on which you want to install Mail Security, you must uninstall Symantec Brightmail AntiSpam before you install Mail Security. It is recommended that you not run Mail Security on the same server as Symantec Brightmail AntiSpam.
- If you are using the tools feature of Symantec AntiVirus Corporate Edition, you must uninstall the feature before you install Mail Security. The tools feature of Symantec AntiVirus is not compatible with Mail Security or Microsoft Exchange.
- If you are running any antivirus software that is on the server on which you want to install Mail Security, you must disable it before you install Mail Security. After installation but before you re-enable the antivirus protection, configure your other antivirus programs to exclude certain folders from scanning.
  See About using Mail Security with other antivirus products on page 63.
- Log on as a Windows domain administrator to install Mail Security components correctly.
  See Software component locations on page 31.
- Modify your screen resolution to a minimum of 1024 x 768. Mail Security does not support a resolution less than 1024 x 768.
- Configure the default receive connector for the Exchange Hub Transport server to permit connections from anonymous users.
- Before you install Mail Security on Exchange 2010 mailbox role, you must specify a domain user account. The domain user account must fulfill the following criteria.
  Mail Security uses the domain user account as a service account and this account must have a mailbox.
  The user must be a member of Organization Management group under the Microsoft Exchange Security Groups Organizational Unit.

  By default, Organization Management group is a member of the local Administrators group on all the Exchange servers in the organization. If not, then add the user to the local Administrators group.
  You may use a different user account for installations of Mail Security on other Exchange 2010 mailbox servers within that domain for better performance.
  When the user updates the password, the same password must be provided to the Mail Security Service on all Exchange 2010 mailbox role servers.

Note: While installing Mail Security on local Exchange 2010 Mailbox server, in the Logon Information screen, specify the domain user credentials in the User name and Password fields. Mail Security provides this user account Application Impersonation and Logon as service rights.

Ensure that the following IIS Role Service components are installed when you install Mail Security on Windows Server 2008 for Exchange 2010 and 2007 servers. This installation is applicable for both remote installation and local installation.
- Application Development - ASP.NET
- Security - Windows Authentication
- Management Tools - IIS management console, IIS 6 Scripting Tools

Software component locations

Table 2-1 lists the default locations in which Mail Security installs software components.

Table 2-1 Software component locations

Component: Mail Security program files
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server

Component: Quarantined items in encrypted format
Note: Configure all antivirus file system scanners to exclude the quarantine directory from scanning. The system scanners might try to scan and delete Mail Security files that are placed in the quarantine directory.
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Quarantine

Component: Reporting data
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Reports

Component: Data files for reports that are generated
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Reports\<report name>

Component: Report templates
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Reports\Templates

Component: Match list files
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\MatchLists

Component: Allowed senders files and Symantec Premium AntiSpam configuration files
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\SpamPrevention

Component: Location where Mail Security scans items
Note: Configure all antivirus products that scan files to exclude the Temp directory from scanning. The system scanners might try to scan and delete Mail Security files that are placed in the Temp directory during the scanning process.
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Temp

Component: Dynamic-link libraries for Symantec Premium AntiSpam
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\bin

Component: Manual and scheduled scan mailbox configuration data
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Config

Component: Configuration files for allowed and blocked senders for Symantec Premium AntiSpam
Location: C:\Program Files (x86)\symantec\SMSMSE\6.5\Server\etc

Component: Component logs for Symantec Premium AntiSpam
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\logs

Component: Statistical information on the effectiveness of Symantec Premium AntiSpam rules
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\stats

Component: Console files
Location: C:\Program Files (x86)\Symantec\CMaF\2.1

Component: Component to update virus definitions
Location: C:\Program Files (x86)\Symantec\LiveUpdate

Component: Definitions
Location: Windows Server 2003 (x64) - C:\Program Files (x86)\common Files\Symantec Shared\SymcData\virusdefs32

Component: License files
Location: C:\ProgramData\Symantec Shared\Licenses
This license file location only applies to Windows Server
C:\Program Files (x86)\Common Files\Symantec Shared\Licenses

Component: Verity content extraction component
Location: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Verity\bin

Component: Mail Security Web service components
Location: C:\Program Files (x86)\symantec\cmaf\2.1\bin

Component: Content filtering rules
Location: C:\Program Files (x86)\symantec\SMSMSE\6.5\Server\Policies

Component: Scan job configuration
Location: C:\Program Files (x86)\symantec\SMSMSE\6.5\Server\ScanJobs

About security and access permissions

Mail Security automatically creates the following user groups and assigns them access when you install the product:

SMSMSE Admins
Permits read and write access to all Mail Security components and features. Users in this group can change settings for Mail Security through the console. The user who installs Mail Security is automatically added to the SMSMSE Admins group.

SMSMSE Viewers
Permits read-only access to Mail Security components and features. Users in this group cannot change settings for Mail Security. Users can view reports, event logs, and settings through console-only installations.
See Installing the Mail Security console on page 41.

The user groups are domain-wide for Active Directory. You can use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to change membership in the groups.

Users must be designated in one of the SMSMSE user groups to access the product. For example, administrators who are not in one of the SMSMSE user groups are not granted access to Mail Security. Adding a user to the SMSMSE Admins group does not automatically grant the user Windows Local Administrator, Windows Domain Administrator, or Exchange administrator rights.

Security is also set for the Mail Security registry key and file folders during the security set-up process. You must have administrator access to the local servers and domain administrator rights for the security set-up to proceed.

System requirements

Ensure that you meet the appropriate system requirements for the type of installation that you are performing.

See Installation options on page 36.

Server system requirements

You must have domain administrator-level privileges to install Mail Security.

The server system requirements are as follows:

Operating system
The operating system requirements for Microsoft Exchange 2010 are as follows:
- Windows Server 2008 with SP2 (64-bit) Standard or Enterprise Edition
- Windows Server 2008 R2 (64-bit) Standard or Enterprise Edition
The operating system requirements for Microsoft Exchange 2007 are as follows:
- Windows Server 2008 with SP1 or later (64-bit) Standard or Enterprise Edition
- Windows Server 2003 with SP2 (64-bit) Standard or Enterprise Edition
- Windows Server 2003 R2 (64-bit) Standard or Enterprise Edition

Exchange platform
- Exchange Server 2007 SP1/SP2
- Exchange Server 2010

Minimum system requirements
- x64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
- x64 architecture-based computer with AMD 64-bit processor that supports AMD64 platform
- Only for Exchange 2007 Mailbox server role, Exchange Server MAPI client and Collaboration Data Objects
- GB of memory for Mail Security besides the minimum requirements for the operating system and Exchange. Approximately 4GB or more of memory is required.
- 500-MB disk space is required for Mail Security. This space does not include disk space required for items such as quarantined messages and attachments, reports, and log data.
- .NET Framework version 2.0
- MDAC 2.8 or higher
- DirectX 9 or higher
- Microsoft Internet Information Services (IIS) Manager
- Only for Exchange Server 2010, Microsoft .NET Framework 3.5 and Microsoft Windows PowerShell 2.0

Ensure that the components .NET Framework, MDAC, and DirectX are installed before you install Mail Security.

Adobe Acrobat Reader is not a requirement to install and run Mail Security. However, it is required to view the reports that are generated in .pdf format. You can download Adobe Acrobat Reader from

See Installing Mail Security on a local server on page 37.
See Silently installing Mail Security using an automated installation tool on page 47.

See About installing Mail Security on remote servers on page 43.
See About installing Mail Security in a Microsoft Cluster on page 48.

Console system requirements

You can install the Mail Security console on a computer on which Mail Security is not installed.

The console system requirements are as follows:

Operating system
- Windows Server 2003/R2/SP2
- Windows XP
- Windows Vista
- Windows Server 2008/R2/SP2 Standard and Enterprise Edition
- Windows 7

Minimum system requirements
- 512 MB RAM
- 162 MB available disk space. This does not include the space required for items such as quarantined messages and attachments, reports, and log data.
- .NET Framework version 2.0
- Microsoft Internet Information Services (IIS) Manager

Ensure that .NET Framework is installed before you install Mail Security.

Adobe Acrobat Reader is not a requirement to install and run the Mail Security Console. However, it is required to view the reports that are generated in .pdf format. You can download Adobe Acrobat Reader from

See Installing the Mail Security console on page 41.

Installation options

Use any of the following installation procedures, depending on the type of installation that you want to perform:

Local server
You can install or upgrade Mail Security on a local computer that is running the Microsoft Exchange server.
See Installing Mail Security on a local server on page 37.

Remote server
You can install Mail Security on remote servers through the product console.
See About installing Mail Security on remote servers on page 43.

Console
You can install the product console on a computer that is not running Mail Security. This lets you manage your servers from any computer that has access to your Exchange servers.
See Installing the Mail Security console on page 41.

Silent/automated installation
You can install Mail Security using automated installation tools.
See Silently installing Mail Security using an automated installation tool on page 47.

Microsoft cluster server
You can install Mail Security in a Microsoft Cluster environment.
See About installing Mail Security in a Microsoft Cluster on page 48.

Veritas cluster server
You can install Mail Security in a Veritas cluster environment.
See About installing Mail Security on a Veritas Cluster Server on page 53.

Installing Mail Security on a local server

Ensure that you have met the system requirements before you begin the installation process.

See System requirements on page 34.

Note: Symantec automatically installs MSXML 6.0 during installation if the installer does not detect this component.

You must be logged on as a member of the administrator group on the local computer and have domain administrator privileges on the computer on which you want to install Mail Security. Computers must support 8dot3 formatted filenames for all NTFS file systems.

To install Mail Security on a local server, do the following:

Begin the installation process
You can use the installation wizard to guide you through the installation process of selecting the product installation folder location and the type of installation that you want to perform. You can choose to retain your existing settings or use the new default settings if you are upgrading from a prior version of Mail Security.
When Mail Security detects a prior version of the product, it automatically uninstalls the prior version and then installs the new version.

Configure additional setup options and confirm settings
You can specify if you want to automatically restart the Exchange Transport Service after installation, specify the Web service set-up values, designate a notification address and SMTP server address, and review your setup configurations.

Install your licenses
You can install your licenses during installation.
See About licensing on page 67.
If you install a valid license, Mail Security lets you perform a LiveUpdate to obtain the most current definitions.
See About keeping your server protected on page 228.

To begin the installation process

1 Insert the Mail Security product CD in the CD-ROM drive. The installation program launches automatically. If it does not, run cdstart.exe from the product CD.
2 Click Install Symantec Mail Security for Microsoft Exchange.
3 In the InstallShield welcome panel, click Next.
4 Click Next until you reach the License Agreement panel.
5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. You must accept the terms of the license agreement for the installation to continue.

6 In the Existing Settings panel, select one of the following:
  Retain existing settings: Retains the existing settings that are supported for migration to the new version. This is the default setting.
  Install with default settings: Installs the product with the default settings, as if you were installing Mail Security for the first time.
  This panel only appears if you are upgrading from a prior version of Mail Security.
7 In the Destination Folder panel, do one of the following:
  - To install the product in the default location, click Next. The default directory is as follows: C:\Program Files (x86)\symantec\
  - To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.
  Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam, you cannot install the product to a directory whose name contains high ASCII characters.
8 In the Setup Type panel, click Complete, and then click Next.
9 In the Symantec AntiVirus Corporate Edition Users warning dialog box, click OK.

To configure additional setup options

1 In the Exchange Transport Service Reset Options panel, click Next to accept the default setting to automatically restart the Exchange Transport Service after installation. If you choose not to automatically restart the Exchange Transport Service after installation, you must do so manually. Otherwise, Mail Security will not function properly.
2 In the Web Service Setup panel, do one of the following:
  - Click Next to accept the default values.
  - Modify the following settings, and then click Next:

    IP/Name: By default, the computer name resolves to the primary external network interface card (NIC). You can also use an IP address. The IP address validates the availability of the port.
    Port #: By default, port 8081 is the port number for the Web service that is used by Mail Security. A different default port number appears if port 8081 is being used by another application. Use a port number that is not used by another application if you change the port number. You should not use port 80. Port 80 is the port number that is used by the default Web service, which is hosted by IIS.
3 In the Notification Address panel, do one of the following to specify the address from which notifications are sent and to which notifications to the administrator are sent:
  - Click Next to accept the default value. The default value is: Administrator
  - Modify the originator address, and then click Next.
  The Edge Transport server does not have access to Active Directory, so abbreviated addresses cannot be resolved. If you are installing Mail Security on the Edge Transport server role, type a fully qualified address (for example, user@mycompany.com).
  You can modify the address after installation is complete.
  See Configuring notification settings for scan violations on page
4 In the SMTP Server Host panel, specify the SMTP server address for sending messages. If you are installing Mail Security on a Mailbox server only, you must specify an SMTP Transport server address. The Hub Transport server and Edge Transport server contain an SMTP transport that can receive . The default server address is as follows: localhost.
5 In the Setup Summary panel, review the information, and then click Next. If you need to make any modifications, click Back to return to the appropriate panel.
6 In the Ready to Install the Program panel, click Install.

To install a license and update definitions

1 In the Install Content License File panel, do one of the following:
  To install a license file, do the following:
  - Click Browse, locate the license file, and then click Open.
  - Click Install, and in the confirmation dialog box, click OK.
  - Click Next.
  To install a license file later through the console: Click Skip, and then click Next.
  See About licensing on page
2 In the LiveUpdate panel, do one of the following:
  To perform a LiveUpdate: Click Yes, and then click Next. In the LiveUpdate Options window, click Start. When LiveUpdate is complete, click Close.
  To perform a LiveUpdate at a later time: Click No, and then click Next.
  See About keeping your server protected on page 228.
  This panel only appears if you installed a valid license.
3 Click Finish. The option Show the readme file is checked by default. The Readme file contains information that is not available in the product documentation. A Mail Security icon is placed on the computer desktop when installation is complete.
4 In the User Credential Refresh Required panel, click OK.
5 Log off and log on again.

See Post-installation tasks on page 57.

Installing the Mail Security console

The Mail Security console is a Windows application. The console lets you manage local and remote installations of Mail Security from a single computer. You can install and use the console on a computer on which Mail Security is not installed. This lets you manage Mail Security from a convenient location.

Ensure that you meet the system requirements before you install the console.

See Console system requirements on page 36.

A Mail Security icon is placed on the computer desktop when installation is complete.

To install the Mail Security console

1 Insert the Mail Security product CD in the CD-ROM drive. The installation program launches automatically. If it does not, run cdstart.exe from the Mail Security product CD.
2 Click Install Multiserver Console. If the installation program detects that you have Windows XP or that there is no version of the Exchange server installed, the installation program defaults to console only installation options.
3 Click Next until you reach the License Agreement panel.
4 In the License Agreement panel, check I accept the Terms in the license agreement, and then click Next.
5 In the Destination Folder panel, do one of the following:
  - To install the product in the default location, click Next. The default destination directory is as follows: C:\Program Files (x86)\symantec\
  - To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.
  Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory whose name contains high ASCII characters.
6 Click Next until you reach the Notification Address panel.
7 In the Notification Address panel, do one of the following to specify the address from which notifications are sent and to which notifications to the administrator are sent:
  - Click Next to accept the default value. The default value is: Administrator
  - Modify the originator address, and then click Next.
  The Edge Transport server does not have access to Active Directory, so abbreviated addresses cannot be resolved. If you are installing Mail Security on the Edge Transport server role, type a fully qualified address (for example, user@mycompany.com).
  You can modify the address after installation is complete.

  See Configuring notification settings for scan violations on page
8 In the Setup Summary panel, review the information, and then click Next. If you need to make any modifications, click Back to return to the appropriate panel.
9 Click Finish. The option Show the readme file is checked by default. The Readme file contains information that is not available in the product documentation.
10 In the User Credential Refresh Required panel, click OK.
11 Log off and log on again.

See Post-installation tasks on page 57.

About installing Mail Security on remote servers

After you install Mail Security on a local server or install the console, you can install the Mail Security server component on remote servers.

Review the pre-installation information and system requirements before you install the product on remote servers.

See Before you install on page 29.
See System requirements on page 34.

To install Mail Security on remote servers, do the following:
- Customize installation settings, if needed. Remote servers are installed with default installation settings. If you want to customize the installation settings and apply them to a remote server, you can add the custom features to the vpremote.dat file.
  See Customizing remote server installation settings on page 43.
- Install Mail Security on remote servers.
  See Installing Mail Security on a remote server on page 46.

Note: Installing Mail Security remotely on cluster servers is not recommended for Exchange 2007 cluster, but is supported on Exchange 2010 DAG setup.

Customizing remote server installation settings

There may be cases in which you want to customize the installation of Mail Security on a remote Exchange server. For example, you might want to change the following settings:

- Installation location
- Default address for notifications
- Stop/start of IIS

Table 2-2 lists the remote customization options that you can modify.

Table 2-2 Remote customization options

| Property | Description | Default value | Optional value |
| --- | --- | --- | --- |
| ADDRESS= | Serves as the address of the domain administrator for the Address of sender and Administrator and others to notify Notification/Alert settings. | N/A | (address of domain administrator) |
| EXISTING SETTING GROUP= | Controls whether to retain a previous version's settings or apply the default settings of the new version. | Retain | Restore |
| IIS_RESET | Controls whether to stop and restart Microsoft Exchange Transport Service during installation. This setting is only available if the Exchange Transport Service is installed. | Yes | No |
| INSTALLDIR= | Serves as the default product installation directory. | \Program Files (x86)\symantec\CMaF\2.1\ | (Any valid path) |
| PORTNUMBER= | Serves as the port that is used by the product for Web services. | | (Any valid port) |
| SMSMSE_SMTP_SERVER_HOST | Serves as the host through which notifications are sent using SMTP. | localhost | (Any valid host) |
| CONSOLE_ONLY | Specifies that installation should be for the console only. | 0 | Set to 1 to perform a console installation. |

Table 2-2 Remote customization options (continued)

| Property | Description | Default value | Optional value |
| --- | --- | --- | --- |
| REMOTEINSTALL | Controls whether the console appears during installation. | 0 | Set to 1 to perform a silent installation. Note: Do not set to 1 to perform silent installation on Exchange 2010 mailbox server role. |
| REINSTALLMODE | Controls the mechanism for re-install. | N/A | Set to voums to perform a silent installation. |
| REINSTALL | Controls what features to install during re-install. | ALL | Set to 1 to perform a silent installation. |

Warning: The following entry should not be changed:
{setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=ALL REINSTALLMODE=voums REINSTALL=ALL }
You can append the entry. For example:
setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL PORTNUMBER=1010

To customize remote server installation settings

1 Locate the folder that contains the Mail Security console files.
  The default location is as follows:
  \Program Files (x86)\symantec\cmaf\2.1\bin\products\smsmse\6.5\remote Install Files\vpremote.dat
2 Using WordPad or a similar tool, open the following file: vpremote.dat
3 Insert one or more properties by doing the following:
  - Type a space after the previous or existing entry inside the quotation marks.
  - Type the new property. The property portion of each entry is case sensitive.
  - Type the value immediately after the = sign with no space.

    The values are not case sensitive.
  For example, to specify a silent installation, the entry would appear as follows:
  {setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=1 }

Installing Mail Security on a remote server

During remote installation, the Windows Login screen prompts you to provide administrator or domain user credentials. The domain user must fulfill all pre-requisites before installing on a remote server.
See Before you install on page 29.

When installation is complete, a Mail Security icon is placed on the computer desktop.

You should not use the remote installation procedures if you are installing the product on cluster server nodes.
See About installing Mail Security in a Microsoft Cluster on page 48.

To install Mail Security on a remote server

1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Install/Upgrade server(s).
3 In the Select Server(s) window, in the Servers and server groups list, highlight one or more servers and click the >> command icon.
4 Under Server options, check Keep installation files on server(s) to maintain the installation files on the server.
5 Check Send group settings to apply group settings.
  If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.
6 Click OK, and then click Close.

Note: Remote install must be performed from the computer which is part of the same domain.

See Post-installation tasks on page 57.
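
The vpremote.dat editing rules in "To customize remote server installation settings" (add inside the quotation marks, case-sensitive property names, no space at the = sign) can be checked before an entry is deployed to remote servers. The following Python is an added example, not Symantec code: it assumes the entry is the single setup.exe line printed on this page, accepts only the property names that are legible in Table 2-2 and the sample entries here, and rejects values that contain spaces because the page does not show how such values are quoted.

```python
import re

# Property names legible in this page's Table 2-2 and sample entries. Two
# Table 2-2 names are garbled in this copy and are left out on purpose.
KNOWN = {"NOT_FROM_ARP", "REMOTEINSTALL", "REINSTALLMODE", "REINSTALL",
         "IIS_RESET", "INSTALLDIR", "PORTNUMBER", "SMSMSE_SMTP_SERVER_HOST",
         "CONSOLE_ONLY"}
# Properties of the base entry that the page warns not to change. Only their
# presence is checked, because the page's own samples vary the values.
REQUIRED = ("NOT_FROM_ARP", "REMOTEINSTALL", "REINSTALLMODE", "REINSTALL")
# Assumed shape: setup.exe /s /v" NAME=value ...   (closing quote optional,
# because the entries printed on the page do not show one).
ENTRY_RE = re.compile(r'^(setup\.exe\s+/s\s+/v)"([^"]*)("?)\s*$')


def split_entry(entry):
    """Return (command, tokens, has_closing_quote) for one entry line."""
    match = ENTRY_RE.match(entry.strip())
    if match is None:
        raise ValueError('expected: setup.exe /s /v" NAME=value ...')
    return match.group(1), match.group(2).split(), bool(match.group(3))


def check_entry(entry, exchange2010_mailbox=False):
    """Return a list of problems in the entry; an empty list means clean."""
    _, tokens, _ = split_entry(entry)
    by_upper = {name.upper(): name for name in KNOWN}
    problems, seen = [], {}
    for token in tokens:
        name, eq, value = token.partition("=")
        if not (name and eq and value):
            # A space on either side of '=' splits the pair into two tokens.
            problems.append(f"{token!r}: expected NAME=value, no space at '='")
        elif name not in KNOWN:
            # Property names are case sensitive, so near misses are errors.
            fix = by_upper.get(name.upper())
            problems.append(f"{name}: wrong case, use {fix}" if fix
                            else f"{name}: not a known property")
        elif name in seen:
            problems.append(f"{name}: set more than once")
        else:
            seen[name] = value
    problems += [f"{n}: missing from the entry" for n in REQUIRED
                 if n not in seen]
    port = seen.get("PORTNUMBER")
    if port is not None and not (re.fullmatch(r"[0-9]{1,5}", port)
                                 and 1 <= int(port) <= 65535):
        problems.append(f"PORTNUMBER: {port!r} is not a valid port")
    if seen.get("CONSOLE_ONLY", "0") not in ("0", "1"):
        problems.append("CONSOLE_ONLY: must be 0 or 1")
    # Values are not case sensitive, so compare IIS_RESET in lower case.
    if seen.get("IIS_RESET", "yes").lower() not in ("yes", "no"):
        problems.append("IIS_RESET: must be Yes or No")
    if exchange2010_mailbox and seen.get("REMOTEINSTALL") == "1":
        problems.append("REMOTEINSTALL: do not set to 1 on the Exchange 2010 "
                        "mailbox server role")
    return problems


def append_property(entry, name, value, exchange2010_mailbox=False):
    """Return the entry with NAME=value added inside the quotation marks."""
    if not value or re.search(r'[\s"=]', value):
        raise ValueError("value must be non-empty, no spaces, quotes or '='")
    command, tokens, closed = split_entry(entry)
    tokens.append(f"{name}={value}")
    candidate = command + '" ' + " ".join(tokens) + ('"' if closed else "")
    problems = check_entry(candidate, exchange2010_mailbox)
    if problems:
        raise ValueError("; ".join(problems))
    return candidate


# Constructed sample: the silent-installation entry as printed on this page.
SAMPLE = ('setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=1 '
          'REINSTALLMODE=voums REINSTALL=ALL')

if __name__ == "__main__":
    print(append_property(SAMPLE, "PORTNUMBER", "1010"))
    print(check_entry(SAMPLE + " portnumber=1010"))    # wrong case
    print(check_entry(SAMPLE + " PORTNUMBER= 1010"))   # space after '='
    print(check_entry(SAMPLE, exchange2010_mailbox=True))
```

Run check_entry on the line copied out of vpremote.dat before using Install/Upgrade server(s); an empty list means none of these rules is violated.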

Silently installing Mail Security using an automated installation tool

Mail Security supports installing the product using automated installation tools, such as Microsoft Systems Management Server.

Ensure that you have met the system requirements before you perform a silent installation.
See System requirements on page 34.

You can modify certain installation properties to configure Mail Security installations, or you can provide command line properties during manual or automated installation using an automated installation tool.

Modify the installation properties for Mail Security in the following file:
\Program Files (x86)\symantec\cmaf\2.1\bin\products\smsmse\6.5\remote Install Files\vpremote.dat

Table 2-2 lists the customization options that you can modify.

To silently install Mail Security using an automated installation tool

1 Copy the installation media in its entirety to the location from which installation will be launched. For example:
  xcopy [Drive]:\*.* /s [DestinationDrive]
2 Do one of the following:
  - Launch setup.exe using the following command to initiate a silent installation:
    [DestinationDrive]:\setup.exe /v NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL /s
  - Launch the MSI file using the following command:
    msiexec.exe /I "[DestinationDrive]:\x64\Symantec Mail Security For Microsoft Exchange.msi" NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL

To silently install Mail Security using an automated installation tool on Exchange

1 Copy the installation media in its entirety to the location from which installation will be launched. For example:
  xcopy [Drive]:\*.* /s [DestinationDrive]
2 Do one of the following:
  - Launch setup.exe using the following command to initiate a silent installation:

    [DestinationDrive]:\setup.exe /v" NOT_FROM_ARP=1 REINSTALLMODE=voums REINSTALL=ALL SMSMSE_RBAC_USERNAME=<username> SMSMSE_RBAC_PASSWORD=<password> /q"
  - Launch the MSI file using the following command:
    msiexec.exe /I "[DestinationDrive]:\x64\Symantec Mail Security For Microsoft Exchange.msi" NOT_FROM_ARP=1 SMSMSE_RBAC_USERNAME=<username> SMSMSE_RBAC_PASSWORD=<password> /q

Note: On Exchange 2010 mailbox role, do not set REMOTEINSTALL=1 for silent install.

About installing Mail Security in a Microsoft Cluster

You can install Mail Security on the following types of Microsoft cluster configurations (these configuration types have different installation setups):
- Single Copy Clusters (SCC)
  See About installing Mail Security on a Single Copy Cluster node on page 49.
- Clustered Continuous Replication (CCR)
  See Installing Mail Security on a Clustered Continuous Replication cluster on page 52.

Note: Mail Security only supports clustering when the product is installed on a Mailbox server role.

Install Mail Security individually on each node of the cluster when you install it in a cluster environment. The remote installation feature should not be used.

Do the following to install Mail Security in a cluster environment:
- Ensure that your environment meets the pre-installation requirements.
  See Considerations before you install on a Microsoft Exchange cluster on page 49.
- Install Mail Security using the procedures for your cluster configuration.
  See About installing Mail Security on a Single Copy Cluster node on page 49.
  See Installing Mail Security on a Clustered Continuous Replication cluster on page 52.
- Configure the cluster resource if you are using a single copy cluster configuration only.

  See Configuring the cluster resource on page 50.

Considerations before you install on a Microsoft Exchange cluster

Table 2-3 describes the items that you should consider before you install Mail Security in a cluster environment.

Table 2-3 Cluster installation considerations

Configuration: Single copy cluster
Considerations:
  Mail Security must be installed on all active and passive nodes of a cluster.
  Only one Clustered Mailbox Server (CMS) can run on any cluster node at any time. If two CMSs try to run on the same node, the results are undefined.
  Ensure that the following requirements are met before you install Mail Security on an Exchange cluster with one or more passive nodes:
  - There must be an available passive node to fail to. Multiple failovers are supported only if multiple passive nodes are available.
  - Mail Security must be installed with the same configuration and in the same locations on all nodes of the cluster.
  Mail Security checks for the presence of a cluster environment during installation. You are prompted to register a cluster resource DLL (SMSMSEClusterResource.dll) if the installation is running in a cluster environment. This DLL must be registered on only one of the cluster nodes.
  Mail Security runs on all of the nodes (even passive nodes) immediately after installation. After the first instance of the cluster resource is configured, the service runs on only the active node(s).

Configuration: Clustered continuous replication
Considerations:
  You do not need to configure a cluster resource for this type of cluster.

About installing Mail Security on a Single Copy Cluster node

You can install Mail Security on Exchange servers that are running Microsoft Single Copy Cluster.

Mail Security settings are stored in the registry and local hard drive of each individual server. The settings are duplicated on the hard drive of the shared storage that is used as a dependency for the Mail Security resource each time settings are changed. The passive node checks for settings on the shared hard disk storage any time the active node goes down and control transfers to the passive node. The settings are then downloaded to the passive node (which is now active) and applied.

Mail Security is Microsoft cluster aware and does not require any specific settings prior to installing the product on a cluster with one or more passive nodes. Mail Security requires its own cluster resource. You must use IP addresses or names of the Clustered Mailbox Server nodes instead of the actual server IP addresses or names for managing Mail Security through the console.

When the CMS group and Mail Security cluster resource move from one node to another, the following items are not transferred:
- Virus definitions and spam rules
- Report database and generated reports
- Spam statistics
- Mailbox and public folder lists

The Mail Security quarantine is stored on the shared storage. Exclude the quarantine from all antivirus scanning.

Settings are copied to the shared storage when you deploy your changes. Ensure there is sufficient room on the volume for the Mail Security shared settings and quarantine.

Configure LiveUpdate to perform regularly scheduled updates on each node in the cluster to ensure that your definitions stay current. Definitions are updated and stored locally, not on the shared storage.

Configuring the cluster resource

Create a new resource after Mail Security is installed on each node of the cluster. This resource provides high availability by monitoring and controlling Mail Security. Create the resource in each Clustered Mailbox Server group.
You must add the cluster service account to the SMSMSE Admins Group before the cluster service is restarted on the cluster nodes. The cluster service must be restarted on all the nodes of the cluster before the SMSMSE Resource is brought online. If it is not, the SMSMSE Resource may not start. For more information about how to add a cluster service to a group, see your Microsoft server documentation. See About security and access permissions on page 33.

The Mail Security service on all nodes is stopped and service startup is changed to manual as the Mail Security resource is created. This occurs because the service is running under the control of the Mail Security cluster resource.

The Mail Security cluster resource is responsible for all of the following tasks:
- Handling cluster events
- Saving Mail Security settings for each Clustered Mailbox Server to shared storage
- Retrieving settings from shared storage and making them active on a given cluster node
- Managing the Mail Security service

To configure the cluster resource

1 On the Windows taskbar, click Start > Programs > Administrative Tools > Cluster Administrator.
2 Select the CMS group and launch the New Resource Wizard.
3 Name the resource.
  You must assign a unique name to each resource.
4 Select Mail Security for Microsoft Exchange as the resource type, and then click Next.
5 Choose the nodes for which the resource is being created, and then click Next.
  The nodes must be the same as those on which CMS can operate.
6 Choose the dependencies for this resource.
  The required dependencies are as follows:
  - Physical Disk Resource (disk on which the settings are saved)
  - CMS Network Name resource
7 Repeat steps 2 through 6 for each CMS server group.

To configure the cluster resource on Windows 2008 Server

1 On the Windows taskbar, click Start > Programs > Administrative Tools > Failover Cluster Management.
2 Right click the CMS group and select Add a resource > More resources > Add Symantec Mail Security for Microsoft Exchange.
3 Select Mail Security for Microsoft Exchange as the resource type.
4 Choose the dependencies for this resource.
  The required dependencies are as follows:

  - Physical Disk Resource (disk on which the settings are saved)
  - CMS Network Name resource
5 To set dependencies and nodes, right click the resource and select Properties.
6 Under the Dependencies tab, add Physical Disk Resource and CMS Network Name Resource.
7 Under the Advanced Policies tab, select the nodes for which the resource is being created.
  The nodes must be the same as those on which CMS can operate.
8 Select Apply and OK.
9 Repeat steps 2 through 8 for each CMS server group.

Installing Mail Security on a Clustered Continuous Replication cluster

You can install Mail Security on a Clustered Continuous Replication cluster.

To install Mail Security on a Clustered Continuous Replication cluster

1 Log on to a node using an Administrator account that is a member of the Domain and Local Admin groups.
2 Insert the Mail Security product CD into the CD-ROM drive.
  The installation directory should be on a local node (non-shared drive).
3 In the Web Service wizard, type the IP address of the externally accessible network card of the current node (if not already present).
  The Virtual Server IP address, the cluster IP address, or name of the node are invalid entries.
4 Repeat steps 2 and 3 to install Mail Security on the remaining node.
5 Restart the cluster service after you install Mail Security on each node of the cluster.
6 Add each node to asset management so that you can manage the node from the console.
  Mail Security does not automatically detect the nodes in a cluster. Nodes must be added to asset management using their IP address.
  See Adding servers to a group on page 82.

See Configuring the cluster resource on page 50.
See Post-installation tasks on page 57.

About installing Mail Security on a Veritas Cluster Server

Mail Security is integrated with the active/passive Veritas Cluster Server environment. When you install Mail Security, the product detects that it is being installed in a Veritas Cluster Server environment. The product automatically registers a cluster resource with the Veritas Cluster Server.

The corresponding Mail Security cluster agent does the following:
- Monitors the Mail Security service
- Stops and restarts the service, as necessary
- Ensures that the product settings and quarantine data are copied to the SMSMSE folder on the shared storage

Mail Security supports the following Veritas Cluster Server configurations:
- Active/passive N-to-1
- Active/passive N+1
- Active/passive N-to-N

Some considerations about using the Veritas Cluster Server with Mail Security are as follows:
- Mail Security does not support active/active Veritas Cluster Server configurations
- Upgrades from Mail Security 5.0 to Mail Security 6.0 and 6.5 are not supported on a Veritas Cluster Server configuration
- Mail Security does not support Veritas Cluster Server on Exchange
- Mail Security supports Veritas Cluster Server versions 5.0 with the latest service patch, and 5.1.

Before you install on a Veritas Cluster Server

Consider the following before you install Mail Security on a Veritas Cluster Server:
- Ensure there is sufficient room on the volume for the Mail Security shared settings and quarantine.
  Settings are copied to the shared storage when you deploy your changes.
- Exclude the quarantine from all scanning.
  The Mail Security quarantine is stored on the shared storage.
- Install Mail Security on all of the nodes in the cluster.
  You are prompted to register the resource on only one node.

- Use an IP address to specify the computer since the name of the server is usually used when installing to a cluster.
  If you are using IP addresses, use the IP address of the computer and not the IP address of the cluster or virtual server.
- Install Mail Security on each of the passive nodes first. Then failover an active node to a passive node and install Mail Security on it. Repeat this process until you install Mail Security on all of the active nodes and passive nodes.
  This process lets you install the product cleanly on all of the nodes. Uninstallation of the product should be handled the same way.
  See Uninstalling Mail Security on page 65.
- You can install Mail Security in any of the following types of Veritas Cluster Server environments:
  - Local clusters
  - Campus/metropolitan clusters
  - Replicated data clusters
  - Wide area clusters
  - Global clusters
- Configure LiveUpdate to perform regularly scheduled updates on each node in the cluster to ensure that your definitions stay current.
  Definitions are updated and stored locally, not on the shared storage.
- You should not use the remote installation procedures when you are installing the product on cluster server nodes.

Configuring Mail Security in the Exchange Service Group

Do the following to properly configure Mail Security in the Exchange Service Group:
- Create a MountV resource. Create a mount resource if you are using NetApps.
- Create a Mail Security resource.
- Specify dependencies.
- Bring the resources online.

Note: You do not need to cluster the Symantec Mail Security Utility service. The Mail Security cluster agent does not monitor the Symantec Mail Security Utility service.

Figure 2-1 diagrams the typical Mail Security resource type, resource instance, and resource dependency with other resources within the Exchange service group.

Figure 2-1 Resource dependencies
[Diagram labels: SMSMSEVCSClusterResource-Instance, SMSMSEVCSClusterResource, Lanman-ExchangeServiceGrp, Lanman, MountV, SMSMSEMountV-Instance, IP-ExchangeServiceGrp, NIC-ExchangeServiceGrp, IP, NIC, VMDg, VMDg-ExchangeServiceGrp]

For more information, see the Veritas Cluster Server documentation.

To create a MountV resource

1 Add a new MountV resource.
  MountV resource is an option in the Resource Type list.
2 Type a name for the resource.

3 Assign the following resource attributes:
  MountPath: The drive letter or the folder name of the volume that you created
  VolumeName: The volume name that you created
  VMDGResName: The name of the volume manager diskgroup resource on which the MountV resource depends
4 Ensure that the resource is not set to "Critical."
  This ensures that the Exchange service group will not failover to another node if either of the resources fail during setup.

To create a Mail Security resource

1 Add a new SMSMSEVCSClusterResource.
  SMSMSEVCSClusterResource is an option in the Resource Type list.
2 Type a name for the resource.
3 Assign the following resource attributes:
  LanmanResName: The resource name of the Lanman resource that exists in the Exchange service group
  MountResName: The resource name of the MountV that you created
4 Ensure that the resource is not set to "Critical."
  This ensures that the Exchange service group will not failover to another node if either of the resources fail during setup.

To specify dependencies

Create the following dependencies:
- SMSMSEVCSClusterResource is a parent to the MountV resource that you created.
- SMSMSEVCSClusterResource is a parent to the Lanman resource.
- The MountV resource that you created is a parent to the VMDg resource.

To bring the resources online

1 Enable the MountV resource that you created.
2 Set the resource back to "Critical," if desired.
3 Online the MountV resource on the active Exchange node.
4 Enable the SMSMSEVCSClusterResource.
5 Set the resource back to "Critical," if desired.
6 Bring the SMSMSEVCSClusterResource on the active Exchange node online.
7 Save and close the configuration.

Creating the shared storage volume

Create the shared storage volume after you install Mail Security on all of the nodes in a cluster using the Veritas Enterprise Administrator. See your Veritas Cluster Server documentation for more information about the Veritas Enterprise Administrator.

To create a shared storage volume

1 In the Veritas Enterprise Administrator, create a new volume for Mail Security data as part of the existing clustered Exchange Disk Group.
  This shared storage volume needs enough space to contain product settings and quarantine data.
2 Assign the volume a drive letter or a New Technology File System (NTFS) folder name and a volume name.
  A drive letter or NTFS folder name and the volume name are necessary to create a MountV resource.

Post-installation tasks

After you install Mail Security, you can perform the following post-installation tasks:
- Implement SSL communications.
  See Implementing SSL communications on page 58.
- Install license files if they were not installed during setup.
  See About licensing on page 67.
- Update definitions if a LiveUpdate was not performed during setup.
  See About keeping your server protected on page 228.
- Access the Mail Security console.

  See Accessing the Mail Security console on page 60.
- Configure other antivirus products that are on the same computer as Mail Security.
  See About using Mail Security with other antivirus products on page 63.
- Configure the number of scanning threads and scan processes, if necessary.
  See Setting scanning threads and number of scan processes on page 64.

Implementing SSL communications

You can configure Mail Security to use Secure Sockets Layer (SSL) communications by using a valid server certificate. You can create your own server certificate using Microsoft Certificate Services 2.0 or request one from a certificate authority.

After you implement SSL, you must enable SSL from the console and specify the SSL port for each server.
See Modifying the port and communication properties of a server on page 87.

To install a server certificate

1 On the computer on which Mail Security is installed, on the Windows menu, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2 In the server list, expand the folder for the server that is hosting Mail Security.
3 In the Web sites folder, right-click Symantec Mail Security for Microsoft Exchange, and then click Properties.
4 Under Secure communications, select the Directory Security tab, and click Server Certificate.
5 Follow the instructions in the Web server Certificate wizard to install the server certificate.

To implement SSL communications

1 Ensure that a valid server certificate is installed.
  See To install a server certificate.
2 Under Secure Communications, select the Directory Security tab, and click Edit.
3 In the Secure Communications dialog box, check Require secure channel (SSL), and then click OK.
4 On the Web Site tab, under Web site identification, in the IP Address text box, type the IP address of the Mail Security server.

5 In the SSL Port text box, type the port to use for SSL communications.
6 Click OK to close the Mail Security Properties window.

To implement SSL communications on Windows 2008 Server

1 On the local computer, ensure that a valid server certificate is installed in Trusted Root Certification Authorities.
  See To install a server certificate.
2 Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the Web sites folder, right-click Symantec Mail Security for Microsoft Exchange, click Edit Bindings and select Add.
4 From the drop-down list, select https and All Unassigned for Type and IP addresses respectively.
5 In the SSL Port text box, type the port number, for instance, 8082, to use for SSL communications.
  Note: To avoid port conflict, do not use the ports used by Exchange server, like TCP port 80 and SSL port
6 From the SSL certificate, select the certificate installed and restart the Symantec Mail Security for Microsoft Exchange Web site.
7 In the right pane, double-click Authentication and ensure that Windows Authentication and ASP.NET Impersonation are enabled.
8 From the Web sites folder, select Symantec Mail Security for Microsoft Exchange. In the right pane, double-click SSL Settings, check Require SSL and Require 128-bit SSL.
9 Click Apply to apply the changes.

To implement SSL communications on client computer

1 Export the server certificate from the server and install it to the client computer where Mail Security console is installed in Trusted Root Certification Authorities.
2 Open the Certificates snap-in and ensure that the certificate resides in Trusted Root Certification Authorities.
3 On the Mail Security console, click the Assets tab and click Add server(s) to add a server.

4 Right click on the server added, click Properties. Provide the SSL port number configured on the server.
5 Check the UseSSL checkbox, and click OK.
  You can now connect to the server from the console using the SSL connection.

Accessing the Mail Security console

You can access the Mail Security console from the Windows Start menu or from your desktop.

You must have the appropriate administrator or viewer rights to open the console. If you do not, the following error message appears:
"You either have insufficient permissions to access this application or your user credentials are not refreshed. Try logging off and logging in again to reload the user credentials."

You can only access servers that are running Mail Security 6.5 from the Mail Security 6.5 console.
See About security and access permissions on page 33.

To access the Mail Security console

Do one of the following:
- On the desktop, click the SMSMSE 6.5 icon.
- On the Windows menu, click Start > Programs > Symantec Mail Security for Microsoft Exchange > Server Management Console.

See About the Mail Security console on page 60.

About the Mail Security console

Figure 2-2 shows the Mail Security console.

Figure 2-2 Mail Security Server Home page view
[Screenshot callouts: Menu bar, Tool bar, Primary navigation bar, Content area]

Figure 2-3 shows additional console elements.

Figure 2-3 Additional console elements
[Screenshot callouts: List pane, Sidebar, Preview pane, Resizing bars]

About the primary navigation bar

Management operations are grouped into the following categories on the primary navigation bar:
- Home: Lets you view server status, recent activities, and violations statistics
- Policies: Lets you create and configure sets of rules that are implemented by specific scans
- Monitors: Lets you configure notification addresses and quarantine settings and monitor quarantine data and events
- Scans: Lets you create, configure, schedule, and run scans
- Reports: Lets you view and print data collected by Mail Security
- Admin: Lets you update definitions, configure system settings, and install licenses

Refreshing the console

You might periodically need to refresh the console to view changes or updated statuses.

To refresh the console

1 On any page in the console, press F5.
2 Click OK to log onto the current asset group.
  This message only appears if you are not logged onto the current asset group.
  See Logging onto servers on page 76.

About using Mail Security with other antivirus products

If you are using Mail Security version or lower and you have Symantec AntiVirus Corporate Edition installed on the same computer as Mail Security, configure Symantec AntiVirus to perform definition updates.

Warning: Disable Rapid Release in Mail Security if you intend to update definitions through Symantec AntiVirus Corporate Edition.

See About keeping your server protected on page 228.

Configure your other antivirus programs to exclude certain folders from scanning. If another antivirus program scans the Exchange directory structure or the Mail Security processing folder, it can cause false-positive threat detection, unexpected behavior on the Exchange server, or damage to the Exchange databases.

For information about how to prevent Symantec AntiVirus from scanning the Exchange directory, go to the following Symantec knowledge base article: ?Open&src=w

See Components of Mail Security on page 17.
See About keeping your server protected on page 228.

If you are using Mail Security version 6.5 and you have Symantec AntiVirus Corporate Edition or Symantec Endpoint Protection (SEP) installed on the same computer as Mail Security, configure Symantec AntiVirus or SEP to perform definition updates. For Exchange Server 2007/2010, you must also configure Mail Security to perform definition updates. You can also use LiveUpdate Administrator to perform definition updates for both the products.
See About setting up your own LiveUpdate server on page 230.

Setting scanning threads and number of scan processes

Mail Security lets you set the number of VSAPI scanning threads and the number of scan processes to control scanning speed and performance. The default is configured using the following formula:

(number of processors) x 2 + 1

Accept the default unless you have a compelling reason to do otherwise.

Mail Security considers a hyper-threaded processor as more than one processor. For example, if you have a dual hyper-threaded processor on your computer, Mail Security calculates the number of scanning processes as follows:

Number of processors (4) x 2 + 1 = 9

When the load is heavy, all nine scanning processes are scanning messages. Increasing the number of scan processes can consume a lot of memory if the server has few resources. This could severely impact the performance of your Exchange server.

Configure the number of scan processes based on the actual number of physical processors if you have a hyper-threaded processor on your computer. For example, if you have a dual hyper-thread processor, configure the number of scan processes as follows:

Number of physical processors (1) x 2 + 1 = 3

Note: If you are using Intel Xeon processors, you must set this value using the formula based on the number of physical processors, instead of the number reported by the operating system.

To set scanning threads and number of scan processes

1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click System Settings.
3 In the Number of VSAPI scanning threads box, type the number of threads to use for VSAPI scanning.
  The default value is 3.
4 In the Number of scan processes box, type the number of scan processes.
  The default is configured during installation using the formula 2 times the number of processors plus 1.
5 On the toolbar, click Deploy changes to apply your changes.
See Deploying settings and changes to a server or group on page 75.

Uninstalling Mail Security

When you uninstall Mail Security in a clustered environment, you are prompted to unregister the Mail Security resource DLL that was configured during install. This needs to be done only one time and can be done on any of the cluster nodes.

See Removing the Mail Security resource instance from the Veritas Cluster Server on page 65.

Stop Microsoft Internet Information Service (IIS) before you uninstall the product. This ensures that all of the files that are installed with the product are removed.

To stop Microsoft IIS
1 On the Windows menu, click Start > Administrative Tools > Services.
2 In the Services window, right-click IIS Admin Service and select Stop.
3 Close the Stop Other Services window.

To uninstall Mail Security
1 On the server on which Mail Security is installed, on the Windows menu, click Start > Control Panel.
2 In the Windows Control Panel, click Add or Remove Programs.
3 Click Symantec Mail Security for Microsoft Exchange, and then click Remove.
4 In the confirmation dialog box, click Yes.
5 In the Information dialog box, click OK to confirm that you have stopped IIS.
6 When the uninstallation is complete, click OK.

After you uninstall Mail Security, the users you added and the groups to which you assigned them remain in Active Directory. You can remove them manually in Active Directory.

Removing the Mail Security resource instance from the Veritas Cluster Server

Before you uninstall Mail Security from the nodes in the cluster, you must remove the Mail Security instance and the MountV resource from the Veritas Cluster Server. You must remove the Mail Security shared storage volume to remove the data on the shared storage.

You perform the following tasks from the Veritas Cluster Explorer and the Veritas Enterprise Administrator. See your Veritas Cluster Server documentation for more information about using these tools.

To remove the Mail Security instance from the Veritas Cluster Server
1 In the Veritas Cluster Explorer, take the SMSMSEVCSClusterResource instance offline on all of the cluster nodes. This ensures that Mail Security stops running in the background.
2 Unlink all of the dependencies from the instance of the SMSMSEVCSClusterResource.
3 Delete the instance of the SMSMSEVCSClusterResource from the Exchange Service Group.

To remove the MountV resource from the Veritas Cluster Server
1 In the Veritas Cluster Explorer, unlink the Mail Security MountV (or Mount resource, if you are using NetApps) from its dependencies.
2 Delete the resource from the Exchange Service Group.

To remove data from the shared storage volume
1 In the Veritas Enterprise Administrator, mount the Mail Security shared storage volume.
2 Delete the Mail Security volume. This removes the shared volume and frees up the space in shared storage.
3 Uninstall Mail Security from each node in the cluster.

See Uninstalling Mail Security on page 65.

Chapter 3 Activating licenses

This chapter includes the following topics:
About licensing
How to activate a license
If you want to renew a license

About licensing

Key features for Symantec Mail Security, which include definition updates and Symantec Premium AntiSpam, are activated by a license. When a license expires or no license is installed, limited functionality is available. To regain product functionality when your license expires, you must renew and reactivate your license subscription.

Table 3-1 describes the licenses that are required.

Table 3-1 Symantec Mail Security Licenses

License: Content license
Description: A content license is required to update Symantec software with the latest associated content (such as new definitions) through LiveUpdate and Rapid Release. A valid content license enables your servers to stay protected. When the content license is missing or invalid, you cannot download definition updates to keep protection current. See About keeping your server protected on page 228.

Table 3-1 Symantec Mail Security Licenses (continued)

License: Symantec Premium AntiSpam license
Description: This license is required to enable Symantec Premium AntiSpam. Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. When the Symantec Premium AntiSpam license is missing or invalid, Symantec Premium AntiSpam does not function. See How to detect spam using Symantec Premium AntiSpam on page 114.

Definition updates and updates to Symantec Premium AntiSpam are limited to the period of time that is specified by the license. The start and end dates of the license period depend on the terms of your license agreement.

See If you want to renew a license on page 71.

You must install one license file on each server that is running Symantec Mail Security or on each member of an Exchange cluster. You cannot replicate license files.

Note: For Exchange Server (32-bit), if you are upgrading from versions 4.x and above and for Exchange Servers 2007 and 2010, if you are upgrading from versions 6.x and above, existing licenses are automatically recognized and need not be reinstalled.

See If you want to renew a license on page 71.

You can view the status of your license on the Home page of the Mail Security console.

How to activate a license

Symantec issues a serial number when you purchase Mail Security. If you are upgrading from a previous version of the product and you have an active maintenance contract, Symantec issues an upgrade voucher with an alphanumeric code. Register the serial number or upgrade code to receive a license key for the associated license file. License keys are delivered in a Symantec license file (.slf).

The serial number is provided on a license certificate, which is mailed separately and arrives in the same time frame as your software. For security reasons, the license certificate is not included in the Mail Security software distribution.

See If you want to renew a license on page 71.

License activation involves the following process:

Obtain a license file from Symantec
To request a license file, you must have the license serial number or upgrade voucher code. After you complete the registration process, Symantec sends you the appropriate license file by email. See Obtaining a license file on page 69.

Install the license file
Install the license file on each server on which you run Mail Security or on each node of a cluster. See Installing license files on page 70.

If you do not have a serial number

Your license certificate or upgrade voucher, which contains the number for the license that you have purchased, should arrive within three to five business days of when you receive your software. Contact Symantec Customer Service at or your reseller to check the status of your order if you do not receive the license certificate or upgrade voucher. Contact Symantec License Administration if you have lost your license certificate or upgrade voucher.

See Where to get more information about Mail Security on page 28.

Obtaining a license file

You must have the serial number or upgrade voucher code to request a license file and to register for support.

See If you do not have a serial number on page 69.

The license file that Symantec sends to you is contained within a .zip file. The .slf file that is contained within the .zip file is the actual license file. Ensure that your inbound environment permits .zip message attachments.

If you purchased multiple types of licenses but registered them separately, Symantec sends you a separate license file for each license. You must install each license file separately.
If you registered multiple licenses at the same time, Symantec sends you a single license file that contains all of your licenses. Warning: License files are digitally signed. If you try to edit a license file, it will corrupt the file and render it invalid.

To obtain a license file
1 In a Web browser, type the following address: Your Web browser must use 128-bit encryption to view the site.
2 If a Security Alert dialog box appears, click OK.
3 Follow the procedures on the Symantec Licensing Web site to register your license and request your license file. Symantec sends you an email message that contains the license file in an attachment. If the message does not arrive within two hours, an error might have occurred. Try again to obtain the license file through the Symantec Web site. If the problem continues, contact Symantec Technical Support.

See Where to get more information about Mail Security on page 28.

Installing license files

Install the license file on each server on which Mail Security is installed. Install the license file on each cluster node if you are running in a cluster configuration.

You can install your license file during product installation or in the console. Until a valid license is properly installed, Mail Security issues periodic messages in the Event Log to notify you that your license is invalid or expired. You can view the status of your license on the Home page of the console.

See Installation options on page 36.

The procedures for installing license files vary for a local server installation and a remote server or server group.

To install license files to a local server
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click Licensing.
3 In the content area, do one of the following:
  In Step 3, under Enter path to the license file, type the fully qualified path to the license file. You can specify a mapped drive or Universal Naming Convention (UNC) path to the file if the license file does not reside on the same computer.
  Click Browse, select the license file, and then click Open.

  You can locate the file using My Network Places if the license file does not reside on the same computer.
4 Click Install.

To install license files to a remote server or server group
1 In the console on the toolbar, click Change.
2 In the Select Asset window, select a server or server group from the menu.
3 Click Select.
4 On the primary navigation bar, click Admin.
5 In the sidebar under Views, click Licensing.
6 In the content area, do one of the following:
  In Step 3, under Enter path to the license file, type the fully qualified path to the license file. You can specify a mapped drive or UNC path to the file if the license file does not reside on the same computer.
  Click Browse, select the license file, and then click Open. You can locate the file using My Network Places if the license file does not reside on the same computer.
7 Click Install. If a server within a server group is already licensed, the license file is reapplied. The license file with the latest expiration date is applied.

If you want to renew a license

Content updates and spam definition updates are not applied when a server has an expired license or when the license is missing or invalid. A missing or invalid license can leave your server vulnerable to attacks. Renew your Maintenance Agreement to receive content updates when your license expires.

The process for license renewal, which is specific to how you purchased your software, is as follows:

If you purchased Mail Security through the Symantec Value or Elite Enterprise Licensing programs
Contact your administrator, reseller, or Symantec account manager to determine whether your Maintenance Agreement has been renewed and if new licenses are available. After your Maintenance Agreement is renewed, you receive new serial numbers that you can register to obtain your new license files.

If you purchased Mail Security Small Business Edition
To find more information about license renewal on the Internet, go to the following URL:

Chapter 4 Managing your Exchange servers

This chapter includes the following topics:
About managing your Exchange servers
Deploying settings and changes to a server or group
How to manage servers and server groups

About managing your Exchange servers

Mail Security can simplify the management of one or more Microsoft Exchange servers across your organization. You can create server groups that have a common purpose and, therefore, require the same protection. By grouping servers, you can apply a common set of protection settings once, rather than repeatedly to each server. The reduction in configuration time and maintenance costs can be considerable in a large network with multiple servers that perform similar roles.

You can configure settings for each server individually. You can use the following groups to configure and manage multiple servers:

Global Group

The Global Group consists of all of the servers that you manage through the Mail Security console. The changes are propagated to all servers in all groups when you configure and apply Global Group settings. Changes that are made at the Global Group level overwrite all individual server and user-defined server group settings.

Mail Security provides the following Global Groups:

Global Group - Exchange 2003
All Exchange 2003 servers belong to the Global Group - Exchange 2003. No other Exchange server group other than Exchange 2003 Server is supported in this group.

Global Group - Exchange 2007
All Exchange 2007 servers belong to the Global Group - Exchange 2007. No other Exchange server group other than Exchange 2007 Server is supported in this group.

Global Group - Exchange 2010
All Exchange 2010 servers belong to the Global Group - Exchange 2010. No other Exchange server group other than Exchange 2010 Server is supported in this group.

Global Groups include servers that are added to user-defined groups as well as servers that are added to multi-server management control but are not assigned to a specific server group. You cannot create or delete Global Groups.

User-defined server group(s)

A user-defined server group is a grouping of servers that have common roles and, therefore, require similar configurations. You can create a user-defined server group and configure settings for the group to simplify server management. For example, a server group might be all of the mail servers that are used by a department (for example, marketing) or the physical location of a group of mail servers (for example, third floor servers in Building A). A managed server can only belong to one user-defined group.

See Moving a server to another user-defined server group on page 83.
See Viewing the status of a server on page 81.

Settings for an individual server are stored by that server.
Mail Security saves the settings for groups in the following default file location: \Program Files (x86)\symantec\cmaf\2.1\settings\groups The associated files are automatically deleted when you delete a group.

Deploying settings and changes to a server or group

Mail Security lets you make changes to multiple pages before you apply those settings. When the Deploy changes icon on the toolbar is active, it indicates that you have made changes that you need to apply.

You can manage change deployment using the following toolbar icons:

Deploy changes
Deploys your changes. If you are in the server view, deploys your changes to the server. If you are in the group view, deploys your changes to each server in the group and to the group settings.

Discard changes
Cancels pending changes. When you cancel pending changes, settings are returned to their configuration as of the last time changes were successfully deployed.

Deploy all settings
If changes are pending, applies pending changes to the group settings, and then pushes out the group settings to all of the servers in the group. If no changes are pending, pushes out the group settings to all of the servers in the group.
Note: Any configuration settings that were made to an individual server within the group are overwritten.
This option is only available in group view.

After you deploy your changes, the Operation Status window indicates whether changes were successfully applied.

To deploy pending changes to a server or group
1 In the console on the toolbar, click Deploy changes.
2 In the Pending changes window, click Deploy changes.
3 In the Operation Status window, click Close when the operation is complete.

To apply pending changes (if any) and deploy group settings to each server in the group
1 In the console on the toolbar, click Deploy all settings. The Deploy all settings icon is only enabled in group view.
2 In the confirmation dialog box, click OK.
3 In the Operation Status window, click Close when the operation is complete.

To cancel pending changes
1 In the console on the toolbar, click Discard changes.
2 In the confirmation dialog box, click OK.

How to manage servers and server groups

You can manage servers and server groups by doing any of the following:
Logging onto servers
Modifying or viewing server or server group settings
Viewing the status of a server
Creating a user-defined server group
Adding servers to a group
Moving a server to another user-defined server group
Synchronizing group settings to a server
Restoring default settings to a server or group
Removing a server from group management
Removing a server group
Exporting and importing settings
Modifying the port and communication properties of a server

Logging onto servers

Mail Security must log onto a server to check its status or apply settings to the server. By default, Mail Security automatically logs onto all of your managed servers when you open the console. You might experience a delay when you open the console while Mail Security logs onto the managed servers. The length of the delay depends on the number of managed servers that you have.

If you frequently open the console to view settings or to make changes without applying them, you can disable the automatic log on feature. When you disable the automatic log on feature, the console opens more quickly.

If you disable the automatic log on feature, Mail Security logs onto your servers in the following ways:

Single server
Mail Security logs onto a single server when you do any of the following:
  Open the console when a single server is the current asset.
  Select a single server as the current asset.
See Modifying or viewing server or server group settings on page 80.

Server group (user-defined server groups and Global Groups)
Mail Security logs onto all of the servers in the current asset list when you do any of the following:
  Manually refresh the console. See Refreshing the console on page 63.
  Apply settings to a server group.

Mail Security logs onto all of the servers in a group when you apply settings to that group. If you apply settings to a user-defined server group, Mail Security logs onto all of the servers in the user-defined group. If you apply settings to a Global Group, Mail Security logs onto all of the servers in the Global Group. Mail Security also logs onto all of the servers in the user-defined groups within that Global Group.

For example, assume you have Global Group - Exchange and Global Group - Exchange Within Global Group - Exchange , you have user-defined groups named ServersEast and ServersWest. If you apply settings to Global Group - Exchange , Mail Security logs onto all of the servers in the ServersEast group and the ServersWest group. Mail Security does not log onto any of the servers in the Global Group - Exchange

Another example assumes that you apply settings to the ServersEast group. Mail Security logs onto all of the servers in the ServersEast group. But Mail Security does not log onto any of the servers in the ServersWest group.

See Deploying settings and changes to a server or group on page 75.
See About managing your Exchange servers on page 73.

To log onto servers when you open the console
1 In the console on the toolbar, click Assets.
2 In the Asset Management window in the Assets box, check Automatically connect to the servers in the current group on startup. Mail Security logs onto all of the servers that you have listed in the Assets box every time you open the console. This option is enabled by default.
3 Click Close.

To log onto servers when you apply settings or refresh the console
1 In the console on the toolbar, click Assets.
2 In the Asset Management window in the Assets box, uncheck Automatically connect to the servers in the current group on startup. Mail Security only logs onto a server when you apply settings to that server or when you view or modify the settings of that server.
3 Click Close.

Configuring Symantec Mail Security for Exchange 2010 on DAG setup

You must follow the configurations recommended for Exchange Server 2010 on Database Availability Group (DAG) setup. From the SMSMSE console, under Assets, create a new group for Exchange 2010 DAG servers. Add all DAG member servers to the new group. Create and apply the same security policies to every server in the group to ensure that all the mailboxes have the same SMSMSE settings in case a database failover occurs.

Note: Create separate groups for each DAG if there are multiple DAG groups. Also set up a quarantine server on each DAG group from the SMSMSE console so that quarantine data is available in case any DAG member server is completely unavailable.

See Forwarding quarantined items to the Quarantine Server on page 90.

Changing password of the domain user account

For every installation of Mail Security on Exchange 2010 in the mailbox role, the user credentials must be updated whenever the password of the domain user account is changed.

Note: Change the password before it expires, or select the Password never expires option for the user account.

To change password in Service Control Manager
1 From the Windows taskbar, click Start > Programs > Administrative Tools > Services.
2 Right-click Symantec Mail Security for Microsoft Exchange and select Stop to stop the SMSMSE service.
3 Click Start > Programs > Administrative Tools > Services.
4 Right-click Symantec Mail Security for Microsoft Exchange and select Properties.
5 From the Log On tab, enter the new password and select Apply to change the password.
6 Start the SMSMSE service.

Changing the domain user account used by Mail Security service

You must manually change the domain user account used by the Mail Security service every time you install Mail Security on an Exchange 2010 mailbox server.

To change the domain user account
1 From the Windows taskbar, click Start > Programs > Administrative Tools > Services.
2 Right-click Symantec Mail Security for Microsoft Exchange and select Stop to stop the SMSMSE service.
3 Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell.
4 Remove the RBAC right by typing the following command from the Exchange Management Shell:
    remove-managementroleassignment SMSMSE_RBAC_domainname\username
5 Click Start > Programs > Administrative Tools > Active Directory Users and Computers.

6 On the left pane, select Microsoft Exchange Security Groups > Organization Management.
7 Right-click Properties.
8 From the Member tab, select the user you want to remove and click Remove.
9 Click Start > Programs > Administrative Tools > Local Security Policy.
10 On the left pane, select Local Policies > User Rights Assignment.
11 On the right pane, select Log on as a Service and right-click Properties.
12 Select the user you want to remove and click Remove.
13 Assign the RBAC right to the new user by typing the following command from the same Exchange Management Shell:
    new-managementroleassignment -name SMSMSE_RBAC_domainname\username -role ApplicationImpersonation -user <username>
14 Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
15 On the left pane, select Microsoft Exchange Security Groups > Organization Management.
16 Right-click Properties, from the Member tab, select the user you want to add and click Add. You must ensure that the user is a member of the Local Administrators Group.
17 On the left pane, select Local Policies > User Rights Assignment.
18 On the right pane, select Log on as a Service, select the user you want to add and click Add.
19 Go to Start > Programs > Administrative Tools > Services.
20 Right-click Symantec Mail Security for Microsoft Exchange and select Properties.
21 From the Log On tab, enter the new user's credentials and click Apply to apply the settings.
22 Start the SMSMSE service.

Modifying or viewing server or server group settings

Mail Security lets you manage one or more servers from a single console. The Server/group box on the toolbar indicates the server or group that is currently selected. The settings that you make and deploy are applied to that server or group.
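The Exchange Management Shell steps of the procedure for changing the domain user account (steps 2, 4, 13 and 22), scripted with checks that the old account no longer holds ApplicationImpersonation and that the service logs on as the new account. This is an added example, not part of the Symantec guide; the account names are placeholders, and it assumes the assignment name follows the guide's SMSMSE_RBAC_domainname\username pattern.

```powershell
# Added example (not Symantec's code). Run in the Exchange Management Shell
# on the Exchange 2010 mailbox server, as an Exchange administrator.
# Placeholder account names (assumptions): substitute your own.
$OldUser     = 'EXAMPLE\svc-smsmse-old'   # account being retired
$NewUser     = 'EXAMPLE\svc-smsmse-new'   # replacement account
$DisplayName = 'Symantec Mail Security for Microsoft Exchange'  # name shown in Services
$Role        = 'ApplicationImpersonation'

function Get-SmsmseAssignment {
    # Role assignments named after the guide's SMSMSE_RBAC_domainname\username pattern.
    Get-ManagementRoleAssignment -Role $Role |
        Where-Object { $_.Name -like 'SMSMSE_RBAC_*' }
}

function Remove-SmsmseAssignment([string]$User) {
    # Step 4: remove the RBAC right that was created for this account only.
    Get-SmsmseAssignment |
        Where-Object { $_.Name -eq "SMSMSE_RBAC_$User" } |
        Remove-ManagementRoleAssignment -Confirm:$false
}

function Add-SmsmseAssignment([string]$User) {
    # Step 13: grant the impersonation role to the new account.
    New-ManagementRoleAssignment -Name "SMSMSE_RBAC_$User" -Role $Role -User $User
}

function Get-ImpersonationHolder {
    # Every account that effectively holds the role, whatever the assignment
    # is called. Anything unexpected in this list deserves a closer look.
    Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName |
        Sort-Object EffectiveUserName
}

function Get-ServiceLogonAccount {
    # Account the SMSMSE service is configured to log on as.
    (Get-WmiObject Win32_Service -Filter "DisplayName='$DisplayName'").StartName
}

# --- Procedure -------------------------------------------------------------
Stop-Service -DisplayName $DisplayName                  # step 2
Remove-SmsmseAssignment -User $OldUser                  # step 4

# Steps 5-12 (group membership and the Log on as a Service right for the old
# account) are done in the Windows tools, as the guide describes.
Read-Host 'Complete steps 5-12 for the old account, then press Enter' | Out-Null

Add-SmsmseAssignment -User $NewUser                     # step 13

# Steps 14-21 (group membership, user right, service Log On tab) are manual.
Read-Host 'Complete steps 14-21 for the new account, then press Enter' | Out-Null

# --- Checks before the service is started again ----------------------------
$stale = Get-SmsmseAssignment | Where-Object { $_.Name -eq "SMSMSE_RBAC_$OldUser" }
if ($stale) {
    Write-Warning "Old account still has an assignment: $($stale.Name)"
}

$logon = Get-ServiceLogonAccount
if ($logon -ne $NewUser) {
    # StartName may be reported as DOMAIN\user or user@domain; compare by eye
    # if the formats differ.
    Write-Warning "Service is configured to log on as '$logon', expected '$NewUser'"
}

Get-ImpersonationHolder | Format-Table -AutoSize

Start-Service -DisplayName $DisplayName                 # step 22
```

The list printed by Get-ImpersonationHolder is worth keeping with the change record, because ApplicationImpersonation lets its holder act as any mailbox user.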

See Deploying settings and changes to a server or group on page 75.

You can view and modify the settings of a different server or group by selecting the server or group in the Select Asset window.

To modify or view server or server group settings
1 In the console on the toolbar, click Change.
2 In the Select Asset window, select the server or group whose settings you want to modify or view.
3 Click Select.

Viewing the status of a server

Mail Security provides server status information on the Home page. You can view more detailed information about the status of a server on the Monitors > Server Status page. The server status details appear in the Server Status preview pane.

If you are in a group view, the Server Status list contains all of the servers in the group. The first time that you access the Server Status in a group view, you must refresh the page to view the list of servers. If you are in a single server view, the Server Status list contains just the server that you selected.

To view the status of a server
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Server Status.
3 In the Server Status list pane, select the server whose status you want to view. If you are in a server view, the server is already selected.
4 Press F5 to refresh the list. Refreshing the list might take several minutes for a large group.

Creating a user-defined server group

If your network contains a large number of Exchange servers, create user-defined groups. Add servers to your user-defined groups that have a common purpose and, therefore, require the same protection. This lets you administer all of your servers that run Mail Security on a group basis.

To create a server group
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the sidebar under Tasks, click New group.
3 In the New Group window, under Group Name, type a name for the user-defined server group.
4 Under Global Group, click the drop-down menu, choose a Global Group - Exchange 2007 and 2010, and then click OK.
5 Click Close.

Adding servers to a group

You can add servers to the Global Group or to a user-defined server group within a Global Group. Group servers together that have a common purpose and, therefore, require the same protection. By adding a server to a group, you can apply a common set of protection settings once, rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance costs can be considerable.

Mail Security automatically detects the Exchange servers that are within your domain. Identify servers outside of your domain and nodes in a cluster by their name or IP address.

You can install Mail Security on servers that you are adding to a server group. All servers must be running Mail Security 6.5 to be managed from the console.

Note: Exchange 2007 Servers must be grouped with other Exchange 2007 Servers, likewise for Exchange 2010 Servers. Groups having Exchange 2007/2010 Servers and Exchange 2003 Servers are not supported.

See Installation options on page 36.

To add servers to a group
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Add server(s).

3 In the Add Server(s) window, under Management group, do one of the following:
  To select an existing group: Click Select group, select the existing group in which you want to add the server, and then click OK.
  To create a new group: In the Group box, type the name of the new server group that you want to create.
4 Under Servers to add, do one of the following:
  In the Available servers list, select one or more servers, and then click the >> command icon.
  In the Server name or IP box, type the server name or IP address of the server that you want to add, and then click the >> command icon. Use the full address and domain when Mail Security is installed on an Edge Transport server because Mail Security does not have access to Active Directory from this role.
5 Under Server options, in the TCP port number box, type the TCP port number for the server or group of servers that you want to add. The default port number is The port number must be the same for all servers that you want to add. The port number and SSL setting must be identical for the console to communicate with the server. See Modifying the port and communication properties of a server.
6 Check Send group settings to apply group settings to the newly added server. If unchecked, existing server settings are retained, and future changes that are made to the server group are applied to the server.
7 Check Install SMSMSE to install Mail Security to the newly added server.
8 Check Keep installation files on server(s) to maintain the installation files on the server.
9 Click OK, and then click Close.

Moving a server to another user-defined server group

You can move a server from one user-defined group to another user-defined group. You can choose to retain the server's settings or apply the settings of the new group.

If you have already created the user-defined group to which you want to move the server and you do not want to apply the group's settings, you can move the server by dragging it to the group. Use the Move Server window to create a new user-defined group, move multiple servers, or apply group settings to the newly added server.

To drag a server to another user-defined server group
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.
3 Select the server that you want to move and drag it into the new server group.
4 In the confirmation dialog box, click OK.
5 Click Close.

To move a server to another user-defined server group using the Move Server window
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.
3 Do one of the following:
  Select the server that you want to move, and then under Tasks, click Move server.
  Right-click on the server that you want to move, and then click Move server.
4 In the Move Server window, do one of the following:
  Select the user-defined server group to which you want to add the server.
  In the Select a group or add a new group box, type the name of a new user-defined server group.
5 Click Send group settings to server to apply the settings of the targeted user-defined server group to the server.
6 Click OK, and then click Close.

Synchronizing group settings to a server

Settings on a particular server might not be synchronized with its server group settings. This can occur, for example, if a server is configured in the server view.

To synchronize group settings to a server
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, under Assets, select the server to which you want to apply group settings.
3 In the sidebar under Tasks, click Send group settings to server. This applies the settings of the server group to the selected server.
4 In the Operation Status window, click Close when the operation is complete.
5 In the Asset Management window, click Close.

Restoring default settings to a server or group

You can restore all of the settings for a server or group to their initial, default settings. Restoring default settings also deletes any custom content filtering rules, match lists, report templates, and scheduled scans that you have created. It does not delete existing reports. Close and reopen the Mail Security console to see the updated settings.

To restore default settings to a server or group
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, under Assets, select the server in which you want to restore the Mail Security default settings.
3 In the sidebar under Tasks, click Reset to factory defaults.
4 In the Reset to factory defaults confirmation dialog box, click OK.
5 In the Operation Status window, click Close when the operation is complete.
6 In the Asset Management window, click Close.

Removing a server from group management

Removing a server from group management does not uninstall Mail Security from the server. Mail Security continues to provide protection. However, you can no longer manage a server through the Mail Security console when you remove it from the Global Group.

To remove a server from group management
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, under Assets, in the Global Group - Exchange 2007 list, select one or more servers that you want to remove.
3 In the Asset Management window, under Assets, in the Global Group - Exchange 2010 list, select one or more servers that you want to remove.
4 In the sidebar under Tasks, click Remove server.
5 In the confirmation dialog box, click OK.
6 Click Close.

Removing a server group

Remove a server group when it is no longer needed. The server group settings are retained on the servers that are in the group until new settings are applied. If you remove a user-defined server group, the servers that belong to the group can be managed through the Global Group.

Note: Global Groups cannot be removed.

To remove a server group
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, under Assets, select the group that you want to remove.
3 In the sidebar under Tasks, click Remove group.
4 In the confirmation dialog box, click OK.
5 Click Close.

Exporting and importing settings

Mail Security provides a feature that lets you export the settings for a server or group to an .xml file. This lets you save the settings as a backup file or import the settings to another computer.

You can view the setting configurations in the console when you import settings. However, the settings are not applied until you deploy them. You can only deploy settings for Symantec Premium AntiSpam if the computer on which you are importing the settings has a valid Symantec Premium AntiSpam license.

You can only export setting configurations, not data such as items in the Event Log. Deploy pending changes before you export settings.

To export settings
1 In the console on the menu bar, click File > Export.
2 In the confirmation dialog box, click OK.
3 In the Select the file to save exported settings window, choose the location where you want to save the file.
4 In the File name box, type the file name.
5 Click Save.
6 In the Operation Status window, click Close when the operation is complete.

To import settings
1 In the console on the menu bar, click File > Import.
2 In the confirmation dialog box, click OK.
3 In the Select an SMSMSE settings file window, locate the file that you want to import.
4 Click Open.
5 In the console on the toolbar, click Deploy changes to apply your changes. See Deploying settings and changes to a server or group on page 75.

Modifying the port and communication properties of a server

You can change the Transmission Control Protocol (TCP) port if the default port (8081) is being used. You can change the TCP port after the server is added to management control. If you change the port number, use a number that is not in use by another program or service.

You can also specify whether to use Secure Socket Layer (SSL) for communication between the console and a server. See Implementing SSL communications on page 58.

To modify the port and communication properties of a server
1 In the console on the menu bar, click Assets.
2 In the Asset Management window, under Assets, select a server.
3 In the sidebar under Tasks, click Server properties.
4 In the Properties window, in the Port number box, type the new port number. The default port number is 8081.

5 Check Use SSL to use SSL for communication between the console and server.
6 Click OK, and then click Close.

Chapter 5 Quarantining messages and attachments

This chapter includes the following topics:
  - About the quarantine
  - Forwarding quarantined items to the Quarantine Server
  - Establishing local quarantine thresholds
  - Viewing the contents of the local quarantine
  - How to release messages from the local quarantine
  - Deleting items from the local quarantine

About the quarantine

Mail Security provides the following options for quarantining messages:

Local quarantine: You can choose to send infected messages and attachments to the local quarantine when you configure Mail Security policies. You can also configure policies to quarantine messages that trigger violations.
See Establishing local quarantine thresholds on page 91.
See Viewing the contents of the local quarantine on page 93.
See Deleting items from the local quarantine on page 96.

Quarantine Server: You can forward infected files that are in the local quarantine to the Symantec Quarantine Server, if one has been set up on your network. Mail Security forwards infected files to the Quarantine Server at 60 minute intervals. Files that are sent to the Quarantine Server are then forwarded to Symantec for analysis in real-time using HTTPS communications. Symantec automatically distributes updated definitions to the Quarantine Server when they are available.

The Quarantine Server is a component of Symantec AntiVirus Central Quarantine. Mail Security supports version 3.4 or later of the Symantec AntiVirus Central Quarantine Server. Version 3.4 is provided on the Mail Security CD in the following location and must be installed separately:
\ADMTOOLS\DIS

See the Symantec Central Quarantine Administrator's Guide for more information about the Symantec AntiVirus Central Quarantine, which is located on the product CD in the following location:
\DOCS\DIS\CentQuar.pdf

Note: Files that contain non-viral threats, are unscannable, or violate content or file filtering rules are not forwarded to the Quarantine Server.

Forwarding quarantined items to the Quarantine Server

You can configure Mail Security to forward local quarantine events to the Quarantine Server, if you have the Quarantine Server installed. You can only forward events that contain threats to the Quarantine Server.

To forward quarantined items to the Quarantine Server
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area, under Quarantine Server, check Send quarantined items to Quarantine Server.
4 Check Delete local quarantined items after forwarding to Quarantine Server to remove items from the local quarantine.
5 In the Server Address box, type the IP address of the Quarantine Server.
6 In the Server Port box, type the port number for the Quarantine Server.

7 In the Network Protocol list, click the drop-down menu and select the appropriate network protocol.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings and changes to a server or group on page 75.

Establishing local quarantine thresholds

You can specify the thresholds for the local quarantine and how you want Mail Security to respond when a threshold is met.

When you establish the quarantine thresholds for the local quarantine, you can specify the following limits:

Maximum number of items | The maximum number of messages or attachments stored in the quarantine
Maximum size of quarantine | The maximum file size (in megabytes or gigabytes) of the quarantine
Retain items in quarantine | The maximum number of days to retain a message or attachment in the quarantine

You can also specify the actions that you want Mail Security to take when a threshold is met.

To establish local quarantine thresholds
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area, under Quarantine Thresholds, check Maximum number of items to limit the number of quarantined items, and then type the maximum number of messages or attachments to retain in the quarantine. This item is checked by default. The default value is
4 To limit the maximum size of the quarantine, do the following:
  - Check Maximum size of quarantine. This item is checked by default.
  - Type the maximum size of the quarantine. The default value is 500.
  - Click the drop-down menu and select MB or GB.

    The default value is MB.
5 Check Retain items in quarantine to limit how long an item is quarantined, and then type the number of days. The default value is 90.

To specify an action to take when a quarantine threshold is met
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 Under When a threshold is met, check Notify Administrator to send notification messages to an administrator list. See Configuring notification settings for scan violations on page 192.
4 Check Notify others to send notification messages to additional people.
5 In the Notify others box, type the addresses of the people to whom you want notifications sent. Separate addresses with commas.
6 Check Delete oldest items to remove items that reach a threshold. This option is not enabled by default. If Delete oldest items is not checked and a quarantine size threshold is reached, the event is logged. Mail Security sends a notification to the recipients that are specified on the Quarantine Settings page.
7 Under Administrator Notification, in the Subject Line box, type your subject line text. The default text is: Administrator Alert: The Symantec Mail Security Quarantine has exceeded a set limit.
8 In the Message Body box, type the administrator notification message body. The default text is: You should manage the Quarantine to remove files or change the Quarantine settings. Details: %details%. You can use variables in the message body. See About alert and notification variables on page
9 On the toolbar, click Deploy changes to apply your changes. See Deploying settings and changes to a server or group on page 75.

Viewing the contents of the local quarantine

You can view the contents of the local quarantine for a server. You must be in the server view. See Modifying or viewing server or server group settings on page 80.

Table 5-1 lists the information that is found in the Quarantine list pane.

Table 5-1 Quarantined file summary information

Item | Description
Time encrypted | Date and time when Mail Security intercepted and encrypted the file
Recipient | Intended recipient(s) of the message
Sender | Address of the sender of the message
Message part | Part of the message that was sent to the quarantine
Location | Location where the file was intercepted
Rule violated | Policy or rule that was violated
Quarantine Id | Alpha-numeric identifier that Mail Security assigns to the quarantined file
Sent to QServer | Whether the file was sent to the Quarantine Server

When you select an item in the Quarantine, details about the message (and attachments, if any) appear in the preview pane.

Table 5-2 lists the detailed information that is shown in the preview pane.

Table 5-2 Quarantined file detailed information

Item | Description
Time encrypted | Date and time when Mail Security intercepted and encrypted the file
Attachment Name | Name of the attachment that triggered the violation. If the message body triggered the violation, this entry is: Message Body.
Rule violated | Policy or rule that was violated
Location | Location where the file was intercepted

Table 5-2 Quarantined file detailed information (continued)

Item | Description
Sender | Address of the sender of the message
Recipient(s) | Intended recipient(s) of the message
Sent to QServer | Whether the file was sent to the Quarantine Server
Virus Name | Name of the virus, if a virus was detected

To view the contents of the local quarantine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine. This option is not available in group view.
3 In the list pane, click an item to view the item's details. The data appears in the preview pane.
4 Press F5 to refresh the display.

How to release messages from the local quarantine

You can release messages from the local quarantine by using the following options:
  - Releasing messages from the local quarantine by email
  - Releasing messages from the local quarantine to a file

Note: Messages that are released from the quarantine are rescanned for threats. If your virus policy is to quarantine threats, Mail Security returns the message to the quarantine. Messages that are released from the quarantine are not filtered for spam and content filtering rules.

Releasing messages from the local quarantine by email

You can send quarantined files to specified destinations by email. When you release a file from the quarantine by email, you remove it from the quarantine.

The released email is then sent with revised sender information to the recipients specified in the "to" box. Rather than being sent from the original sender's address, it is sent from the account that you specify on the Notification Settings page. The email is not delivered to the recipients specified in the "cc" or "bc" boxes. See Configuring notification settings for scan violations on page 192.

To release messages from the quarantine by email
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine. This option is not available in group view.
3 Do one of the following:
  - In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
  - In the list pane under Quarantine, select the items that you want to release. To select multiple items, press CTRL and select the items that you want to release.
  To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release by mail.
5 In the Releasing item(s) by mail window, select from the mail options that Mail Security provides. Mail Security provides the following mail options:
  - Send to original intended recipient(s): Sends the message to the original intended recipient(s).
  - Send to administrators: Sends the message to administrators. List administrators' addresses in the Administrators box. Separate multiple addresses with commas.
  - Send to the following: Sends the message to alternate recipients. List recipients' addresses one per line in the Alternate recipients box.
6 Click OK.
7 In the Operation Status window, click Close when the operation is complete.

Releasing messages from the local quarantine to a file

You can move quarantined messages to a folder for review or analysis. The folder is in the following location:
\Program Files (x86)\symantec\smsmse\6.5\server\quarantine\release

The file location cannot be modified.

To release messages from the quarantine to a file
1 In the console on the primary navigation bar, click Monitors.
2 Under Views, click Quarantine. This option is not available in group view.
3 Do one of the following:
  - In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
  - In the list pane under Quarantine, select the items that you want to release. To select multiple items, press CTRL and select the items that you want to release.
  To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release to file (Save).
5 In the Releasing to file and delete dialog box, select one of the following:
  - Yes: Removes the item from the quarantine after it has been saved to the Release folder
  - No: Keeps the item in the quarantine after it has been saved to the Release folder
  - Cancel: Cancels the file release operation
6 In the confirmation dialog box, click OK.
7 In the Operation Status window, click Close when the operation is complete.

Deleting items from the local quarantine

You can delete one or more items from the quarantine at a time.

To delete items from the quarantine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine.

3 Do one of the following:
  - In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
  - In the list pane under Quarantine, select the items that you want to remove. To select multiple items, press CTRL and select the items that you want to delete.
  To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Delete.


Chapter 6 Protecting your server from risks

This chapter includes the following topics:
  - About protecting your server from risks
  - Configuring threat detection
  - Configuring security risk detection
  - Configuring file scanning limits
  - Configuring rules to address unscannable and encrypted files

About protecting your server from risks

Mail Security can detect risks in all major file types (for example, Windows, DOS, Microsoft Office Word, and Microsoft Office Excel files).

Table 6-1 describes the risks against which Mail Security protects your Exchange server.

Table 6-1 Risks that can threaten your Exchange server

Risk | Description
Threats | Mail Security detects viruses, worms, and Trojan horses in all major file types. See Configuring threat detection on page 101.

Table 6-1 Risks that can threaten your Exchange server (continued)

Risk | Description
Mass-mailer worms | Mail Security detects that an email message is a mass-mailer worm. It automatically deletes the infected message and any attachments. See Configuring threat detection on page 101.
Denial-of-service attacks | Mail Security protects your network from file attachments that can overload the system and cause denial-of-service attacks. This includes container files that are overly large, that contain large numbers of embedded, compressed files, or that are designed to maliciously use resources and degrade performance. You can impose limits to control how Mail Security handles container files to reduce your exposure to denial-of-service threats. See Configuring file scanning limits on page 107.
Security risks | Mail Security detects security risks, such as adware, dialers, hack tools, joke programs, remote access programs, spyware, and trackware. See Configuring security risk detection on page 104.

Mail Security also helps you detect and block other potential risks from entering your network, such as unscannable and encrypted container files. See Configuring rules to address unscannable and encrypted files on page 108.

When a risk is detected, the incident is logged to the locations that you specify. You can also configure Mail Security to issue alerts when risks are detected or when an outbreak occurs.
See About logging events on page 203.
See About outbreak management on page 195.

How Mail Security detects risks

Mail Security uses the following tools to detect risks:

Definitions | Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, worms) to identify new threats. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains information to detect and eliminate the threat. Mail Security searches for these signatures when it scans for threats.

Heuristics | Mail Security uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead since it examines only message bodies and attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.
Container file decomposer | Mail Security contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer attempts to extract container files until it reaches the base file or until it reaches its extraction limit. If the decomposer reaches the set limit before the base file is reached, the scanning process stops. Mail Security then logs the violation to the specified logging destinations, and the file is handled according to the Unscannable File Rule.

Configuring threat detection

To configure threat detection, do the following:

Enable threat detection scanning | Mail Security detects viruses, worms, and Trojan horses in all major file types. Antivirus scanning must be enabled for Mail Security to detect threats. Threat detection scanning applies to all types of scans. See About the types of scanning that you can perform on page 171.
Set the Bloodhound detection level | Mail Security uses Bloodhound technology to supplement the detection of threats by signature. You can customize your level of protection against new threats, from zero protection to a high level of protection. A high level of protection increases protection of your network; however, server performance might be affected. At lower levels of protection, an unknown threat might escape detection, but the trade-off with server performance decreases. In most cases, the default (Medium) setting is appropriate. See How Mail Security detects risks on page 100.

Enable mass-mailer worm-infected message detection | Mail Security detects that an email message is a mass-mailer worm or virus when this feature is enabled. If Mail Security detects that an email message is a mass-mailer worm or virus, it deletes the infected message and any attachments. Mail Security does not send notifications after deleting a mass-mailer worm or virus message and any attachments. When the mass-mailer detection feature is not enabled, an infected mass-mailer message is treated the same as an infected message.
Modify default threat detection rules, as needed | Mail Security provides default antivirus rules, which are always enabled. You can modify these rules.

To configure threat detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content pane under Antivirus Settings, check Enable virus scanning. Virus scanning is enabled by default.
4 In the Bloodhound detection list, select one of the following using the drop-down menu:
  - Off: Disables Bloodhound detection.
  - Low: Optimizes server performance, but might not detect potential threats.
  - Medium: Provides a balance between threat detection and server performance. The default setting is Medium.
  - High: Increases the detection of threats, but might impact server performance.
5 Check Delete mass-mailer worm-infected messages (no notifications) to automatically delete mass-mailer messages. This feature is enabled by default.

6 In the Rules table, select any of the following rules to view or modify them in the preview pane:
  - Basic Virus Rule: Applies to messages or attachments that contain threats that can be repaired. This option is always enabled.
  - Unrepairable Virus Rule: Applies to messages or attachments that contain threats that cannot be repaired. This option is always enabled.
  - Security Risk Rule: Applies to messages that contain security risks, such as adware or spyware. See Configuring security risk detection on page 104. This option is enabled by default.
  The settings for the rule that you select appear in the preview pane.
7 In the preview pane, in the Action to take list, select the action to take when a threat is detected using the drop-down menu.
8 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file contained %violation% and was %action%. You can use variables in your customized text. See About alert and notification variables on page
9 Check one or more of the following to send notifications about the detection:
  - Notify administrators: Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
    Default Subject line text: Administrator Alert: Symantec Mail Security detected %violation%
    Default Message body text: Location of the infected item: %location% Sender of the infected item: %sender% Subject of the message: %subject% The attachment(s) "%attachment%" was %action% for the following reasons: %information% This was done due to the following Symantec Mail Security settings: Scan: %scan% Rule: %rule%

  - Notify internal sender: Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
    Default Subject line text: Symantec Mail Security detected %violation% in a message sent from your address
    Default Message body text: %subject% Recipient of the message: %recipient%
  - Notify external sender: Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
    Default Subject line text: Symantec Mail Security detected %violation% in a message sent from your address
    Default Message body text: Subject of the message: %subject% Recipient of the message: %recipient%
  See About alert and notification variables on page
10 On the toolbar, click Deploy changes to apply your changes. See Deploying settings and changes to a server or group on page 75.

Configuring security risk detection

Mail Security can detect security risks. Security risks are programs that do any of the following:
  - Provide unauthorized access to computer
  - Compromise data integrity, privacy, confidentiality, or security
  - Present some type of disruption or nuisance

These programs can put your employees and your organization at risk for the following:
  - Identity theft or fraud by logging keystrokes
  - Capture of email and instant messaging traffic
  - Theft of personal information such as passwords and login identifications

Security risks can be introduced into your computer unknowingly when users visit a Web site, download shareware or freeware software programs, click links or attachments in messages, or through instant messaging clients. They can also be installed after or as a by-product of accepting an end user license agreement from another software program related to or linked in some way to the security risk.

Enable the Security Risk Rule for Mail Security to detect security risks.

Table 6-2 lists the categories of security risks that Mail Security detects.

Table 6-2 Security risk categories

Category | Description
Adware | Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user's knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.
Hack tools | Programs used to gain unauthorized access to a user's computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.
Dialers | Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.
Joke programs | Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycling Bin away from the mouse when the user tries to click on it.
Remote access programs | Programs that let a remote user gain access to a computer over the Internet to gain information from, attack, or alter the host computer.
Spyware | Stand-alone programs that can secretly monitor computer activity and detect passwords and other confidential information and then relay the information back to a remote computer.
Trackware | Stand-alone or appended applications that trace a user's path on the Internet and relay the information to a remote computer.

To configure security risk detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content area, in the Rules table, on the Security Risk Rule row, click the box under the Status column, and then select Enabled from the drop-down menu. This rule is enabled by default.
4 In the preview pane, in the Action to take list, use the drop-down menu to select the action to take when a security risk is detected.
5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file contained %violation% and was %action%. You can use variables in your customized text. See About alert and notification variables on page
6 Check one or more of the following to send notifications about the detection:
  - Notify administrators: Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
    Default Subject line text: Administrator Alert: Symantec Mail Security detected %violation%
    Default Message body text: Location of the infected item: %location% Sender of the infected item: %sender% Subject of the message: %subject% The attachment(s) "%attachment%" was %action% for the following reasons: %information% This was done due to the following Symantec Mail Security settings: Scan: %scan% Rule: %rule%
  - Notify internal sender: Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
    Default Subject line text: Symantec Mail Security detected %violation% in a message sent from your address
    Default Message body text: %subject% Recipient of the message: %recipient%

  Notify external sender
    Click the down arrow and type your customized text in the Subject line box and the Message body box.
    The default Subject line and Message body text is as follows:
    Default Subject line text: Symantec Mail Security detected %violation% in a message sent from your address
    Default Message body text:
      Subject of the message: %subject%
      Recipient of the message: %recipient%

  See About alert and notification variables on page
7 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

Configuring file scanning limits

Mail Security imposes limits on file extraction. These limits protect against denial-of-service attacks that are associated with overly large or complex container files that take a long time to decompose. These limits also enhance scanning performance.

Mail Security contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer continues to extract container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to Unscannable File Rule.

See Configuring rules to address unscannable and encrypted files on page 108.

To configure file scanning limits

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Scanning Limits.
3 In the content area, in the Maximum scan time (in seconds) box, type the maximum time that Mail Security can spend extracting a single container file. You can enter a value from 10 to The default value is
4 In the Maximum archive scan depth (number of levels) box, type the maximum number of nested levels of files that are decomposed within a container file. You can enter a value from 1 to 50. The default value is 10.

5 In the Maximum size of one extracted file (in MB) box, type the maximum file size, in megabytes, for individual files in a container file. You can enter a value from 1 to The default value is
6 In the Maximum total size of all extracted files (in MB) box, type the maximum size, in megabytes, of all extracted files. You can enter a value from 1 to The default value is
7 In the Maximum number of files extracted box, type the maximum allowable number of files to be extracted. You can enter a value from 1 to The default value is
8 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

Configuring rules to address unscannable and encrypted files

A file that cannot be scanned can put your network at risk if it contains a threat. Mail Security provides the following default rules to address unscannable and encrypted files:

Unscannable File Rule
  Mail Security must be able to decompose and scan a container file to detect risks. An unscannable container file could contain a threat that poses a risk to your network.
  An unscannable file is one that exceeds a scanning limit, is a partial container file, or that generates a scanning error.
  You can specify how you want Mail Security to process container files that cannot be scanned. The default setting for the Unscannable File Rule is to quarantine the file and replace it with a text description.

Encrypted File Rule
  Infected files can be intentionally encrypted. Encrypted files cannot be decrypted and scanned without the appropriate decryption tool.
  You can configure how you want Mail Security to process encrypted container files to protect your network from threats. The default setting for the Encrypted File Rule is to log the violation only.

These rules are always enabled.
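The following added example (not Symantec's code and not part of the original guide) sketches how a decomposer can enforce the five scanning limits described above on nested ZIP containers and map the outcome to the Unscannable File Rule or the Encrypted File Rule. The names `ScanLimits`, `decompose` and `make_nested` are hypothetical, only the depth default of 10 comes from the guide, and the other limit values and the sample archives are constructed.

```python
import io
import time
import zipfile
import zlib
from dataclasses import dataclass

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a non-empty ZIP


class Unscannable(Exception):
    """A scanning limit was crossed or the container could not be read."""


class Encrypted(Exception):
    """A member is flagged as encrypted, so its content cannot be inspected."""


@dataclass
class ScanLimits:
    max_depth: int = 10                      # default stated in the guide
    max_seconds: float = 5.0                 # constructed value
    max_file_bytes: int = 1024 * 1024        # constructed value
    max_total_bytes: int = 4 * 1024 * 1024   # constructed value
    max_files: int = 100                     # constructed value


def _walk(data, depth, limits, state, base_files):
    if not data.startswith(ZIP_MAGIC):
        base_files.append(data)              # base file: ready for the scanner
        return
    if depth > limits.max_depth:
        raise Unscannable("archive scan depth exceeded")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:        # partial or damaged container
        raise Unscannable(f"container error: {exc}") from exc
    with archive:
        for info in archive.infolist():
            if time.monotonic() > state["deadline"]:
                raise Unscannable("scan time exceeded")
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:         # general-purpose bit 0: encrypted
                raise Encrypted(info.filename)
            state["files"] += 1
            if state["files"] > limits.max_files:
                raise Unscannable("extracted file count exceeded")
            try:
                # Read one byte past the limit at most; the size declared in
                # the archive header is sender-controlled and is not trusted.
                with archive.open(info) as member:
                    content = member.read(limits.max_file_bytes + 1)
            except (zipfile.BadZipFile, zlib.error, EOFError,
                    NotImplementedError) as exc:
                raise Unscannable(f"scanning error: {exc}") from exc
            if len(content) > limits.max_file_bytes:
                raise Unscannable("extracted file size exceeded")
            state["total"] += len(content)
            if state["total"] > limits.max_total_bytes:
                raise Unscannable("total extracted size exceeded")
            _walk(content, depth + 1, limits, state, base_files)


def decompose(data, limits=None):
    """Return (verdict, detail, base_files); verdict names the rule to apply."""
    limits = limits or ScanLimits()
    state = {"files": 0, "total": 0,
             "deadline": time.monotonic() + limits.max_seconds}
    base_files = []
    try:
        _walk(data, 1, limits, state, base_files)
    except Unscannable as exc:               # Unscannable File Rule applies
        return "unscannable", str(exc), []
    except Encrypted as exc:                 # Encrypted File Rule applies
        return "encrypted", str(exc), []
    return "scanned", f"{len(base_files)} base file(s)", base_files


def make_nested(levels, payload=b"constructed payload"):
    """Build a constructed sample: payload wrapped in `levels` ZIP layers."""
    data = payload
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{level}.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    for levels in (3, 11):
        print(levels, decompose(make_nested(levels))[:2])
```

Because every limit fails closed into a single "unscannable" verdict, the action configured for the Unscannable File Rule decides what happens to an oversized or deeply nested attachment.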
To configure rules to address unscannable and encrypted files

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Exceptions.

3 In the list pane, select one of the following rules that you want to view or modify:
  - Unscannable File Rule
  - Encrypted File Rule
4 In the preview pane, in the Action to take list, use the drop-down menu to select the action to take when a violation is detected.
5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.
  The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file was unscannable and was %action%.
  You can use variables in your customized text.
  See About alert and notification variables on page
6 Check one or more of the following to send notifications about the detection:

  Notify administrators
    Click the down arrow and then type your customized text in the Subject line box and the Message body box.
    The default Subject line and Message body text is as follows:
    Default Subject line text: Administrator Alert: Symantec Mail Security detected a message with an unscannable attachment or body
    Default Message body text:
      Location of the message: %location%
      Sender of the message: %sender%
      Subject of the message %subject%
      The attachment(s) "%attachment%" was %action%.
      This was done due to the following Symantec Mail Security settings:
      Scan: %scan%
      Rule: %rule%

  Notify internal sender
    Click the down arrow and then type your customized text in the Subject line box and the Message body box.
    The default Subject line and Message body text is as follows:
    Default Subject line text: Symantec Mail Security detected unscannable content in a message sent from your address
    Default Message body text:
      Subject of the message: %subject%
      Recipient of the message %recipient%

  Notify external sender

    Click the down arrow and then type your customized text in the Subject line box and the Message body box.
    The default Subject line and Message body text is as follows:
    Default Subject line text: Symantec Mail Security detected unscannable content in a message sent from your address
    Default Message body text:
      Subject of the message: %subject%
      Recipient of the message %recipient%

  See About alert and notification variables on page
7 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

Chapter 7 Identifying spam

This chapter includes the following topics:
- About spam detection
- Configuring whitelists
- How to detect spam using Symantec Premium AntiSpam

About spam detection

Mail Security protects your servers from unwanted email messages, such as spam. Spam is usually defined as junk or unsolicited email from a third party. The spam message sender has no discernible relationship with all or some of the message recipients. Often, the message headers are forged or altered to conceal the origination point of the sender.

Spam is not only an annoyance to users and administrators, it is also a serious security concern. Spam can be used to deliver viruses and Trojan horses, and in phishing attempts. In addition, high volumes of spam can create denial-of-service conditions in which servers are so overloaded that legitimate email and network traffic are unable to get through.

Mail Security can detect if an incoming message is spam with a high level of accuracy. You can adjust antispam detection by specifying domains that are automatically permitted to bypass antispam scanning.

See Configuring whitelists on page 113.

Spam detection is only available on Mail Security when it is installed on Edge Transport or Hub Transport server roles.

You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium AntiSpam.

See About licensing on page 67.

How Mail Security detects and processes spam

When antispam detection is enabled, Mail Security analyzes SMTP messages for key characteristics of spam. It weighs its findings against characteristics of legitimate messages.

When you enable antispam detection, Mail Security stamps messages with a SCL value when the following conditions are true:
- Mail Security determines that the message is spam, suspected spam, or suspected spam and the message meets an SCL threshold.
- The "Assign SCL value to message" option is enabled.

The SCL Junk Folder Threshold in Microsoft Exchange 2007/2010 works with the SCL value that is stamped on a message to determine the destination of the message. When the SCL value is not set, Exchange sends all messages with a SCL value to the user's Junk folder. When the message has a SCL value that is higher than the SCL Junk Folder Threshold, Exchange sends the message to the user's Junk folder. If the SCL value is lower than or equal to the SCL Junk Folder Threshold, the message is routed to the user's Inbox.

When you enable antispam detection, Mail Security stamps messages with a spam confidence level (SCL) value. The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on a message to determine the destination of the message. When the SAT value is not set, Exchange sends all messages with a SCL value to the user's Junk folder. If the SAT value is set and a message has a SCL value that is higher than the SAT threshold, Exchange sends the message to the user's Junk folder. If the SCL value is lower than or equal to the SAT value, the message goes into the user's Inbox.

See About spam confidence level values on page 113.

Note: Mail Security scans all SMTP messages regardless of the mail flow direction. You can configure your Hub Transport internal SMTP servers to include the IP addresses or range of IP addresses of your internal servers. Email messages that are sent from these servers bypass whitelisting and spam processing, which enhances scanning performance. See your Microsoft documentation for more information about how to configure the Hub Transport server to designate internal servers.

About spam confidence level values

Exchange assigns a spam confidence level (SCL) value to messages. Spam confidence level values range from -1 to 9. Microsoft Exchange reserves the value of -1. If the message is assigned a value of -1, the message bypasses antispam scanning. Messages that are determined to be spam are assigned a SCL value of 1 (extremely low likelihood that the message is spam) to 9 (extremely high likelihood that the message is spam).

Mail Security detects the SCL value when it scans a message at the Edge Transport role or Hub Transport role. If you enable the "Assign SCL value to message" option, Mail Security replaces the SCL value that was assigned by Exchange with the value that you specify. Mail Security does not replace or modify any X-header values assigned by Exchange.

When the Mailbox server receives the message, it compares the SCL value of the message to the SCL Junk Folder Threshold that is stored in Active Directory. Messages that exceed the SCL Junk Folder Threshold are sent to the users' Junk folder. The SCL Junk Folder Threshold is set to 8 by default. You can view or modify the SCL Junk Folder Threshold value using Windows PowerShell.

For more information, see the Microsoft documentation.

See Processing spam messages on page 118.

Configuring whitelists

You can enable and populate the following whitelists to minimize false positives:

Allowed Senders: Lets you list the sender domains that are permitted to bypass antispam scanning

Unfiltered Recipients: Lets you list the email addresses to which inbound emails are permitted to bypass antispam scanning

If the Allowed Senders and Unfiltered Recipients lists are both enabled, Mail Security processes the Allowed Senders list first.

Email messages that are permitted to bypass antispam scanning are still scanned for risks and file filtering violations.

To configure whitelists

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Whitelist.
3 In the content area, under Allowed Senders, check Bypass spam detection for messages sent from the following.
4 In the Email and domain addresses box, type the domains and addresses (one per line) that are permitted to bypass spam detection.
  Domain names must begin with @ (at symbol) or with an asterisk before the at symbol (for example, *@mail.com). You can use DOS wildcard characters.
  See About DOS wildcard style expressions on page
5 Under Unfiltered Recipients List, check Bypass spam detection for messages sent to the following.
6 In the Fully qualified addresses box, type the fully qualified addresses (one per line) to which messages are permitted to bypass spam detection. You can list up to 50 addresses.
7 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

How to detect spam using Symantec Premium AntiSpam

Symantec Premium AntiSpam provides continuous updates to the premium antispam filters to ensure that your Exchange server has the most current spam detection filters that are available.

Updates to the premium antispam service are handled automatically through the Symantec Premium AntiSpam service and not through LiveUpdate. You must have an active Internet connection and permit outbound secure HTTP traffic through your firewall (port 443). Manually register the service if your connection uses an HTTP proxy. After Symantec Premium AntiSpam is registered and enabled, spam rules are continually downloaded from Symantec. Mail Security checks for updates every minute and receives new rule sets every minutes.

See About registering Symantec Premium AntiSpam through an ISA server on page 115.

See Configuring your proxy server to download spam definition updates on page 115.

About registering Symantec Premium AntiSpam through an ISA server

Symantec Premium AntiSpam requires the ability to communicate by HTTPS (Port 443). If your connection uses an HTTP proxy, manually register the service so that spam rules can be automatically downloaded from Symantec.

To register Symantec Premium AntiSpam through an ISA server that is filtering traffic for your Exchange server, do one of the following:
- If the ISA server is installed on the same computer as the Exchange server, create a Host Based protocol rule to allow Any Request for the HTTPS protocol and HTTPS server protocols.
- If the ISA server is installed on a different computer from the Exchange server, create a Host Based protocol rule that specifically allows traffic for the IP Address of the Exchange server for the HTTPS protocol and HTTPS server protocols.

Configuring your proxy server to download spam definition updates

Mail Security checks for updates to antispam filters every minute and receives new rule sets every minutes. Configure your proxy server to permit updates.

To configure your proxy server to download spam definition updates

1 Open the command prompt window by clicking Start > Programs > Accessories > Command Prompt.
2 At the command prompt, change directories to the Mail Security installation directory.
  The default directory is:
    \Program Files (x86)\symantec\smsmse\6.5\server
3 Type the following:
    register -c SpamPrevention\bmiconfig.xml -l SpamPrevention\SPAlicense.slf -p <proxyserver:proxyport>
  where <proxyserver:proxyport> is the IP address of your proxy server and the port.
  Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.
4 On the Windows Start menu, click Start > Run.
5 In the Run dialog box, type the following:
    regedit

6 Click OK.
7 In the Registry Editor window, in the left pane, browse and locate the following folder:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Licensing\
8 Do one of the following:

  If the file SPARunRegister does not exist
    In the right pane, right-click on any blank space, and select New > DWORD Value.
    In the name box, type: SPARunRegister

  If the file SPARunRegister exists
    In the right pane, right-click on the file, and select Modify.
    In the Edit DWORD Value dialog box, in the Value data box, change the value to 0, and then click OK.

9 Save the file and close the Registry Editor window.

Configuring Symantec Premium AntiSpam to detect spam

Before you configure Symantec Premium AntiSpam, ensure that you have done the following:
- If you have an ISA server, register Symantec Premium AntiSpam through the ISA server.
  See About registering Symantec Premium AntiSpam through an ISA server on page 115.
- Configure your proxy server to permit downloads for Symantec Premium AntiSpam.
  See Configuring your proxy server to download spam definition updates on page 115.
- Install the Symantec Premium AntiSpam license.
  See About licensing on page 67.

Configure the following settings to detect and handle spam:

Reputation service
  Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec.
  Symantec uses the following lists to filter your messages:
  - Open Proxy list: Contains IP addresses that are either open proxies that are used by spammers or 'zombie' computers that are co-opted by spammers
  - Safe list: Contains IP addresses from which virtually no outgoing email is spam
  - Suspect list: Contains IP addresses from which virtually all of the outgoing email is spam
  These lists work like antispam rules but do not create delays like those that can occur with third-party lists. These lists do not require any additional setup procedures.

Suspected spam threshold
  Symantec calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, it is defined as spam. You can define a suspected spam threshold between 25 and 89. You can also specify the actions for handling spam and suspected spam separately.

You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium AntiSpam.

See About licensing on page 67.

To configure Symantec Premium AntiSpam to detect spam

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Settings.
3 In the content area, under Symantec Premium AntiSpam Settings, check Enable Symantec Premium AntiSpam.
4 Under Reputation Services, check any of the following lists that you want to use:
  - Open proxy list
  - Safe list
  Suspect List is enabled by default and cannot be disabled.
5 Under Spam Scoring, select whether you want messages flagged as suspected spam.

6 Under Spam Threshold, in the Lower spam threshold box, type the suspected spam threshold level if you choose to identify suspected spam. You can enter a value between 25 and 89. The default value is
7 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

Processing spam messages

You can configure Mail Security to reject or accept spam messages. You can also configure whether you want Mail Security to log spam events to the specified logging destinations.

See About logging events on page 203.

If you configure Mail Security to reject spam messages, then a spam message is not accepted by the SMTP server for delivery. The connection is closed and no error message is sent to the SMTP service that sent the message.

If you configure Mail Security to accept spam messages, you can specify the following message delivery options:
- Prevent the message from being sent to the intended recipient.
- Deliver the spam message to an alternate recipient.
- Add your customized subject line text to the message.
- Add one or more X-headers to the message.
  See Apply X-headers to messages for archiving on page 24.
- Assign a SCL value to the message.
  See About spam confidence level values on page 113.

To reject spam messages

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Reject the message.
4 Check Log to log spam messages to the specified logging destinations.
  See About logging events on page
5 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

To accept spam messages

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Accept the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving spam messages.
5 Check Deliver to alternate recipient to send spam messages to a different recipient, and type the address to which spam messages are delivered. You can only enter one address.
6 Check Add to subject line to prepend the subject line of spam messages, and in the subject line box, type your customized text. The default text is Spam.
7 Check Add X-header(s) to add one or more X-headers to messages that trigger the violation, and then do any of the following:

  Add an existing X-header
    Do the following:
    - Click Add X-header.
    - In the X-header name column, use the drop-down menu to select the X-header that you want to use. You can modify the existing X-header by clicking on the text and typing the new content.
    - In the X-header value column, type the X-header value. You can type up to 127 characters. The following characters are not supported in X-header values: ~

  Create a new X-header
    Do the following:
    - Click Add X-header.
    - In the X-header box, type the name of the X-header. You can type up to 127 characters. The name must begin with "x-" or "X-". The following characters are not supported in X-header names: ,. ; < > :? / = ( )[ ;~
    - In the X-header box, type the X-header value. You can type up to 127 characters. The following characters are not supported in X-header values: ~

  Remove an existing X-header
    Do the following:
    - Select the X-header that you want to remove by clicking to the left of the X-header name column.
    - Click Delete X-header(s).

8 Check Assign SCL value to message to assign a SCL value to spam messages, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 9.
  See About spam confidence level values on page
9 Check Log to log spam messages to the specified logging destinations. Spam messages are identified in the Windows Event Log as information or events.
  See About logging events on page
10 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

Processing suspected spam messages that exceed a SCL threshold

If you are using a mail screening tool, you can configure Mail Security to reject or accept suspected spam messages that exceed a SCL threshold. Assign the SCL threshold for which the Suspected Spam and SCL settings apply.

You can log all spam events to the specified logging destinations.

See About logging events on page 203.

You can specify how you want Mail Security to process messages that are identified as suspected spam and that exceed the SCL threshold that you specify.

If you configure Mail Security to reject spam messages, then a spam message is not accepted by the SMTP server for delivery. The connection is closed and no error message is sent to the SMTP service that sent the message.

If you configure Mail Security to accept suspected spam messages that exceed the threshold, you can configure the following message delivery options:
- Prevent the message from being sent to the intended recipient.
- Deliver the spam message to an alternate recipient.
- Add your customized subject line text to the message.
- Add one or more X-headers to the message.
  See Apply X-headers to messages for archiving on page 24.
- Re-assign the SCL value of the message.
  See About spam confidence level values on page 113.

To reject suspected spam messages that exceed a SCL threshold

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam and SCL, in the "If message is Suspected Spam and SCL is" list, select the SCL value threshold. You can choose a value from >0 to >8. The default value is >5.
4 Check Reject the message.
5 Check Log to log suspected spam messages to the specified logging destinations.
  See About logging events on page
6 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

To accept suspected spam messages that exceed a SCL threshold

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and SCL, in the "If message is Suspected Spam and SCL is" list, select the SCL value threshold. You can choose a value from >0 to >8. The default value is >5.
4 Check Accept the message.
5 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.
6 Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered. You can only specify one recipient.
7 Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text. The default text is Spam.
8 Check Add X-header(s) to add one or more X-headers to messages that trigger the violation, and then do any of the following:

  Add an existing X-header
    Do the following:
    - Click Add X-header.
    - In the X-header name column, use the drop-down menu to select the X-header that you want to use. You can modify the existing X-header by clicking on the text and typing the new content.
    - In the X-header value column, type the X-header value. You can type up to 127 characters. The following characters are not supported in X-header values: ~

  Create a new X-header
    Do the following:
    - Click Add X-header.
    - In the X-header box, type the name of the X-header. You can type up to 127 characters. The name must begin with "x-" or "X-". The following characters are not supported in X-header names: ,. ; < > :? / = ( )[ ;~
    - In the X-header box, type the X-header value. You can type up to 127 characters. The following characters are not supported in X-header values: ~

  Remove an existing X-header
    Do the following:
    - Select the X-header that you want to remove by clicking to the left of the X-header name column.
    - Click Delete X-header(s).

9 Check Assign SCL value to message to assign a SCL value to suspected spam messages, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 8.
  See About spam confidence level values on page
10 Check Log to log suspected spam messages to the specified logging destinations. Suspected spam messages that meet or exceed an SCL value are identified in the Windows Event Log as information or events.
  See About logging events on page
11 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

Processing suspected spam messages

You can configure Mail Security to reject or accept suspected spam messages. You can log all spam events to the specified logging destinations.

See About logging events on page 203.

If you configure Mail Security to reject spam messages, then a spam message is not accepted by the SMTP server for delivery. The connection is closed and no error message is sent to the SMTP service that sent the message.

If you configure Mail Security to accept suspected spam messages, you can specify the following message delivery options:
- Prevent the message from being sent to the intended recipient.
- Deliver the spam message to an alternate recipient.
- Add your customized subject line text to the message.
- Add one or more X-headers to the message.
  See Apply X-headers to messages for archiving on page 24.
- Re-assign the SCL value of the message.
  See About spam confidence level values on page 113.

To reject suspected spam messages

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Reject the message.
4 Check Log to log spam messages to the specified logging destinations.
  See About logging events on page
5 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.

To accept suspected spam messages

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Accept the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.
5 Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered. You can only specify one recipient.

6 Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text. The default text is Spam.
7 Check Add X-header(s) to add one or more X-headers to messages that trigger the violation, and then do any of the following:

  Add an existing X-header
    Do the following:
    - Click Add X-header.
    - In the X-header name column, use the drop-down menu to select the X-header that you want to use. You can modify the existing X-header by clicking on the text and typing the new content.
    - In the X-header value column, type the X-header value. You can type up to 127 characters. The following characters are not supported in X-header values: ~

  Create a new X-header
    Do the following:
    - Click Add X-header.
    - In the X-header box, type the name of the X-header. You can type up to 127 characters. The name must begin with "x-" or "X-". The following characters are not supported in X-header names: ,. ; < > :? / = ( )[ ;~
    - In the X-header box, type the X-header value. You can type up to 127 characters. The following characters are not supported in X-header values: ~

  Remove an existing X-header
    Do the following:
    - Select the X-header that you want to remove by clicking to the left of the X-header name column.
    - Click Delete X-header(s).

8 Check Assign SCL value to message to reassign the SCL value, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 6.
  See About spam confidence level values on page
9 Check Log to log suspected spam messages to the specified logging destinations. Suspected spam messages are identified in the Windows Event Log as information or events.
  See About logging events on page
10 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings and changes to a server or group on page 75.
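The following added example (not part of the original guide and not Symantec or Microsoft code) combines three settings this chapter describes in separate places: the spam score bands from "Suspected spam threshold", the SCL values assigned by the accept actions, and the SCL Junk Folder Threshold from "About spam confidence level values". The names `AntispamPolicy`, `verdict` and `route` are hypothetical; the defaults 9, 6 and 8 are the ones this guide states, while the suspected spam threshold of 72, the inclusive lower bound and the assumption that the accept action is selected are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

SPAM_MIN_SCORE = 90  # guide: a score from 90 to 100 is defined as spam


@dataclass
class AntispamPolicy:
    suspected_threshold: Optional[int]  # 25..89; None = suspected spam not flagged
    assign_scl: bool = True             # "Assign SCL value to message" option
    spam_scl: int = 9                   # guide default assigned to spam
    suspected_scl: int = 6              # guide default assigned to suspected spam
    junk_threshold: int = 8             # guide default SCL Junk Folder Threshold

    def __post_init__(self):
        t = self.suspected_threshold
        if t is not None and not 25 <= t <= 89:
            raise ValueError("suspected spam threshold must be between 25 and 89")
        for scl in (self.spam_scl, self.suspected_scl):
            if not 1 <= scl <= 9:
                raise ValueError("assigned SCL value must be between 1 and 9")


def verdict(score: int, policy: AntispamPolicy) -> str:
    """Map a spam score (1 to 100) to the verdict the policy acts on."""
    if not 1 <= score <= 100:
        raise ValueError("spam score must be between 1 and 100")
    if score >= SPAM_MIN_SCORE:
        return "spam"
    # Assumption: a score equal to the threshold counts as suspected spam.
    if policy.suspected_threshold is not None and score >= policy.suspected_threshold:
        return "suspected spam"
    return "not spam"


def route(score: int, exchange_scl: int, policy: AntispamPolicy):
    """Return (verdict, SCL carried by the message, destination folder)."""
    if exchange_scl == -1:
        # Reserved by Exchange: the message bypasses antispam scanning.
        return "bypassed", -1, "Inbox"
    result = verdict(score, policy)
    scl = exchange_scl
    if policy.assign_scl and result == "spam":
        scl = policy.spam_scl            # replaces the value Exchange assigned
    elif policy.assign_scl and result == "suspected spam":
        scl = policy.suspected_scl
    # Only an SCL strictly above the threshold is delivered to the Junk folder.
    folder = "Junk" if scl > policy.junk_threshold else "Inbox"
    return result, scl, folder


if __name__ == "__main__":
    policy = AntispamPolicy(suspected_threshold=72)  # constructed threshold
    for score in (95, 80, 40):
        print(score, route(score, 0, policy))
```

With the defaults stated in this guide, only messages with the spam verdict (SCL 9) exceed the threshold of 8; suspected spam stamped with 6 or 8 is still delivered to the Inbox unless the assigned SCL is raised or the Junk Folder Threshold is lowered.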

Chapter 8
Filtering content

This chapter includes the following topics:

  About filtering content
  About creating a content filtering rule
  What you can do with content filtering rules
  How to enforce attachment policies
  Managing match lists

About filtering content

Mail Security can filter messages and their attachments using the following features:

Content filtering rules
  Content filtering rules filter messages and their attachments for the specific content that you specify (for example, offensive language or sensitive information). Mail Security can scan for content within the following message parts: message body, subject, sender, attachment name, and attachment content.
  You can use the default content filtering rules that Mail Security provides or you can create your own rules. You can individually enable and disable each rule.
  See About creating a content filtering rule on page 129.
  See About default content filtering rules on page 128.

File filtering rules
  Mail Security uses file filtering rules to enforce attachment policies. Mail Security provides the following pre-defined file filtering rules:
    File Name Rule: Blocks attachments based on the file name that you specify
    Multimedia File Rule: Blocks specific multimedia file attachments
    Executable File Rule: Blocks specific executable file attachments
  See How to enforce attachment policies on page 153.

Match lists
  Mail Security uses match lists to filter messages and attachments for specific words and phrases. You use match lists with content filtering rules or the File Name file filtering rule. When the rule is enabled, Mail Security scans for the criteria that you specify in the rule, including the words and phrases that are in the associated match list. Match lists support literal strings, DOS wildcard-style expressions, or regular expressions.
  See Managing match lists on page 162.
  You can also use match lists to help manage outbreaks. You can configure Mail Security to automatically add the names of outbreak-triggered attachments and outbreak-triggered subject text to match lists. Mail Security uses these match lists with content or file filtering rules to automatically block suspicious file attachments or subjects.
  See About outbreak management on page 195.

You can specify the action that you want Mail Security to take when it detects a content filtering rule or file filtering rule violation. You can also configure Mail Security to notify the administrator and senders (internal and external) of a violation with a message that you can customize.

About default content filtering rules

Table 8-1 describes the pre-configured content filtering rules that Mail Security provides.

Table 8-1 Default content filtering rules

Rule / Description

Allow-Only Attachment Rule
  Detects and filters files with attachment types that are not on a list of permitted attachment types.
  This rule is only available if you upgrade from a previous version of Mail Security. This rule is not available if you perform a clean installation of Mail Security.

Blank Subject and Sender
  Detects and filters messages with blank subject line and blank sender line.

Quarantine Triggered Attachment Names
  Detects and filters files whose attachment name matches a list of outbreak-triggered attachment names.
  See Managing match lists on page 162.

Quarantine Triggered Subjects
  Detects and filters messages whose subject matches a list of outbreak-triggered subjects.
  See Managing match lists on page 162.

Sample Executable File
  Detects and filters executable files based on the Sample Attachment Name match list.

Enable the default content filtering rules that you want to use. You can modify the rules as needed.

About creating a content filtering rule

Creating a content filtering rule involves the following process:

  Configuring the conditions of a content filtering rule
  Specifying the users and groups to which the rule applies
  Specifying who to notify if a content filtering rule is violated
  Configuring rule actions

Configuring the conditions of a content filtering rule

A content filtering rule consists of one or more conditions that you define. For example, a condition might be that a subject line contains one or more words from a subject line match list. A rule can optionally contain one or more exceptions.

Mail Security uses OR ("Match any term") and AND ("Match all terms") conditions to create a framework in which to evaluate messages or messages and their attachments.

By default, content filtering rules are set to "Match any term" for the entries in the Content list. This means that the rule triggers a violation if any of the entries are present and all of the other criteria that you configured are met. If you check "Match all terms," then the rule only triggers a violation if all the items in the Content list are present and all other rule criteria that you configure are met. "Match any terms" is the only condition available for the entries in the Unless list.

Figure 8-1 shows the rule elements that you can configure on the content filtering rule tab.

Figure 8-1 Content filtering rule tab (callouts: Content list, Unless list)

Table 8-2 describes the rule elements that you can configure on the content filtering rule tab.
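The "Match any term" / "Match all terms" evaluation of the Content list and the exception role of the Unless list, described above, can be modelled as follows. This is an added Python example, not Symantec's code and not part of the guide. Assumed here and not stated in the guide: matching is case-insensitive, a wildcard expression must cover the whole value, and a single Unless hit suppresses the violation; the `Term`, `Rule` and `evaluate` names, the rule names and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Message parts the guide lists as scannable by content filtering rules.
PARTS = ("body", "subject", "sender", "attachment_name", "attachment_content")


@dataclass(frozen=True)
class Term:
    """One match-list entry: literal string, DOS-style wildcard, or regex."""
    text: str
    kind: str = "literal"  # "literal", "wildcard" or "regex"

    def present_in(self, value: str) -> bool:
        # Assumption: case-insensitive matching (not stated in the guide).
        if self.kind == "literal":
            return self.text.lower() in value.lower()
        if self.kind == "wildcard":
            # Assumption: '*' is any run of characters, '?' is exactly one,
            # and the expression must cover the whole value.
            pattern = "".join(
                ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                for ch in self.text
            )
            return re.fullmatch(pattern, value, re.I | re.S) is not None
        if self.kind == "regex":
            return re.search(self.text, value, re.I) is not None
        raise ValueError(f"unknown term kind: {self.kind!r}")


@dataclass
class Rule:
    name: str
    part: str                                   # one of PARTS
    content: list                               # Content list terms
    unless: list = field(default_factory=list)  # Unless list terms
    match_all: bool = False                     # False = "Match any term" (default)

    def violated_by(self, message: dict) -> bool:
        if self.part not in PARTS:
            raise ValueError(f"unknown message part: {self.part!r}")
        values = message.get(self.part, [])
        if isinstance(values, str):
            values = [values]  # attachment parts may carry several values

        def present(term: Term) -> bool:
            return any(term.present_in(v) for v in values)

        if not self.content:
            return False
        hits = [present(t) for t in self.content]
        if not (all(hits) if self.match_all else any(hits)):
            return False
        # Unless list is always "match any": one hit is treated as an exception.
        return not any(present(t) for t in self.unless)


def evaluate(rules, message):
    """Return the names of the rules that the message violates, in rule order."""
    return [rule.name for rule in rules if rule.violated_by(message)]


# Constructed rules: the same two terms under "any" and "all" semantics,
# plus one wildcard rule and one regex rule.
RULES = [
    Rule("any-sensitive-subject", "subject",
         [Term("salary"), Term("confidential")], unless=[Term("newsletter")]),
    Rule("all-sensitive-subject", "subject",
         [Term("salary"), Term("confidential")], match_all=True),
    Rule("exe-attachment", "attachment_name", [Term("*.exe", "wildcard")]),
    Rule("doc-id-in-body", "body", [Term(r"\bPRJ-\d{4}\b", "regex")]),
]

# Constructed sample messages.
MESSAGES = {
    "one_term": {"subject": "Salary review dates",
                 "body": "See the attached plan.",
                 "attachment_name": ["plan.pdf"]},
    "both_terms": {"subject": "CONFIDENTIAL: salary bands",
                   "body": "Bands attached.",
                   "attachment_name": ["bands.xls", "Setup.EXE"]},
    "exception": {"subject": "HR newsletter: salary survey results",
                  "body": "Ref PRJ-2041 attached."},
}

if __name__ == "__main__":
    for label, msg in MESSAGES.items():
        print(label, evaluate(RULES, msg))
```

Comparing the "one_term" and "exception" results shows why Unless entries deserve the same review as Content entries: a broad exception term silently removes messages from a rule's coverage.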


More information

Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide

Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide The software described in this book is furnished under a license

More information

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Windows Server 2003, Windows Server 2008 VCS Library Management Pack Veritas Cluster Server Library

More information

Symantec Endpoint Protection and Symantec Network Access Control Client Guide

Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide The software described in this book is furnished

More information

Symantec NetBackup for Lotus Notes Administrator's Guide

Symantec NetBackup for Lotus Notes Administrator's Guide Symantec NetBackup for Lotus Notes Administrator's Guide for UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for Lotus Notes Administrator's Guide The software described in this book is furnished

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.

More information

Symantec Mobile Security Manager Administration Guide

Symantec Mobile Security Manager Administration Guide Symantec Mobile Security Manager Administration Guide Symantec Mobile Security Manager The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

Symantec Endpoint Protection and Symantec Network Access Control Client Guide

Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide The software described in this book is furnished

More information

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is

More information

Symantec AntiVirus for Network Attached Storage Integration Guide

Symantec AntiVirus for Network Attached Storage Integration Guide Symantec AntiVirus for Network Attached Storage Integration Guide Introducing Symantec AntiVirus for Network Attached Storage The software described in this book is furnished under a license agreement

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up Exchange Server Archiving 9.0 Symantec Enterprise Vault: Setting up Exchange Server Archiving The software described in this book is furnished under a license agreement

More information

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide The software described in this book is furnished

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for

More information

Symantec Secure Email Proxy Administration Guide

Symantec Secure Email Proxy Administration Guide Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo

More information

Symantec Hosted Mail Security Administration Guide

Symantec Hosted Mail Security Administration Guide Symantec Hosted Mail Security Administration Guide Symantec Hosted Mail Security Administration Guide Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software

More information

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector for Blue Coat Proxy Quick Reference The software described in this book is furnished under a license agreement

More information

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in

More information