F-secure ANTI-VIRUS FOR MICROSOFT EXCHANGE 7.10 ADMINISTRATOR GUIDE

F-Secure Anti-Virus for
Microsoft Exchange
Administrator ’s Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.
Copyright © 1993-2007 F-Secure Corporation. All rights reserved. Portions Copyright © 1991-2007 Kaspersky Lab.
This product includes software developed by the Apache Software Foundation (http:// www.apache.org/). Copyright © 2000-2007 The Apache Software Foundation. All rights reserved.
This product includes PHP, freely available from http://www .php.net/. Copyright © 1999-2007 The PHP Group. All rights reserved.
This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file. All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the “Artistic License”.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260
12000040-7K27
Contents
About This Guide 9
How This Guide Is Organized ............................................................................................ 10
Conventions Used in F-Secure Guides.............................................................................. 12
Symbols .................................................................................................................... 12
Chapter 1 Introduction 14
1.1 Overview....................................................................................................................15
1.2 How F-Secure Anti-Virus for Microsoft Exchange Works........................... ... ... .... ... ...16
1.3 Key Features..............................................................................................................19
1.4 F-Secure Anti-Virus Mail Server and Gateway Products ...........................................21
Chapter 2 Deployment 23
2.1 Installation Modes......................................................................................................24
2.2 Network Requirements...............................................................................................25
2.3 Deployment Scenarios...............................................................................................26
2.3.1 Environment with a Single Exchange Server .................................................27
2.3.2 Environments with Exchange Roles Deployed on Multiple Servers...............28
2.3.3 Quarantine Management Considerations.......................................................31
Chapter 3 Installation 33
3.1 System Requirements................... ... ... ... .... ... ... ... .... ... ... ....................................... ... ...34
3.1.1 Operating System Requirements ...................................................... ... .... ... ...35
3.1.2 Microsoft Exchange Server Requirements.....................................................35
3.1.3 SQL Server Requirements ....................................................... ... ...................36
3
3.1.4 Web Browser Software Requirements ...........................................................38
3.2 Improving Reliability and Performance ......................................................................38
3.3 Centrally Administered or Stand-alone Installation? ..................................................39
3.4 Installation Overview..................................................................................................40
3.5 Installing F-Secure Anti-Virus for Microsoft Exchange.................. ... .... ... ... ... ... .... ... ...41
3.6 After the Installation ...................................................................................................53
3.6.1 Importing Product MIB files to F-Secure Policy Manager Console.................54
3.6.2 Configuring the Product..................................................................................55
3.7 Upgrading the Evaluation Version.................... ... .... ... ... .............................................56
3.8 Uninstalling F-Secure Anti-Virus for Microsoft Exchange ..........................................57
Chapter 4 Using F-Secure Anti-Virus for Microsoft Exchange 58
4.1 Administering F-Secure Anti-Virus for Microsoft Exchange .......................................59
4.2 Using Web Console ...................................................................................................60
4.2.1 Logging in for the First Time.................... .... ... ... .............................................60
4.2.2 Modifying Settings and Viewing Statistics with Web Console........................62
4.2.3 Checking the Product Status ......................... ... ... ... .... ... ... ... .... ... ... ... .............63
4.3 Using F-Secure Policy Manager Console ..................................................................63
4.3.1 Modifying Settings and Viewing Statistics in Centrally Administered Mode...63
4.4 Selecting Scanning Methods to Use ..........................................................................65
Chapter 5 Centrally Managed Administration 67
5.1 Overview....................................................................................................................68
5.2 F-Secure Anti-Virus for Microsoft Exchange Settings................................................68
5.2.1 Common Settings...........................................................................................68
5.2.2 Transport Protection.......................................................................................76
5.2.3 Storage Protection................ ... ....................................... ... ... .... ... ... ................88
5.3 F-Secure Anti-Virus for Microsoft Exchange Statistics.............................................116
5.3.1 Common.......................................................................................................117
5.3.2 Transport Protection.....................................................................................118
5.3.3 Storage Protection................ ... ... .... ...................................... .... ... ... ... ... .... ... .119
5.3.4 Quarantine....................................................................................................121
5.4 F-Secure Content Scanner Server Settings.............................................................121
5.4.1 Interface........................................................................................................122
4
5.4.2 Virus Scanning........................................................ .... ... ... ... .... ... ... ... ...........123
5.4.3 Virus Statistics............... .... ... ... ... .... ...................................... .... ... ... ..............125
5.4.4 Database Updates........................................................................................126
5.4.5 Spam Filtering..............................................................................................127
5.4.6 Threat Detection Engine.......... ... .... ... ... ... .... ... ...................................... .... ... .128
5.4.7 Proxy Configuration......................................................................................129
5.4.8 Advanced......................................................................................................130
5.5 F-Secure Content Scanner Server Statistics ...........................................................131
5.5.1 Server...........................................................................................................131
5.5.2 Scan Engines ...............................................................................................132
5.5.3 Common.......................................................................................................133
5.5.4 Spam Control................................................................................................133
5.5.5 Virus Statistics............... .... ... ... ... .... ...................................... .... ... ... ..............134
5.6 F-Secure Management Agent Settings....................................................................134
5.7 F-Secure Automatic Update Agent Settings ............................................................135
Chapter 6 Administration with Web Console 138
6.1 Overview..................................................................................................................139
6.2 Home........................................................................................................................139
6.3 Transport Protection.................................................................................................142
6.3.1 Attachment Filtering........................................ ...................................... .... ... .144
6.3.2 Virus Scanning........................................................ .... ... ... ... .... ... ... ... ...........147
6.3.3 Grayware Scanning......................................................................................151
6.3.4 Archive Processing............................................ ... ... .....................................154
6.3.5 Spam Control................................................................................................156
6.3.6 Security Options...........................................................................................157
6.4 Storage Protection .............................. ... .... ... ... ... .... ... ... ... ....................................... .159
6.4.1 Real-Time and Background Scanning..........................................................159
6.4.2 Manual Scanning .........................................................................................172
6.4.3 Scheduled Scanning ....................................................................................185
6.5 Quarantine ...............................................................................................................196
6.5.1 Options.........................................................................................................197
6.6 Automatic Updates........................... ....................................... ... ... ... .... ... ... ..............206
6.6.1 Communications...........................................................................................208
6.7 Content Scanner Server................ ... ... ... .... ...................................... .... ... ... ... ... .... ....212
5
6.7.1 Options.........................................................................................................214
6.8 General ....................................................................................................................223
6.8.1 Network Configuration .................................................................................224
6.8.2 Administration...............................................................................................226
6.8.3 Notifications..................................................................................................231
6.8.4 Lists and Templates ................................................ .... ... ... ... .... ... .................232
6.8.5 Sample Submission......................................................................................235
Chapter 7 Quarantine Management 237
7.1 Introduction ..............................................................................................................238
7.1.1 Quarantine Reasons.....................................................................................239
7.2 Configuring Quarantine Options...............................................................................239
7.3 Searching the Quarantined Content.........................................................................239
7.4 Query Results Page................................... ... ... ... .... ... ... ....................................... ... .244
7.5 Viewing Details of a Quarantined Message .............................................................246
7.6 Reprocessing the Quarantined Content...................................................................248
7.7 Releasing the Quarantined Content.........................................................................249
7.8 Removing the Quarantined Content.........................................................................250
7.9 Deleting Old Quarantined Content Automatically.....................................................250
7.10 Quarantine Logging..................................................................................................251
7.11 Quarantine Statistics................................................................................................251
7.12 Moving the Quarantine Storage ...............................................................................252
Chapter 8 Updating Virus and Spam Definition Databases 254
8.1 Overview..................................................................................................................255
8.2 Automatic Updates with F-Secure Automatic Update Agent....................................255
8.3 Configuring Automatic Updates ...............................................................................255
Chapter 9 Administering F-Secure Spam Control 257
9.1 Overview..................................................................................................................258
9.2 Spam Control Settings in Centrally Managed Environments ...................................259
9.3 Spam Control Settings in Web Console...................................................................263
9.4 Realtime Blackhole List Configuration .....................................................................266
6
9.4.1 Configuring Realtime Blackhole Lists...........................................................266
9.4.2 Optimizing F-Secure Spam Control Performance........................................268
AppendixA Variables in Warning Messages 270
List of Variables................................................................................................................ 271
AppendixB Services and Processes 273
B.1 List of Services and Processes.............. .... ... ... ... .... ... ... ... ... .... ... ... ... ....................... 274
AppendixC Deploying the Product on a Cluster 277
C.1 Installation Overview............................................................................................... 278
C.2 Creating Quarantine Storage ........................................ ... ........................................279
C.2.1 Creating the Quarantine Storage for a Single Copy Cluster Environment ...279 C.2.2 Creating the Quarantine Storage for a Continuous Cluster Replication Environ-
ment..............................................................................................................286
C.3 Administering the Cluster Installation with F-Secure Policy Manager......................290
C.4 Using the Quarantine in the Cluster Installation.......................................................290
C.5 Uninstallation............................................................................................................292
C.6 Troubleshooting .......................................................................................................292
AppendixD Sending E-mail Alerts And Reports 293
D.1 Overview ................................................................................................................. 294
D.2 Solution ....................................................................................................................294
D.2.1 Creating a Scoped Receive Connector....... ... ... ... ... ....... ... ... .... ... ... ... ... .... ... .295
D.2.2 Grant the Relay Permission on the New Scoped Connector....... ... ... ... .... ... .296
D.2.3 Specify SMTP Server for Alerts and Reports ...............................................296
Chapter E Troubleshooting 297
E.1 Overview..................................................................................................................298
E.2 Starting and Stopping...............................................................................................298
E.3 Viewing the Log File.................................................................................................299
E.4 Common Problems and Solutions............................................................................299
E.4.1 Installing Service Packs........................................... .... ... ... ... .... ... ... ... ... .... ....302
E.4.2 Securing the Quarantine....................................... ... .... ... ..............................303
E.4.3 Administration Issues ...................................................................................303
7
E.5 Frequently Asked Questions....................................................................................304
Technical Support 305
F-Secure Online Support Resources ............................................................................... 306
Web Club ....................... ... .... ...................................... .... ... ...................................... .... ....308
Virus Descriptions on the Web .........................................................................................308
8

ABOUT THIS GUIDE

How This Guide Is Organized.................................................... 10
Conventions Used in F-Secure Guides..................................... 13
9
10

How This Guide Is Organized

F-Secure Anti-Virus for Microsoft Exchange Administrator's Guid e is divided into the following chapters:
Chapter 1. Introduction. General information about F-Secure Anti-V irus
for Microsoft Exchange and other F-Secure Anti-Virus Mail Server and Gateway products.
Chapter 2. Deployment. Instructions and examples how to set up your
network environment before you can install F-Secure Anti-Virus for Microsoft Exchange.
Chapter 3. Installation. Instructions how to install and set up F-Secure
Anti-Virus for Microsoft Exchange.
Chapter 4. Using F-Secure Anti-Virus for Microsoft Exchange.
Instructions how to use and administer F-Secure Anti-Virus for Microsoft Exchange.
Chapter 5. Centrally Managed Administration. Instructions how to
remotely administer F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server when they have been installed in centralized administration mode.
Chapter 6. Administration with Web Console. Instructions how to
administer F-Secure Anti-Virus for Microsoft Exchange with the Web Console.
Chapter 7. Quarantine Manageme nt. Instructio ns how you can man age
and search quarantined mails with the F-Secure Anti-Virus for Microsoft Exchange Web Console.
Chapter 8. Updating V irus and Sp am Definition Databases . Instructions
how to update your virus definition database.
Chapter 9. Administering F-Secure Spam Control. General information
about and instructions on how to configure F-Secure Spam Control.
Appendix A. Variables in Warning Messages. Lists variables that can
be included in virus warning messages.
About This Guide 11
Appendix B. Services and Processes. Describes services, devices and
processes of F-Secure Anti-Virus for Microsoft Exchange.
Appendix D. Sending E-mail Alerts And Reports. Instructions how to
configure the product to send alerts to the administrator by e-mail.
Chapter E. Troubleshooting. Solutions to some common problems.
Technical Support. Contains the contact information for assistance. About F-Secure Corporation. Describes the company background and
products. See the F-Secure Policy Manager Administrator's Guide for detailed
information about installing and using the F-Secure Policy Manager components:
F-Secure Policy Manager Console, the tool for remote
administration of F-Secure Anti-Virus for Microsoft Exchange.
F-Secure Policy Manager Server, which enables communication
between F-Secure Policy Manager Console and the managed systems.
12

Conventions Used in F-Secure Guides

This section describes the symbols, fonts, and terminology used in this manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.
IMPORTANT: An exclam ation mark provides important informa tion that you need to consider.
REFERENCE - A book refers you to related information on the topic available in another document.
NOTE - A note provides additional information that you should consider.
l
Fonts
TIP - A tip provides information that can help you perf or m a task more quickly or easily.
An arrow indicates a one-step procedure.
Arial bold (blue) is used to refer to menu names and commands, to
buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book
titles, and titles of other manuals. Arial Italics (black) is used for file and folder names, for figure and table
captions, and for directory tree names. Courier New is used for messages on your compute r screen.
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your
keyboard.
13
PDF Document
For More Information
Arial underlined (blue)
Arial italics is used for window and dialog box names.
This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe® Acrobat® Reader. When pr inting the manual, please print the entire manual, including the copyright and disclaimer statements.
Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and supp o rt contacts.
In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please conta ct us at documentation@f-secure.com
is used for user interface links.
.
1

INTRODUCTION

Overview..................................................................................... 15
How F-Secure Anti-Virus for Microsoft Exchange Works........... 16
Key Features.............................................................................. 19
F-Secure Anti-Virus Mail Server and Gateway Products............ 21
14

1.1 Overview

CHAPTER 1 15
Introduction
Malicious code, such as computer viruses, is one of the main threats for companies today. In the past, malicious code spread mainly via disks and the most common viruses were the ones that infected disk boot sectors. When users began to use office applications with macro capabilities ­such as Microsoft Office - to write documen t s and distribu te them via mail and groupware servers, macro viruses started spreading rapidly.
After the millennium, the most common spreading mechanism has been the e-mail. Today about 90% of viruses arrive via e-mail. E-mails provide a very fast and efficient way for viruses to spread themselves without any user intervention and that is why e-mail worm outbreaks, like Sober, Netsky and Bagle, have caused a lot of damage around the world.
F-Secure Anti-Virus Mail Server and Gateway products are designed to protect your company's mail and groupware servers and to shield the company network from any malicious code that travels in HTTP or SMTP traffic. In addition, they protect your company network against spam. The protection can be implemented on the gateway level to screen all incoming and outgoing e-mail (SMTP), web surfing (HTTP and FTP-over-HTTP) and file transfer (FTP) traffic. Furthermore, it can be implemented on the mail server level so that it does not only protect inbound and outbound traffic but also internal mail traffic and public sources, such as public folders on Microsoft Exchange servers.
Providing the protection already on the gateway level has plenty of advantages. The protection is easy and fast to set up and install, compared to rolling out antivirus protection on hundreds or thousands of workstations. The protection is also invisible to the end users which ensures that the system cannot be by-passed and makes it easy to maintain. Of course, protecting the gateway level alone is not enough to provide a complete antivirus solution; file server and workstation level protection is needed, also.
Why clean 1000 workstations when you can clean one attachment at the gateway level?
16

1.2 How F-Secure Anti-Virus for Microsoft Exchange Works

F-Secure Anti-Virus for Microsoft Exchange is designed to detect and disinfect viruses and other malicious code from e-mail transmissions through Microsoft Exchange 2007 Server. Scanning is done in real time as the mail passes through Microsoft Exchange Server. On-demand scanning of user mailboxes and public folders is also available.
Scanning
Attachments and
Message Bodies
Flexible and Scalable
Anti-Virus Protection
Alerting F-Secure Anti-Virus for Microsoft Exchange has extensive alerting
Powerful and Always
Up-to-date
F-Secure Anti-Virus for Microsoft Exchange scans attachments and message bodies for malicious code. It can also be instructed to remove particular attachments according to the file name or the file extension.
If the intercepted mail contains malicious code, F-Secure Anti-Virus for Microsoft Exchange can be configured to disinfect or drop the content. Any malicious code found during the scan process can be placed in the Quarantine, where it can be further examined. Stripped attachments can also be placed in the Quarantine for further examination.
F-Secure Anti-Virus for Microsoft Exchange is installed on Microsoft Exchange 2007 Server and it intercepts mail traveling to and from mailboxes and public folders. The messages and documents are scanned with the scanning component, F-Secure Content Scanner Server, which also disinfects the infected messages.
functions, which means that the system administrator can specify a recipient, such as the network administrator, to be notified about the infection found in the data content.
F-Secure Anti-Virus for Microsoft Exchange uses the award-winning F-Secure Anti-Virus techniques and scanning engines to ensure the highest possible detection rate and disinfection capability. The F-Secure Anti-Virus definition databases are upda ted typically multiple times a day and they provide F-Secure Anti-Virus for Microsoft Exchange an always up-to-date protection capability.
CHAPTER 1 17
Introduction
F-Secure Anti-Virus scanner consistently r anks at the top when compar ed to competing products. Our team of dedicated virus resea rchers is on call 24-hours a day responding to new and emerging threats. In fact, F-Secure is one of the only companies to release tested virus definition updates continuously, to make sure our customers are receiving the highest quality service and protection.
Virus and Spam
Outbreak Detection
Stand-alone and
Centralized
Administration Modes
Scalability and
Reliability
Easy to
Administer
Massive spam and virus outbreaks consist of millions of messages which share at least one identifiable pattern that can be used to distinguish the outbreak. Any message that contains one or more of these patterns can be assumed to be a part of the same spam or virus outbreak.
F-Secure Anti-Virus for Microsoft Exchange can identify these patterns from the message envelope, headers and body, in any language, message format and encoding type. It can detect spam messages and new viruses during the first minutes of the outbreak.
F-Secure Anti-Virus for Microsoft Exchange can be installed either in stand-alone or centrally administered mode. Depending on how it has been installed, F-Secure Anti-Virus for Microsoft Exchange is managed either with the F-Secure Anti-Virus for Microsoft Exchange Web Console or F-Secure Policy Manager.
F-Secure Policy Manager provides a scalable way to manage the security of multiple applications on multiple operating systems, from one central location. F-Secure Policy Manager is comprised of two components, F-Secure Policy Manager Console and F-Secure Policy Manager Server, which are used to administer applications. They are seamlessly integrated with the F-Secure Management Agents that handle all management functions on local hosts.
If F-Secure Anti-Virus for Microsoft Exchange is installed in stand-alone mode it can be managed with the web-based user interface.
If F-Secure Anti-Virus for Microsoft Exchange has been installed in centrally administered configuration, it is managed with F-Secure Policy Manager. With its graphical user interface, F-Secure Policy Manager Console provides a centralized view of the domains and hosts in your network, lets you configure the security policies for all F-Secure
18
components and set up scheduled scans and run manual scanning operations. F-Secure Policy Manager receives status information from F-Secure Anti-Virus for Microsoft Exchange.
F-Secure Policy Manager Server is the server side component that handles communication between F-Secure Anti-Virus for Microsoft Exchange and F-Secure Policy Manager Console. It exchanges security policies, software updates, status information, statistics, alerts, and other information between F-Secure Policy Manager Console and all managed systems.
Figure 1-1 (1) E-mail arrives from the Internet to F-Secure Anti-Virus for Microsoft Exchange, which (2) filters malicious content from mails and attachments, and (3) delivers cleaned files forward.

1.3 Key Features

F-Secure Anti-Virus for Microsoft Exchange provides the following features and capabilities.
Superior Protection Superior detection rate with multiple scanning engines.
Automatic malicious code detection and disinfection. The grayware scan detects spyware, adware, dialers, joke
programs, remote access tools, and any other unwelcome files and programs.
Heuristic scanning detects also unknown Windows and macro
viruses.
The sandbox scanning can detect new unknown viruses and
malware without damaging the system by running code in a safe and isolated environment.
Recursive scanning of ARJ, BZ2, CAB, GZ, JAR, LZH, MSI,
RAR, TAR, TGZ, Z and ZIP archive files.
Automatic and consistent virus definition database updates. Suspicious and unsafe attachments can be stripped away from
e-mails.
Password protected archives can be treated as unsafe. Intelligent file type recognition.
CHAPTER 1 19
Introduction
Virus Outbreak
Detection
The virus outbreak detection is an additional active layer of
protection that automatically detects virus outbreaks and quarantines suspicious messages.
Virus outbreaks are transparen tly detected and infected
messages are quarantined before the outbreak becomes widespread.
Quarantined unsafe messages can be reprocessed
automatically.
20
Transparen cy and
Scalability
Viruses are intercepted before they can enter the network and
spread out on workstations and servers.
Real-time scanning of internal, inbound and outbound mail
messages and Public Folder notes.
Automatic protection of new mailboxes and Public Folders. Total transparency to end-users. Users cannot bypass the
system, which means that messages and documents cannot be exchanged without scanning.
Management Controlling and monitoring the behavior of the products remotely.
Starting predefined operations remotely. Monitoring statistics provided by the products remotely with
F-Secure Policy Manager or F-Secure Anti-Virus for Microsoft Exchange Web Console.
Possibility to configure and manage stand-alone installations with
the convenient F-Secure Anti-Virus for Microsoft Exchange Web Console.
You can manage and search quarantined content with the
F-Secure Anti-Virus for Microsoft Exchange Web Console.
Protection against
Spam
Possible spam messages are transparently detected before they
become widespread.
Efficient spam detection based on different analyses on the
e-mail content.
Multiple filtering mechanisms guarantee the high accuracy of
spam detection.
Spam m essages can be separated from legitimate messages and
processed using the Spam Confidence Levels.
Spam detection works in every language and message format.

1.4 F-Secure Anti-Virus Mail Server and Gateway Products

The F-Secure Anti-Virus product line consists of workstation, file server, mail server, gateway and mobile products.
F-Secure Internet Gatekeeper™ is a high performance, totally
automated web (HTTP and FTP-over-HTTP) and e-mail (SMTP) virus scanning solution for the gateway level. F-Secure Internet Gatekeeper works independently of firewall and e-mail server solutions, and does not affect their performance.
F-Secure Anti-Virus for Microsoft Exchange™ protects your
Microsoft Exchange users from malicious code contained within files they receive in mail messages and documents they open from shared databases. Malicious code is also stopped in outbound messages and in notes being posted on Public Folders. The product operates transparently and scans files in the Exchange Server Information Store in real-time. Manual and scheduled scans of user mailboxes and public polders are also supported.
F-Secure Anti-Virus for MIMEsweeper™ provides a powerful
anti-virus scanning solution that tightly integrates with Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web products. F-Secure provides top-class anti-virus software with fast and simple integration to Clearswift MAILsweeper and WEBsweeper, giving the corporation the powerful combination of complete content security.
F-Secure Internet Gatekeeper for Linux™ provides a
high-performance solution at the Internet gateway level, stopping viruses and other malicious code before they spread to end u sers desktops or corporate servers. The product scans SMTP, HTTP, FTP and POP3 traffic for viruses, worms and trojans, and blocks and filters out specified file types. ActiveX and Java code can also be scanned or blocked. The product receives updates
CHAPTER 1 21
Introduction
22
automatically from F-Secure, keeping the virus protection always up to date. A powerful and easy-to-use management console simplifies the installation and configuration of the product.
F-Secure Messaging Security Gateway™ delivers the
industry’s most complete and effective security for e-mail. It combines a robust enterprise-class messaging platform with perimeter security, antispam, antivirus, secure messaging and outbound content security capabilities in an easy-to-deploy, hardened appliance.
2

DEPLOYMENT

Installation Modes....................................................................... 24
Network Requirements............................................................... 25
Deployment Scenarios............................................................... 26
23
24

2.1 Installation Modes

F-Secure Anti-Virus for Microsoft Exchange can be installed either in stand-alone or centrally administered mode. In stand-alone installation, F-Secure Anti-Virus for Microsoft Exchange is managed with Web Console. In centrally administered mode, it is managed centrally with F-Secure Policy Manager components: F-Secure Policy Manager Server and F-Secure Policy Manager Console.
To administer F-Secure Anti-Virus for Microsoft Exchange in the centrally administered mode, you have to install the following components:
F-Secure Policy Manager Server (on a dedicated machine) F-Secure Policy Manager Console (on the administ ra to r's
machine or on the same machine with F-Secure Policy Manager Server).
For up-to-date information on supported platforms, see F-Secure Policy Manager Release Notes.

2.2 Network Requirements

This network configuration is valid for all scenarios described in this chapter. Make sure that the following network traffic can pass through:
Service Process Inbound ports Outbound ports
CHAPTER 2 25
Deployment
F-Secure Content Scanner Server
F-Secure Anti-Virus for Microsoft Exchange Web Console
F-Secure Update Agent
F-Secure Network Request Broker
F-Secure Management Agent
F-Secure Quarantine Manager
Automatic
%ProgramFiles(x86)%\F-Secure\ Content Scanner Server\fsavsd.exe
%ProgramFiles(x86)%\F-Secure\ Web User Interface\bin\fswebuid.exe
%ProgramFiles(x86)%\F-Secure\ FSAUA\program\fsaua.exe
%ProgramFiles(x86)%\F-Secure\ Common\fnrb32.exe
%ProgramFiles(x86)%\F-Secure\ Common\fameh32.exe
%ProgramFiles(x86)%\F-Secure\ Quarantine Manager\fqm.exe
18971 (TCP) (on localhost only)
25023 DNS (53, UDP and TCP),
- DNS (53, UDP and TCP),
- DNS (53, UDP/TCP),
- DNS (53, UDP/TCP),
- DNS (53, UDP/TCP),
DNS (53, UDP/TCP), HTTP (80) or another known port used for HTTP proxy
1433 (TCP), only with the dedicated SQL server
HTTP (80) and/or another port used to connect to
F-Secure Server
HTTP (80) or another port used to connect to F-Secure Policy Manager Server
SMTP (25)
1433 (TCP), only with the dedicated SQL server
Policy Manager
F-Secure World Map Reporting Service
%ProgramFiles(x86)%\F-Secure\ Content Scanner Server\fswmrsvc.exe
- DNS (53, UDP/TCP), SMTP (25)
26

2.3 Deployment Scenarios

Depending on how the Microsoft Exchange 2007 server roles are deployed in your environment, you might consider various scenarios of deploying F-Secure Anti-Virus for Microsof t Exchange. There are various ways to deploy F-Secure Anti-Virus for Microsoft Exchange that are suitable to different environments:
Environment with a Single Exchange Server, 27. Environments with Exchange Roles Deployed on Multiple
Servers”, 28.
If you want to use centralized quarantine management in a
network where the Exchange server roles have been deploye d on multiple servers, see “Quarantine Management
Considerations”, 31.

2.3.1 Environment with a Single Exchange Server

Figure 2-1 Deployment in an environment with a single Exchange server
If the Exchange server roles have been deployed on a single server, you should deploy F-Secure Anti-Virus for Microsoft Exchange as follows:
CHAPTER 2 27
Deployment
Installing F-Secure Anti-Virus for Microsoft Exchange
Install F-Secure Anti-Virus for Microsoft Exchange on the same server where Exchange Hub and Mailbox Server roles are deployed.
Installing F-Secure Spam Control
If you have a license for F-Secure Spam Control, you should install it on the same server with F-Secure Anti-Virus for Microsoft Exchange.
Administration Modes
You can install the product in st and -alone mo de and a dminister it with the Web Console, or you can install it in centralized administration mode and administer it with F-Secure Policy Manager Console.
28

2.3.2 Environments with Exchange Roles Deployed on Multiple Servers

Figure 2-2 Deployment in an environment with Edge, Hub and Mailbox Server roles deployed on multiple servers
CHAPTER 2 29
Deployment
Figure 2-3 Deployment in an environment with Edge, Hub, Mailbox and Client Access Server roles deployed on multiple servers
If the Exchange server roles have been deployed on multiple servers, you should deploy F-Secure Anti-Virus for Microsoft Exchange as follows:
Installing F-Secure Anti-Virus for Microsoft Exchange
Install F-Secure Anti-Virus for Microsoft Exchange on all the servers where Exchange Edge, Hub and Mailbox Server roles are deployed.
If the Exchange role is changed later, the product has to be reinstalled.
Note that you cannot install the product on a server that has only Client Access and/or Unifield Messaging Server roles deployed.
30
Installing F-Secure Spam Control
If you have a license for F-Secure Spam Control, you can install it on the Edge server. If you do not have an Edge server, you can install F-Secure Spam Control on the Hub server.
Administration Modes
It is recommended to install the product in centralized administration mode:
Install F-Secure Policy Manager Server on a dedicated server.
You can manage the product with F-Secure Policy Manager Console.
When installing the product, configure each instance of the
product to connect to the same F-Secure Policy Manager Server.
You can also install the product in stand-alone mode and administer it with the Web Console. However, it does not provide an ea sy way to have the same settings on all the servers.

2.3.3 Quarantine Management Considerations

CHAPTER 2 31
Deployment
Figure 2-4 Deploying centralized quarantine management in an environment with multiple Exchange servers
If you want to use centralized quarantine management in a network where the Exchange server roles have been deploye d on mu ltiple servers, you should deploy F-Secure Anti-Virus for Microsoft Exchange and the SQL server needed for quarantine database as follows:
Install Microsoft SQL Server on a dedicated server or on th e
server running F-Secure Policy Manager Server.
When installing the product, configure each instance of the
product to use the same SQL server and database.
Make sure that the SQL server, the database name, user name
and password are identical in the quarantine configuration for all F-Secure Anti-Virus for Microsoft Exchange instances.
Make sure that all the servers are allowed to communicate with
the SQL server using mixed mode authentication.
32
In environments with heavy e-mail traffic it is recommended to
use a Microsoft SQL server installed on a separate server. When using the free Microsoft SQL Server 2005 Express Edition included in F-Secure Anti-Virus for Microsoft Exchange, the Quarantine database size is limited to 4 GB.
You can use F-Secure Anti-Virus for Microsoft Exchange Web
Console to manage and search quarantined content. For more information, see “Quarantine Management, 237.
3

INSTALLATION

System Requirements................................................................ 34
Improving Reliability and Performance....................................... 38
Installation Overview.................................................................. 40
Installing F-Secure Anti-Virus for Microsoft Exchange............... 41
After the Installation.................................................................... 53
Upgrading the Evaluation Version.............................................. 56
Uninstalling F-Secure Anti-Virus for Microsoft Exchange........... 57
33
34

3.1 System Requirements

F-Secure Anti-Virus for Microsoft Exchange is installed on the computer running Microsoft Exchange Server and requires the following hardware and software.
Processor: AMD Opteron/Athlon x64 or
Memory: 1 GB Disk space to install: 300 MB
Intel Xeon with Extended Memory 64 Technology (EM64T)
Disk space for processing:
Network: 100Mbps Fast Ethernet NIC, switched
F-Secure Policy Manager version:
The release notes document contains the latest information about the product and might have changes to system requirements and the installation procedure. It is highly recommended to read the release notes before you proceed with the installation.
10 GB or more. The required disk space depends on the number of mailboxes, amount of data traffic and the size of the Information Store.
network connection F-Secure Policy Manager 7.20 or newer.
F-Secure Policy Manager is required only in centrally managed environments.

3.1.1 Operating System Requirements

The product can be installed on a computer with a 64-bit processor running one of the following systems:
Microsoft® Windows Server 2003, Standard x64 Edition with the
latest service pack
Microsoft® Windows Server 2003, Enterprise x64 Edition with the
latest service pack
Microsoft® Windows Server 2003 R2, Standard x64 Edition Microsoft® Windows Server 2003 R2, Enterprise x64 Edition Microsoft® Windows Server 2008 Release Candidate 0

3.1.2 Microsoft Exchange Server Requirements

The product can be installed on any of the following 64-bit versions of Microsoft Exchange Server 2007:
Microsoft® Exchange Server 2007 Standard Edition with or
without Service Pack 1
Microsoft® Exchange Server 2007 Enterprise Edition with or
without Service Pack 1
CHAPTER 3 35
Installation
The 32-bit evaluation version of Microsof t Exchange Server 2007 is not supported.
36

3.1.3 SQL Server Requirements

The product requires Microsoft® SQL Server for the quarantine management. The following versions of Microsoft SQL Server are recommended to use:
Microsoft SQL Server 2000 (Enterprise, Standard or Workgroup
edition) with Service Pack 4
Microsoft SQL Server 2000 Desktop Engine (MSDE) with Service
Pack 4
Microsoft SQL Server 2005 (Enterprise, Standard, Workgroup or
Express edition) with the latest service pack
Microsoft SQL Server 2005 Express Edition Service Pack 2 is distributed with the product and can be installed during F- Secure Anti-Virus for Microsoft Exchange Setup.
When centralized quarantine management is used, the SQL server must be reachable from the network and file sharing must be enabled.
Which SQL Server to Use for the Quarantine Database?
As a minimum requirement, the Quarantine database should have the capacity to store information about all inbound and outbound mail to and from your organization that would normally be sent during 2-3 days.
The upgrade installation does not upgrade the SQL server if you choose to use the existing database.
If you want to upgrade MSDE 2000 to SQL Server 2005 Express, follow the instructions on the Microsoft web page: http://
www.microsoft.com/technet/prodtechnol/sql/2005/ msde2sqlexpress.mspx.
CHAPTER 3 37
Installation
Take the following SQL server specific considerations into account when deciding which SQL server to use:
Microsoft SQL Server
2005 Express Edition
Microsoft SQL
Server 2000/2005
When using Microsoft SQL Server 2005 Express Edition, the
Quarantine database size is limited to 4 GB.
Microsoft SQL Server 2005 Express Edition Service Pack 2
supports Microsoft Windows Server 2008.
It is not recommended to use Microsoft SQL Server 2005
Express Edition if you are planning to use centralized quarantine management with multiple F-Secure Anti-Virus for Microsoft Exchange installations.
Microsoft SQL Server 2005 Express Edition is delivered together with F-Secure Anti-Virus for Microsoft Exchange, and you can install it during the F-Secure Anti-Virus for Microsoft Exchange Setup.
If your organization sends a large amount of e-mails, it is
recommended to use Microsoft SQL Server 2000/2005.
It is recommended to use Microsof t SQL Server 2000/2005 if you
are planning to use centralized quarantine management with multiple F-Secure Anti-Virus for Microsoft Exchange installations.
Note that the product does not support Windows Authentication
when connecting to Microsoft SQL Server 2000/2005. The Microsoft SQL Server 2000/2005 that the product will use for the Quarantine database should be configured to use Mixed Mode authentication.
If you plan to use Microsoft SQL Server 2005, you must purchase it and obtain your own license before you start to deploy F-Secure Anti-Virus for Microsoft Exchange. To purchase Microsoft SQL Server 2005, contact your Microsoft reseller.
38

3.1.4 Web Browser Software Requirements

In order to administer the product with F-Secure Anti-Virus for Microsoft Exchange Web Console, one of the following web browsers is required:
Microsoft Internet Explorer 6.0 or later Mozilla Firefox 2.0 or later Opera 9.00 or later Konqueror 3.5 or later
Any other web browser supporting HTTP 1.0, SSL, Java scripts and cookies may be used as well. Microsoft Internet Explorer 5.5 or earlier cannot be used to administer the product.

3.2 Improving Reliability and Performance

You can improve the system reliability and overall performance by upgrading the following components.
Processor If the system load is high, a fast processor on the Microsoft Exchange
Server speeds up the e-mail message processing. As Microsoft Exchange Server handles a large amount of data, a fast processor alone is not enough to guarantee a fast operation of F-Secure Anti-Virus for Microsoft Exchange.
Memory Memory consumption is directly proportional to the size of processed
mails - scanning a single mail may use memory in amounts up to three times the size of the mail concerned. If the average size of mail messages is big, or Microsoft Exchange Server has to process large messages regularly , increasing the amo unt of physical memory increa ses the overall performance.
If large messages are processed only now and then, it might be enough to increase the size of the virtual memory. In this case, large messages will slow the system down.
CHAPTER 3 39
Installation
Hard Drive Hard drive size is an important reliability factor. Hard drive performance is
crucial for Microsoft Exchange Server to perform well. For best performance, a RAID system is recommended; for servers with only moderate load, SCSI hard disks are adequate. If your server has an IDE hard disk, DMA access support is recommended.
Operating
System
It is highly recommended to have the latest service packs for the operating system being used. These fixes make the platfo rm mo re stable and thus increase the reliability of the system.

3.3 Centrally Administered or Stand-alone Installation?

F-Secure Anti-Virus for Microsoft Exchange can be managed either with F-Secure Anti-Virus for Microsoft Exchange Web Console or F-Secure Policy Manager Console. You can select the management method when you install the product.
If you already use F-Secure Policy Manager to administer other F-Secure products, it is recommended to install F-Secure An ti-Virus for Microsoft Exchange in centralized administration mode.
The quarantined mails are managed using the F-Secure Anti-Virus for Microsoft Exchange Web Console in both centrally administered and stand-alone installations. In centrally managed environments all other features are managed with F-Secure Policy Manager.
40

3.4 Installation Overview

F-Secure Anti-Virus for Microsoft Exchange can be installed to the same computer that runs F-Secure Anti-Virus for Servers 7.0. You should uninstall any potentially conflicting products, such as other anti-virus, file encryption, and disk encryption software, which employ low-level device drivers, before you install F-Secure Anti-Virus for Microsoft Exchange.
If you run F-Secure Anti-Virus for Servers 7.0 on the same computer where you install F-Secure Anti-Virus for Microsoft Exchange, make sure that F-Secure Anti-Virus for Servers 7.0 is installed before you install F-Secure Anti-Virus for Microsoft Exchange.
To administer F-Secure Anti-Virus for Microsoft Exchange in centralized administration mode, you need to install F-Secure Policy Manager Console and F-Secure Policy Manager Server. Detailed information on F-Secure Policy Manager Console and F-Secure Policy Manager Server is provided in the F-Secure Policy Manager Administrator's Guide.
You cannot install F-Secure Policy Manager 7.0 on the same server with the product as F-Secure Policy Manager 7.0 is not supported under 64-bit Windows. For up-to-date information on supported platforms, see F-Secure Policy Manager Release Notes.
You need to log in with administrator-level privileges to install F-Secure Anti-Virus for Microsoft Exchange.
Follow these steps to set up F-Secure Anti-Virus for Microsoft Exchange:
Centralized Administration mode:
1. Run F-Secure Policy Manager setup to set up F-Secure Policy Manager Server. See F-Secure Policy Manager Administrator’s Guide for instructions.
2. Install F-Secure Anti-Virus for Microsoft Exchange. For more
information, see “Installing F-Secure Anti-Virus for Microsoft
Exchange”, 41.
3. Import the product MIB files to F-Secure Policy Manager, if they
cannot be uploaded there during the installation. For more information, see “Importing Product MIB files to F-Secure Policy
Manager Console”, 54.
4. Check that F-Secure Automatic Update Agent can retrieve the latest
virus and spam definition databases. For more information, see “Updating Virus and Spam Definition Databases”, 254.
Stand-alone mode:
1. Install F-Secure Anti-Virus for Microsoft Exchange. For more
information, see “Installing F-Secure Anti-Virus for Microsoft
Exchange”, 41.
2. Check that F-Secure Automatic Update Agent can retrieve the latest
virus and spam definition databases. For more information, see “Updating Virus and Spam Definition Databases”, 254.
After the installation is complete, check and configure the product settings.
3.5 Installing F-Secure Anti-Virus for Microsoft
CHAPTER 3 41
Installation
Exchange
Follow these instructions to install F-Secure Anti-Virus for Microsoft Exchange and F-Secure Spam Control.
Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.
2. Select F-Secure Anti-Virus for Microsoft Exchange from the Install
Software menu.
42
Step 2. Read the information in the Welcome screen.
Click Next to continue.
Step 3. Read the licence agreement.
If you accept the agreement, check the I accept this agreement checkbox and click Next to continue.
Step 4. Enter the product keycode.
Click Next to continue.
Step 5. Choose the components to install.
CHAPTER 3 43
Installation
For more information about F-Secure Spam Control, see “Administering
F-Secure Spam Control”, 257. Click Next to continue.
44
Step 6. Choose the destination folder for the installation.
Click Next to continue.
Step 7. Choose the administration method.
If you install F-Secure Anti-Virus for Microsoft Exchange in stand-alone mode, you cannot configure settings and receive alerts and status information in F-Secure Policy Manager Console. Click Next to continue.
CHAPTER 3 45
If you selected the stand-alone installation, continue to Step 10., 47.
If you select the stand-alone mode, use the F-Secure Anti-V irus for Microsoft Exchange Web Console to change product settings and to view statistics. For more information, see “Administration with
Web Console”, 138.
Step 8. Enter the path to the public management key file admin.pub that was
created during F-Secure Policy Manager Console setup.
Installation
You can transfer the public key in various ways (use a shared folder on the file server, a USB device, or send the key as an attachment in an e-mail message). Click Next to continue.
46
Step 9. Enter the IP address or URL of the F-Secure Policy Manager Server you
installed earlier.
Click Next to continue.
If the product MIB files cannot be uploaded to F-Secure Policy Manager during installation, you can import them manually. For more information, see “Importing Product MIB files to F-Secure
Policy Manager Console”, 54.
CHAPTER 3 47
Step 10. Enter an SMTP address that will be used by F-Secure Anti-Virus for
Microsoft Exchange to send warning and informational messages to end-users.
The SMTP address should be a valid, existing address that is allowed to send messages. Click Next to continue.
Step 11. Specify the Quarantine management method.
Installation
If you want to manage the Quarantine database locally, select Local quarantine management. Select Centralized quarantine management if you install the product on multiple servers. Click Next to continue.
48
Step 12. Specify the location of the Quaran tine database.
If you want to install Microsoft SQL Server 2005 Express Edition and the Quarantine database on the same server as the product installation, select (a) Install and use Microsoft SQL Server Desktop Engine.
If you are using Microsoft SQL Server already, select (b) Use the existing installation of MIcrosoft SQL Server or MSDE.
Click Next to continue to either (a) or (b) based on your selection.
a Specify the installation and the database directory for Microsoft
SQL Server 2005 Express Edition.
CHAPTER 3 49
Installation
Enter the password for the database server administra tor account that will be used to create the new database. Click Next to continue.
Specify the name for the SQL database that stores information about the quarantined content.
Enter the user name and the password that you want to use to connect to the quarantine database. Use a different account than the server administrator account. If the ne w account does not exist, the product creates it during the installation.
b Specify the computer name of the SQL Server where you wan t to
create the Quarantine database.
50
Enter the username and password to log on to the server. Click
Next to continue.
If the server has a database with the same name, you can either use the existing database, remove the existing database and create a new one or keep the existing database and cre ate a new one with a new name.
Step 13. Select whether you want to install the product with F-Secure World Map
Support.
The product can collect and send statistics about viruses and other malware to the F-Secure World Map service. if you agree to send statistics to F-Secure World Map, select Yes and click Next to continue. If
CHAPTER 3 51
you enable F-Secure World Map su pport, see “Sending E-mail Alert s And
Reports”, 293.
Step 14. If you selected the centralized administration mode, specify the DNS
name or IP address of the F-Secure Policy Manager Server and the administration port.
Installation
Click Next to continue.
Step 15. If you selected the centralized administration mode, the installation
program connects to specified F-Secure Policy Manager Se rver automatically to install F-Secure Anti-Virus for Microsoft Exchange MIB files. If the installation program cannot connect to F-Secure Policy Manager Server, the following dialog opens.
Make sure that the computer where you are inst alling F-Secure Anti-V irus for Microsoft Exchange is allowed to connect to the administration port on F-Secure Policy Manager Server, or if you use proxy, make sure that the
52
connection is allowed from the proxy to the server. Check that any firewall does not block the connection.
If you want to skip installing MIB files, click Cancel. You can install MIB files later either manually or by running the Setup again.
Step 16. The list of components that will be installed is displayed.
Click Start to install listed components.
Step 17. The installation status of the components is displayed.
Click Next to continue.
Step 18. The installation is complete.
Click Finish to close the Setup wizard.
CHAPTER 3 53
Installation

3.6 After the Installation

This section describes what you have to do after the installation. These steps include:
Importing product MIBs to F-Secure Policy Manager (if that is
required), and
Initial configuration of the product.
54

3.6.1 Importing Product MIB files to F-Secure Policy Manager Console

If you are using the product in centrally managed mode, there are cases when the F-Secure Anti-Virus for Microsof t Exchange MIB JAR file cannot be uploaded to F-Secure Policy Manager Server during the in stallation. In these cases you will have to import the MIB files to F-Secure Policy Manager. You will have to import the MIB files if:
F-Secure Anti-Virus for Microsoft Exchange is located in a
different network segment than F-Secure Policy Manager, and there is a firewall between them blocking access to Policy Manager’s administrative port (8080).
F-Secure Policy Manager Server has been configured so that
administrative connections from anywhere else than the localhost are blocked.
The recommended way is to import the MIBs via F-Secure Policy Manager Console Tools menu. You can do it as follows:
1. Open the Tools menu and select the Installa tion packages... option.
2. Click Import....
3. When the Import Installation Packages dialog opens, browse to
locate the fsavmse710mib.jar file located under the Jars subdirecto ry in the setup package. Then click Open.
4. After importing the new MIB files, restart F-Secure Policy Manager
Console.

3.6.2 Configuring the Product

After the installation, F-Secure Anti-Virus for Microsoft Exchange is functional, but it is using mostly default values. It is highly recommended to go through all the settings of all installed components.
Configure F-Secure Anti-Virus for Microsoft Exchange.
If F-Secure Anti-Virus for Microsoft Exchange has been installed in the centralized administration mode, use F-Secure Policy Manager Console to configure the settings for F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange and distribute the policy. For more information, see “Centrally
Managed Administration”, 67.
If F-Secure Anti-Virus for Microsoft Exchange has been installed in stand-alone mode, use the F-Secure Anti-Virus for Microsoft Exchange Web Console to configure the settings of F-Secure Anti-Virus for Microsoft Exchange. For more information, see “Administration with Web Console, 138.
Specify the mail direction. For more information, see “Network
Configuration”, 56.
Verify that the product is able to retrieve the virus and spam
definition database updates. If necessary, reconfigure your firewalls or other devices that may
block the database downloads. For more information, see “Network Requirements, 25.
CHAPTER 3 55
Installation
56
Network Configuration
The mail direction is based on the Internal Domains and Internal SMTP hosts settings and it is determined as follows:
1. E-mail messages are considered internal if they come from internal SMTP sender hosts and mail recipients belong to one o f the specified internal domains (internal recipients).
2. E-mail messages are considered outbound if they come from internal SMTP sender hosts and mail recipients do not belong to the specified internal domains (external recipients).
3. E-mail messages that come from hosts that are not defined as internal SMTP sender hosts are considered inbound.
4. E-mail messages submitted via MAPI or Pickup Folder are treated as if they are sent from the internal SMTP sender host.
If e-mail messages come from internal SMTP sender hosts and contain both internal and external recipients, message s are split and processed as internal and outbound respectively.

3.7 Upgrading the Evaluation Version

If you want to use F-Secure Anti-Virus for Microsoft Exchange af ter your evaluation period expires, you need a new keycode. Contact your software vendor or renew your license online.
After you have received the new keycode, you can either reinstall F-Secure Anti-Virus for Microsoft Exchange with your new keycode (see “Installing F-Secure Anti-Virus for Microsoft Exchange, 41) or register the new keycode from F-Secure Settings and Statistics.
CHAPTER 3 57
Installation
To register the new keycode from F-Secure Settings and Statistics:
1. Open F-Secure Settings and Statistics by double-clicking the
F-Secure icon in the Windows system tray and select F-Secure Anti-Virus for Microsoft Exchange to open the evaluation screen.
2. Eenter the new keycode you have received and click Register
Keycode....
If you do not want to continue to use F-Secure Anti-Virus for Microsoft Exchange after your evaluation license exp ires, you should uninstall the software.
When the license expires, F-Secure Anti-Virus for Microsoft Exchange stops processing e-mails and messages posted to public folders. However, the messages are still delivered to the recipients.

3.8 Uninstalling F-Secure Anti-Virus for Microsoft Exchange

To uninstall F-Secure Anti-Virus for Microsoft Exchange, select Add/
Remove Programs from the Windows Control Panel. To uninstall F-Secure Anti-Virus for Microsoft Exchange completely, uninstall the
components in the following order:
1. F-Secure Anti-Virus for Microsoft Exchange
2. F-Secure Spam Control (if it was installed)
Some files and directories may remain after the uninstallation and can be removed manually.
4
USING F-SECURE A
NTI-VIRUS FOR
ICROSOFT EXCHANGE
M
Administering F-Secure Anti-Virus for Microsoft Exchange........ 59
Using Web Console.................................................................... 60
Using F-Secure Policy Manager Console................................... 63
58
CHAPTER 4 59
Using F-Secure Anti-Virus for Microsoft Exchange

4.1 Administering F-Secure Anti-Virus for Microsoft Exchange

F-Secure Anti-Virus for Microsoft Exchange can be used either in the stand-alone mode or in the centrally administered mode, based on your selections during the installation and the initial setup.
Centralized
Administration
Mode
Stand-alone
Mode
In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange with F-Secure Policy Manager.
You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, check its current status and to connect to F-Secure Web Club for support.
In centrally managed installations, F-Secure Anti-Virus for Microsoft Exchange Web Console cannot be used for configuring the system or scanning settings, but you can manage the quarantined content with it.
you can use F-Secure Anti-Virus for M icr osoft Exchange Web Console to administer the product; monitor the status, modify settings, manage the quarantine and to start and stop the product if necessary.
60

4.2 Using Web Console

You can open F-Secure Anti-Virus for Microsoft Exchange Web Console in any of the following ways:
Go to Windows St art men u > Programs > F-Secu re Anti-Virus for
Microsoft Exchange > F-Secure Anti-Virus fo r Microsoft Exchange Web Console
Enter the address of F-Secure Anti-Viru s for Microsoft Exchange
and the port number in your web browser. Note that the protocol used is https. For example:
https://127.0.0.1:25023
Open F-Secure Settings and Statistics by double-clicking the
F-Secure icon in the Windows system tray and double-clicking the component name in the list.
F-Secure Anti-Virus for Microsof t Exchange W eb Console does not support Microsoft Internet Explorer 5.5 or older.
When the Web Console login page opens, enter your user name and the password and click Log In. Note that you must have administrator rights to the host where F-Secure Anti-Virus for Microsoft Exchange Web Console is installed.

4.2.1 Logging in for the First Time

Before you log in the F-Secure Anti-Virus for Microsoft Exchange Web Console for the first time, check that Java script and cookies are enabled in the browser you use.
Microsoft Internet Explorer users:
The address of the F-Secure Anti-Virus for Microsoft Exchange Web Console, https://127.0.0.1:25023/ Trusted sites in Internet Explorer Security Options to ensure that F-Secure Anti-Virus for Microsoft Exchange Web Console works properly in all environments.
, should be added to the
Using F-Secure Anti-Virus for Microsoft Exchange
When you log in for the first time, your browser displays a Security Alert dialog window about the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console. You can create a securi ty certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console before logging in, and then install the certificate during the login process.
If your company has an established process for creating and storing certificates, follow that process to create an d stor e the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console.
Step 1. Create the security certificate
1. Browse to the F-Secure Anti-Virus for Microsoft Exchange Web Console installation directory, for example:
C:\Program Files (x86)\F-Secure\Web User Interface\bin\
2. Locate the certificate creation utility, makecert.bat, and double click it
to run the utility.
3. The utility creates a certificate that will be issued to all local IP
addresses, and restarts the F-Secure Anti-Virus for Microsoft Exchange Web Console service to take the certificate into use.
4. Wait until the utility completes, and the window closes. Now you can
proceed to logging in.
CHAPTER 4 61
Step 2. Log in and install the security certificate
1. Open F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. The Security Alert about the F-Secure Anti-Virus for Microsoft
Exchange Web Console certificate is displayed. If you install the certificate now, you will not see the Security Alert window again.
If you are using Internet Explorer 7, click Continue and then
Certificate Error.
3. Click View Certificate to view the certificate information.
4. The Certificate window opens. Click Install Certificate to install the
certificate with the Certificate Import Wizard.
62
5. The Certificate window opens. Click Install Certificate to proceed to
the Certificate Import Wizard.
6. Follow the instructions in the Certificate Import Wizard.
If you are using Internet Explorer 7, in the Place all certificates in the
following store selection, select the Trusted Root Certification Authorities store.
If you are using Internet Explorer 6, you are prom pted to a dd the ne w certificate in the Certificate Root Store when the wizard has completed. Click Yes to do so.
7. If the Security Alert window is still displayed, click Yes to proceed or
log back in to the F-Secure Anti-Virus for Microsoft Exchange Web Console.
8. When the login page opens, log in to Web Console with your user
name and the password.
9. The Web Console displays Getting Started page when you log in for
the first time. Y ou can check and configure the follo wing information in the Getting Started page to complete the installation:
Internal domains and senders E-mail alerts and reports Database updates Product updates

4.2.2 Modifying Settings and Viewing Statistics with Web Console

To change F-Secure Anti-Virus for Microsoft Exchange settings in stand-alone mode, open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the variables you want to change from the options tree. For detailed explanations of all variables, see “Administration with Web Console, 138.
Using F-Secure Anti-Virus for Microsoft Exchange

4.2.3 Checking the Product Status

You can check the overall product status on the Home page of F-Secure Anti-Virus for Microsoft Exchange Web Console. Summary and Services tabs in the Home page displays an overview of each component status and most important statistics of the installed F-Secure Anti-Virus for Microsoft Exchange components. From the Home p age you can also open the product logs and proceed to configure the product components.

4.3 Using F-Secure Policy Manager Console

In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange with F-Secure Policy Manager. To open F-Secure Policy Manager Console, select Windows Start menu > Programs > F-Secure Policy Manager Console.
When the Policy Manager Console opens, go to the Advanced Mode user interface by selecting View > Advanced Mode.
F-Secure Policy Manager Console is used to create policies for F-Secure Anti-Virus for Microsoft Exchange installations that are running on selected hosts or groups of hosts.
CHAPTER 4 63
For detailed information on installing and using F-Secure Policy Manager console, see the F-Secure Policy Manager Administrator’s Guide.

4.3.1 Modifying Settings and Viewing Statistics in Centrally Administered Mode

To change F-Secure Anti-Virus for Microsoft Exchange settings in the centrally administered mode, follow these instructions:
1. Select F-Secure Anti-Virus for Microsoft Exchange from the Properties pane.
2. Make sure the Policy tab is selected and assign values to variables
under the Settings branch.
64
3. Modify settings by assigning new values to the basic leaf node
variables (marked by the leaf icons) shown in the Policy tab of the Properties pane. For detailed explan ations of all variables, see “F-Secure Anti-Virus for Microsoft Exchange Settings”, 68
Initially , every variable has a default value, which is displayed in gray. Select the variable from the Properties pane and enter the new value in the Editor pane to change it. You can either type the new value or select it from a list box.
Click Clear to revert to the default value or Undo to cancel the most recent change that has not been distributed.
Settings that are configured during the installation and the initial setup require that you select the Final check box from the Product View pane. For more information, see “Changing
Settings That Have Been Modified During Installation or Upgrade”, 65.
4. After you have modified settings and cretated a new policy, it must be
distributed to hosts. Choose Distribute from the File menu.
5. After distributing the policy, you have to wait for F-Secure Anti-Virus
for Microsoft Exchange to poll the new policy file.
For testing purposes you may also want to change the polling intervals. To do that, select the domain in F-Secure Policy Manager console and set the Incoming Packages Polling Interval and Outgoing Packages Update Interval variables to 30-45 seconds. The variables are located under each of the two trees in the F-Secure Management Agent / Settings / Communications branch. Note that since the default polling interval is 10 minutes, it might take up to 10 minutes for the new setting to take effect. Alternatively, you can click Poll the server now in F-Secure Management Agent.
To view statistics, select the Status tab of the Properties pane. Statistics are updated periodically and can be reset by ch oosing Reset Statistics on the Policy tab of the Properties pane. For more information, see “F-Secure Anti-Virus for Microsoft Exchange Statistics”, 116.
CHAPTER 4 65
Using F-Secure Anti-Virus for Microsoft Exchange
T o m anage the quarantined content, u se F-Secure Anti-Virus for Microsof t Exchange Web Console. For more information, see “Quarantine
Management”, 237.
Changing Settings That Have Been Modified During Installation or Upgrade
If you want to change a setting that has been modified locally du ring installation or upgrade, you need to mark the setting as Final in the restriction editor. The settings descriptions in this manual indicate the settings for which you need to use the Final restriction. You can also check in F-Secure Policy Manager Console whether you need to use the Final restriction for a setting. Do the following:
1. Select the Policy tab and then select the setting you want to check.
2. Select the Status tab to see if the setting has been modified locally.
If the setting is not shown in grayed font in the Status view, then
the product uses the setting from the base po licy an d th er ef or e the Final restriction is not needed.
If the setting is shown in normal black font, then the setting has
been modified locally. You must mark the setting as Final when you change it.

4.4 Selecting Scanning Methods to Use

Virus Scanning
The virus scan uses virus definition databases to detect and disinfect viruses. Virus definition databases are updated typically multiple times a day and they provide an always up-to-date protection capability.
Heuristic Scanning
The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
66
Sandbox Scanning
The sandbox scan emulates and analyzes the code in a safe and isolated environment.
Proactive Virus Threat Detection
The proactive virus threat detection analyzes e-mail messages for possible virus patterns and security threats. All possibly harmful messages are quarantined as unsafe. The proactive virus thr eat detection can detect new viruses during the first minutes of the outbre a k.
Grayware Scanning
The grayware scan detects applications that have annoying or undesirable behavior that can reduce the performance of computers on the network and introduce significant security risks to your organization. Grayware includes spyware, adware, dialers, joke programs, remote access tools, and any other unwelcome files and programs that can perform a variety of undesired and threatening actions, such as irritating users with pop-up windows, logging user key strokes, and exposing the computer to vulnerabilities.
5
CENTRALLY MANAGED A
DMINISTRATION
Overview..................................................................................... 68
F-Secure Anti-Virus for Microsoft Exchange Settings................ 68
F-Secure Anti-Virus for Microsoft Exchange Statistics............. 116
F-Secure Content Scanner Server Settings............................. 121
F-Secure Content Scanner Server Statistics............................ 131
F-Secure Management Agent Settings.................................... 134
F-Secure Automatic Update Agent Settings............................. 135
67
68

5.1 Overview

If F-Secure Anti-Virus for Microsoft Exchange is installed in the centrally administered mode, F-Secure Anti-Virus for Microsoft Exchange is managed centrally with F-Secure Policy Manager. In the centralized administration mode, you can use the F-Secure Anti-Virus for Microsoft Exchange Web Console for the quarantine man agement and to check the current status of F-Secure Anti-Virus for Microsoft Exchange, but you cannot change any settings with it.

5.2 F-Secure Anti-Virus for Microsoft Exchange Settings

In the centralized administration mode, you can change settings and star t operations using F-Secure Policy Manager Console. For more information, see “Using F-Secure Policy Manager Console”, 63.

5.2.1 Common Settings

Notifications
Specify Notification Sender Address that is used by F-Secure Anti-Virus for Microsoft Exchange for sending warning and informational messages to the end-users (for example, recipients, senders and mailbox owners).
Make sure that the notification sender address is a valid SMTP address. A public folder cannot be used as the notification sender address.
Network Configuration
The mail direction is based on the Internal Domains and Internal SMTP
hosts settings. For more information, see “Network Configuration, 56.
Internal Domains Specify internal domains. Messages coming to
CHAPTER 5 69
Centrally Managed Administration
internal domains are considered to be inbound mail unless they come from internal SMTP sender hosts.
Separate each domain name with a space. You can use an asterisk (*) as a wildcard. For example, *example.com internal.example.net
Internal SMTP Senders
Specify the IP addresses of hosts that belong to your organization. Specify all hosts within the organization that send messages to Exchange Edge or Hub servers via SMTP as Internal SMTP Senders.
Separate each IP address with a space. An IP address range can be defined as:
a network/netmask pair (for example,
10.1.0.0/255.255.0.0), or
a network/nnn CIDR specification (for
example, 10.1.0.0/16).
Y ou can use an asterisk (* ) to match any number or dash (-) to define a range of numbers. For example,
172.16.4.4 172.16.*.1 172.16.4.0-16
172.16.250-255.*
70
If end-users in the organization use other than Microsoft Outlook e-mail client to send and receive e-mail, it is recommended to specify all end-user workstations as Internal SMTP Senders.
If the organization has Exchange Edge and Hub servers, the server with the Hub role installed should be added to the Internal SMTP Sender on the server where the Edge role is installed.
IMPORTANT: Do not specify the server where the Edge role is installed as Internal SMTP Sender.
Lists and Templates
Match Lists
Specify file and match lists that can be used by other settings.
List name Specify the name for the match list. Type Specify whether the list contains keywords, file
patterns or e-mail addresses.
Filter Specify file names, extensions, keywords or
email addresses that the match list contains.
Description Specify a short description for the list.
Message Templates
Specify message templates for notifications.
Template name Specify the name for the message template.
Quarantine
CHAPTER 5 71
Centrally Managed Administration
Subject line Specify the subject line of the notification
message.
Message body Specify the notification message text.
For more information about the variables you can use in notification messages, see “Variables
in Warning Messages”, 270.
When the product places content to the Quarantine, it saves the content as separate files into the Quarantine Storage and inserts an entry to the Quarantine Database with information about the quarantined content.
Quarantine Storage Specify the path to the Quarantine storage
where all quarantined mails and attachment s are placed.
If you change the Quarantine Storage setting, select the Final checkbox in the Restriction Editor to override initial settings.
Retain Items in Quarantine
During the installation, F-Secure Anti-Virus for Microsoft Exchange adjusts the access rights to the Quarantine Storage so that only the product, operating system and the local administrator can access it. If you change the Quarantine Storage setting, make sure that the new location has secure access permissions. For more information, see “Moving the Quarantine
Storage”, 252.
Specify how long quarantined e-mails are stored in the Quarantine before they are deleted automatically.
72
The setting defines the default retention period for all Quarantine categories. To change the retention period for different categories, configure Quarantine Cleanup Exceptions settings.
Delete Old Items Every
Quarantine Cleanup Exceptions
Quarantine Size Threshold
Quarantined Items Threshold
Specify how of ten old items are deleted from the Quarantine.
The setting defines the default cleanup interval for all Quarantine categories. To change the cleanup interval for different categories, configure Quarantine Cleanup Exceptions settings.
Specify separate Quarantine retention periods and cleanup intervals for infected files, suspicious files, disallowed attachments, disallowed content, spam messages, scan failures and unsafe files.
Specify the critical size (in megabytes) of the Quarantine. If the Quarantine size reaches the specified value, the product sends an alert to the administrator.
If the threshold is specified as zero (0), the size of the Quarantine is not checked.
Specify the critical number of items in the Quarantine. When the Quarantine holds the critical number of items, the product sends an alert to the administrator.
Notify When Quarantine Threshold is Reached
If the threshold is specified as zero (0), the amount of items is not checked.
Specify the level of the alert that is sent to administrator when threshold levels are reached.
CHAPTER 5 73
Centrally Managed Administration
Released Quarantine Message Template
Automatically Process Unsafe Messages
Max Attempts to Process Unsafe Messages
Final Action on Unsafe Messages
Specify the template for the message that is sent to the intented recipients when e-mail content is released from the quarantine. For more information, see “Lists and Templates”, 70.
The product generates the message only when the item is removed from the Microsoft Exchange Server store and sends it automatically when you release the item to intended recipients.
Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine. Set the value to Disabled to keep all unsafe to process unsafe messages manually.
Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine.
Use the Final Action on Unsafe Messages setting to specify the action that takes place if the message is retained in the Quarantine after the maximum attempts.
Specify the action to unsafe messages after the maximum number of reprocesses have been attempted.
Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.
74
Quarantine Log Directory
Rotate Quarantine Logs Every
Keep Rotated Quarantine Logs
Sample Submission
You can use the product to send samples of unsafe e-mails and new, yet undefined malware to F-Secure for analysis.
Max Submission Attempts
Resend Interval Specify the time interval (in minutes) how long
Connection Timeout Specify the time (in seconds) how long the
Specify the path to the directory where Quarantine logfiles are placed.
Specify how often the product rotates Quarantine logfiles. At the end of each rotation time a new log is created.
Specify how many rotated log flies are kept.
Specify how man y times th e product atte mpt s to send the sample if the submission fails.
F-Secure Anti-Virus for Microsoft Exchange should wait before trying to send the sample again if the previous submission failed.
product tries to contact the F-Secure Hospital server.
Send Timeout Specify the time (in seconds) how long the
product waits for the sample submission to complete.
Content Scanner Server
Edit the Content Scanner Server settings to change the general content scanning options.
CHAPTER 5 75
Centrally Managed Administration
Max Size of Data Processed in Memory
Connection Timeout Specify the time interval (in seconds) how long
Working directory Specify the name and location of the wor kin g
Specify the maximum size (in kilobytes) of data to be transferred to the server via shared memory in the local interaction mode. When the amount of data exceeds the specified limit, a local temporary file will be used for data transfer .
If the option is set to zero (0), all data transfers via shared memory are disabled.
The setting is ignored if the local interaction mode is disabled.
F-Secure Anti-Virus for Microsoft Exchange should wait for a response from F-Secure Content Scanner Server before it stops attempting to send or receive data.
directory, where temporary files are placed. IMPORTANT: This setting must be defined as
Final with the Restriction Editor before the policies are distributed. Otherwise the settin g will not be changed in the product.
During the installation, F-Secure Anti-Virus for Microsoft Exchange automatically adjusts the access rights so that only the operating system and the local administrator can access files in the Working directory. If you change this setting after the installation, make sure that the new folder has secure access permissions.
76
If F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center and the proxy server requires authentication, the proxy authentication settings can be configured with F-Secure Anti-Virus for Microsoft Exchange Web Console only. For more information , see “Proxy Server”, 216.

5.2.2 Transport Protection

You can configure inbound, outbound and internal message protection separately. For more information about the mail direction and configuration options, see “Network Configuration, 69.
You cannot add automatic disclaimers to messages with the product, you can configure Microsoft Exchange Server to do that. Some malware add disclaimers to infected messages, so disclaimers should not be used for stating that the message is clean of malware.
Attachment Filtering
Specify attachments to remove from inbound, outbound and internal messages based on the file name or the file extension.
Strip Attachments Enable or disable the attachment stripping. List of Attachments to
Strip
Use Exclusions Specify attachments that are not filtered. Leave
Action on Stripped Attachments
Specify which attachments are stripped from messages. For more information, see “Lists and
Templates”, 70.
the list empty if you do not want to exclude any attachments from the filtering.
Specify how disallowed attachments are handled.
Drop Attachment - Remove the attachment from the message and deliver the message to the recipient without the disallowed attachment.
CHAPTER 5 77
Centrally Managed Administration
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine Stripped Attachments
Do Not Quarantine These Attachments
Send Notification Message to Recipient
Send Notification Message to Sender
Specify whether stripped attachments are quarantined.
The default option is Enabled. Specify file names and file extensions which are
not quarantined even when they are stripped.
If the message contains an attachment which is quarantined, all attachments linked to that message are quarantined, regardless of this setting.
Specify the template for the notification message that is sent to the intented recipient when disallowed or suspicious attachment is found.
Note that the notification message is not sent if the whole message is dropped.
Specify the template for the notification message that is sent to the original sender of the messag e when disallowed or suspicious attachment is found. For more information, see “Lists and
Templates”, 70.
Leave notification message fields empty if you do not want to send any notification messages. By default, notification messages are not sent.
For more information, see “Lists and Templates”,
70.
78
Do Not Notify on These Attachments
Notify Administrator Specify whether the administrator is notified
Virus Scanning
Specify inbound, outbound and internal messages and attachments that should be scanned for malicious code.
Scan Messages for Viruses
Specify attachments that do not generate notifications. When the product finds specified file or file extension, no notification is sent.
when the product strips an attachment and the alert level of the notification..
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Disabling virus scanning disables archive processing and grayware scanning as well.
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
List of Attachments to Scan
Use Exclusions Specify attachments that are not scanned.
Heuristic Scanning Enable or disable the heuristic scan. The
Specify attachments that are scanned for viruses. For more information, see “Lists and
Templates”, 70.
Leave the list empty if you do not want to exclude any attachments from the scan.
heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
Centrally Managed Administration
By default, the heuristic scan is enabled for inbound mails and disabled for outbound and internal mails.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.
Sandbox Scanning Enable or disable the sandbox scan. The
sandbox scan emulates and analyzes the code in a safe and isolated environment known as the Sandbox.
By default, the sandbox scan is enabled for inbound mails and disabled for outbound and internal mails.
The sandbox scan may affect the product performance. Disable the sandbox scan if you need the scan to be faster.
CHAPTER 5 79
Attempt to Disinfect Infected Attachments
Action on Infected Messages
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Specify whether to drop the infected attachment or the whole message when an infected message is found.
Drop Attachment - Remove the infected attachment from the message and deliver the message to the recipient without the attachment.
80
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine Infected Messages
Do Not Quarantine These Infections
Send Virus Notification Message to Recipient
Send Virus Notification Message to Sender
Specify whether infected or suspicious messages are quarantined.
Specify infections that are never placed in the quarantine. If a message is infected with a virus or worm which has a name that matches a keyword specified in this list, the message is not quarantined. For more information, see “Lists
and Templates”, 70.
Specify the template for the notification message that is sent to the intented recipient when a virus or other malicious code is found.
Note that the notification message is not sent if the whole message is dropped.
Specify the template for the notification message that is sent to the original sender of the messag e when a virus or other malicious code is found.
Leave notification message fields empty if you do not want to send any notification messages. By default, notification messages are not sent.
For more information, see “Lists and Templates”,
70.
CHAPTER 5 81
Centrally Managed Administration
Do Not Notify on These Infections
Notify Administrator Specify whether the administrator is notified
Archive Processing
Specify how the product processes inbound, outbound and internal archive files.
Note that scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Archive processing is disabled when virus scanning is disabled.
Specify infections that do not gene rate notifications. When the product finds the specified infection, no notification is sent. For more information, see “Lists and Templates”, 70.
when F-Secure Anti-Virus for Microsoft Exchange finds a virus in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Scan Viruses Inside Archives
List of Files to Scan Inside Archives
Use Exclusions Specify files that are not scanned inside
Specify whether files inside compressed archive files are scanned for viruses.
Specify files inside archives that are scanned for viruses. For more information, see “Lists and
Templates”, 70.
archives. Leave the list empty if you do not want to exclude any files from the scan.
82
Max Levels in Nested Archives
Action on Max Nested Archives
Action on Password Protected Archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Quarantine Dropped Archives
Drop archive - Remove the password protected
archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Management”, 237.
Zero-Day Protection
Select whether Proactive Virus Threat Detection is enabled or disabled. Proactive virus threat detection can identify new and unknown e-mail
malware, including viruses and worms. When proactive virus threat detection is enabled, the product analyzes
inbound e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe.
Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected.
When proactive virus threat detection is disabled, inbound mails are only scanned by antivirus engines.
Grayware Scanning
Specify how the pr oduct processes grayware items in inbound, outbound and internal messages.
Note that grayware scanning increases the scanning overhead. By default, grayware scanning is enabled for inbound messages only.
CHAPTER 5 83
Centrally Managed Administration
Grayware scanning is disabled when virus scanning is disabled.
Scan Messages for Grayware
Action on Grayware S pecify the action to take on items which contain
Enable or disable the grayware scan.
The default value is Enabled for inbound messages and Disabled for outbound and internal messages.
grayware. Pass Through - Leave grayware items in the
message.
84
Drop Attachment - Remove grayware items from the message.
Drop the Whole Message - Do not deliver the message to the recipient.
Grayware Exclusion List
Quarantine Grayware Specify whether grayware attachments are
Do Not Quarantine This Grayware
Send Warning Message to Recipient
Send Warning Message to Sender
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
quarantined. Specify grayware that ar e never placed in the
quarantine. For more information, see “Lists and
Templates”, 70.
Specify the template for the notification message that is sent to the intented recipient when a grayware item is found in a message.
Note that the notification message is not sent if the whole message is dropped.
Specify the template for the notification message that is sent to the original sender of the messag e when a grayware item is found in a message.
Leave notification message fields empty if you do not want to send any notification messages. By default, notification messages are not sent.
Do Not Notify on This Grayware
For more information, see “Lists and Templates”,
70.
Specify the list of keywords for grayware types that are not notified about.
Notify Administrator Specify whether the administrator is notified
S pam Control
To change settings used when inbound messages are scanned for spam, see “Administering F-Secure Spam Control, 257.
CHAPTER 5 85
Centrally Managed Administration
If the product finds a grayware item with a name that matches the keyword, the recipient and the sender are not notified about the grayware item found.
Leave the list empty if you do not want to exclude any grayware types from notifications.
when F-Secure Anti-Virus for Microsoft Exchange finds a grayware item in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/ Alerting.
You can configure Spam Control settings for inbound messages, and only if you have F-Secure Spam Control installed.
The threat detection engine of F-Secure Anti-Virus for Microsoft Exchange can identify spam and virus patterns from the message envelope, headers and body during the first minutes of the new spam or virus outbreak.
If you enable the heuristic spam analysis, all messages that the threat detection engine does not classify as spam are further analyzed for spam. When the heuristic spam analysis is disabled, only the threat detection engine filters messages for spam.
Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering. For information on configuring Realtime Blackhole Lists, see
Configuration”, 266.
Realtime Blackhole List
86
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not. Trojans and other malicious code can disguise themselves with filename
extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File T ype Recognition strengthens the security but can degrade the system performance.
Security Options
Configure security options to limit actions of malformed and problematic messages.
Action on Malformed Mails
Max Levels of Nested Messages
Specify the action for non-RFC compliant e-mails. If the message has an incorrect structure, the product cannot parse the message reliably.
Drop the Whole Message - Do not deliver the message to the recipient.
Pass Through - The product allows the message to pass through.
Pass Through and Report - The product allows the message to pass through, but sends a report to the administrator.
Specify how many levels de ep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
CHAPTER 5 87
Centrally Managed Administration
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Action on Mails with Exceeding Nesting Levels
Quarantine Problematic Messages
Specify the action to t ake on in bound message s with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop the Whole Message - Messages with exceeding nesting levels are not delivered to the recipient.
Pass Through - Nested messages are scanned up to level specified in the Max Levels of Nested Messages setting. Exceeding nesting levels are not scanned, but the message is delivered to the recipient.
Specify if mails that contain malformed or broken attachments are quarantin ed for later analysis or recovery.
Trusted Senders and Recipients
You can use trusted senders and recipients lists to exclude some messages from the mail scanning and processing completely.
Trusted Senders
Trusted Recipients
Specify senders who are excluded fr om the m ail scanning and processing.
Specify recipients who are excluded from the mail scanning and processing.
88

5.2.3 Storage Protection

Edit general Storage Protection settings to configure how mailboxes and public folders are scanned in the Exchange Store with real-time, background, manual and scheduled scanning.
Real-Time and Background Scanning
The real-time and background scanning can automatically scan messages that have been created or received.
General Real Time Scanning Settings
Specify which messages you want to scan during the real time scanning.
Scan Only Messages Created Within
Scan Timeout Specify how long to wait for the real time scan
Specify which messages are scanned with the real time scanning, for example; Last hour, Last day, Last week. Messages that have been created before the specified time are not scanned.
result. After the specified time, the client that tries to access the scanned message gets the "virus scanning in progress" notificaion.
CHAPTER 5 89
Centrally Managed Administration
General Background Scanning Settings
Specify which messages you want to scan during the background scan.
Background Scanning
Scan Only Messages with Attachments
Scan Only Unprocessed Messages
Scan Only Messages Received Within
Enable or disable background scanning. Background scanning methodically scans specified messages stored in the database.
Specify whether to scan all messages or only messages with attachments. When the setting is Enabled, only messages that contain attachments are scanned on background scanning.
Specify whether to scan all messages or only messages that have not been processed yet. When the setting is Enabled, only unprocessed messages are scanned on background scanning.
Specify which messages are scanned on the background scan, for example; Last hour, Last day, Last week. Messages that have been received before the specified time are not scanned.
Virus Scanning
Specify messages and attachments in the Microsoft Exchange Storage that should be scanned for malicious code.
Disabling virus scanning disables archive processing and grayware scanning as well.
Scan Mailboxes Specify mailboxes that are scanned for viruses.
Disabled - Do not scan any mailboxes. Scan All Mailboxes - Scan all mailboxes.
90
Scan Only Included Mailboxes - Scan mailboxes specified in the Included Mailboxes list.
Scan All Except Excluded Mailboxes - Scan all mailboxes except those specified in the
Excluded Mailboxes list.
Included Mailboxes Specify mailboxes that are scanned for viruses
when the Scan Mailboxes setting is set to Scan Only Included Mailboxes.
Excluded Mailboxes Specify mailboxes that are not scanned when
the the Scan Mailboxes setting is set to Scan All Except Excluded Mailboxes.
Scan Public Folders Specify public folders that are scanned for
viruses.
Disabled - Do not scan any public folders. Scan All Folders - Scan all public folders. Scan Only Included Folders - Scan public
folders specified in the Included Folders list. Scan All Except Excluded Folders - Scan all
public folders except those specified in the
Excluded Folders list.
Included Folders Specify public folders that are scanned for
viruses when the Scan Public Folders setting is set to Scan Only Included Folders.
Excluded Folders Specify public folders that are not scanned wh en
the the Scan Public Folders setting is set to
Scan All Except Excluded Folders.
List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and
Templates”, 70.
Centrally Managed Administration
Use Exclusions Specify attachments that are not scanned.
Leave the list empty if you do not want to exclude any attachments from the scan.
Heuristic Scanning Enable or disable the heuristic scan. The
heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
Sandbox Scanning Enable or disable the sandbox scan. The
sandbox scan emulates and analyzes the code in a safe and isolated environment known as the Sandbox.
Sandbox scanning may affect the product performance. We recommend that you disable the Sandbox scan if you need the scan to be faster.
CHAPTER 5 91
Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
92
Quarantine Infected Attachments
Do Not Quarantine These Infections
Replacement Text Template
Specify whether infected and suspicious attachments are quarantined.
Specify infections that are never placed in the quarantine. For more information, see “Lists and
Templates”, 70.
Specify th e template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 70.
Archive Processing
Specify how the prod uct processes archive files in Microsoft Exchange Storage.
Archive processing is disabled when virus scanning is disabled.
Scan Viruses Inside Archives
List of Files to Scan Inside Archives
Use Exclusions Specify files inside archives that are not
Specify if files inside archives are scanned for viruses and other malicious code.
Specify files that are scanned for viruses inside archives.
scanned. Leave the list empty if you do not want to exclude any files from the scan.
Max Levels in Nested Archives
Specify how many levels de ep to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
CHAPTER 5 93
Centrally Managed Administration
Specify the number of levels the product goes through before the action selected in Action on Max Nested Archives takes place. The default setting is 3.
Action on Max Nested Archives
Action on Password Protected Archives
Quarantine Dropped Archives
Specify the action to t ake on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop - Archives with exceeding nesting levels are removed.
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Management”, 237.
Grayware Scanning
Specify how the produ ct processes grayware items in Microsoft Exchange Storage.
Grayware scanning is disabled when virus scanning is disabled.
94
Scan Messages for Grayware
Action on Grayware S pecify the action to take on items which contain
Grayware Exclusion List
Quarantine Grayware Specify whether grayware attachments are
Do Not Quarantine These Grayware
Replacement Text Template
Enable or disable the grayware scan.
grayware. Report only- Leave grayware items in the
message and notify the administrator. Drop attachment - Remove grayware items from
the message. Specify the list of keywords for grayware types
that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
quarantined. Specify grayware that ar e never placed in the
quarantine. For more information, see “Lists and
Templates”, 70.
Specify th e template for the text that replaces the grayware attachment when the grayware attachment is removed from the message. For more information, see “Lists and Templates”, 70.
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not. Trojans and other malicious code can disguise themselves with filename
extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File T ype Recognition strengthens the security but can degrade the system performance.
Manual Scanning
You can scan mailboxes and Public Folders for viruses and strip attachments manually at any time. You can start the manual scan with controls under the F-Secure Anti-Virus for Microsoft Exchange / Operations / Manual Scanning branch.
To start the manual scan, click Start and dist rib ut e the po licy. To start the manual scan, click Stop and distribute the policy.
General
Specify which messages you want to scan during the manual scan.
Scan Mailboxes Specify mailboxes that are scanned for viruses.
CHAPTER 5 95
Centrally Managed Administration
Disabled - Do not scan any mailboxes. Scan All Mailboxes - Scan all mailboxes. Scan Only Included Mailboxes - Scan mailboxes
specified in the Included Mailboxes list. Scan All Except Excluded Mailboxes - Scan all
mailboxes except those specified in the
Excluded Mailboxes list.
Included Mailboxes Specify mailboxes that are scanned for viruses
when the Scan Mailboxes setting is set to Scan Only Included Mailboxes.
Excluded Mailboxes Specify mailboxes that are not scanned when
the the Scan Mailboxes setting is set to Scan All Except Excluded Mailboxes.
Scan Public Folders Specify public folders that are scanned for
viruses.
Disabled - Do not scan any public folders. Scan All Folders - Scan all public folders.
96
Scan Only Included Folders - Scan public folders specified in the Included Folders list.
Scan All Except Excluded Folders - Scan all public folders except those specified in the
Excluded Folders list.
Included Folders Specify public folders that are scanned for
viruses when the Scan Public Folders setting is set to Scan Only Included Folders.
Excluded Folders Specify public folders that are not scanned wh en
the the Scan Public Folders setting is set to
Scan All Except Excluded Folders.
Incremental Scanning Specify which messages are scanned for
viruses during the manual scan.
All Messages - Scan all messages. Only Recent Messages - Scan only messages
that have not been scanned during the previous manual scanning.
Attachment Filtering
Specify attachments that are remove from messages during the manual scan.
Strip Attachments Enable or disable the attachment stripping. List of Attachments to
Strip
Use Exclusions Specify attachments that are not filtered. Leave
Quarantine Stripped Attachments
Specify which attachments are stripped from messages. For more information, see “Lists and
Templates”, 70.
the list empty if you do not want to exclude any attachments from the filtering.
Specify whether stripped attachments are quarantined.
CHAPTER 5 97
Centrally Managed Administration
Do Not Quarantine These Attachments
Replacement Text Template
Specify file names and file extensions which are not quarantined even when they are stripped.
If the message contains an attachment which is quarantined, all attachments linked to that message are quarantined, regardless of this setting.
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “Lists and Templates”, 70.
Virus Scanning
Specify messages and attachments that should be scanned for malicious code during the manual scan.
Scan Messages for Viruses
List of Attachments to Scan
Use Exclusions Specify attachments that are not scanned.
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
Specify attachments that are scanned for viruses. For more information, see “Lists and
Templates”, 70.
Leave the list empty if you do not want to exclude any attachments from the scan.
Heuristic Scanning Enable or disable the heuristic scan. The
heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
98
Sandbox Scanning Enable or disable the sandbox scan. The
sandbox scan emulates and analyzes the code in a safe and isolated environment known as the Sandbox.
Sandbox scanning may affect the product performance. We recommend that you disable the Sandbox scan if you need the scan to be faster.
Attempt to Disinfect Infected Attachments
Quarantine Infected Attachments
Do Not Quarantine These Infections
Replacement Text Template
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Specify whether infected or suspicious attachments are quarantined.
Specify infections that are never placed in the quarantine. If a message is infected with a virus or worm which has a name that matches a keyword specified in this list, the message is not quarantined. For more information, see “Lists
and Templates”, 70.
Specify th e template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 70.
CHAPTER 5 99
Centrally Managed Administration
Archive Processing
Specify how the product processes archive files during the manual scan.
Scan Archives Specify if files inside archives are scanned for
viruses and other malicious code.
List of Files to Scan Inside Archives
Use Exclusions Specify files inside archives that are not
Max Levels in Nested Archives
Action on Max Nested Archives
Specify files that are scanned for viruses inside archives.
scanned. Leave the list empty if you do not want to exclude any files from the scan.
Specify how many levels dee p to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
Specify the number of levels the product goes through before the action selected in Action on Max Nested Archives takes place. The default setting is 3.
Specify the action to t ake on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop - Archives with exceeding nesting levels are removed.
100
Action on Password Protected Archives
Quarantine Dropped Archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Management”, 237.
Grayware Scanning
Specify how the product processes grayware items during the manual scan.
Scan Messages for Grayware
Action on Grayware S pecify the action to take on items which contain
Enable or disable the grayware scan.
grayware.
Grayware Exclusion List
Report only- Leave grayware items in the
message and notify the administrator. Drop attachment - Remove grayware items from
the message. Specify the list of keywords for grayware types
that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
Loading...