Avira ANTIVIR EXCHANGE SERVER User Manual

MORE THAN SECURITY
www.avira.com
User Manual
Avira AntiVir
Exchange Server 2000/2003
Table of Contents
1 About this Manual................................................................................1
1.1 Introduction ................................................................................... 1
1.2 The Structure of the Manual ........................................................1
1.3 Symbols and emphases ................................................................. 2
2 Avira AntiVir for Exchange - Product Overview..........................3
2.1 AntiVir ........................................................................................... 3
2.2 AntiVir Wall .................................................................................. 4
2.3 AntiVir Wall .................................................................................. 4
3 Getting Started .....................................................................................5
3.1 Installation on an Exchange Server ............................................. 5
3.2 Starting the AntiVir Exchange Management Console ................ 5
3.3 Configuration in the AntiVir Exchange Management Console .. 6
3.3.1 Required Basic Configuration Steps .............................................6
3.3.2 Required Policy Configuration Steps ............................................ 6
3.3.3 Recommended Basic Configuration Steps ....................................7
3.3.4 Virus Scanning in Exchange Databases ....................................... 7
3.4 Observing Data in AntiVir Monitor .............................................7
4 Installation ............................................................................................9
4.1 System Requirements ...................................................................9
4.2 Installation of Virus Scanners ...................................................... 9
4.3 Execution ..................................................................................... 10
4.3.1 Installation of Avira AntiVir Exchange on an Exchange Server 10
4.4 Installation in Cluster ................................................................12
4.5 Uninstallation of Avira AntiVir Exchange for Exchange .........12
4.6 Insert Licence File ....................................................................... 13
5 General .................................................................................................15
5.1 The Architecture of Avira AntiVir Exchange ............................15
5.1.1 AntiVir Exchange Management Console .................................... 15
5.1.2 The AntiVir Server....................................................................... 16
5.1.3 The Grabber ................................................................................. 16
5.1.4 The AntiVir Service = Enterprise Message Handler (EMH) ..... 16
5.1.5 Avira AntiVir Exchange Configuration Settings........................ 19
5.2 Message Processing Sequence ....................................................20
5.3 User Interface ..............................................................................20
5.3.1 The Toolbar................................................................................... 21
5.3.2 The Icons....................................................................................... 21
5.4 Configuration in the Avira AntiVir Exchange Management Console ........................ 23
5.5 Basic Configuration .................................................................... 23
5.5.1 Configuration Reports.................................................................. 23
5.5.2 Import Configuration ................................................................... 24
5.5.3 AntiVir Server Settings ............................................................... 24
5.5.4 Individual Server Settings........................................................... 27
5.5.5 Address Lists ................................................................................30
5.5.6 Create Notification Templates ....................................................36
5.5.7 Folder settings..............................................................................43
5.5.8 Utility Settings ............................................................................. 47
5.6 Policy Configuration ................................................................... 47
5.6.1 Job Types ......................................................................................47
5.6.2 Actions ..........................................................................................49
5.6.3 Job Processing Sequence ............................................................. 49
5.7 AntiVir Monitor ........................................................................... 50
5.7.1 Quarantines.................................................................................. 51
5.7.2 AntiVir Reports ............................................................................57
6 AntiVir ..................................................................................................59
6.1 Overview ...................................................................................... 59
6.2 Virus Scanning ............................................................................ 60
6.2.1 Scanning in the Information Store.............................................. 61
6.2.2 AntiVir powered by Avira............................................................ 62
6.2.3 Enabling Virus Scanning – Example ..........................................63
6.3 Virus Scan in the Information Store – Sample Job ................... 69
6.3.1 General Settings........................................................................... 70
6.3.2 Scheduling ....................................................................................70
6.3.3 Defining Actions........................................................................... 71
6.3.4 Job Details ....................................................................................73
6.3.5 Server Status ................................................................................ 73
6.4 File Restrictions for Attachments .............................................. 74
6.4.1 By Type .........................................................................................74
6.4.2 By Message Size ........................................................................... 75
6.4.3 By Type and/or Attachment Size................................................. 75
6.4.4 Configuring Fingerprints.............................................................75
6.4.5 Denying File Attachments by Type – Example .......................... 81
6.4.6 Limiting Message Size - Example ...............................................84
6.4.7 Denying Attachment Types and Size – Example .......................87
7 AntiVir Wall.........................................................................................93
7.1 Overview ...................................................................................... 93
7.2 Address Filtering ........................................................................ 94
7.2.1 Blocking Senders and/or Recipients – Example ......................... 95
7.3 Content Filtering With Dictionaries .......................................... 97
7.3.1 Setting up Dictionaries ................................................................98
7.3.2 Checking and Denying Text Contents – Example.................... 100
7.4 Spam Filtering With the AntiVir Wall Spam Filtering Job ... 104
7.4.1 Definite No-Spam Criteria ........................................................ 106
7.4.2 Definite Spam Criteria .............................................................. 108
7.4.3 Practical Tips.............................................................................. 108
7.4.4 Spam Filtering – Example.........................................................109
7.4.5 Advanced Spam Filtering ..........................................................117
7.4.6 Manual Spam Filtering Configuration .....................................121
7.5 Spam Filtering With the DCC Spam Filtering Job ................. 122
7.5.1 What is DCC? .............................................................................122
7.5.2 DCC Settings ..............................................................................123
7.5.3 Spam Filtering with DCC – Example .......................................125
7.6 Blocking Images ........................................................................126
7.6.1 Blocking Offensive Images - Example ...................................... 126
7.7 Limiting the Number of Recipients .......................................... 129
7.7.1 Limiting Number of Recipients – Example ..............................129
8 Service ................................................................................................133
8.1 Support ...................................................................................... 133
8.2 Online shop ................................................................................ 133
8.3 Service hotline ........................................................................... 133
9 Appendix ............................................................................................135
9.1 Glossary ..................................................................................... 135

1 About this Manual

In this section you will get an overview of the structure and content of this manual.
After a short introduction you will get information on the following topics:
• “The Structure of the Manual”
• “Symbols and emphases”

1.1 Introduction

We have enclosed in this manual all the information you need about AntiVir Exchange Server 2000/2003 and we shall guide you step by step through the configuration and operations of this software.
The Appendix contains a comprehensive Glossary, explaining the basic terms used in the manual.
For further information and assistance, please refer to our Website, to the Hotline of our Technical Support and to our regular Newsletter (“Service”).
Your Avira Team

1.2 The Structure of the Manual

Chapter                                            Contents
“About this Manual”                                The structure of the manual, symbols and emphasis.
“Avira AntiVir for Exchange - Product Overview”    Overview of the software features and system requirements.
“Getting Started”                                  Starting and stopping the software, program interface, technical background, notes ini.
“Installation”                                     Instructions about installing the AntiVir Exchange Server 2000/2003 on your system, system requirements.
“General”                                          Description of the software architecture, user interface, configuration of the AntiVir Exchange Management Console and the AntiVir monitors.
“AntiVir”                                          Virus scanning, file- and size restrictions in emails and databases.
“AntiVir Wall”                                     Checking and blocking contents using textual analysis, checking senders and recipients, avoiding mailflood, limiting the number of recipients.
“Service”                                          Avira GmbH Support and Service.
“Appendix”                                         Glossary, explaining terms and abbreviation

1.3 Symbols and emphases

The following symbols appear in this manual:
Symbol    Explanation
          The info symbol is used to indicate special points that must be observed for trouble-free use of your system.
          The warning symbol means Attention. Be careful! It indicates important passages in the text that must be observed in order to avoid any loss of data, damage to your system or any other unpleasant occurrences. Read these passages with particular care and attention.
          Here, we give you support on particular problems, we provide tips and tricks or alternative solutions and special points.
The following emphases are used:
Emphasis                        Explanation
C:\AntiVirData                  File names and file paths
Choose component, select all    Elements of the software interface such as menu items, window titles, buttons in the dialogue windows
http://www.avira.de             URLs
“Symbols and emphases”          Cross-references within the documents

2 Avira AntiVir for Exchange - Product Overview

E-mail Lifecycle Management (ELM) is a set of strategies and methods for processing, storing, and managing e-mail, from creation to deletion, in accordance with business processes and statutory regulations. E-mail Lifecycle Management ensures effective business processes in every company. The Avira AntiVir Exchange from Avira GmbH is the leading software package for E-mail Lifecycle Management and is the ideal solution for implementing secure and efficient business processes. With Avira AntiVir Exchange, e-mails pass through all the necessary processes on a single platform, from encryption and virus protection, anti-spamming and content-filtering, to classification and long-term archiving. E-mail can be controlled and automatically processed throughout its entire lifecycle based on specific rules. Third-party archiving systems can be seamlessly incorporated into Avira AntiVir Exchange and used for audit-proof e-mail archiving.
Consisting of a range of modules that can be used either individually or in combination with each other, Avira AntiVir Exchange represents a highly scaleable, customizable solution. Using a common security concept, the modules interact directly with each other to yield an outstanding level of performance and almost unparalleled security. User-definable notification texts for senders, recipients and administrators provide transparency. All modules are managed centrally through a standardized user interface from Notes clients and browsers. Common logs, statistics and fault reports cut down on administration costs.

2.1 AntiVir

AntiVir provides comprehensive protection of your Microsoft Exchange environment from e-mail attacks, viruses and harmful content. Scanning all messages and databases on the server, it reliably removes all viruses and other potentially harmful attachments and places them in quarantine.
• Recursive virus scanning of all messages and attachments in real-time, both event- and time-controlled
• Information Store scanning on every server
• Scans do not affect replication times
• Powerful built-in virus scanner
• Support for automatic virus pattern updates
• Scanning of e-mail message bodies and attachments
• File type identification of attachments using unique, tamperproof file fingerprints or by file extension; detection and blocking of manipulated files
• Definition of file restrictions through combination of filename, file extension and file size
• Application of file restrictions on archives, for example zip or rar
• Creation and use of user-defined file patterns to ensure exchange of current information (for example price lists or terms and conditions)
• Automatic detection of new mailboxes
• Virus scanning of encrypted messages in combination with Crypt

2.2 AntiVir Wall

Sexual and racist mail, an increasing volume of unsolicited advertising, and ever new methods of attack by hackers, make it necessary to protect company systems and employees from these problems. AntiVir Wall provides protection from misuse and uncontrolled use of e-mail and databases. This module provides comprehensive protection from spam and junk mail and prevents the sending of confidential information.
• Checking for forbidden, undesired or confidential content according to the corporate policies
• Blocking of e-mail from specific senders (known spam sources, mailing lists, etc.) and to specific recipients (for example competitors)
• Analysis of images for undesirable contents (for example pornography) with the Xblock function
• Use of current spam patterns for fast detection of new spammer tricks
• User-specific management of whitelists and blacklists on the server for effective blocking of unwanted mail
• Specification of sender/recipient channels for regulating dedicated e-mail communications
• User-editable exclusion lists for addresses and content in subject and message body
• Flexible notification about blocked messages (direct or time-controlled) to administration or mail recipient or sender
• User-specific access to quarantined messages
• Central quarantine management, especially efficient in enterprise and multi-server environments

2.3 AntiVir Wall

The automatic organization and context-based storage of contents, the establishment of flexible delivery and distribution mechanisms and the automated indexing for the e-mail archiving are examples of the content-sensitive operations that can be implemented with AntiVir Wall.
• Classification into company-specific e-mail categories
• Automatic classification of messages in one or more categories
• Response management through defined classifications, for example for customer support: automatic mail forwarding to qualified operators
• Document protection, for example scanning outbound mail and attachments for relevant information.

3 Getting Started

3.1 Installation on an Exchange Server

To install Avira AntiVir Exchange, double-click the file antivir_exchange_server_2k_de.exe in the installation package. Follow the Installation instructions. Unless you specify a different installation directory, Avira AntiVir Exchange is installed in the default directory, i.e.:
C:\Programme\H+BEDV\AntiVirExchange\ (German)
C:\Program Files\H+BEDV\AntiVirExchange\ (English)
Disable any real-time or on-access scan functions of your scan engines for the ...\AntiVirExchange\AntiVirData directory.
For further information on installing the software, see “Installation” on page 9.

3.2 Starting the AntiVir Exchange Management Console

Avira AntiVir Exchange is a server product which is configured through the AntiVir Exchange Management Console. The service must be running for the product to work, also refer to “The AntiVir Service = Enterprise Message Handler (EMH)” on page 16. To start the Console, select → Programs → Avira GmbH → AntiVir Exchange → AntiVir Exchange Management Console.
Before the AntiVir Exchange Management Console exits, you are prompted to save any changes.
Pending changes are indicated by an asterisk (*) next to the top node. You can save your configuration while you are working in Avira AntiVir Exchange by clicking the button. The configuration settings are saved in the ConfigData.xml file located in H+BEDV\AntiVirExchange\Config.

3.3 Configuration in the AntiVir Exchange Management Console

Following the installation, use the AntiVir Exchange Management Console to make the following settings.

3.3.1 Required Basic Configuration Steps

Basic Configuration is used to define the valid servers, e-mail addresses, shared templates and utility settings.
1. Under Basic Configuration → General Settings in the E-mail addresses tab check the entries for the AntiVir Exchange Administrators and the internal domains. Refer to “AntiVir Server Settings” on page 24.

3.3.2 Required Policy Configuration Steps

Use the Policy Configuration to define and enable selected jobs according to the company’s policies.
1. Under Sample jobs, find the template you wish to use.
2. To create a new job, select the template and drag it to the Mail Transport Jobs folder. Give the job a name and edit its properties. Then, under Properties, enable the job (Active).
3. Make sure that the jobs are performed in the correct order (see “Job Processing Sequence” on page 49).
4. Save your changes, also refer to “Starting the AntiVir Exchange Management Console” on page 5.
For further information on setting up jobs and company policies, refer to “Policy Configuration” on page 47.

3.3.3 Recommended Basic Configuration Steps

In the Basic Configuration, it is recommended to define individual settings for address lists, templates, etc. However, this is not necessary for simply testing the system.
1. Configure the Address lists (for selections in job rules) under General Settings.
2. Where required, change the standard templates under General Settings.
3. Under Utility Settings, configure any accessories required, e.g. dictionaries and DCC servers (for AntiVir Wall), fingerprints.
For further information on Basic Configuration please refer to “Basic Configuration” on page 23. Module-specific settings are described in the corresponding sections:
• “AntiVir” on page 59,
• “AntiVir Wall” on page 93.
For information on further customizing options, refer to “Configuration in the Avira AntiVir Exchange Management Console” on page 23.

3.3.4 Virus Scanning in Exchange Databases

Under Information Store Jobs, you can enter appropriate settings for each AntiVir server separately. It is not possible to create Information Store jobs. A new Information Store job is automatically provided whenever a new server is specified. If the server is removed, the Information Store job will also be deleted. For further details on Information Store jobs, please refer to “Scanning in the Information Store” on page 61.

3.4 Observing Data in AntiVir Monitor

After having saved your settings, use the AntiVir Monitor to monitor the operation of Avira AntiVir Exchange. With the AntiVir Monitor, you can view current data in real-time and manage, for example, the Quarantines of the configured AntiVir servers. For details refer to Section “AntiVir Monitor” on page 50.

4 Installation

4.1 System Requirements

To install Avira AntiVir Exchange, your system must meet the following requirements:
• CD-ROM drive or network access
• RAM: Domino recommendation plus additional 64 MB
• Hard disk: at least 400 MB for installation
• Microsoft .NET Framework 1.1
• Operating systems:
  – Windows 2000 Server from Service Pack 4
  – Windows 2000 Advanced Server from Service Pack 4
  – Windows Server 2003
  – SBS 2003
• Exchange Server:
  – MS Domino Server 2000 from Service Pack 4
  – MS Domino Server 2000 Enterprise Edition from Service Pack 4
  – MS Domino Server 2003 SP2
• User Rights
  – User logged on to Active Directory with Administration rights for the Active Directory
Disable any real-time or on-access scan functions of your scan engines for the ...\AntiVirExchange\AntiVirData directory.

4.2 Installation of Virus Scanners

The Avira AntiVir scan engine can optionally be installed together with Avira AntiVir. The AntiVir scan engine is fully preconfigured and ready for immediate use. A virus scanning job that uses AntiVir is supplied and needs only to be enabled.
Avira AntiVir Exchange also supports virus scanners from other manufacturers. However, these virus scanners are not supplied with Avira AntiVir Exchange. To use a scan engine other than AntiVir, you must install it on your server before using Avira AntiVir Exchange.
Disable any real-time or on-access scan functions of your scan engines for the ...\AntiVirExchange\AntiVirData directory.

4.3 Execution

4.3.1 Installation of Avira AntiVir Exchange on an Exchange Server

From the installation package, call (double-click) the file setup_AntiVir_<Version No>_<Build No>.exe.
1. First select the Setup language. Then select the desired product version and language. The selected product language applies to the user interface and for the notifications sent to the users by Avira AntiVir Exchange.
2. In the window displayed next, accept the License Agreement and click Next to continue.
3. In the next dialogue, select the features to be installed. This selection includes all server components and the AntiVir Exchange Management Console:
In case another Information Store Scan application¹ is already run on the server, the feature will be disabled. If you wish to use Avira AntiVir Exchange Information Store Scan, the other application has to be uninstalled first.
4. Click Next.
¹ Information Store Scan applications are programs that use the Microsoft interface for virus scanners (VSAPI).
In case you have defined two or more virtual servers, you will now be prompted for the active virtual server on which Avira AntiVir Exchange is to be registered:
5. In the next screen, you have to specify the path of the configuration file:
6. If you do not operate Avira AntiVir Exchange on several servers and want to work with a central configuration file for administration purposes¹, confirm the default setting and click Next.
7. In the next dialog, specify the Administrator’s e-mail address:
¹ See also “Installation in Cluster” on page 12
8. A summary of your settings is now displayed:
9. Now disable the on-access scanners for the ...\AntiVirData directory, unless you have already done so.
10. Check your configuration settings. These settings will be added as standard entries to the configuration of the AntiVir server. For details refer to “AntiVir Server Settings” on page 24.
11. Follow the instructions on screen and click Install. AntiVir is installed to the following directory:
<LW>:\<Std.progr.direct>\AviraGmbH\AntiVirExchange\
When you click Finish in the final dialog, Avira AntiVir Exchange is fully installed.
If you are interested in a solution for multi-server environments please contact: support@avira.com.

4.4 Installation in Cluster

If you are interested in a solution for clusters please contact: support@avira.com.

4.5 Uninstallation of Avira AntiVir Exchange for Exchange

1. Click and select Settings → Control Panel → Software.
2. Select the Avira AntiVir Exchange Server 2000/2003.
3. Click Change to call the Setup.
4. In the Welcome window, click Next.
5. In the selection dialogue, click Remove program.
6. Click Next and confirm with Remove.
The Setup then uninstalls Avira AntiVir Exchange without removing your configuration and the Quarantine data. A decision concerning this data can be taken separately after completing the uninstallation:
Click No if you want to keep your configuration and Quarantine data and Yes if all Avira AntiVir Exchange components are to be deleted.

4.6 Insert Licence File

Copy the licence file into the directory C:\Program Files\H+BEDV\AntiVir Exchange\Licence.
Restart the service AntiVir for Exchange to actually activate the licence.

5 General

5.1 The Architecture of Avira AntiVir Exchange

Avira AntiVir for Exchange consists of three main components:
• AntiVir Exchange Management Console
• AntiVir Server
• AntiVir Exchange Configuration (also refer to “Configuration in the Avira AntiVir Exchange Management Console” on page 23).

5.1.1 AntiVir Exchange Management Console

The AntiVir Exchange Management Console is the "cockpit" from where Avira AntiVir Exchange is configured and administered. It is a so-called "Snap-In" for the MMC. The AntiVir Exchange Management Console can be used to administer individual Exchange servers with AntiVir Exchange installed as well as an entire "AntiVir server farm". This simplifies daily administration tasks, in particular in a multi-server environment. With the AntiVir Exchange Management Console, the Administrator has access to all configuration information needed and the AntiVir Monitor (Quarantine) of the AntiVir servers.
Two different access methods are used for configuring the system and for accessing the quarantine.
1. Standard Windows file access
Windows file access is used for accessing the AntiVir Exchange configuration file, for example for changing the security settings. The AntiVir Exchange configuration file can be available locally or accessible through a Universal Naming Convention (UNC) path.
2. SOAP and SSL
The AntiVir Monitor (see “AntiVir Monitor” on page 50) is accessed through SOAP and SSL using a permanently assigned communication port.
The AntiVir Exchange Management Console supports two operating modes.
1. Local Administration
Here, AntiVir Exchange Management Console is run directly on the Exchange server on which all components of AntiVir Exchange are installed. This mode is suited for smaller systems and for managing the server locally.
2. Remote Administration
In this case, the AntiVir Exchange Management Console is not installed on the Exchange server, but on a client.
The AntiVir Exchange Management Console can run under the following client operating systems:
– Windows 2000 Professional
– Windows 2003
– Windows XP Professional
Remote administration is suited for central administration in multi-server environments, with the AntiVir Exchange Management Console accessing one or more Exchange servers to configure and administer AntiVir Exchange.

5.1.2 The AntiVir Server

All of the functions and processes of the AntiVir Exchange which run exclusively on the Exchange Server are referred to as AntiVir Server. The AntiVir Server can be installed in simple environments as well as in front-end/back-end environments. It is divided into different sections.

5.1.3 The Grabber

The Grabber is a process ensuring that all messages, schedule queries, etc. sent, received or routed by the Exchange server are grabbed. The SMTP protocol is used for transporting e-mail, schedule queries, etc. The entire e-mail traffic is channeled through the SMTP Advanced Queue (a part of the SMTP protocol), regardless of whether the mail is internal (between mailboxes on the same server or mailbox store), inbound or outbound.
All messages must go through the Advanced Queue.
The Grabber is “latched in” to this Advanced Queue. As a registered event sink, it monitors the mail traffic and routes all relevant information to the AntiVir Exchange Service – the second component of the Server. Each message is held there until the AntiVir Server has finished processing it.
Internal Exchange information, for instance replication messages, is recognized as such by the Grabber and left in the Exchange system unchanged.

5.1.4 The AntiVir Service = Enterprise Message Handler (EMH)

As a Windows service, the AntiVir Exchange service is started on a permanent basis and uses all information provided by the Grabber. From then on, the subsequent processing through AntiVir Exchange is entirely monitored and controlled by the AntiVir Exchange service. If the AntiVir Exchange service is stopped, the AntiVir Exchange security functions are switched off. The AntiVir Exchange service has access to all information required, including, for instance:
• the configured AntiVir jobs,
• the installed AntiVir Exchange license,
• the Active Directory,
• the AntiVir Quarantine
Using this information, it scans messages for viruses, identifies and quarantines spam and adds legal liability disclaimers.
After processing is complete, the AntiVir Exchange service returns the e-mails to the Exchange server.
5.1.4.1 AntiVir Quarantine
Virus-infected or other undesirable messages can optionally be stopped on the server to prevent them reaching their intended recipients. These messages are instead placed in the AntiVir Quarantine. Several default quarantines are set up on each AntiVir server during installation. The administrator can set up additio­nal quarantines.
AntiVir quarantines consist of
- a quarantine directory on the Exchange server (...\AntiVirData\Quarantine\Default-Quarantine),
- the messages copied into the quarantine,
- a quarantine database (LocIdxDB.mdb).
For each quarantined e-mail, Avira AntiVir Exchange automatically creates an entry in the Quarantine database, a Microsoft Access file.
The following information is stored in that database:
- Message Subject line
- Date and time
- Message sender
- Message recipient
- Short description of the applicable restriction
- Message size
- Name of the AntiVir job that quarantined the message
- Name of the Exchange server
- Name of the mail file
- Processing history
When you view an AntiVir Quarantine using the AntiVir Exchange Management Console, the information from the Quarantine database is shown first. When you open a Quarantine entry, further information is read from the message file.
For communicating with the Quarantine, AntiVir uses SOAP (Simple Object Access Protocol) and SSL (Secure Sockets Layer). This applies both to local access directly on the server and to access from remote Windows workstations. By default, port 8008 is used for communications. You can change this port in the AntiVir Exchange Management Console (AntiVir Servers node), but you must then also make this change in all other AntiVir Exchange Management Consoles that access the server. All stations must use the same port. SSL is used to encrypt the SOAP communications channel. The required components are included with the package.
Only authorized persons have access to the AntiVir quarantines via the network. The user privileges are set through the properties of the file access.acl (...\H+BEDV\AntiVirExchange\AppData\). These privileges are checked by the AntiVir Exchange service. If not logged on to the server, you must authenticate yourself when calling the Quarantine for the first time. The authentication information is temporarily stored so that subsequent calls (in particular of other quarantines) use the same login information. If that fails, a user name and password input dialog appears.
For successful access, the following conditions must be fulfilled:
- The AntiVir Exchange service is running.
- The communication port (default: 8008) is available.
- The station’s name can be resolved and accessed through TCP/IP.
- The user has the required Windows user rights.
5.1.4.2 Active Directory / LDIF
Avira AntiVir Exchange does not make any changes or additions to the Active Directory. However, Avira AntiVir Exchange does read various information from the Active Directory.
When started, the AntiVir Exchange service determines the available Global Catalog server, which is used, for example, for resolving addresses in distribution lists during e-mail processing.
The AntiVir Exchange Management Console uses the Active Directory to select sender/recipient conditions.
If an Active Directory is not available – for example because the corresponding ports are not open – an LDIF file can be used. This can, for example, be created through an LDAP export from an Active Directory, an Exchange 5.5 user directory or a Notes Name and Address Book (NAB).
5.1.4.3 Compressed Files and Archives: The Avira AntiVir Exchange Unpacker
Files are often compressed (zipped) before being sent by e-mail. To allow compressed files to be scanned for viruses, Avira AntiVir Exchange unpacks the files before running the scan. An unpacker is automatically installed with Avira AntiVir Exchange.
The unpacker supports the following archive formats:
- ACE
- CAB
- ZIP
- Self-extracting ZIP
- ARJ
- Self-extracting ARJ
- TAR
- GZIP
- TGZ (Tape archive)
- UUE (Executable compressed ASCII archive)
- LZH (LH ARC)
- RAR
- Self-extracting RAR
- Java Archive (.jar)
- BZIP2
Archives can themselves contain further archives. These recursively compressed files are by default decompressed to a nesting depth of five levels. All archives exceeding this nesting depth are moved to the badmail folder (see “Badmail” on page 56).
The standard upper limit for an e-mail including unpacked files is 500 MB. Such a limit is particularly important to handle so-called "ZIP of Death" attacks. You can change the recursion depth and the space restriction on the console under AntiVir Servers → Properties → General tab.
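The two limits above, shown as an added Python example (not Avira's unpacker code): nested ZIP archives are unpacked for scanning, and the attachment is routed to badmail once the nesting depth of five or the 500 MB unpacked total is exceeded. The function names, the byte-counting rule, the treatment of corrupt archives and the constructed test archives are assumptions of this example; only the ZIP format is handled.

```python
import io
import zipfile

MAX_DEPTH = 5                       # default nesting depth named in the manual
MAX_TOTAL_BYTES = 500 * 1024 ** 2   # default 500 MB limit named in the manual


class ArchiveLimitExceeded(Exception):
    """The message exceeds a limit and belongs in badmail, not in the scanner."""


def read_capped(member, budget, chunk=64 * 1024):
    """Decompress one archive member, aborting once `budget` bytes are exceeded.

    The uncompressed size stored in the ZIP header is sender-controlled, so the
    bytes are counted as they leave the decompressor instead of being trusted.
    """
    out = bytearray()
    while True:
        block = member.read(chunk)
        if not block:
            return bytes(out)
        out += block
        if len(out) > budget:
            raise ArchiveLimitExceeded("unpacked size limit exceeded")


def unpack_for_scan(data, max_depth=MAX_DEPTH, max_total=MAX_TOTAL_BYTES):
    """Return [(path, bytes)] for every non-archive file inside `data`.

    Assumption of this example: the size limit covers the attachment itself
    plus every byte unpacked from it, at all nesting levels.
    """
    leaves = []
    used = len(data)
    if used > max_total:
        raise ArchiveLimitExceeded("unpacked size limit exceeded")

    def walk(blob, path, depth):
        nonlocal used
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            leaves.append((path, blob))      # plain file: hand it to the scanner
            return
        level = depth + 1                    # nesting level of this archive
        if level > max_depth:
            raise ArchiveLimitExceeded(f"nesting depth {level} exceeds {max_depth}")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    content = read_capped(member, max_total - used)
                used += len(content)
                walk(content, f"{path}/{info.filename}", level)

    walk(data, "attachment", 0)
    return leaves


def route(data, max_depth=MAX_DEPTH, max_total=MAX_TOTAL_BYTES):
    """Return "scan" or "badmail" for one attachment."""
    try:
        unpack_for_scan(data, max_depth, max_total)
    except (ArchiveLimitExceeded, zipfile.BadZipFile):
        return "badmail"    # corrupt archives go to badmail too (assumption)
    return "scan"


def make_nested_zip(levels, payload=b"constructed sample payload"):
    """Constructed test input: `payload` wrapped in `levels` ZIP layers."""
    blob, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{i + 1}.zip"
    return blob


def make_zero_filled_zip(size):
    """Constructed test input: one highly compressible member of `size` bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


if __name__ == "__main__":
    print("5 levels:", route(make_nested_zip(5)))
    print("6 levels:", route(make_nested_zip(6)))
    print("1 MB member, 100 kB limit:",
          route(make_zero_filled_zip(1_000_000), max_total=100_000))
```

Counting the decompressed bytes while reading, rather than summing the sizes declared in the archive headers, is what keeps the limit meaningful when the header values are wrong.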

5.1.5 Avira AntiVir Exchange Configuration Settings

All information required to run Avira AntiVir Exchange is saved in the Avira AntiVir Exchange configuration file, an XML file named ConfigData.xml.
The structure of the ConfigData.xml file is similar to that of a database: various entries exist for each configuration area. Since all configuration settings are stored in a single file, the configuration can be easily distributed and backed up. If you have a problem with the configuration, you can simply send the ConfigData.xml file to the Avira Support team for assistance.
The configuration settings are needed by both the AntiVir server and the AntiVir Exchange Management Console. The AntiVir server needs it, for example, for information on the AntiVir jobs to be carried out. To make changes to the configuration with the console, the console must be able to access the ConfigData.xml file. The configuration file can be placed both in a local directory and on a shared network path. The Avira AntiVir Exchange configuration used by the AntiVir Exchange Management Console and the AntiVir server is specified through an entry in the Registry. The path to the configuration file can be entered in the format C:\..... or as a UNC path (\\Servername\Share\ConfigData.xml). If the specified Avira AntiVir Exchange configuration file is not available, Avira AntiVir Exchange uses the "last known good" configuration, which is logged in the Windows event log. The last known good configuration is saved locally for each server and is updated whenever the Avira AntiVir Exchange configuration is changed and access from the Avira AntiVir Exchange configuration file to the last known good configuration is possible.
To open a non-standard configuration with the Console, you must specify the file with a special parameter. Run the Avira.msc file with the parameter config and the desired configuration file. For example:
"C:\Programme\Avira GmbH\AntiVir Exchange\Avira.msc" config "C:\OtherDirectory\Directory\ConfigData.xml"
You can also specify a UNC path here.
For detailed instructions for customizing the Avira AntiVir Exchange configuration, refer to “Configuration in the Avira AntiVir Exchange Management Console” on page 23.

5.2 Message Processing Sequence

The sequence is as follows:
1. An e-mail message arrives at the mail server.
2. The e-mail is intercepted from the SMTP Advanced Queue by the Grabber.
3. The Enterprise Message Handler (EMH) [= AntiVir Exchange Service] fetches the mail for processing.
4. According to the configuration settings, the EMH checks whether or not the e-mail is to be processed by Avira AntiVir Exchange.
5. Messages to be processed are dealt with as specified in the configuration settings (jobs by priority).
6. When processing is complete, the EMH releases the e-mail and, if applicable, modifies the e-mail as configured.

5.3 User Interface

After you have opened Avira AntiVir Exchange, select Basic Configuration, Policy Configuration or AntiVir Monitor in the left column. The right window then shows the corresponding subfolder. To view the online help, click the Help icon on the toolbar or select Help in the Action menu.

5.3.1 The Toolbar

Previous
Next
Up one level
Properties of the selected item
Update view
Export list
Help
Save
Move up one position
Move down one position

5.3.2 The Icons

Enable job
Disable job
New item
Set filter in quarantine/badmail
Disable filter in quarantine/badmail
AntiVir Exchange Management Start console and logo.
Basic Configuration for general settings for all modules
Node for Global settings.
The address list folder.
An individual AntiVir address list (orange collar). Included by default in Avira AntiVir Exchange, cannot be edited.
An individual user-defined address list (yellow collar). Created by the user and configurable under Properties.
The Notification Templates folder, which contains the individual notification templates for each job type and recipient.
An individual notification template; configurable under Properties.
A list of all AntiVir servers, in which you can add, remove and configure servers. The common server properties are defined under General Settings → AntiVir Servers Settings. Alternatively, right-click AntiVir Servers → Properties. This includes the default e-mail addresses and the internal domain(s).
General AntiVir Servers settings under the node General Settings in the right window section.
Folder Settings and Utility Settings. Folder Settings contains the quarantines, while Utility Settings contains all add-ons, such as virus scanners.
The Quarantine folder structure, which contains all quarantine folders.
An individual quarantine folder; configurable under Properties.
The Fingerprints folder.
A logically linked fingerprint group.
An individual fingerprint; configurable under Properties.
The folder for the dictionaries used for content filtering.
An individual dictionary; configurable under Properties.
DCC Folder
A single DCC configuration.
Policy Configuration for configuring individual jobs according to the
company policy.
Folder for sample jobs; contains sample jobs for each job type.
An AntiVir with different job types, configurable under Properties.
An AntiVir with different job types, configurable under Properties.
The AntiVir Monitor for viewing all quarantine folders on each available server. The quarantine folders contain the copies of original messages including attachments.
The Quarantine folders with original messages for viewing, including detailed information for each message.
A single quarantined item.
An invalid quarantined item.
A resent quarantined item.
Information Store quarantine item.
Time and weekday of quarantine maintenance.
Folder for reports supplied with AntiVir.
Individual AntiVir report.
5.4 Configuration in the Avira AntiVir Exchange Management Console
The AntiVir Exchange Management Console window consists of three sections:
- Basic Configuration
  The Basic Configuration is used for general settings and the essential basic settings of the modules.
- Policy Configuration
  The Policy Configuration is used to implement the company policies by way of jobs.
- AntiVir Monitor
  The AntiVir Monitor lets you view the Quarantine areas on each available server as well as detailed information on the mails quarantined there.

5.5 Basic Configuration

In the Basic Configuration, you can configure
- the general settings, such as:
  – Address lists
  – Notification Templates
  – all Folders (such as the Quarantines)
- and Utilities:
  – dictionaries and the DCC server for content checking
  – Fingerprints for blocking attachments
  – the virus scanners and
  – unpackers

5.5.1 Configuration Reports

The configuration reports provide an overview of the current configuration:
1. Right-click on Basic Configuration.
2. Click All Tasks → Show configuration reports ...
3. A list of all configuration reports is displayed.
Click on the desired report and then on Display report. The report is opened as an HTML file in the browser. Click Preview Report for a preview of the printed report.
Click Save Report to save the selected report as an HTML file.

5.5.2 Import Configuration

To update any of the above elements and items, such as dictionaries and fingerprints, with a new version, select Basic Configuration → All Tasks → Import Configuration and select the XML file provided by Avira GmbH.
This function updates only individual jobs, not the complete configuration (ConfigData.xml).
Before you update a Basic Configuration object, make a backup copy of the existing object. The new version replaces the old one, overwriting any user-defined settings.

5.5.3 AntiVir Server Settings

The AntiVir Server Settings option is used to configure the standard settings for all AntiVir servers (for background information refer to “The AntiVir Server” on page 16). Additionally, each server can be configured individually; for details refer to “Individual Server Settings” on page 27.
Select Basic Configuration → General Settings, in the right window section click on AntiVir Server Settings and select Properties from the context menu (right-click) or open the Properties with a double-click. As an alternative, in the left window section under Basic Configuration, right-click on AntiVir Servers to open the Properties.
5.5.3.1 Packed Files and AntiVir Monitor
The settings on the General tab set the maximum size of unpacked files on the hard disk (also refer to ZIP of Death in the “Glossary” on page 135) and the maximum recursion depth on archives (also refer to “Compressed Files and Archives: The Avira AntiVir Exchange Unpacker” on page 18). Whenever an e-mail exceeds one of these values, it is moved to the Bad Mail area.
Be sure to use a correct setting for the communication port for AntiVir Monitor. Otherwise, communication with the servers will be impossible.
Usually, 8008 is used (also entered as standard port during installation). The values specified here apply to all servers.
In this context, also read the description on allocating rights and security settings under “AntiVir Monitor” on page 50.
5.5.3.2 Definition of e-mail addresses and internal domains
Avira AntiVir Exchange requires a number of basic settings concerning the mail domain of the e-mails processed. During installation, the e-mail address of the AntiVir Administrator specified is used for the following Avira AntiVir Exchange basic settings:
- Administrator(s): The AntiVir administrator addresses entered in this field will receive important status notifications on the Avira AntiVir Exchange installation as well as the configured Administrator notifications. As default, the installation enters the administrator address prompted for.
- Notification sender: The sender shown in the Avira AntiVir Exchange notifications. As default, the installation enters Avira AntiVir Exchange with the mail domain of the administrator address prompted for.
- Reply-to address: The recipient stored in the Avira AntiVir Exchange notifications of replies to these notifications. As default, the installation enters the administrator address prompted for.
- Internal domains: The mail domains entered in this field are considered as internal mail domains, all others as external mail domains. This setting is used to enable the Avira AntiVir Exchange rule engine to identify incoming and outgoing mail through the sender and recipient addresses. For instance, a spam filter job will only apply to incoming mails, while a trailer is not to be added to an incoming mail. Multiple domains are separated by Carriage Return. Subdomains are automatically included when the main domain is preceded by a "*" wildcard, e.g. *.domain.com. As default, the installation enters the mail domain of the administrator address prompted for.
These entries apply to all Avira AntiVir Exchange servers. The settings can be changed at any time in the same window.

5.5.4 Individual Server Settings

Select Basic Configuration, in the left window section click AntiVir Servers and double-click the required server to select it. To define a new server, right-click AntiVir Servers → New → AntiVir Server. Right-click Properties.
5.5.4.1 General Server Settings
1. Enter the name of the Exchange server. During the installation, the current Exchange server is automatically entered as the internal domain.
2. Set the maximum number of e-mails processed simultaneously by Avira AntiVir Exchange in the field Number of Threads. A reasonable maximum depends on the capacity and performance of your server.
3. Select the logging level for the event log. You can view this log with the Event Viewer (Windows Event Log). The options range from None to Maximum.
4. Set the number of days the mails are to remain in the Bad Mail Quarantine. When this period expires, the mails are automatically deleted.
5. Set the number of days after which a job processing log in the Log folder is to be deleted. Refer to “Write processing log” on page 64.
To be able to access a newly created server in the Monitor, refresh the view in the Monitor (right-click on AntiVir Monitor → Refresh or click on the refresh symbol in the tool bar).
5.5.4.2 Defining Global E-Mail Addresses for a Single Server
The user-defined and default installation settings in the Properties for all AntiVir servers are copied to each individual server. These are the default settings for AntiVir servers. To specify different settings for a specific server, select Customize address settings and enter the new addresses in the appropriate fields.
5.5.4.3 User-specific Quarantine Access
With Avira AntiVir Exchange, users can access their quarantined messages themselves. For each quarantine, you can specify individual access rules for messages and users. This function is especially useful for spam filtering, i.e. for the spam quarantines. It also helps to reduce the administrator’s workload by allowing users to forward quarantined messages to their inboxes. For each server you can specify whether and how users can access their quarantined mail. The user receives a summary report on quarantined mails, clicks on the corresponding action for the selected mail and, by doing so, sends a request. These actions are configured individually for each quarantine and include Request (delivery to the recipient of the summary notification), Release (delivery to all recipients) and/or Remove (mail marked for deletion in the quarantine). The user gets access through a mail request or an HTTP request. Click the Quarantine access tab:
Allow users to request quarantined items per mail: Quarantine queries are started by a mail request. This message is generated automatically when the user clicks the action link for a quarantined message in the summary report (also refer to “Defining Quarantine Summary Reports” on page 44) and is sent to the e-mail address entered in the Mailbox field on this tab. A precondition is that the e-mail address exists and that the mail is sent through the server on which Avira AntiVir Exchange (and the queried quarantines) are installed. We recommend that you set up the mailbox on the same server. The message content is read out, thereby triggering the action requested by the user. Avira AntiVir Exchange recognizes request messages by
1. the e-mail address (specified in the Mailbox field),
2. the keyword for a user request in the message.
Finally the request message is placed in the specified mailbox. To delete request messages once they have been processed, check the Delete request mails after processing option.
Allow users to request quarantined items per HTTP: Quarantine queries are started by an HTTP request. When the user clicks the required action, the default Web browser opens. The user is notified that the inquiry is being processed. The precondition for this inquiry is a free port. The default port is 8009.
The browser always displays the same feedback message (OK_Response.html in the AntiVirExchange\AppData directory). If the requested message no longer exists (for example because it has been deleted from the quarantine), the user is not notified.
For further information on configuring user-specific quarantine access, refer to “Configuring the Quarantine” on page 43.
5.5.4.4 Quarantine Maintenance
Use this tab to specify the time at which the quarantine on the servers is to be purged. This deletes all messages marked for deletion to make space for newer messages. The default setting is each Saturday at 3:00 a.m. If you wish to modify the time and/or the purge period, click Edit and enter the selected time.
If necessary, you can also purge quarantines manually. To do so, open the quarantine in the AntiVir Monitor and right-click All Tasks → Purge Quarantine.
5.5.4.5 Viewing list of all jobs
The AntiVir Jobs tab lists all jobs that are defined on this server.
If you want to edit a job on the server, open the job properties. Refer to “Policy Configuration” on page 47.

5.5.5 Address Lists

5.5.5.1 Creating, Editing and Deleting Custom Address Lists
In the Basic Configuration → General Settings under Address lists, you can create your own address lists to be selected for individual jobs. The available addresses are taken from the Active Directory.
To create an address list, perform the following steps:
1. Click Address lists.
2. Right-click and select New → Address list from the context menu.
3. Enter a meaningful name for the address list.
4. Click the Select addresses icon.
5. In the window that opens, select the addresses to be added and click Add:
To add your own addresses to the address list, enter them in the input field. You can use the wildcards * (asterisk) and ? (question mark). It is also possible to enter formally invalid e-mail addresses such as info@domain. Press the Enter key before each new entry to place it on a new line.
To search for an entry in a large list of custom addresses, click the search symbol. This text search function is also available for dictionaries. For further information on searching and replacing, see “Searching for Text in Dictionaries” on page 99.
To remove an entry from the list, select it and click Remove.
6. Click OK.
7. Your address list should now look like this:
Allow adding addresses from quarantine: Use this option to specify whether or not addresses from quarantined messages can be directly added to this address list. When checked, you can add the quarantined mail’s sender address to various address lists with the Add button in the AntiVir Monitor.
By default the following address lists are enabled for direct access:
– Anti-Spam: Blacklist
– Anti-Spam: Newsletter Blacklist
– Anti-Spam: Newsletter Whitelist
– Anti-Spam: Whitelist
8. Click OK again.
To edit or delete your address list, select Address lists. To delete the address list, right-click it and select Delete from the context menu.
5.5.5.2 Using and Handling Addresses Within a Job
In each job, the Addresses tab lets you set the users for whom a job is valid. Most common use cases can be covered with the available options:
Set whether the job is to be valid for all users or restricted to internal or external users. This selection is available for senders and recipients.
Both conditions in the Message from and Addressed to fields must come true for an action to be triggered (logical AND!).
Handle every recipient separately (Split): If a message is addressed to several recipients and one or more of these are entered in an address filtering job, the message is split into two e-mails: one for the recipients specified in the address filtering job and one for the remaining recipients. Only the message with the specified recipients is processed by the job. The message is not split if no address filtering was defined for the recipients! Note that splitting messages affects the performance of your server.
Example: scanning for viruses
Corporate policy: You want to scan all messages for viruses. In this case it is not enough to scan messages from external domains only: you also have to make sure that no infected mail leaves the company. The specified actions (scanning for viruses, if necessary cleaning the file and sending a copy to quarantine), must therefore be performed regardless of the sender and recipient address.
Implementation: The action is executed for Message from: <All Senders/Recipients> and Addressed to: <All Senders/Recipients>. There are no exceptions. Each mail from each sender to each recipient is checked for viruses.
These are the address settings for the job:
The Advanced window of the Addresses tab provides options for an easy implementation of more complex corporate policies (also refer to “Policy Configuration” on page 47). Click on the Advanced button:
Click the Basic button to return to the standard selection.
Example job for blocking file attachments
Company policy: Let us assume you want to block messages with attached video files from Internet domains unless they are addressed to Marketing or Management.
- Run this job when a message arrives from checks the sender, as well as the exception Except where addressed from.
- And where addressed to checks the recipient, as well as the exception Except where addressed to.
Implementation: The address settings in the job should look as follows: The specified job action (i.e. blocking files with video attachments) is performed for the <External Senders/Recipients> specified under Run this job when a message arrives from and is not performed for the <Internal Senders/Recipients> specified under And where addressed to.
Under Except where addressed to, enter the Marketing and Management addresses. If you have not already entered these as a group in the Active Directory, you can enter them individually. All video attachments from external senders to internal recipients will now be blocked unless the recipient is a member of the Marketing department or a corporate manager. These are the address settings for the job:
All specified conditions in the senders are and recipients are fields must be fulfilled for an action to be initiated (logical AND). If several addresses are entered within the same condition (e.g. senders are), only one has to apply to trigger the action. The exceptions (except where addressed from/to ...) have no effect on the initiation of this action and are only taken into account in addition to the specified conditions. Messages to or from these addresses are forwarded without further processing.
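The address logic of the video-attachment job, shown as an added Python example (not Avira's rule engine): addresses are classified as internal or external from an Internal domains list as described under “Definition of e-mail addresses and internal domains”, then the sender AND recipient conditions, the exceptions and the Split option are applied. All example.com and example.net addresses are constructed, the function names are hypothetical, and the handling of a partly matching message without Split is an assumption because the manual does not describe that case.

```python
import re
from dataclasses import dataclass, field

ALL = "<All Senders/Recipients>"
INTERNAL = "<Internal Senders/Recipients>"
EXTERNAL = "<External Senders/Recipients>"


def wildcard_match(pattern, text):
    """Case-insensitive match in which only * and ? act as wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def is_internal(address, internal_domains):
    """True if the domain part matches an entry of the Internal domains list.

    The whole domain must match, so "example.com.example.net" is external
    even though it starts with an internal name.
    """
    domain = address.rsplit("@", 1)[-1]
    return any(wildcard_match(entry, domain) for entry in internal_domains)


def selects(entry, address, internal_domains):
    """Evaluate one entry of a condition: a built-in list or an address pattern."""
    if entry == ALL:
        return True
    if entry == INTERNAL:
        return is_internal(address, internal_domains)
    if entry == EXTERNAL:
        return not is_internal(address, internal_domains)
    return wildcard_match(entry, address)


def any_selects(entries, address, internal_domains):
    # Several entries within one condition: one match is enough (logical OR).
    return any(selects(e, address, internal_domains) for e in entries)


@dataclass
class AddressConditions:
    senders: list                       # "Run this job when a message arrives from"
    recipients: list                    # "And where addressed to"
    except_senders: list = field(default_factory=list)
    except_recipients: list = field(default_factory=list)
    split: bool = False                 # "Handle every recipient separately"


def apply_conditions(cond, sender, recipients, internal_domains):
    """Return (processed, bypassed) recipient lists for one message."""
    sender_ok = (any_selects(cond.senders, sender, internal_domains)
                 and not any_selects(cond.except_senders, sender, internal_domains))
    if not sender_ok:
        return [], list(recipients)     # sender condition failed: job not run
    hits = [r for r in recipients
            if any_selects(cond.recipients, r, internal_domains)
            and not any_selects(cond.except_recipients, r, internal_domains)]
    if not hits:
        return [], list(recipients)
    if cond.split:
        return hits, [r for r in recipients if r not in hits]
    # Assumption: without Split the job handles the whole message.
    return list(recipients), []


# Constructed configuration for the policy described in the text.
INTERNAL_DOMAINS = ["example.com", "*.example.com"]
VIDEO_JOB = AddressConditions(
    senders=[EXTERNAL],
    recipients=[INTERNAL],
    except_recipients=["marketing@example.com", "management@example.com"],
    split=True,
)

if __name__ == "__main__":
    print(apply_conditions(VIDEO_JOB, "sender@example.net",
                           ["dev@example.com", "marketing@example.com"],
                           INTERNAL_DOMAINS))
```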
To specify the addresses for a specific condition, click Internal Senders/Recipients, No addresses selected or a corresponding entry in the exceptions. This opens the Address Selection dialog:
You can also use the AntiVir address lists:
The AntiVir address lists are permanent lists, generated from the global AntiVir Server settings that are prompted for and entered during installation or which you have configured manually. Also refer to “AntiVir Server Settings” on page 24.

5.5.6 Create Notification Templates

In each job, under Actions, you can specify the persons to be notified when Avira AntiVir Exchange has intercepted a denied message. You can create new jobs using templates: simply select the appropriate template for the job type. For further information on the individual job types, see “Policy Configuration” on page 47.
The notification templates for the individual jobs (content filtering, virus scanning, etc.) are created under Basic Configuration.
You can find standard notification templates for each module under Basic Configuration → General Settings → Templates.
1. Click Templates and select the template type.
2. In the right pane, right-click the template you want to use and select Properties.
3. Enter the subject.
4. For the notification body text, click the Notification Body tab and then Edit. To add layout to your text with HTML, use the Formatting toolbar. To enter HTML tags directly, open the source code with the corresponding button.
5. The Jobs tab lists the jobs that use the notification template.
6. Click OK.
For further information on the template type Quarantine summary report, refer to “Defining Quarantine Summary Reports” on page 44.
5.5.6.1 List of Notification Variables
In the message body and Subject line, you can enter the following variables, which you can also insert directly with the corresponding button:
Category, Variable-Type
General
General: Sender [VAR]From[/VAR] Sender of the message that
General: Subject [VAR]Subject[/VAR] Subject line of the message
General: Date and Time
General: Date [VAR]DateOnly[/VAR] Date on which the job that
Variable Description
triggered the action
that triggered the action
[VAR]Date[/VAR] Date and time at which the
job that started the action was run
started the action was run
General: Recipi­ent(s)
General: Job Name [VAR]Jobname[/VAR] Name of the job that started
36 AntiVir Exchange Server Avira GmbH
[VAR]Recipients[/VAR] Recipient of the message
that triggered the action
an action
General
Category, Varia ble-Type
General: Non-appli­cable recipient
General: Quarantine folder
General: ID of a quarantine e-mail
General: Server [VAR]Server[/VAR] Server through which the
General: Server (Network name)
Variable Description
[VAR]UnrestrictedRecipi­ents[/VAR]
[VAR]Quarantine[/VAR] The quarantine in which a
[VAR]QuarantineDocRef [/VAR]
[VAR]ServerFQDN[/VAR] Server through which the
Recipients of the message that triggered the action who were not defined in the (inbound) address conditi­ons
message was placed
Unique identifier of the quarantined mail
affected message was sent; here: the name entered in the configuration settings
affected message was sent; here: the server’s network name (fully qualified domain name)
General: Time [VAR]TimeOnly[/VAR] Time at which the job that
started the action was run

| Category, Variable-Type | Variable | Description |
|---|---|---|
| General: Avira AntiVir Exchange Report | [VAR]ToolReport[/VAR] | Summary of the scan results |
| General: Avira AntiVir Exchange Report (Details) | [VAR]ToolReportDetails[/VAR] | Result of the scans with all details |
| General: Applicable recipient | [VAR]RestrictedRecipients[/VAR] | Recipients of the message that triggered the action who were defined in the (inbound) address conditions. |

AntiVir

| Category, Variable-Type | Variable | Description |
|---|---|---|
| AntiVir: Attachment size | [VAR]AttachmentSize[/VAR] | Size of the denied/infected attachment |
| AntiVir: Attachment type | [VAR]FingerprintName[/VAR] | Name of the denied file type |
| AntiVir: Fingerprint category | [VAR]Fingerprintcategory[/VAR] | Category of the denied file type |
| AntiVir: e-mail size | [VAR]MessageSize[/VAR] | Size of the whole message |
| AntiVir: Attachment Name | [VAR]AttachmentName[/VAR] | Names of the denied/infected attachments |
| AntiVir: e-mail size limit | [VAR]SetSizeLimit[/VAR] | Maximum message size specified in the job |
| AntiVir: Virus name | [VAR]Virusname[/VAR] | Names of the found viruses |
| AntiVir: Virus scanner | [VAR]VirusScanner[/VAR] | Names of the scan engines that have found the virus |

Information Store Scan

| Category, Variable-Type | Variable | Description |
|---|---|---|
| IS-Scan: Database | [VAR]VSAPI_Database[/VAR] | Name of the Information Store in which the message was located at the time of the virus scan |
| IS-Scan: Database URL | [VAR]VSAPI_Url[/VAR] | URL of the Information Store in which the message was located at the time of the virus scan |
| IS-Scan: Error description | [VAR]VSAPI_ErrorText[/VAR] | Further description in the event of an error through the Information Store job |
| IS-Scan: Submit time | [VAR]VSAPI_SubmitTime[/VAR] | Date and time at which message was sent |
| IS-Scan: MessageUrl URL | [VAR]VSAPI_MessageUrl[/VAR] | Information Store URL of the message at the time of the virus scan |
| IS-Scan: Folder | [VAR]VSAPI_Folder[/VAR] | Name of the Information Store folder in which the message was located at the time of the virus scan |
| IS-Scan: Mailbox | [VAR]VSAPI_Mailbox[/VAR] | Name of the mailbox in which the message was located at the time of the virus scan |
| IS-Scan: Server | [VAR]VSAPI_Server[/VAR] | Name of the server on which the virus scan was performed through the Information Store scan |
| IS-Scan: Virus scanner | [VAR]virusscanner[/VAR] | Names of the scan engine that has found the virus |
| IS-Scan: Virus name | [VAR]virusname[/VAR] | Names of the found viruses |
| IS-Scan: Delivery time | [VAR]VSAPI_DeliveryTime[/VAR] | Date and time at which message was delivered |

AntiVir Wall

Content filtering

| Category, Variable-Type | Variable | Description |
|---|---|---|
| AntiVir Wall: Content analysis details | [VAR]DeniedContentTabHTML[/VAR] | Detailed information about the found words/sentences |
| AntiVir Wall: Mail part | [VAR]DeniedMailParts[/VAR] | Attachments/message body texts causing the action |
| AntiVir Wall: Restricted dictionaries | [VAR]DeniedWordlists[/VAR] | Dictionaries triggering action because value/threshold value was reached |
| AntiVir Wall: Restricted words | [VAR]DeniedWord[/VAR] | Word triggering action because value/threshold value was reached |

Spam filtering

| Category, Variable-Type | Variable | Description |
|---|---|---|
| AntiVir Wall: DCC result | [VAR]DCCString[/VAR] | Return value of the DCC server after the message has been analyzed by the server |
| AntiVir Wall: Spam analysis details | [VAR]SpamReportHTML[/VAR] | Detailed information about each spam criterion |
| AntiVir Wall: Spam probability | [VAR]SpamValue[/VAR] | Calculated spam probability value (from 0 to 100). This value is compared with the individually defined threshold values in the advanced spam filtering job. |
| AntiVir Wall: Spam level | [VAR]SpamLevel[/VAR] | AntiVir Wall adds a spam level in the form of a star rating in the header of each scanned message (for example X-SPAM-TAG: * indicates a spam probability between 0 and 10, X-SPAM-TAG: *** a probability between 20 and 30). You can define a rule that looks for this string in the Outlook message header and applies actions to messages with more than a certain number of asterisks. For further information on creating rules in Outlook, see the Outlook help. |

Address filtering

| Category, Variable-Type | Variable | Description |
|---|---|---|
| AntiVir Wall: Number of recipients | [VAR]NumberRecipient[/VAR] | Number of recipients to which the message is addressed |
| AntiVir Wall: Recipient number limit | [VAR]SetRecipientLimit[/VAR] | The maximum number of recipients defined in the job |
| AntiVir Wall: Restricted sender | [VAR]DeniedSender[/VAR] | Name of the sender that started an action |
| AntiVir Wall: Restricted recipient | [VAR]DeniedRecipient[/VAR] | Name of the recipient that started an action |

Summary report

| Category, Variable-Type | Variable | Description |
|---|---|---|
| Summary: Sender | [VAR]From[/VAR] | Sender of the summary report |
| Summary: Reply to | [VAR]ReplyTo[/VAR] | Address to which replies to the summary report are to be sent (NotificationReplyTo) |
| Summary: Subject | [VAR]Subject[/VAR] | Subject of the summary report |
| Summary: Current summary report date | [VAR]Nowdate[/VAR] | Date on which the current summary report was generated |
| Summary: Last summary report date | [VAR]Lastdate[/VAR] | Date on which the previous summary report was generated |
| Summary: Current summary report date and time | [VAR]Now[/VAR] | Date and time at which the current summary report was generated |
| Summary: Last summary report date and time | [VAR]Last[/VAR] | Date and time at which the previous summary report was generated |
| Summary: Recipients | [VAR]RcptTo[/VAR] | Recipients of the summary report |
| Summary: Fully qualified domain name | [VAR]FQDN[/VAR] | Full domain name of the server on which the quarantine for which a notification is to be generated is located |
| Summary: Quarantine e-mail list | [VAR]HtmlList[/VAR] | Complete list of all quarantined items for a recipient with HTML formatting (compulsory field in the quarantine summary report) |
| Summary: HTTP Port | [VAR]HTTPPort[/VAR] | Port of the HTTP server |
| Summary: HTTP Server | [VAR]HTTPServer[/VAR] | HTTP server through which HTTP user requests are sent |
| Summary: Quarantine | [VAR]Displayname[/VAR] | Name of the quarantine from which the message list was generated |
| Summary: Server | [VAR]Server[/VAR] | Short name of the server on which the quarantine for which a notification is to be generated is located |
| Summary: Current summary report time | [VAR]Nowtime[/VAR] | Time at which the current summary report was generated |
| Summary: Last summary report time | [VAR]Lasttime[/VAR] | Time at which the previous summary report was generated |

X-Block

| Category, Variable-Type | Variable | Description |
|---|---|---|
| X-Block: Name of the image with offensive contents | [VAR]XblockAttachment[/VAR] | If several images were found, the one with the highest value is specified. |
| X-Block: Result of the image with offensive contents | [VAR]XblockResult[/VAR] | If several images were found, the one with the highest value is specified. |

Whitelist

| Category, Variable-Type | Variable | Description |
|---|---|---|
| Whitelist: Whitelist entries | [VAR]HtmlList[/VAR] | Complete list of all entries for a recipient with HTML formatting (compulsory field in the whitelist summary report) |
| Whitelist: Fully qualified domain name | [VAR]FQDN[/VAR] | Full domain name of the server on which the whitelist for which a notification is to be generated is located |
| Whitelist: HTTP port | [VAR]HTTPPort[/VAR] | Port of the HTTP server |
| Whitelist: HTTP server | [VAR]HTTPServer[/VAR] | HTTP server through which HTTP user requests are sent |
| Whitelist: Display name | [VAR]Displayname[/VAR] | Name of the whitelist from which the message list was generated |
| Whitelist: Recipients | [VAR]RcptTo[/VAR] | Recipients of the summary report |
| Whitelist: Reply To | [VAR]ReplyTo[/VAR] | Address to which replies to the whitelist summary report are to be sent (NotificationReplyTo) |
| Whitelist: Sender | [VAR]From[/VAR] | Sender of the summary report |
| Whitelist: Server | [VAR]Server[/VAR] | Short name of the server on which the whitelist for which a notification is to be generated is located |
| Whitelist: Size | [VAR]CollectedSize[/VAR] | Size of the whole whitelist |
| Whitelist: Subject | [VAR]Subject[/VAR] | Subject of the summary report |
| Whitelist: Summary part | [VAR]SummaryPart[/VAR] | In case more than 3,000 new addresses are to be entered in a whitelist, the user receives several whitelist reports. The variable returns the number of the summary report ("1" for the first 3000 entries, "2" for the next 3000 etc.). |
| Whitelist: Send whitelist by web | [VAR]link::HTTP_SendWhitelist[/VAR] | Whitelist request and notification occurs through HTTP |
| Whitelist: Send whitelist by mail | [VAR]link::MAIL_SendWhitelist[/VAR] | Whitelist request and notification occurs through e-mail |
| Whitelist: Clear whitelist by web | [VAR]link::HTTP_ClearWhitelis[/VAR] | Delete the whitelist through HTTP |
| Whitelist: Clear whitelist by mail | [VAR]link::MAIL_ClearWhitelist[/VAR] | Delete the whitelist through e-mail |

Note that the tokens [VAR] and [/VAR] are case-sensitive and must always be written in capital letters.
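The star rating described for [VAR]SpamLevel[/VAR] can also be evaluated outside Outlook, for example when triaging exported messages. The following is an added example, not part of the Avira product or manual: it reads the X-SPAM-TAG header and applies the "more than a certain number of asterisks" rule. The mapping of n stars to the band (n-1)*10 to n*10 is an assumption extrapolated from the two cases given in the table, and all function names and sample messages are constructed for the illustration.

```python
from email import message_from_string
from email.policy import default

HEADER = "X-SPAM-TAG"   # header name as given in the variable table
MAX_STARS = 10          # assumption: 10 stars would cover the 0-100 range


def spam_stars(raw_message):
    """Return the star count from X-SPAM-TAG, or None if no usable tag exists."""
    msg = message_from_string(raw_message, policy=default)
    counts = []
    # Header lookup is case-insensitive; a message may carry several tags.
    for value in msg.get_all(HEADER, []):
        text = str(value).strip()
        # Accept only a run of 1..MAX_STARS asterisks; anything else is malformed.
        if text and set(text) == {"*"} and len(text) <= MAX_STARS:
            counts.append(len(text))
    # With several valid tags, use the highest one (the conservative choice).
    return max(counts) if counts else None


def probability_band(stars):
    """Map a star count to the assumed (low, high) spam probability band."""
    return ((stars - 1) * 10, stars * 10)


def exceeds(raw_message, max_stars):
    """True if the message carries more than max_stars asterisks."""
    stars = spam_stars(raw_message)
    return stars is not None and stars > max_stars


def _message(*headers):
    """Build a constructed sample message from the given header lines."""
    return "\n".join(list(headers) + ["", "Body text", ""])


# Constructed sample messages (not taken from a real mailbox).
SAMPLES = {
    "three": _message("From: a@example.com", "X-SPAM-TAG: ***"),
    "lowercase": _message("From: b@example.com", "x-spam-tag: **"),
    "untagged": _message("From: c@example.com", "Subject: hello"),
    "two_tags": _message("X-SPAM-TAG: *", "X-SPAM-TAG: *****"),
    "malformed": _message("X-SPAM-TAG: **x"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        stars = spam_stars(raw)
        band = probability_band(stars) if stars else None
        print(name, stars, band, exceeds(raw, 2))
```

A message without a valid tag is reported as None rather than as zero stars, so untagged mail can be told apart from mail rated as low probability.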

5.5.7 Folder settings

5.5.7.1 Configuring the Quarantine
The quarantine is a directory in which all messages are placed that meet the criteria you have defined for the Copy to quarantine action. When Avira AntiVir Exchange is installed, a folder called Quarantine is created in the data directory; it initially contains some default quarantines and later all other new quarantines. Select Basic Configuration → Folder Settings → Quarantine to configure the existing quarantines and set up new ones.
1. Click Quarantines: in the right window section, all available quarantines are shown.
2. Right-click an existing quarantine in the right pane and select Properties.
3. Under Name, enter a description for the Quarantine. The Quarantine’s Folder Name remains the same. This option is only available when you create a new quarantine.
4. Under the Summary Reports tab, you can now configure a summary notification for the selected Quarantine.
In case you allow the users to access and modify whitelists, select Quarantine Summary Report with Whitelist Support under Template.
To create a new Quarantine:
1. Right-click Quarantine and select New → Quarantine.
2. The Folder Name is taken from the description. Only the characters A - Z and 0 - 9 are used, all others are converted into underscores.
3. The proposed Folder Name can be overwritten.
Enter the folder name only, not an absolute path!
4. When you have saved the configuration, these quarantines are automatically created by the EMH and displayed in the AntiVir Monitor (after having refreshed the View) [1].
The size of a quarantine is limited to 2 GB! Observe the deletion interval. By default, all entries older than 30 days are automatically deleted.
5.5.7.2 Defining Quarantine Summary Reports
Quarantine Summary Reports provide information on the messages quarantined by Avira AntiVir Exchange; Whitelist Summary Reports provide information on the new entries in the user whitelist.
Summary reports can be sent to various recipients or recipient groups and contain a list of various quarantined messages. The listed messages, the actions the user can take when receiving a summary report and the additional information contained therein are defined separately for each summary report.
Summary reports consist of two parts:
- The template, which contains variables and defines the form of the notification. To edit the summary report template, select Basis Settings → Templates → Quarantine Summaries. The variables used here apply only to the summary report and its form. Configure the summary report template as described under “Create Notification Templates” on page 36.
- Fields, which define the messages and the fields of each message to be listed in the summary. The content of the summary report, i.e. the list of quarantined messages, is defined by variable Summary: Quarantine e-mail list ([VAR]HTMLList[/VAR]), which must be set for every summary report. The entries contained in the list are specified under Folder Settings → Quarantine → Properties → Summary Reports → Add → Summary fields.
You can configure the list content but not its form or representation.
Example: Variable Summary: Sender under Templates indicates the sender of the summary report (the same sender as for all Avira AntiVir Exchange notifications; it is defined under AntiVir Server Settings). The Sender checkbox in the Fields tab for a quarantine specifies that the sender of the quarantined message will be shown in the list.
[1] For more information on quarantines, see “Quarantines” on page 51.
1. In the Recipients field, select All Recipients. The recipients of the quarantined messages will receive the summary report. Select Userdefined recipients when you want to limit the group of recipients of a summary report. The selected recipients or groups are listed in the field under the Recipients field.
2. As Template you can use a summary report that you have created yourself under General Settings → Templates → Quarantine-Summary Report. By default, Avira AntiVir Exchange contains only the Quarantine summary report template.
3. For the summary data (report’s content) select New mails only. The summary report will then list only those messages that have been quarantined since the last summary report.
4. Processing: do not process by AntiVir jobs means that messages resent or released on the user’s request are not checked by enabled AntiVir jobs, but are delivered to the recipient without further processing. Also refer to the next tab, Fields.
5. In the Fields tab, select the message fields to be listed in the quarantined messages summary report. If, for example, you check Subject here, the subjects of the quarantined messages are listed in the summary report. A default selection is already checked.
Users can click the links in the summary report to perform actions on the selected messages. Select one of the actions to be performed:
Request: The quarantined message is forwarded to the recipient of the summary report.
Release: The message is forwarded to all original recipients.
Remove: The quarantined message is marked for deletion.
All options checked in the Fields tab will appear as a link in the summary report list.
6. Click the Schedule tab and then Add. A Schedule dialog opens in which you can specify the time at which summary reports will be generated. In this case, a summary report is sent to the recipient of the spam mail daily at midnight (00:00 hours).
You can create several different summary reports with differing content for a single quarantine. For each report, the messages are compiled separately from the quarantine, even if the reports are scheduled for the same time.
A list of all quarantines is available under Folder Settings → Quarantine. The Summary report column shows the quarantines for which a summary notification has been configured (yes/no).

5.5.8 Utility Settings

5.5.8.1 Fingerprints
AntiVir uses Fingerprints to identify file types. A comprehensive, categorized range of fingerprints is included with Avira AntiVir Exchange. Normally, you do not have to make any changes to these initially. For further information on configuring fingerprints, see “Configuring Fingerprints” on page 75.
5.5.8.2 Dictionaries
Here, you can create dictionaries of text strings that you want AntiVir Wall content and spam filtering to block. We have already created a few dictionary categories that you can customize to your requirements. For details about setting up dictionaries see “Setting up Dictionaries” on page 98.
5.5.8.3 DCC
AntiVir Wall uses DCC technology for spam detection. It recognizes bulk mail using checksums that are counted by DCC servers. You can define the global DCC settings under Basic Configuration. For further information about junk mail filtering with DCC, see “Spam Filtering With the DCC Spam Filtering Job” on page 122.

5.6 Policy Configuration

Under Policy Configuration, define your AntiVir jobs based on your company’s own policies.
Using a range of conditions (or filters), you can specify the messages that will be intercepted, the actions to be performed and scheduled, and the priority of each job (i.e. the order in which jobs are run). All conditions can be configured within the jobs. Together, the AntiVir jobs form your company’s policy.

5.6.1 Job Types

There are 10 different job types, which you can find under Policy Configuration → Mail Transport Jobs → right click → New:

| Job Type | Function |
|---|---|
| AntiVir Virus Scanning | Scans messages for viruses. |
| AntiVir Attachment Filtering | Checks messages for denied file attachments. The various file formats are identified with fingerprints. |
| AntiVir Attachment/Size Filtering | Checks messages for denied file attachments and for file size, and denies files larger than the specified size. |
| AntiVir E-Mail Size Filtering | Checks messages for size and denies files that are larger than the allowed maximum size (per message size). |
| AntiVir Wall E-Mail Address Filtering | Checks messages for address restrictions. |
| AntiVir Wall Content Filtering | Checks messages and attachments for restricted text content. |
| AntiVir Wall Spam Filtering | Checks messages for spam using a range of criteria. |
| AntiVir Wall DCC Spam Filtering | Checks messages for spam using a DCC server. Use this job only for testing. DCC analysis is included in the AntiVir Wall Spam Filtering Job as combined criterion and has only to be enabled. |
| AntiVir Wall Recipient Limit Filtering | Checks messages for a maximum permissible number of recipients per message (the recipients in the To field of each message are counted). |
| AntiVir Wall Xblock Image Filtering | Checks messages for offensive images. |

For each job type, you can define individual conditions, all of which must apply for the specified action to be executed. Address filtering can be performed by all job types. You can, for example, create a job that quarantines and deletes all messages (without forwarding them to their recipient) that were sent from the domains *@gmx.net and *@hotmail.com, are larger than 500 KB and belong to the fingerprint category Sound. This would be an AntiVir Attachment/Size Filtering Job.
AntiVir is delivered with a number of standard jobs, which can be adapted to your requirements. Of course, you can also create your own jobs. Preconfigured jobs are available under Policy Configuration → Sample Jobs. With the mouse, drag the desired job to Mail Transport Jobs. There is no limit to the number of jobs you can create. The order in which the jobs will be processed is shown in the job list in Mail Transport Jobs. For additional information, refer to “Job Processing Sequence” on page 49.
A job can be enabled or disabled. To prevent a job being run, you can simply disable it: you do not have to permanently delete it from your configuration.
For each job, on the Actions tab, you can specify the actions to be executed when a message meets the defined criteria or is virus-infected.

5.6.2 Actions

In addition to the job-specific actions, you can use the following standard actions.

| Action | Description |
|---|---|
| Copy to Quarantine | A copy of the message is placed in the specified quarantine folder, where it can be viewed any time. |
| Delete e-mail | The infected/denied message is permanently deleted from the server. If selected, a copy is first placed in quarantine. |
| Delete attachment | The infected attachments are permanently deleted from the server. |
| Add a subject extension | A configurable supplement is added to the Subject line to indicate that the message has been processed. |
| Send notifications to | Notifications can be sent to the following groups and individuals: Administrators, Sender, Recipients, Other persons. |
| Run external Program | Runs an external program. |
| Add X-header field | A field is added to the message header, which can be filled with a value from one of the variables. |
| Redirect mail | The e-mail is resent to the defined recipients. As an option, the message can also be sent to the actual recipient. |

5.6.3 Job Processing Sequence

The order in which jobs are processed is shown in the job list under Policy Configuration → Mail Transport Jobs. New jobs are added at the end of the list and can be moved to the desired position with the arrow icons in the icon bar or via the context menu (All Tasks → Move up/Move down).
Meaningful order:
If you need to decrypt e-mails with AntiVir Crypt, the import and decryption jobs should be the first ones executed, as the mails cannot be further processed otherwise. Without decryption, a virus scan job should be placed at the first position in order to make sure that any mails quarantined (by another job) and possibly delivered from there are virus-free.
Mails that could be resent include the mails processed by jobs with blocking functions for specific fingerprints or anti-spam jobs (with summary reports sent to the users, see “Defining Quarantine Summary Reports” on page 44). For instance, if a mail is quarantined by an anti-spam job, it will be labeled Spam in the Quarantine, but it cannot be excluded that it is virus-infected if no virus scan job has been run previously.
We recommend assigning a high position to jobs with simple blocking functions, e.g. for very large mails or unknown archives, in order to exclude the mails affected from further processing and avoid unnecessary server loads. For instance, assign a high position to an AntiVir Wall Recipient Limit job, so that mails addressed to too many recipients are discarded before other jobs are run and possibly change the list of recipients, thus falsifying the Recipient Limit job result.

5.7 AntiVir Monitor

The AntiVir Monitor is used to observe all AntiVir servers, quarantines and badmail folders. In addition, it provides access to statistical evaluations. The AntiVir Monitor lists all servers configured under Basic Configuration → AntiVir Servers. AntiVir Monitor accesses the servers via the network using SOAP/SSL encryption. To enable access to a server, first enter the server under Basic Configuration → AntiVir Servers and then refresh the AntiVir Monitor view.
For details on how to add a server, please refer to “Individual Server Settings” on page 27. Also make sure your Quarantine has been set up according to the instructions under “Configuring the Quarantine” on page 43.
You can view detailed information on the Avira AntiVir Exchange version, configuration, etc. for each server: In AntiVir Monitor, right-click the desired server and select Properties.
The AntiVir Monitor requires a logon as authorized user. If you are not logged on to the server locally, a logon dialog will prompt you for a user name and password to access the corresponding domain.
The AntiVir Monitor access rights are set in the properties of the access.acl file in the folder ...\Avira GmbH\AntiVirExchange\AppData\. Select the Security tab and give the desired users at least write access.
The login dialog for another server appears only if your current user name does not have sufficient access rights for the second server. It is possible to log on to several servers at the same time using different user names and thus to access every AntiVir Monitor on each server.
During the AntiVir installation, the access rights are assigned according to the rights to the corresponding drive, i.e. the administrator will usually have access automatically.
To observe data in the AntiVir Monitor:
1. Click on the desired server.
2. Authenticate yourself with a user name and a password with sufficient rights to access the AntiVir data on the server’s file system.
3. Click the area you wish to view, e.g. Standard Quarantine or Badmail. All available mails will be displayed (up to a maximum of 10,000).
4. Filter the mails using the Filter Options icon.
5. Double-click on a mail to open it.
6. Resend if required.

5.7.1 Quarantines

If you have enabled the Copy to quarantine action in a job, all affected messages are copied into a quarantine [1] and the AntiVir Monitor displays all information available on individual mails.
Click on a quarantine to view a list of mails. If you right-click on a mail, the following options are available:
Copying mails is also possible via drag & drop. With the mouse, simply drag the selected mail into another quarantine.
Within a quarantine, you can filter messages according to numerous selection criteria. To do so, right-click View → Filter or click the Filter Options icon. The following dialog appears:
[1] Refer to “Configuring the Quarantine” on page 43
You can reset the options in one of three ways:
1. Under Filter options, select No Filter.
2. Right-click View → Show all objects.
3. Click the corresponding icon in the toolbar.
The AntiVir Monitor view displays a maximum of 10,000 e-mails at a time (the most recent ones). To view older e-mails, select appropriate filter options to restrict the e-mails displayed.
5.7.1.1 Example of a Quarantined Message
To view this information, double-click the quarantined message or right-click and select Properties.
The Message tab contains a summary of the important information:
Icons used on these tabs:
Send message from quarantine
Delete message in quarantine
Create, edit or delete message label
Next message in quarantine/badmail
Previous message in quarantine/badmail
To add the message sender to an address list, click the Add button. The address lists shown with this button are defined separately for each address list. For further information, see “Address Lists” on page 30. When you add the sender’s address to the address list, a message appears:
To copy the message to another quarantine on this server, click Copy.
The Processing Log tab shows the name of the job that has quarantined the message, the job type, the server, the reason for quarantining the message as well as other processing details:
The Resent Log tab displays details on the resend process:
5.7.1.2 Example of a Mail in the Information Store Quarantine
To view this information, double-click the message in the Information Store quarantine or right-click and select Properties.
The Item tab contains a summary of the important information:
Icons used on these tabs:
Delete item in quarantine
Create, edit or delete item label
Save item in the file system
Next item in quarantine
Previous item in quarantine
To copy the item to another quarantine on this server, click Copy.
The Processing tab shows the name of the job that has quarantined the item, the job type, the server, the reason for quarantining the item as well as other processing details:
5.7.1.3 Sending From Quarantine
If you want to send a quarantined message to its original recipient or another user, you can resend it directly from the quarantine without having it rechecked by AntiVir jobs:
1. In the AntiVir Monitor, open a list of quarantined messages.
2. Right-click the desired message.
3. Now select All Tasks → Resend Quarantine item.
As an alternative, you can send the message directly from the Properties dialog by clicking the Send message from quarantine icon.
4. The following dialog appears:
No address lists are available to select an address for resending from quarantine.
If you do not want any jobs to process the message, select the Deliver the e-mail bypassing any AntiVir jobs on this server option. When you forward a message from quarantine, it is likely to be urgent even though it contains restricted words or attachments, so you probably want this to be your default setting.
This is a global setting. If you have enabled jobs that are to scan mail resent from quarantine, set this option to Resubmit the e-mail to all AntiVir jobs on this server. Otherwise, the Check e-mails resent from quarantine job setting does not apply and all messages are forwarded without further checking.
The instruction Resubmit the e-mail to all AntiVir jobs applies also to those jobs for which the option Quarantined e-mails: Check e-mails resent from quarantine has been enabled. Even if you want to reprocess quarantined mail, all jobs for which Ignore e-mails resent from quarantine is selected will be excluded from processing.
5.7.1.4 Badmail
Messages that cannot be processed by AntiVir jobs – such as messages with unknown formats – are referred to as badmail. Because Avira AntiVir Exchange cannot read these messages, little is known about badmail. This mail may therefore also contain undetected viruses.
There is only one badmail folder on each server, and you cannot create further badmail folders. Otherwise, the same functions and options apply to badmail as for quarantined mail.
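The ordering rule from “Job Processing Sequence” and the resend options under “Sending From Quarantine” interact: together they decide whether a message released from a quarantine, or from badmail, was ever virus-scanned. The following added example (not Avira code and not the product's configuration format) models that interaction and lists the sources from which a released message would reach users unscanned. The Job record, its field names and the sample job names are assumptions made for the illustration.

```python
from dataclasses import dataclass

VIRUS_SCAN = "AntiVir Virus Scanning"  # job type name from the manual
BYPASS = "bypass"      # "Deliver the e-mail bypassing any AntiVir jobs on this server"
RESUBMIT = "resubmit"  # "Resubmit the e-mail to all AntiVir jobs on this server"
BADMAIL = "Badmail"


@dataclass
class Job:
    """Hypothetical record of one mail transport job (not the product's format)."""
    name: str
    job_type: str
    enabled: bool = True
    quarantines: bool = False   # job uses the Copy to Quarantine action
    check_resent: bool = False  # "Check e-mails resent from quarantine" selected


def scanned_before(jobs, source):
    """True if an enabled virus scanning job runs before the job named source."""
    for job in jobs:
        if job.name == source:
            return False
        if job.enabled and job.job_type == VIRUS_SCAN:
            return True
    raise ValueError("unknown job: " + source)


def jobs_on_resend(jobs, mode):
    """Jobs that process a message resent from quarantine under the global mode."""
    if mode == BYPASS:
        return []
    # Jobs set to "Ignore e-mails resent from quarantine" are always excluded.
    return [j for j in jobs if j.enabled and j.check_resent]


def unscanned_releases(jobs, mode):
    """Sources whose released mail reaches users without any virus scan."""
    rescan = any(j.job_type == VIRUS_SCAN for j in jobs_on_resend(jobs, mode))
    findings = []
    for job in jobs:
        if not (job.enabled and job.quarantines) or job.job_type == VIRUS_SCAN:
            continue
        if not scanned_before(jobs, job.name) and not rescan:
            findings.append(job.name)
    # Badmail could not be read by any job, so it is always unscanned.
    findings.append(BADMAIL)
    return findings


# Constructed job lists, in processing order.
SPAM_FIRST = [
    Job("Spam to quarantine", "AntiVir Wall Spam Filtering", quarantines=True),
    Job("Scan all mail", VIRUS_SCAN),
    Job("Block sound files", "AntiVir Attachment Filtering", quarantines=True),
]
SCAN_FIRST = [SPAM_FIRST[1], SPAM_FIRST[0], SPAM_FIRST[2]]
SPAM_FIRST_RESCAN = [
    SPAM_FIRST[0],
    Job("Scan all mail", VIRUS_SCAN, check_resent=True),
    SPAM_FIRST[2],
]

if __name__ == "__main__":
    print(unscanned_releases(SPAM_FIRST, BYPASS))
    print(unscanned_releases(SCAN_FIRST, BYPASS))
    print(unscanned_releases(SPAM_FIRST_RESCAN, RESUBMIT))
```

Switching the global option to Resubmit changes nothing unless the virus scanning job itself is set to check resent mail, which is why the second condition is modelled per job.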

5.7.2 AntiVir Reports

With Avira AntiVir Exchange’s Reporting and Statistics functions, you can retrieve detailed information on e-mail processing. Eight predefined reports and one advanced statistics report are available. The advanced statistics report can be defined individually. The reports can be accessed through the AntiVir Monitor. The reports list the policy violations detected (e.g. viruses, undesired file attachments) both graphically and in list form. Specific reports are available for the most current issues. In addition, information on AntiVir quarantines is also shown. Reports can be created for freely selectable periods. They can be printed and exported with a wide range of options for further processing.
Report data is temporarily stored during processing and written to the evaluation database at half-hour intervals, i.e. processed e-mails do not appear immediately in the reports.
Click AntiVir Reports and double-click the required report in the right pane to open it. In the window that now appears, enter the desired timespan for the report. Click the export icon to export the analysis in one of several formats for importing into another application.

6 AntiVir

6.1 Overview

AntiVir checks messages for viruses, for the type and size of their attachments and for the total message size.
In that context, a distinction is made between scanning on the transport level (inbound/outbound messages) and scanning in the MS Exchange database (public and private Information Store).
Job types
- Virus scanning in inbound and outbound messages
  Job: AntiVir Virus Scanning
- Virus scanning in MS Exchange databases (on access & proactive/background)
  Job: Information Store scan
- Blocking specific file types in attachments
  Job: AntiVir Attachment Filtering
- Limiting message size
  Job: AntiVir E-mail Size Filtering
- Limiting attachment type and/or size
  Job: AntiVir Attachment/Size Filtering
Create a separate job for each restriction type. The job types cannot be changed later on.
The diagram below illustrates the working principle:

6.2 Virus Scanning

One or more third-party scan engines are used for virus scanning. With the exception of AntiVir powered by Avira, you must install these virus scanners yourself on the Exchange server so that AntiVir can use them.
You must therefore also configure the scan engines for AntiVir. Open the Basic Configuration → Utility Settings and enter your scan engines under Scan Engines. This menu item is the interface between your scan engine(s) and AntiVir. AntiVir supports scan engines from the following manufacturers:
- Avira
- Sophos
- Norman
- Trend Micro
- Symantec
- McAfee
- F-Secure
- Command Software
The AntiVir Virus Scanning job starts the selected scan engines as defined in the configured conditions. The conditions determine the messages for which a job will be performed. If you have selected several scan engines, the mails are checked by all of them and cleaned if they are infected. If configured, further actions are performed as previously defined:
The example below illustrates the working principle of a virus scanning job. The job checks, for instance, an e-mail with the result “virus found”. It triggers a virus alarm and initiates a series of actions specified under Actions. You can, for instance, specify the following:
1. If a virus is found, clean the original mail and deliver it to the recipient.
2. If the mail could not be cleaned, a copy of it is placed in your selected quarantine folder and the original is deleted without being forwarded.
3. Notifications with the relevant information from the scan engine and the AntiVir job are then sent to the administrator, sender and recipient.
The following actions are possible:
- Scan for Viruses
- Clean infected message
- Add a subject extension
- Copy the entire message into quarantine
- Remove infected attachments from the message
- Delete the affected message without delivering it
- Run an external application
- Notify the administrator
- Notify the sender
- Notify the recipient
- Notify any other, user-definable persons
- Add X-header field
- Redirect mail

6.2.1 Scanning in the Information Store

In addition to virus scanning at transport level, AntiVir Exchange is also able to scan data in the public or private MS Exchange Information Store.
There are three basic types of Information Store scanning:
• On-demand scan
  When a client tries to open a mail, a comparison is performed to ensure that text body and attachment have been checked by the current virus signature file. If they have not, the message is scanned before being forwarded to the client. On-demand scanning is the most commonly used task for Information Store scanning.
• Proactive scan
  The proactive scan catches new messages before these are accessed by a client through an on-demand scan. Used in addition to on-demand scanning, it can help to speed up client access.
• Background scan
  A background scan checks all elements of the Information Store. It can be activated separately for the public and private Information Stores and scans all elements that were not yet scanned with the current scanner signature file.
In addition to a scheduled execution, the background scan is run whenever the database is loaded (for example when a server is started).
The Information Store scan is a global function that applies to the entire server, so that only one AntiVir Information Store scan job exists on each server (as opposed to any number of AntiVir virus scanning jobs).
If a virus is found in a mail, various actions tailored to the Information Store scan can be performed:
• Blocking an object
  Object blocking denies access to the entire message object. Current Microsoft mail clients generate a message when the user tries to open a blocked message, while other and older clients may respond differently. The blocked message can always be deleted, however.
• Replacing
  You can replace infected elements with an information text. The infected element is then deleted.
• Do not mark infected
  In exceptional cases, you may decide that an infected element is not to be flagged infected. Subsequent virus scans will then find the virus again. This action is intended for testing only, as it provides no protection for users and the system.
Virus scanning in the MS Exchange Information Store is performed by the Microsoft Virus Scanning API version 2.0/2.5. For further information, visit http://support.microsoft.com/kb/285667/DE/.
Messages blocked by the Information Store scan may result in error messages during Information Store backups.
Exiting or uninstalling Avira AntiVir Exchange and terminating the Information Store scan jobs releases any elements that were blocked due to virus infection and disables the Information Store’s active virus protection.

6.2.2 AntiVir powered by Avira

The AntiVir Engine is found automatically and is enabled by default.
Default parameters:
/decomp (decompress PKLite and LZExe archives)
/verbosescan (scan complete file)
Additional parameters:
/paranoid (interpret warning from heuristic analysis as virus)
If you are using a proxy server, change the savapi.ini file for online updates of the virus patterns:
1. Stop the SAVAPI service.
2. Go to folder AntiVirExchange\Engine\.
3. Open the savapi.ini file with Notepad and add the following parameters:
– Use proxy server for updates
If this value is enabled (1), the engine tries to download the updates through the specified proxy. By default, no proxy server is used.
Example: ProxyEnabled=0 (= disabled).
– Proxy server address
Here, you can enter the full name or IP address of the proxy server used for the update. This value is used only when “ProxyEnabled” is set to “1”.
Example: ProxyUrl=proxy.mydomain.com
– Proxy port address
The port specified here is used for updates through the proxy server. This value is used only when “ProxyEnabled” is set to “1”. Enter the proxy server’s port number here.
Example: ProxyPort=3128
– User name for proxy server (proxy authentication)
Enter the user name here under which the update service logs on to the proxy server. This value is used only when “ProxyEnabled” is set to “1”.
Example: ProxyUserName=fmaier
– Password for proxy server (proxy authentication)
Enter the password for the proxy server login user name here. This value is used only when “ProxyEnabled” is set to “1”.
Example: ProxyPassword=passwort
– Search interval for new updates
This value specifies the number of minutes after which the update service searches for new versions on the server entered under Update URL. The default value is 120 minutes (2 hours). An update of the engine and virus signatures is performed automatically immediately after the first action (virus scan). If this value is zero, automatic updating is disabled.
Example: UpdateInterval=120
6.2.3 Enabling Virus Scanning – Example
Under Policy Configuration → Mail Transport Jobs, you will find the Virus Scanning With AntiVir Engine job. Double-click this job to open it.
6.2.3.1 General Settings
Under the General tab, enter your own name for the job. You can identify a disabled job by the red cross in the lower corner of the job symbol. Set the job to Enabled. Once you have saved your settings with OK and closed the job, the job is enabled and the red cross disappears.
By default, the Subject Extension is pre-set to AntiVir checked. This text is added to the subject of each mail checked by the job.
This job is also applied to messages resent from quarantine. The Processing action for sending from quarantine applies to all jobs and has priority. If, therefore, you resend a message with the Deliver the e-mail bypassing any AntiVir jobs on this server option, it is not processed by any job. You should therefore set the Processing action to Resubmit the e-mail to all AntiVir jobs on this server.
For further information on sending quarantined mail, refer to “Icons used on these tabs:” on page 55.
This job is mission-critical
If a job is Mission-critical, any errors – such as a missing virus scanner – result in the processed message being placed in the badmail area. Enable this option for critical jobs such as virus scanning.
Until the fault is rectified, all affected e-mails, both inbound and outbound, are placed in the badmail area!
A job is not Mission Critical when any processing errors are to be ignored for the corresponding mail, in which case it is passed to the next job for further processing. All processing errors are recorded in the Windows Event Log. If the same processing error occurs five times in succession, the job is disabled and automatically restarted after 15 minutes. Do not enable this option for company-critical jobs such as adding an individual signature with AntiVir Trailer (deselect checkbox).
The default settings for almost all jobs are not Mission Critical. All the jobs which can be classified as company-critical jobs should be determined in the company policy.
Write processing log
The Processing Log provides information on how e-mails were processed by the job. Enable this function if you need some sort of evidence (e.g. that mails were encrypted) or if you wish to test the job.
With this option enabled, information on whether and how the job has processed the mail is written into a text file for each mail. This log text file is stored in the Avira AntiVir Exchange installation directory in the Log folder. Logging is defined for each job, but the text file contains the information for all jobs for which Write processing log is enabled. A separate text file is created for each day.
Name of the text file: Audit_all_<date of last modification>.log, e.g. Audit_all_20050909.log.
Individual pieces of information on the e-mail processed are separated by semicolons and can therefore be evaluated manually or automatically:
1. Date and time when the mail was processed
2. Job ID
3. Job name
4. Message ID
5. SMTP sender
6. SMTP recipient
7. AntiVir filtering result
a) Restricted - E-mail matches the restrictions defined
b) Unrestricted - E-mail does not match the restrictions defined
Recipient groups are resolved, with a separate line written for each recipient.
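The automatic evaluation mentioned above could look like the following added example, which is not part of the Avira product or manual. It reads lines with the seven semicolon-separated fields and counts restricted messages per sender without counting a message once per recipient line. The timestamp format, the job IDs, the addresses and the assumption that no field itself contains a semicolon are constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

RESULTS = {"restricted", "unrestricted"}


class AuditRecord(NamedTuple):
    timestamp: str    # kept as text; the manual does not give the exact format
    job_id: str
    job_name: str
    message_id: str
    sender: str
    recipient: str
    result: str       # "Restricted" or "Unrestricted"


def parse_audit(lines):
    """Split each line into the seven fields; return (records, rejected)."""
    records, rejected = [], []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        # Assumption: no field contains a semicolon, so 7 parts are expected.
        if len(parts) != 7 or parts[6].lower() not in RESULTS:
            rejected.append((lineno, line))   # keep damaged lines for review
            continue
        records.append(AuditRecord(*parts))
    return records, rejected


def restricted_hits(records):
    """Map (message ID, job name) to the sorted recipients of that hit."""
    hits = defaultdict(set)
    for r in records:
        if r.result.lower() == "restricted":
            hits[(r.message_id, r.job_name)].add(r.recipient)
    return {key: sorted(rcpts) for key, rcpts in hits.items()}


def restricted_by_sender(records):
    """Count distinct restricted messages per SMTP sender.

    One line is written per recipient, so counting lines would overcount;
    the message ID is used to collapse them.
    """
    messages = {(r.sender, r.message_id)
                for r in records if r.result.lower() == "restricted"}
    return Counter(sender for sender, _ in messages)


# Constructed sample in the field order listed above (not real log output).
SAMPLE_LOG = """\
2005-09-09 08:15:02;3;Virus Scanning With AntiVir Engine;<a1@mail.example.org>;alice@example.org;bob@example.com;Unrestricted
2005-09-09 08:17:40;3;Virus Scanning With AntiVir Engine;<b2@mail.example.net>;mallory@example.net;bob@example.com;Restricted
2005-09-09 08:17:40;3;Virus Scanning With AntiVir Engine;<b2@mail.example.net>;mallory@example.net;carol@example.com;Restricted
2005-09-09 08:20:11;7;Block Video Files;<c3@mail.example.net>;mallory@example.net;bob@example.com;Restricted
this line is damaged
2005-09-09 08:21:00;7;Block Video Files;<d4@mail.example.org>;alice@example.org;carol@example.com;Unrestricted
"""

if __name__ == "__main__":
    recs, bad = parse_audit(SAMPLE_LOG.splitlines())
    for sender, count in restricted_by_sender(recs).most_common():
        print(f"{sender}: {count} restricted message(s)")
    for (msg_id, job), rcpts in restricted_hits(recs).items():
        print(f"{msg_id} [{job}] -> {', '.join(rcpts)}")
    print(f"{len(bad)} line(s) could not be parsed")
```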
6.2.3.2 Setting up Address Conditions
Under the Addresses tab, specify the senders or recipients to which this job is to apply. You can select addresses from existing lists or from your own. For details on how to make the best use of address lists and details, see description under “Address Lists” on page 30.
6.2.3.3 Setting up Content Conditions
Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for.
The content conditions and the address conditions set in the Addresses tab must both be met for a job to be run (logical AND).
6.2.3.4 Defining Actions
Under the Actions tab, specify the actions to be taken when the job finds a virus-infected message.
This job scans messages for viruses but does not attempt to clean infected messages and attachments. Though all virus scanners are capable of cleaning infected objects, it is advisable to quarantine infected attachments immediately, as, in practice, viruses are usually received in spam and rarely from infected, known communication partners.
Extra archive scan with AntiVir Exchange unpacker: If you are using a virus scanner that does not have an integrated unpacker, enable this option. AntiVir Exchange’s built-in unpacker will then extract the compressed files before passing them to the virus scanner.
After you have defined what is to be checked, specify two different actions:
1. One to be performed in case a virus was found and the file could not be cleaned,
2. and another in case the file was cleaned successfully (if you have selected this option).
In the first case, the following actions are available:
In this example, a copy of the message is placed in quarantine and the infected attachments are deleted. The message is delivered to its recipient only if the message body is virus-free and the attachment could be deleted. A notification on the virus is sent to the administrator. You can select this notification from the list menu of available notification templates, which you can format using the HTML toolbar or by entering appropriate HTML code yourself.
Check whether the infected mails addressed to your company are often also spam. If they are, it is best to delete the entire message and not just the attachment. This saves filtering of the remaining message text.
If you have selected the Scan options: Scan e-mail body option and a virus is found in the text body, the entire message including any attachments is deleted if you have selected the Delete and don’t deliver the restricted attachment(s) option (attachments are not delivered without text body). The affected message section is usually deleted separately. If only the attachment was infected, only the attachment is deleted.
To define further actions, click Add:
Note about Redirect mail: When you redirect a TNEF message to an external address, the recipient will get a blank message that may contain an attached file called winmail.dat. Exchange uses the TNEF format when an Outlook user (not Outlook Express!) sends a message within an Exchange organization. This format is not used for Internet communications or by other mail programs.
Select Notification for a notification to a user-defined recipient or Start external program to perform different actions and click Next:
To select additional recipients or enter your own addresses, click the address book icon. When you have entered a recipient, click Finish.
For starting an external application, enter its name and path, any optional parameters and a timeout:
In the second case – the virus was removed – the following actions are available:
In this example, the message is delivered, the Subject text is appended, and a notification is sent to the administrator for tracking purposes.
6.2.3.5 Selecting Servers
Under the Server tab, select the server or servers on which the job is to be enabled.
Click Select. A dialog similar to the one for selecting scan engines appears.
If a server is not listed, it may not be correctly configured. For further information on configuring AntiVir servers, refer to “Individual Server Settings” on page 27.
6.2.3.6 Entering Job Details
Under the Details tab, you can add a job description:
Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings. Click on the button. The configuration is saved in the ConfigData.xml file located in the Avira GmbH\AntiVirExchange\Config folder. Pending changes are indicated by an asterisk (*) next to the top node.
6.3 Virus Scan in the Information Store – Sample Job
Under Policy Configuration in the Information Store jobs area, you will find an Information Store scan job for each server. Double-click this job to open it.
When you enable or disable the Information Store scan job, it takes up to two minutes for the Exchange Store to register the change.

6.3.1 General Settings

Under the General tab you can enable on-demand scanning for both the private and the public Information Store.
In addition to on-demand scanning, you can also enable proactive and background scanning. For further information, refer to “Scanning in the Information Store” on page 61.
For details on the Mission Critical option, refer to This job is mission-critical.

6.3.2 Scheduling

Use the Schedule tab to define a schedule for restarting the scan. When scanning is restarted, all elements in the Information Store are checked one more time. This applies to all three scan modes. If you have enabled background scanning, this scan may take a long time and use a lot of processor capacity. It is therefore advisable to restart scanning during periods of low system usage and following pattern file updates.
To create a schedule entry click Add. Then select a start time and the days on which restarting is to be performed. Confirm with OK.

6.3.3 Defining Actions

Under the Actions tab, specify the actions to be taken if the job finds an infected mail. Extra archive scan with AntiVir Exchange unpacker: If you are using a virus scanner that does not have an integrated unpacker, enable this option. AntiVir Exchange’s built-in unpacker will then extract the compressed files before passing them to the virus scanner.
Three different actions are possible:
1. Virus found/Removing not successful: Specifies the actions if a virus was found and the file could not be cleaned.
a) Specify whether a copy of the object is to be quarantined and labeled. A separate default quarantine is available for the Information Store.
b) With the second option, the object can be blocked, replaced or ignored. Also refer to “Scanning in the Information Store” on page 61.
c) The final option defines whether a notification is sent to the administrator(s).
d) Use the Add button to define further actions, for instance sending notifications to other users or starting an external application.
2. Removing successful: Specifies the actions to be taken if the file was cleaned successfully.
The following actions are available:
a) Use the first option to specify whether a copy of the object is to be quarantined and labeled. The copy is created before cleaning so that the object is quarantined in its original state.
b) In addition you can define whether a notification is sent to the administrator(s).
3. Object unscannable: This option allows you to control the behavior of AntiVir Exchange when it finds encrypted objects, which cannot be opened for scanning.
Two options are available. In the Information Store scan field, select one of two settings:
a) Treat as error
The object will be rescanned with the next scan. If previous scans have not treated the object as uninfected, access is denied.
b) Treat as uninfected
The object is treated as if it were virus-free. It is not rescanned before virus scanning is restarted.
You can also notify the administrator and add further actions by clicking on the Add button.

6.3.4 Job Details

For details on entering the job details, refer to “Entering Job Details” on page 69.

6.3.5 Server Status

Under AntiVir Monitor → Server → <servername>, you will find the Server Status, with the current status of the Information Store scan and the option for a manual restart.
The General tab shows the following:
• Whether the scanner DLL for the Information Store scan is loaded. When the DLL indicates Loaded, the Information Store scan is enabled.
• The Information Store scan version. This number is incremented with every restart.
• The date of the last version update and the time and date of the last restart.
Under the Information Store Scan tab, you can restart background scanning:
When scanning is restarted, all elements in the Information Store are checked one more time. This applies to all three scan modes. If you have enabled background scanning, this scan may take a long time and use a lot of processor capacity. It is therefore advisable to restart scanning during periods of low system usage and following pattern file updates.

6.4 File Restrictions for Attachments

Files can be restricted according to their type and size: you can deny specific file types and you can specify maximum message and attachment sizes. Both the size and the type of attachments can also be checked with a single job.

6.4.1 By Type

AntiVir must be able to identify files according to their type. This is done with file fingerprints (refer to “Configuring Fingerprints” on page 75), which contain a binary file pattern (for example for *.exe files) and/or the file extension (for example for *.vbs files). The result of this scan is compared with the denied/allowed fingerprints under AntiVir Restrictions and blocked or delivered accordingly. For denied files, the job actions are then performed, for instance for a mail with a denied attachment:
1. The denied attachment is copied to the quarantine folder.
2. The message text is delivered to the recipient.
3. Notifications are sent to the administrator and the sender.
An AntiVir Attachment Filtering job can perform the following actions:
• Add a subject extension
• Place the entire message into quarantine
• Remove affected attachments from the message
• Delete the affected message without delivering it
• Run an external application
• Notify the administrator
• Notify the sender
• Notify the recipient
• Notify any other, user-definable persons
• Add X-header field
• Redirect mail

6.4.2 By Message Size

E-mails can be checked for and denied according to their total size. The e-mail size limit is specified under the E-mail Size tab.
An AntiVir E-Mail Size Filtering job can perform the following actions:
• Add a subject extension
• Place the entire message into quarantine
• Delete the affected message without delivering it
• Run an external application
• Notify the administrator
• Notify the sender
• Notify the recipient
• Notify any other, user-definable persons
• Add X-header field
• Redirect mail

6.4.3 By Type and/or Attachment Size

Attachments can be checked for size and messages delivered or denied accordingly. The maximum attachment size is specified on the Fingerprint/Size tab. This job can check and deny attachment types while at the same time filtering by attachment size.
AntiVir Attachment/Size Filtering jobs can perform the same actions as attachment filtering jobs.

6.4.4 Configuring Fingerprints

Fingerprints consist of a name pattern and/or a binary pattern.
• Filename pattern: used to define file types by filenames and file extensions (*.exe, etc.)
• Binary pattern: used to define file types using unique binary file information.
Malicious users can manipulate filenames by simply changing the extension to a different file type. To prevent file type filtering being fooled by this type of manipulation, you can use the binary pattern which uniquely identifies file formats. The binary pattern is therefore the most reliable method for identifying file types.
Filename patterns, however, can be used to quickly react to new virus attacks:
As soon as the extension of the file containing a virus is known (for example Nimda Virus = readme.exe), a virus infection can be prevented even before a virus pattern update is available from the publisher of your antivirus application. A new fingerprint with the filename pattern is simply created to identify the virus.
You can also block individual files:
If your company employs custom software that uses its own file formats, you can also create fingerprints for these files, which you can use, for example, to prevent files of this type being sent as e-mail attachments to recipients outside the company.
You can sort fingerprints and group them into logical categories. Fingerprint categories are listed alphabetically.
1. Under Basic Configuration → Utility Settings, click Fingerprints to view all available categories in the right pane.
2. Click a single category to open it. The individual fingerprints appear in the right pane.
3. You can drag individual fingerprints from the right pane into a different category in the left pane.
4. To view the Properties of a fingerprint in the right pane, double-click or right-click the fingerprint.
To copy fingerprints from the All Fingerprints category, drag them to the desired category. When you drag fingerprints from any of the other categories, they are moved! To copy from other categories, hold the Ctrl key while dragging. A plus symbol then appears in the cursor.
When you delete a fingerprint from any category with the Del key, it is permanently deleted and cannot be restored. To remove a fingerprint from a category without permanently deleting it, right-click it and select Remove fingerprint(s) from this category. Make sure that the fingerprints you want to delete or remove are no longer used by an AntiVir job.
To create a new fingerprint category, click on Fingerprints in the left pane, right-click and select New → Fingerprint Category. For a new fingerprint, right-click the category and select New → Fingerprint.
The Jobs tab lists the jobs that use the fingerprint.
6.4.4.1 Creating Fingerprints with Name Patterns
If a file’s binary pattern is not known, it can be identified quickly using a name pattern. When you open the General tab under Properties for a fingerprint (see “Configuring Fingerprints” on page 75), the following dialog appears (with a Microsoft fingerprint in the example below):
The fingerprint is called Microsoft Access Project and belongs to the Microsoft Office category, which is shown in the Categories pane.
Select the Pattern Settings tab.
In the Name pattern field, enter the file extension for this name pattern.
You can define several filename patterns for each fingerprint. Multiple entries must be separated with a semicolon (;).
You can use the “*” wildcard for multiple characters, for instance to define a fingerprint with the filename pattern “*.vbs”. You can also specify complete filenames in this field. If you enter, for instance, “Att01.cdf” here, the created fingerprint, when specified in a job, denies all files with that name.
If you have selected the Check Binary and Name Pattern option, both the filename pattern (file extension) and the binary pattern of the checked file must correspond with the data in the fingerprint properties. Make sure that you have specified this information. If you have not selected this option, but both patterns have been specified in the fingerprint properties, only one of the patterns must match to identify the file format. For further information on entering name and binary patterns, refer to “Selecting Fingerprints” on page 83.
6.4.4.2 Creating Binary Patterns for Fingerprints
Description
Binary patterns contain the following information:
• Start position
• End position
• Hexadecimal values
1. Start position: The position within a file from which a pattern search is performed.
The following values are possible:
"1"            Start at the first byte of the file
"1", "2", ...  Start at the first byte, second byte, etc. of the file
"-1" ...       Start at the last byte of the file
"-6" ...       Start at the sixth byte from the end of the file
2. End position: The position within a file up to which the pattern search is performed.
The following values are possible:
"-1"           Search to the end of the file
"1", "2", ...  Search up to byte 1, byte 2, etc. of the file
"-11" ...      Search to the eleventh byte from the end of the file
3. Hexadecimal values: The pattern to be searched for between the start and end positions. Fingerprints can consist of several binary patterns.
Go to the fingerprint Properties (see “Configuring Fingerprints” on page 75) and select the Pattern Settings tab. Click Add.
Enter the start position, the end position and the hexadecimal search value.
The start position is the point in the file from which the specified binary pattern will be searched for. The position of the first byte in the file, i.e. the beginning of the file, is offset 1. The second byte then has an offset of 2, etc. The end position is the offset up to which the pattern is searched for.
If the number in one or both of these fields is prefixed with a minus sign (“-”), the bytes are counted in reverse. The entry -1, for example, is the last byte of the file. -2 would then be the last but one byte, etc. The file size is irrelevant for this purpose. A start position of 1 and an end position of -1 means that the entire file will be searched for the specified pattern. You can also enter two negative values, for example -6 as start position and -1 as end position. The search is then performed from the last byte to the sixth from last byte, regardless of the byte size of the file. A positive start position and a negative end position are always possible, for example 11 as start position (the eleventh byte) and -10 as end position (the tenth byte from the end). You cannot enter a negative start position and a positive end position.
Example: Windows/OS2 Bitmap Files (*.bmp)
When you open the pattern settings for a bitmap file, the following dialog appears:
For details on the Check Binary and Name Pattern option, refer to “Configuring Fingerprints” on page 75.
Now click Edit to open the first entry. The following dialog appears:
The start position is “1”, the end position “3”. This means that the file is searched for the binary pattern “42 4D” between the first and the third byte, i.e. between offset 1 and offset 3. The binary pattern is entered as a hexadecimal number in the lower field. The pattern in this example corresponds to the letters “BM”. This is part of the ID of a Windows/OS2 bitmap file. This is still not a complete pattern.
To complete the binary pattern for a bitmap file, you must add one more entry, which looks like this:
Here, a search is performed for the pattern “00000000” between offsets 7 and 11.
Only when both binary patterns have been found in a file does the file match the pattern and can it be identified as a bitmap. For each additional search pattern, click Add.
If you want to identify fingerprint binary patterns that are not included in the supplied list of file patterns, please contact the publisher of the software to which the file type applies, e.g. Adobe for Acrobat (*.pdf) files or contact our Support.
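The position rules and the Check Binary and Name Pattern option described above can be checked with the following added example, which is not Avira's code. It evaluates the bitmap entries from this section and the ZIP entry (start 1, end 4, 504B0304) against constructed sample bytes and shows the result for a file whose extension does not match its content. It assumes that a pattern must lie entirely inside its start/end window, that name matching ignores case, and that the ZIP fingerprint carries the name pattern "*.zip".

```python
from fnmatch import fnmatchcase


def window(data: bytes, start: int, end: int) -> bytes:
    """Bytes from position start to position end, both inclusive.

    Positions are 1-based; negative positions count back from the end of the
    file (-1 is the last byte), as described for the Pattern Settings tab.
    """
    if start == 0 or end == 0:
        raise ValueError("positions are 1-based, 0 is not valid")
    if start < 0 < end:
        raise ValueError("a negative start with a positive end is not allowed")
    size = len(data)
    first = start - 1 if start > 0 else size + start
    last = end - 1 if end > 0 else size + end
    first, last = max(first, 0), min(last, size - 1)   # clamp to the file
    return data[first:last + 1] if first <= last else b""


def binary_matches(data, patterns):
    """True when every (start, end, hex) entry is found inside its window."""
    return all(bytes.fromhex(h) in window(data, s, e) for s, e, h in patterns)


def name_matches(filename, name_pattern):
    """name_pattern holds one or more patterns separated by ';'.

    fnmatchcase also understands '?' and '[...]'; the manual only
    documents '*', so the other wildcards are not relied on here.
    """
    name = filename.lower()
    pats = [p.strip().lower() for p in name_pattern.split(";") if p.strip()]
    return any(fnmatchcase(name, p) for p in pats)


def fingerprint_matches(fp, filename, data):
    """Apply a fingerprint; 'check_both' models Check Binary and Name Pattern."""
    name_hit = bool(fp.get("name")) and name_matches(filename, fp["name"])
    bin_hit = bool(fp.get("binary")) and binary_matches(data, fp["binary"])
    if fp.get("check_both"):
        return name_hit and bin_hit      # both patterns must correspond
    return name_hit or bin_hit           # either pattern identifies the file


# Fingerprints built from the entries shown in this section.
BMP = {"name": "*.bmp", "binary": [(1, 3, "42 4D"), (7, 11, "00000000")]}
ZIP = {"name": "*.zip", "binary": [(1, 4, "504B0304")]}  # name pattern assumed

# Constructed sample content: a minimal bitmap header and a ZIP local header.
BMP_BYTES = (b"BM" + (70).to_bytes(4, "little") + bytes(4)
             + (54).to_bytes(4, "little") + bytes(16))
ZIP_BYTES = b"PK\x03\x04" + bytes(26)

if __name__ == "__main__":
    cases = [("photo.bmp", BMP_BYTES), ("notes.txt", BMP_BYTES),
             ("notes.txt", ZIP_BYTES)]
    for fname, content in cases:
        either = fingerprint_matches(BMP, fname, content)
        both = fingerprint_matches(dict(BMP, check_both=True), fname, content)
        print(f"{fname:10} BMP fingerprint: either={either} both={both}")
```

With the option selected, the bitmap content named notes.txt no longer matches the fingerprint; a job that has to catch renamed files therefore needs the binary pattern to be able to decide on its own.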
6.4.4.3 Further Fingerprint Examples
Example of a simple fingerprint: ZIP file
Start End Hex value
1 4 504B0304
Example of a more complex fingerprint: Windows Meta File
Start End Hex value
1 13 576F72642E446F63756D656E74
1 -1 57006F007200640044006F00630075006D0065006E0074
1 10 D0CF11E0A1B11AE10000
6.4.5 Denying File Attachments by Type – Example
Under Policy Configuration → Sample Jobs, you will find various jobs for blocking different file formats.
• Block Archives, Except ZIP Files
  Blocks all compressed formats except ZIP files
• Block Suspicious Attachments
  Blocks known malicious attachments such as Nimda.
• Block Image Files
  Blocks image formats
• Block Video Files
  Blocks video formats
• Block Sound Files
  Blocks sound formats
• Block Executable Files
  Blocks exe, com files, etc.
We will use the Block Video Files job as an example. Drag this job to the Mail Transport Jobs folder and open it there with a double-click.
6.4.5.1 General Settings
On the General tab, enter your own name for the job. You can identify a disabled job by the red cross in the lower corner of the job symbol. Set the job to Enabled. Once you have saved your settings with OK and closed the job, the job is enabled and the red cross disappears.
By default, the Subject Extension is pre-set to AntiVir checked. If enabled, this text is added to the subject of each mail checked by the job.
This job does not process mails that are being resent from Quarantine (AntiVir Monitor → <Select e-mail> → All Tasks → Resend Quarantine item), even if the Resubmit the e-mail to all AntiVir jobs option has been enabled. The option Ignore e-mails resent from quarantine means that this job is systematically skipped when a mail is resent from Quarantine.
For further information on sending quarantined mail, refer to “Icons used on these tabs:” on page 55. For details on the Mission Critical option, refer to This job is mission-critical. The Write processing log option is described under Write processing log.
6.4.5.2 Setting up Address Conditions
Under the Addresses tab, specify the senders or recipients to which this job is to apply. You can select addresses from existing lists or from your own. For details on how to make the best use of address lists and details, see description under “Address Lists” on page 30.
6.4.5.3 Setting up Content Conditions
Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for.
The content conditions and the address conditions set in the Addresses tab must both be met for a job to be run (logical AND).
6.4.5.4 Selecting Fingerprints
Under the Fingerprints tab, select the denied fingerprints:
Scan inside compressed attachments means that the internal unpacker opens archives and checks the files it contains for the specified fingerprints. If this option is not selected, only the archive is checked and identified as compressed format.
Fingerprint conditions: Click Video or No fingerprints selected to select a fingerprint category or an individual fingerprint from the list. You get the following view:
With the Add and Remove buttons, you can assign entire categories or individual fingerprints to the list of denied and/or allowed fingerprints. To do so, double-click the category in the left pane or click the + sign to open it.
You can enter a category such as “Video” under Denied Fingerprints and define one or more fingerprints from that category as exception under Allowed Fingerprints. To keep a clear overview, do not use the same job for too many categories.
For further information on fingerprints, refer to “Configuring Fingerprints” on page 75.
6.4.5.5 Defining Actions
Under the Actions tab, specify the actions to be taken when the job finds an attachment with a denied fingerprint.
In this example, a copy of the message is placed in quarantine and the infected attachments are deleted. The message is delivered to its recipient, but the denied attachments are removed. A notification about the denied fingerprint is sent to the administrator. You can select this notification from the list menu of available notification templates, which you can format using the HTML toolbar or by entering appropriate HTML code yourself.
To define further actions, click the Add button. For a description of the procedure, refer to the AntiVir job example, “Defining Actions” on page 65.
6.4.5.6 Selecting servers/Job Details
For details on selecting servers and entering job details, refer to “Selecting Servers” on page 69 and “Entering Job Details” on page 69.

6.4.6 Limiting Message Size - Example

Under Policy Configuration → Sample Jobs you will find the Block E-mails Larger 100 MB job.
The message size limit applies to the e-mail as a whole, including subject, text body, header and attachments.
Drag this job to the Mail Transport Jobs folder and open it there with a double-click.
6.4.6.1 General Settings
Under the General tab, you can enter your own name for the job. You can identify a disabled job by the red cross in the lower corner of the job symbol. Set the job to Enabled. Once you have saved your settings with OK and closed the job, the job is enabled and the red cross disappears.
By default, the Subject Extension is pre-set to AntiVir checked. If enabled, this text is added to the subject of each mail checked by the job.
This job does not process mails that are being resent from Quarantine (AntiVir Monitor → <Select e-mail> → All Tasks → Resend Quarantine item), even if the Resubmit the e-mail to all AntiVir jobs option has been enabled. The option Ignore e-mails resent from quarantine means that this job is systematically skipped when a mail is resent from Quarantine.
For further information on sending quarantined mail, refer to “Icons used on these tabs:” on page 55. For details on the Mission Critical option, refer to This job is mission-critical. The Write processing log option is described under Write processing log.
6.4.6.2 Setting up Address Conditions
Under the Addresses tab, specify the senders or recipients to which this job is to apply. You can select addresses from existing lists or from your own. For details on how to make the best use of address lists, see the description under “Address Lists” on page 30.
6.4.6.3 Setting up Content Conditions
Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for.
The content conditions and the address conditions set under the Addresses tab must both be met for a job to be run (logical AND).
6.4.6.4 Specifying Message Size
Under the E-Mail Size tab, enter the e-mail size limit in kilobytes:
With the setting above, the maximum permissible size of each incoming and outgoing e-mail is 100,000 kilobytes.
6.4.6.5 Defining Actions
Under the Actions tab, specify the actions to be taken when the job finds an e-mail that exceeds the maximum size.
In this example, a copy of the message is placed in quarantine and the message is deleted without being delivered to its recipient. A notification about the excessive message size is sent to the administrator. You can select this notification from the list menu of available notification templates, which you can format using the HTML toolbar or by entering appropriate HTML code yourself.
To define further actions, click the Add button. For a description of the procedure, refer to the AntiVir job example “Defining Actions” on page 65.
6.4.6.6 Selecting servers/Job Details
For details on selecting servers and entering job details, refer to “Selecting Servers” on page 69 and “Entering Job Details” on page 69.
Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings. Click on the button. The configuration is saved in the ConfigData.xml file located in the Avira GmbH\AntiVirExchange\Config folder. Pending changes are indicated by an asterisk (*) next to the top node.
6.4.7 Denying Attachment Types and Size – Example
Under Policy Configuration → Sample Jobs you will find several jobs for blocking specific file formats above a given file size:
• Block Office Files > 10 MB
  Microsoft Office Files larger than 10 MB
• Block Sound Files > 5 MB
  Sound Files larger than 5 MB
• Block Video Files > 5 MB
  Video Files larger than 5 MB
Unlike message size checking, attachment format and size checking applies to attachments only; subject, text body and message header are not taken into account.
We will use the Block Office Files > 10 MB job as an example. Drag this job to the Mail Transport Jobs folder and open it there with a double-click.
6.4.7.1 General Settings
Under the General tab, enter your own name for the job. You can identify a disabled job by the red cross in the lower corner of the job symbol. Set the job to Enabled. Once you have saved your settings with OK and closed the job, the job is enabled and the red cross disappears.
By default, the Subject Extension is pre-set to AntiVir checked. If enabled, this text is added to the subject of each mail checked by the job.
This job does not process mails that are being resent from Quarantine (AntiVir Monitor → <Select e-mail> → All Tasks → Resend Quarantine item), even if the Resubmit the e-mail to all AntiVir jobs option has been enabled. The option Ignore e-mails resent from quarantine means that this job is systematically skipped when a mail is resent from Quarantine.
For further information on sending quarantined mail, refer to “Icons used on these tabs:” on page 55. For details on the Mission Critical option, refer to This job is mission-critical. The Write processing log option is described under Write processing log.
6.4.7.2 Setting up Address Conditions
Under the Addresses tab, specify the senders or recipients to which this job is to apply. You can select addresses from existing lists or from your own. For details on how to make the best use of address lists, see the description under “Address Lists” on page 30.
6.4.7.3 Setting up Content Conditions
Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for.
The content conditions and the address conditions set under the Addresses tab must both be met for a job to be run (logical AND).
6.4.7.4 Specifying Fingerprint and Size
Under the Fingerprint/Size tab, enter the maximum permissible e-mail size and the fingerprint format:
Unlike for simple fingerprint checking, the Scan inside compressed attachments option is not available here. To limit the size of compressed files, enter their formats in this job.
Fingerprint/size conditions: To specify the size in kilobytes, click 10000. To select a fingerprint category, an individual fingerprint or the maximum size from the list of fingerprints, click on Microsoft Office.
The following view is displayed:
With the Add and Remove buttons, you can assign entire categories or individual fingerprints to the list of denied and/or allowed fingerprints. To do so, double-click the category in the left pane or click the + sign to open it.
You can enter a category such as “Microsoft Office” under Denied Fingerprints and define one or more fingerprints from that category as exception under Allowed Fingerprints. To keep a clear overview, do not use the same job for too many categories.
For further information on fingerprints and on entering name and binary patterns, refer to “Configuring Fingerprints” on page 75.
6.4.7.5 Defining Actions
Under the Actions tab, specify the actions to be taken when the job finds an e-mail that was denied by an attachment/size job.
In this example, a copy of the message is placed in quarantine, the infected attachments are deleted, and the message is delivered without its attachment. A notification on the restriction is sent to the administrator. You can select this notification from the list menu of available notification templates, which you can format using the HTML toolbar or by entering appropriate HTML code yourself.
To define further actions, click the Add button. For a description of the procedure, refer to the AntiVir job example “Defining Actions” on page 65.
6.4.7.6 Selecting servers/Job Details
For details on selecting servers and entering job details, refer to “Selecting Servers” on page 69 and “Entering Job Details” on page 69.
Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings. Click on the button. The configuration is saved in the ConfigData.xml file located in the Avira GmbH\AntiVirExchange\Config folder. Pending changes are indicated by an asterisk (*) next to the top node.

7 AntiVir Wall

7.1 Overview

AntiVir Wall is used to filter e-mails or attachments according to their text content, check images for offensive contents, classify e-mails according to their content, limit the number of inbound or outbound e-mail addresses and to limit the number of recipients per e-mail.
Job types
• Filtering by e-mail address
  Job: AntiVir Wall E-Mail Address Filtering
• Filtering by message or attachment content
  Job: AntiVir Wall Content Filtering
• Spam filtering
  Job: AntiVir Wall Spam Filtering
• Spam filtering using DCC server
  Job: AntiVir Wall DCC Spam Filtering
• Checking for offensive images with Xblock
  Job: AntiVir Wall Xblock Image Filtering
• Restricting the number of recipients
  Job: AntiVir Wall Recipient Limit Filtering
Create a separate job for each restriction type. The job types cannot be changed later on.
For details on setting up jobs, refer to the sample jobs, such as “Blocking Senders and/or Recipients – Example” on page 95. The diagram below illustrates the working principle:

7.2 Address Filtering

Address filtering focuses on the senders and recipients of the e-mails. You can deny specific senders, so that no mail from these addresses is delivered to your users, and you can deny specific recipients, so that none of your employees (or only selected people) can send mail to them.
The following objects can be used for address filtering:
• Mail-Enabled Active Directory users
• Mail-Enabled Active Directory groups
• Mail-Enabled Active Directory contacts
• User-definable SMTP addresses including wildcards
• [INTERNAL] – domains defined as internal in Avira AntiVir Exchange
• [EXTERNAL] – all addresses that are not [INTERNAL]
• “Administrator” – the e-mail addresses defined as Administrator in Avira AntiVir Exchange.
Senders and recipients are defined by the corresponding e-mail fields. A sender can be either an employee of your company sending e-mail to someone outside or someone outside sending an e-mail to an employee of your company. You can define both senders and recipients as individuals or groups.
For address filtering, you can normally use the following wildcards:
• Asterisk (*)
  The asterisk is the wildcard for one or more letters and numbers. It can be used several times within a word or expression.
• Question mark (?)
  The question mark represents a single character. It can also be used several times within a word or expression.
Example: To specify a denied sender, you can enter something like “tom*@*.*” as a disallowed sender instead of individual e-mail addresses. That means that all mail sent by any Tom with any extension (such as family name) and from any domain is denied. This includes your own employee Tom Jones, to whose mails the same restrictions will be applied. To specify a particular domain, you can enter “*@domain.com”. All senders or recipients from this domain are then denied. Be careful when you create an address filtering job for multiple servers that denies an entire domain. It is not always obvious which addresses are private and which are business in nature. Keep in mind that smaller companies may have e-mail addresses under ISP domains, for example @demon.co.uk or @aol.com.
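The following added example (not part of the Avira manual or the product's own code) models the wildcard rules described above so that a proposed deny pattern can be checked against sample addresses before it is entered in a job. It assumes that * matches one or more characters of any kind and that matching is case-insensitive; the function names, sample addresses and internal domain are constructed for illustration.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into a compiled regular expression.

    '*' -> one or more characters, '?' -> exactly one character.
    Assumptions: '*' may match any character, matching ignores case.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(pattern, address):
    """True if the whole address is covered by the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(address) is not None

def audit_deny_pattern(pattern, sample_addresses, internal_domains):
    """Return (all_hits, internal_hits) for a proposed deny pattern."""
    hits = [a for a in sample_addresses if matches(pattern, a)]
    internal = [a for a in hits
                if a.rsplit("@", 1)[-1].lower() in internal_domains]
    return hits, internal

# Constructed sample data: one internal domain and a mix of senders.
INTERNAL = {"example.com"}
SAMPLE = [
    "tom.jones@example.com",      # own employee, hit by "tom*@*.*"
    "tomas@partner.example.net",  # business partner, also hit
    "tom1@mail.example.org",
    "tom@example.com",            # not hit: '*' needs at least one character
    "atom@spam.example.org",      # not hit: pattern is anchored at the start
    "sales@domain.com",
    "sales@sub.domain.com",       # not hit by "*@domain.com" (subdomain)
]

if __name__ == "__main__":
    for pat in ("tom*@*.*", "tom?@*.*", "*@domain.com"):
        hits, internal = audit_deny_pattern(pat, SAMPLE, INTERNAL)
        print(f"{pat!r}: {len(hits)} hit(s), internal: {internal or 'none'}")
        for addr in hits:
            print("   ", addr)
```

A non-empty internal list means the pattern would also deny your own users, as in the Tom Jones case above.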
Address filtering is a simple means for filtering out e-mails sent from known spam addresses. The usual suspects can be intercepted at the server and deleted at once.
Because the processing condition is the same as the job restriction condition for address filtering, a subject extension – if defined – is added to passed e-mails even if the message does not meet the processing condition.