Symantec Mail Security Appliance Version 7.5 Administration Guide

Transcription

1 Symantec Mail Security Appliance Version 7.5 Administration Guide Symantec Information Foundation

2 Symantec Mail Security Appliance Version 7.5 Administration Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 7.5 PN: Legal Notice Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

3 Symantec Corporation Stevens Creek Blvd. Cupertino, CA

4 Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization A telephone and web-based support that provides rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program Advanced features, including Technical Account Management For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information

5 Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about the Symantec Value License Program Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals

6 Maintenance agreement resources Additional Enterprise services If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan: Europe, Middle-East, and Africa: North America and Latin America: Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Managed Security Services Consulting Services Educational Services These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.

7 Contents Technical Support Chapter 1 Chapter 2 About Symantec Mail Security Key features New features Migration: what to expect Policy migration Instant Messaging User interface changes Functional overview Architecture What you can do with Symantec Mail Security Protect against security threats Manage outbreaks Identify and process spam messages Create content compliance policies Protect against Instant Messaging viruses and Spim Quarantine messages and hold for review Send notifications of threats and violations Where to get more information Understanding message filtering About filtering Notes on filtering actions Multiple actions per verdict Verdict and action combinations Multiple content compliance policies Spyware or adware verdict details Creating groups and adding members Groups, recipients, and senders Create a group, add or remove members Importing and exporting group members Assigning filter policies to a group Selecting virus policies for a group Selecting spam policies for a group... 50

8 8 Contents Selecting compliance policies for a group Enabling and disabling end user settings Allowing or blocking based on language Managing Groups Manage Groups About Instant Messaging Protocols settings Virus settings Spam settings Reports Chapter 3 Chapter 4 Configuring spam filtering Creating spam policies Understanding spam settings Configuring suspected spam Enabling language identification Software acceleration Configuring spam settings Configuring directory harvest attack recognition Configuring sender groups About Allowed and Blocked Senders Lists How Symantec Mail Security identifies senders and connections Adding senders to Blocked Senders Lists Adding senders to Allowed Senders Lists Deleting senders from lists Editing senders Enabling or disabling senders Importing allowed and blocked sender group information Enabling Open Proxy Senders, Safe Senders, and Suspected Spammers lists About SMTP traffic shaping Configuring Sender Authentication Configuring IM Scan Settings for Spim About Spim How Spim works How Spim detection works Configuring virus filtering Creating virus policies Determining your suspicious attachment policy Configuring virus settings... 87

9 Contents 9 Configuring LiveUpdate Excluding files from virus scanning Configuring Bloodhound settings Configuring virus attack recognition Configuring IM Scan Settings for file transfers Chapter 5 Configuring content compliance filtering About content compliance Content compliance examples Monitor compliance policies Policy resources Dictionaries Attachment Lists Patterns Premium Content Compliance resources Premium dictionaries Premium Attachment List resources Premium patterns Regular expressions Record resource Compliance policy templates About premium templates Regulatory compliance mitigation Templates best practices Viewing policy templates U.S. regulatory policy templates Confidential data-protection policy templates Acceptable use policy templates Customer and employee data-protection templates Network security policy templates UK and international regulatory policy templates Managing policy resources Annotating messages Configuring attachment lists Configuring dictionaries Adding and editing notifications Managing Patterns Creating a Record resource Creating compliance policies Preparation for adding compliance policies Adding compliance policies Compliance policy conditions

10 10 Contents Adding conditions to compliance policies Using Perl-compatible regular expressions in conditions Determining compliance policy order Enabling and disabling compliance policies Archiving messages Configuring optional archive tags Configuring TLS encryption for remote domains Chapter 6 Chapter 7 Configuring compliance incident management Creating compliance folders Managing compliance folders Adding compliance folders Editing the notification template Managing incidents Compliance folder overview Incident Management Compliance Incident Management details Working with incidents Configuring protocol settings Configuring address masquerading Importing masqueraded entries Configuring aliases Managing aliases Importing aliases Configuring invalid recipient handling IP Reputation Configuring local domains Importing local domains and addresses Message audit logging Enable the Message Audit Log Searching for a message Message queues Work with message queues Message trends Configuring scanning settings Configuring container settings Configuring content filtering settings Configuring bad message handling Blocking access to an IM network Viewing IM network server status Viewing active IM users

11 Contents 11 Working with search results Registering IM users About user registration Registering an IM user in the Control Center Self-registering an IM user Editing and deleting IM users in the Control Center Chapter 8 Chapter 9 Working with Spam Quarantine About Spam Quarantine Delivering messages to Spam Quarantine Working with messages in Spam Quarantine for administrators Accessing Spam Quarantine Checking for new Spam Quarantine messages Administrator message list page Administrator message details page Searching messages Configuring Spam Quarantine Delivering messages to Spam Quarantine Configuring Spam Quarantine port for incoming Configuring Spam Quarantine for administrator-only access Configuring the Delete Unresolved setting Configuring the login help Configuring recipients for misidentified messages Configuring the user and distribution list notification digests Configuring the Spam Quarantine Expunger Specifying Spam Quarantine message and size thresholds Troubleshooting Spam Quarantine Working with Suspect Virus Quarantine About Suspect Virus Quarantine Routing messages to Suspect Virus Quarantine Accessing Suspect Virus Quarantine Checking for new Suspect Virus Quarantine messages Suspect Virus Quarantine messages page Searching messages Configuring Suspect Virus Quarantine Configuring Suspect Virus Quarantine port for incoming Configuring Suspect Virus Quarantine message release Configuring the size for Suspect Virus Quarantine

12 12 Contents Chapter 10 Chapter 11 Working with reports About reports About charts and tables Selecting report data to track Running reports Saving and editing favorite reports Running and deleting favorite reports Printing, saving, and ing reports Scheduling reports to be ed Configuring the report Expunger Setting the retention period for report data Setting the Expunger frequency and start time Troubleshooting report generation No data available for the report type specified Sender HELO domain or IP connection shows gateway information Reports presented in local time of Control Center By default, data are saved for one week Processed message count recorded per message, not per recipient Recipient count equals message count Deferred or rejected messages are not counted as received Reports limited to 1,000 rows Administering Scanners About administering scanners Managing Scanners Adding Scanners Editing Scanners Enabling and disabling Scanners Deleting Scanners Configuring Scanner host settings Working with Services DNS/Time servers Proxy Ethernet settings SMTP settings Configuring SMTP Advanced Settings Internal mail hosts IM settings Checking Scanner status Managing software licenses

13 Contents 13 Shutting down an appliance Rebooting an appliance Using network utilities Backing up an appliance Restoring an appliance Returning to factory defaults Updating system software Chapter 12 Administering the system About administration settings Managing system administrators Manage administrators Finding users Archiving messages Configuring optional archive tags About alerts Configuring alerts Configuring certificate settings Manage certificates Configuring Control Center settings Control Center administration Control Center certificate Configuring, enabling and scheduling Scanner replication Control Center SMTP host settings System locale and fallback encoding About logs Configuring log levels and local logging Details about the maximum log size and the Log Expunger Configuring remote logging to Syslog Viewing logs Working with logs Checking the Control Center error log Configuring SNMP settings Setting up UPS monitoring Administering the system with the command line agentconfig cat cc-config clear crawler date db-backup

14 14 Contents db-restore deleter diagnostics dns-control dn-normalize grep help http ifconfig install iostat ldapsearch ls mallogs malquery more mta-control mta-stats netstat nslookup passwd pause-mode ping reboot rebuildrpmdb rm route service shutdown sshdctl system-stats tail telnet traceroute update version watch Chapter 13 Getting status information Overview of system status Dashboard Hardware

15 Contents 15 View hardware status LDAP synchronization Perform synchronization tasks Synchronization status information Perform replication tasks Replication status information Logs Work with logs Services Host details Chapter 14 Appendix A Appendix B Appendix C Configuring LDAP synchronization and Scanner replication Configuring LDAP settings Directory servers Authentication Synchronization Routing Configure LDAP settings Replicating data to Scanners Starting and stopping replication Troubleshooting replication Action and verdict combinations Limits on combining actions Action processing combinations User interface action combinations Verdict combinations Premium Content Compliance Resources Premium resources Premium dictionary resources Premium pattern and regular-expression resources Premium Attachment Lists Available reports Choosing a report Glossary

16 16 Contents Index

17 Chapter 1 About Symantec Mail Security This chapter includes the following topics: Key features New features Migration: what to expect Functional overview Architecture What you can do with Symantec Mail Security Where to get more information Key features Symantec Mail Security offers enterprises a comprehensive gateway-based message security solution incorporating the following features: SMTP traffic shaping Over time, this feature evaluates sources and develops a record of their reputation for sending spam to your site. As the reputation record grows, Symantec Mail Security accepts fewer connections from those sources identified to be illegitimate, reducing the volume of spam received at your site and saving computing resources needed to filter spam messages. Firewall This early response feature improves message throughput by analyzing incoming SMTP connections, comparing them to Symantec's

18 18 About Symantec Mail Security New features Reputation service data and industry-generated lists of known hostile senders and enabling you to refuse or defer connections from those hosts. Antispam technology Symantec's state-of-the-art spam filters assess and classify as it enters your site. Antivirus technology Virus definitions and engines protect your users from -borne viruses. Content Compliance These features help you enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements. Groups and filter policies An easy-to-use authoring tool lets administrators create powerful, flexible ad hoc filters for users and groups. Instant Messaging (IM) Protects your corporate network against external threats delivered via IM, such as viruses, worms, and malicious URLs. New features The following table lists the features that have been added to this version of Symantec Mail Security: Table 1-1 New features for Symantec Mail Security Appliance Category User interface Threat protection Features Enhanced navigation Instant Messaging integration Description New top-level menus Protects against IM file-transfer viruses and and spam instant messaging (Spim)

19 About Symantec Mail Security New features 19 Table 1-1 New features for Symantec Mail Security Appliance (continued) Category filtering and content compliance Message handling Enhanced localization capabilities Features Support for multiple filtering actions Support for Enterprise Vault and third-party archival tools Support for structured data resources Additional Premium content compliance policy templates Additional Premium compliance policy resources Content compliance audit log Enhanced incident management Bad message handling Support for non-ascii character sets Description Permit multiple combinations of triggered policies and actions to impact the same message. Automatically resolves potential conflicts among actions Specify conditions that result in being sent to an archival address or disk location Create compliance policies that are based on customer-specific data sources Structured data templates for many pre-built compliance policies; new policy templates for US defense and intelligence security classifications Dictionaries in support of new policy templates Track compliance policy additions, modifications, deletions, and changes to administrators Hold incidents of policy noncompliance for review before approving or rejecting policy actions; view incident details, including history Hold messages that cause repeated direct mail failures in separate queue so that normal delivery can proceed without further delays until suspect messages can be cleared Extended support for double-byte character sets Language autodetection of messages for Quarantine and of subject encodings for message handling

20 20 About Symantec Mail Security Migration: what to expect Migration: what to expect If you are upgrading your installation from a previous version of the Symantec Mail Security Appliance, you will have already received a software update notification that details any known issues in installing the new version. See "Migrating to Symantec Mail Security Appliance 7.5" in the Symantec Mail Security Appliance Installation Guide for more information. After you have updated your Symantec Mail Security Appliance installation, you should remain aware of the following issues: Policy migration When migrating your policies data from a previous version of Symantec Mail Security, all policy data is preserved. With this release, Symantec Mail Security Appliance offers the ability to combine multiple actions for different verdicts on the same message. This capability provides advantages over the previous model in which only one verdict for a message can result in actions. Existing policies, however, may generate multiple actions in cases where a single message results in multiple verdicts. See Policy migration on page 21. Instant Messaging When upgrading from Symantec Mail Security Appliance 5.x, Instant Messaging (IM) is disabled by default. You must enable Instant Messaging for each Scanner on which you intend to filter IM. You must also configure the DNS settings for any IM-enabled Scanner to route instant messages to their public IM networks over the Internet. See About Instant Messaging on page 55. User interface changes The new version of Symantec Mail Security Appliance accommodates all the elements of the previous user interface. However, many of these elements are located in different menus and under different headings. For instance, many elements, including Hosts, that were under the System Settings heading in the Settings menu, are now accessed from the Administration menu under Settings. In addition, threat-specific page links that were previously listed under System Settings in the Settings menu have been moved to Settings headings under separate top-level menus for each type of threat (Virus, Spam, Compliance). In a few cases, the name of a page link has changed. For instance, what was Spam Throttling under Policies > Firewall Policies in Symantec Mail Security Appliance 5.x is now SMTP Traffic Shaping under Spam > Settings. New user interface elements have been added for new features, such as Instant Messaging. See User interface changes on page 22.

21 About Symantec Mail Security Migration: what to expect 21 Policy migration Instant Messaging Because Symantec Mail Security Appliance 7.5 supports multiple verdict-action combinations, a message triggering multiple verdicts may invoke more than one policy's actions. In previous versions of Symantec Mail Security, a message could trigger only one applicable policy and only the actions triggered by that policy were invoked, even if more defined policies could apply. Symantec Mail Security employs a sophisticated processing logic that automatically resolves potential conflicts between actions. For instance, a message that returns both virus and suspect-spam verdicts could trigger both a virus-policy action that cleans the message (removes the virus) and a suspect-spam policy that holds the message in Spam Quarantine. However, if the same message triggers a virus policy configured to delete the message, the delete action will supersede the actions of the suspect-spam policy, even if the message triggers both virus and suspect-spam policies. In general, actions that delete messages prevent all other actions from occurring. See Verdict and action combinations on page 43. Symantec Mail Security's IM filtering features provide a proxy for securing, managing, and logging IM activity for public and enterprise IM protocols. It delivers real-time threat protection, management, and compliance for your organization s IM traffic. When you enable IM for a Scanner, Symantec Mail Security Appliance configures the following settings: The primary IP address for the Internal IM Interface defaults to the IP address of the appliance's network interface card (Ethernet 1). Symantec Mail Security Appliance uses the Internal IM Interface to handle instant messaging within your organization. The secondary IP address for the Internal IM Interface defaults to the card's virtual IP address. Symantec Mail Security Appliance uses the secondary internal IP address to support extended IM client services. The extenal IP address for the External IM Interface also defaults to the active IP address of the network interface card (Ethernet 1). Symantec Mail Security Appliance uses the External IM interface to route instant messaging over the Internet. filtering and IM filtering can run on the same Scanner. Because and IM use different ports, both protocols can share the same IP addresses on the same network interface card. The IP address that you use for incoming can be the same as your primary IP address that you use for internal IM. Likewise,

22 22 About Symantec Mail Security Migration: what to expect User interface changes you can use the same external IP address for your outgoing mail as you use for external IM. You can assign an external IP address for your External IM Interface to a card that is different from the card that is used for the primary IP address of your Internal IM Interface. You cannot, however, assign the primary and secondary IP addresses used by the Internal IM Interface to different network interface cards. You must configure your enterprise DNS server to route IM messages from IM users to any Scanner that has instant messaging filtering enabled. You must then configure the Scanner's DNS settings to route IM messages to their public IM networks over the Internet. Refer to "Configuring your DNS for IM Filtering" in the Symantec Mail Security Installation Guide for more information. See DNS/Time servers on page 302. Changes in the Symantec Mail Security Appliance have been implemented to enhance the user interface. Table 1-2 maps the menus, headings, and page links as they appeared in Symantec Mail Security Appliance 5.x to the corresponding elements as they appear in Symantec Mail Security Appliance 7.5. To find the corresponding user interface element, locate the page link by the menu and heading that it appeared under in Symantec Mail Security Appliance 5.x. Read across the table to the adjacent page link to determine what heading and menu it appears under in Symantec Mail Security Appliance 7.5. The table does not list new user interface elements that have been added to Symantec Mail Security Appliance 7.5, since no elements in Symantec Mail Security Appliance 5.x correspond to them.

23 About Symantec Mail Security Migration: what to expect 23 Table 1-2 User interface changes between Symantec Mail Security Appliance versions 5.x and 7.5 Symantec Mail Security Appliance 5.x Symantec Mail Security Appliance 7.5 Menu Heading Page links Page links Heading Menu Status Overview Compliance Folder Overview Incident Management Compliance Hardware Status Hardware System Status Logs Logs Services Services Synchronization LDAP Synchronization Message Queues Message Queues SMTP Protocols Message Details Message Trends Troubleshooting Connections IP Reputation Message Message Audit Log Network Utilities Hosts Administration User Find User Users Reports Reports Favorites NA Favorites Reports Schedule NA Schedule View Compliance View SMTP Spam Virus

24 24 About Symantec Mail Security Migration: what to expect Table 1-2 User interface changes between Symantec Mail Security Appliance versions 5.x and 7.5 (continued) Symantec Mail Security Appliance 5.x Symantec Mail Security Appliance 7.5 Menu Heading Page links Page links Heading Menu Policies Group Policies N/A Groups Users Administration Filter Policies Compliance Policies Compliance Spam Policies Spam Virus Policies Virus Firewall Policies Directory Harvest Attacks Directory Harvest Attacks Settings Spam Sender Authentication Sender Authentication Sender Groups Sender Groups Spam Throttling SMTP Traffic Shaping Virus Attacks Virus Attacks Settings Virus Policy Resources Annotations Attachment Lists Annotations Attachment Lists Resources Compliance Dictionaries Dictionaries Notifications Notifications Patterns Patterns

25 About Symantec Mail Security Migration: what to expect 25 Table 1-2 User interface changes between Symantec Mail Security Appliance versions 5.x and 7.5 (continued) Symantec Mail Security Appliance 5.x Symantec Mail Security Appliance 7.5 Menu Heading Page links Page links Heading Menu Settings System Settings Alerts Archive Alerts Archive Settings Settings Administration Compliance Certificates Certificates Settings Administration Compliance Compliance Folders Settings Compliance Control Center Control Center Settings Administration Hosts Configuration Hosts LDAP LDAP Settings Logs Logs Quarantine Quarantine Settings Spam Quarantine Settings Virus Reports Reports Settings Administration SNMP SNMP UPS UPS Scanning Address Masquerading Address Masquerading SMTP Protocols Aliases Aliases Encryption Encryption Settings Compliance Invalid Recipients Invalid Recipients SMTP Protocols Local Domains Local Domains Scanning Scanning Settings Spam Settings Spam

26 26 About Symantec Mail Security Functional overview Table 1-2 User interface changes between Symantec Mail Security Appliance versions 5.x and 7.5 (continued) Symantec Mail Security Appliance 5.x Symantec Mail Security Appliance 7.5 Menu Heading Page links Page links Heading Menu Scan Settings Virus LiveUpdate Settings Virus Scan Settings Administration Administrators N/A Administrators Users Administration Device Management Reboot Shutdown Shutdown Hosts Software Management Backup Licenses Version Licenses Factory Reset Version Restore Software Updates Quarantine Quarantine Spam Quarantine Spam Quarantine Spam Suspect Virus Quarantine Suspect Virus Quarantine Virus Compliance Incident Management Default Default Incident Management Compliance Functional overview Each Symantec Mail Security Scanner uses the following three separate message transfer agents, or MTAs when scanning messages:

27 About Symantec Mail Security Functional overview 27 Delivery MTA Inbound MTA Outbound MTA The component that sends inbound and outbound messages that have already been filtered to their required destinations. To do this, the delivery MTA uses the filtering results and the configuration settings for relaying inbound and outbound mail. The component that receives inbound mail and forwards it to the Filtering Hub for processing. The component that receives outbound mail and forwards it to the Filtering Hub for processing. You can deploy Symantec Mail Security in different configurations to best suit the size of your network and your traffic processing needs. Note: Symantec Mail Security provides neither mailbox access for end users nor message storage. It is not intended for use as the only MTA in your infrastructure. Each Symantec Mail Security host can be deployed in the following ways: Scanner Deployed as a Scanner, a Symantec Mail Security Scanner can filter for viruses, spam, IM threats, and noncompliant messages.

28 28 About Symantec Mail Security Architecture Control Center Deployed as a Control Center, Symantec Mail Security allows you to add and configure Scanners. You then manage filtering, SMTP routing, system settings, and all other functions from the Web-based Control Center interface. You can deploy multiple Symantec Mail Security Scanners enterprise-wide, but only one Control Center is required (or supported) to administer them. The Control Center provides information on the status of all Symantec Mail Security Scanners in your deployment, including system logs and extensive customizable reports. Use the Control Center to configure both system-wide and host-specific details. The Control Center also hosts the Spam and Suspect Virus Quarantines to isolate and store spam and virus messages, respectively. End users can view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure Spam Quarantine for administrator-only access. Messages which trigger content-based compliance policies are also stored on the Control Center, in compliance folders. Scanner and Control Center A single Symantec Mail Security host performs both functions. Note: Symantec Mail Security does not filter messages that do not flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, their messages will not pass through the Symantec Mail Security filters. Architecture Symantec Mail Security Appliance Architecture shows how a Symantec Mail Security installation processes an message, assuming the sample message passes through the Filtering Engine to the Transformation Engine without being rejected. The diagram also shows the path IM traffic takes through the system.

29 About Symantec Mail Security Architecture 29 Figure 1-1 Symantec Mail Security Appliance Architecture Path an message takes through the system: At the gateway, traffic shaping checks the message s IP address to determine if it comes from a known source of spam or -borne viruses. The incoming connection arrives at the inbound MTA via TCP/IP. Before accepting the connection, the inbound MTA sends the message s IP address to the Firewall to check whether it is a known source of spam or -borne viruses. If it is not, the inbound MTA accepts the connection and moves the message to its inbound queue. The Filter Hub accepts a copy of the message for filtering. The Filter Hub consults the LDAP SyncService directory to expand the message s distribution list. The Filtering Engine determines each recipient s filtering policies.

30 30 About Symantec Mail Security What you can do with Symantec Mail Security Antivirus and configurable heuristic filters determine whether the message is infected. Content Compliance filters scan the message for restricted attachment types or words, as defined in configurable dictionaries. Antispam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings. The Transformation Engine performs actions based on filtering results and configurable Group Policies. Path an instant message takes through the system (from an external source): IM traffic enters your network and is redirected to the IM proxy by your enterprise DNS servers. The IM proxy filters IM traffic based on your settings and compares the traffic with current filters published by Symantec Security Response to determine whether the message is Spim or contains a virus. If a message is determined to contain Spim or a virus, you can choose to block this traffic. The IM traffic reaches the internal user's IM client. If you have enabled outbound IM filtering, outbound messages are also routed through the IM proxy before reaching an external user's IM client. What you can do with Symantec Mail Security Symantec Mail Security scans messages, their attachments, and IM messages for violations to policies. A policy is a set of rules designed to detect certain conditions that you specify. When a message triggers one or more policies, Symantec Mail Security takes the action that you specify for that policy. Symantec Mail Security enforces the following policy types: firewall Virus Contains rules controlling scanning limits, exceptions, and outbreak management based on the number of attacks from an or IP address or domain. Contains rules for detecting threats in messages and attachments with viruses, virus-like characteristics, or security risks, such as adware or spyware

31 About Symantec Mail Security What you can do with Symantec Mail Security 31 Spam, Spim (Instant Messaging) Enforces rules that you configure for the following: Detecting and blocking spam and Spim (Instant Messaging) Specifying recipients whose messages are not scanned for spam Compliance Contains rules for filtering inappropriate content in message bodies and attachments Also contains filtering rules that let you detect and block messages by file name and file type. Protect against security threats Symantec Mail Security prevents messages from sources known to disseminate viruses, including adware, spyware, and other malware, from entering your network. Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new risks. Symantec Response Center stores information about a threat (a signature) in a definition file. Definition files contain information to detect and eliminate threats. Symantec Mail Security downloads these definition files several times per hour using LiveUpdate or Rapid Release. Symantec Mail Security also uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. When Symantec Mail Security scans for threats, it searches for these signatures. Symantec Mail Security's firewall protection uses them to thwart known threats from intruding into your mail system. Such firewall protection serves as your first line of defense against -borne viruses. You can also use Symantec Mail Security to limit inbound messages to those from trusted sites or domains, further reducing risk. Symantec Mail Security lets you update your protection from threats and security risks using the following tools: LiveUpdate LiveUpdate downloads and installs available definitions from the Symantec LiveUpdate server. LiveUpdate certified definitions undergo stringent testing and are updated daily. LiveUpdate is enabled by default with a recommended daily schedule. However, you can modify the schedule.

32 32 About Symantec Mail Security What you can do with Symantec Mail Security Rapid Release Rapid Release definitions provide the fastest response to emerging threats and are updated approximately every hour. Rapid Release definitions are delivered by FTP and provide reliable first-line protection. Rapid Release definitions can also be retrieved manually on-demand. Both methods let you update definitions on demand and automatically, based on the schedule that you specify. You can run Rapid Release definition updates instead of or in addition to LiveUpdate updates. For example, you can schedule daily LiveUpdates and then manually run Rapid Release when a new threat emerges. See Configuring virus settings on page 87. Note: You must have a valid content license to update definition files. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new definitions. When you do not have a content license or your license expires, your product does not receive the most current definitions, and your servers are vulnerable to risks. Manage outbreaks Access to regular updates of threat information maximizes security and guards your organization's mail server against infections and the downtime that is associated with an outbreak. An outbreak situation occurs when the number of messages containing a virus received within a specified (short) period of time exceeds a specified limit. When an outbreak occurs, prompt identification of the situation and notification of administrative staff is critical. Symantec Mail Security lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications when an outbreak is detected. You can set rules to define an outbreak based on event. For example, the same threat occurs a specified number of times within a specified time period. You can also configure Mail Security to send notifications and alerts in the case of an outbreak. See Configuring virus attack recognition on page 91. Identify and process spam messages Symantec Mail Security can detect if an incoming message is spam with a high level of accuracy. You can adjust antispam detection by specifying domains that are automatically permitted to bypass antispam scanning, enable sender authentication and requirements for TLS encryption, define policies for handling messages that have been identified as spam, and more. See Understanding spam settings on page 61.

33 About Symantec Mail Security What you can do with Symantec Mail Security 33 Create content compliance policies Symantec Mail Security lets you configure content filtering rules for inbound and outbound mail. These rules can be used to enforce regulatory policies and organizational requirements, prevent data leakage, and protect customer and employee data. Content filtering rules let you filter messages for attachment names, attachment content, specific words, phrases, subject lines, and senders. Mail Security takes the action that you specify in the rule when policy conditions match message content. Content compliance policies reference resources, such as dictionaries, patterns, and data-source records, to filter messages and attachments for specific words, terms, phrases, regular expressions, and propritary data. Symantec Mail Security also lets you scan messages based on attached file names or file types, such as multimedia or executable files. See About content compliance on page 95. Protect against Instant Messaging viruses and Spim When properly enabled, Symantec Mail Security scans IM attached files for viruses and blocks infected files from delivery. It scans IM for Spim (Instant Messaging spam) and, optionally, blocks suspected messages from delivery. You can also block access to IM networks that your organization does not support. You can register IM users before allowing them to access IM networks. See About Instant Messaging on page 55. Quarantine messages and hold for review You can quarantine messages that filter policies detect as suspect viruses and spam. You have the option of reviewing these messages in thespam Quarantine and Suspect Virus Quarantine. If you configure end-user access to Spam Quarantine, end users receive notification when a message addressed to them is quarantined as spam and can then review these messages and take action as desired. that meets conditions specified in compliance policies can be held for review. Actions that have been configured for such policies are deferred until an administrator or compliance officer has had an opportunity to review the message and approve or reject the actions. See About Suspect Virus Quarantine on page 275. See About Spam Quarantine on page 249.

34 34 About Symantec Mail Security Where to get more information Send notifications of threats and violations Symantec Mail Security can be configured to send notifications about a wide variety of events and status information. See About alerts on page 328. Where to get more information The Symantec Mail Security documentation set consists of the following manuals: Symantec Mail Security Administration Guide Symantec Mail Security Installation Guide Symantec Mail Security Getting Started Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information. You can visit the Symantec Web site for more information about your product. The following online resources are available: Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration /licensing/els/help/en/help.html Provides product news and updates Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

35 Chapter 2 Understanding message filtering This chapter includes the following topics: About filtering Notes on filtering actions Multiple actions per verdict Verdict and action combinations Multiple content compliance policies Spyware or adware verdict details Creating groups and adding members Assigning filter policies to a group Managing Groups About Instant Messaging About filtering Although Symantec Mail Security provides default settings for dealing with spam and viruses, you will likely want to tailor the actions taken on spam and viruses to suit your requirements. Content compliance and Firewall policies offer further methods of managing mail flow into and out of your organization. You can also use content compliance policies to monitor and enforce compliance with regulatory and organizational requirements.

36 36 Understanding message filtering About filtering Symantec Mail Security provides a wide variety of actions for filtering , and allows you to either set identical options for all users, or specify different actions for distinct user groups. You can specify groups of users based on addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict. You specify actions when you create or edit a spam, virus, or compliance policy. Each of these policies is a filtering policy. When you create or edit a filtering policy, you specify the conditions you are looking for in messages. In most cases, conditions are synonymous with verdicts, except in the case of more complex content compliance conditions. Verdicts are the conclusions reached on a message by the filtering process. Symantec Mail Security performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member. However, for outbound filtering, the groups that impact message filtering are those groups that include the message sender. Table 2-1 describes filtering verdicts by category. Verdict Category Firewall Verdict Table 2-1 Directory harvest attack SMTP traffic shaping Virus attack Sender Groups Filtering verdicts by verdict category Description An attempt is underway to capture valid addresses. A directory harvest attack is accomplished by ing to your domain with a specified number of non-existent recipient addresses sent from the same IP address. A specified quantity of spam messages has been received during a configurable time window from a particular IP address. A specified quantity of infected messages has been received from a particular IP address. A message or an IP connection matches one of the following lists: Blocked Senders (Domain-based) Blocked Senders (IP-based) Blocked Senders (Third Party Services) Allowed Senders (Domain-based) Allowed Senders (IP-based) Allowed Senders (Third Party Services) Open Proxy Senders Safe Senders Suspected Spammers See Configuring sender groups on page 64.