McAfee SMEFCE-AI-DA, SaaS Email Protection Administration Manual

McAfee SaaS Email Protection Administrator Guide

Updated: November 2012

Proprietary and Confidential

Email Protection Administrator Guide

This document contains information that is proprietary and confidential to McAfee. No part of this document may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from McAfee. All copies of this document are the sole property of McAfee and must be returned promptly upon request.

McAfee, Inc. 9781 South Meridian Blvd., Suite 400 Englewood, CO 80112 USA Direct +1 720-895-5700 Fax +1 720-895-5757

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 2

Email Protection Administrator Guide

Contents

Overview..................................................................................................................... 1

Differences in Administration for Service Providers ............................................ 1

Account Management Necessary for Email Protection ........................................ 1

MX Record Validation ...........................................................................................2

Alias Domain Names ............................................................................................2

Auto-creation of Users .............................................................................................2

Email Filtering Policies ............................................................................................ 2

Types of Inbound Email Filtering ..........................................................................3

Types of Outbound Email Filtering ....................................................................... 8

Configurable Actions for Filtered Email ................................................................8

User-level Policy Configurations ..........................................................................10

Quarantine ...............................................................................................................10

Customizing the Interface ......................................................................................11

Licensed Branding ..............................................................................................11

Language Localization ........................................................................................12

Outbound Disclaimer ..........................................................................................12

Notifications ........................................................................................................ 13

Monitoring and Reporting ......................................................................................13

Optional Utilities ..................................................................................................... 13

Spam Control for Outlook® ............................................................................... 13

Disaster Recovery Services ...................................................................................14

Fail Safe ............................................................................................................. 14

Email Continuity ..................................................................................................14

Access Email Protection Administration 15

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission iii

Email Protection Administrator Guide

Who Can Access Email Protection Administration windows ............................. 15

Other Documents You Might Need .......................................................................19

Email Protection Documents ..............................................................................19

Web Protection Service Documents ................................................................... 20

Message Archiving Documents ..........................................................................20

User Guides ........................................................................................................20

Ensure You Can Receive Email from Your Service Provider .............................20

Log on to the Control Console ..............................................................................20

Reset Your Password from the log on window ................................................... 21

Check the Status of Email Protection on the Overview 25 Set up Your Servers 29

Confirm Your Inbound Servers Setup .................................................................29

Set up Additional Inbound Servers .......................................................................29

Delete an Inbound Server ...................................................................................30

Add IP Address of Outbound Server, If Necessary .............................................31

Delete an Outbound Server ................................................................................32

Set up a Smart Host (If Outbound Mail Defense is Turned on) .......................... 32

Add an Outbound Email Disclaimer ....................................................................32

Redirect Your MX Records .................................................................................... 33

Check Your MX Record ..........................................................................................34

Set up User Creation Mode — SMTP Discovery or Explicit ................................36

Customize Inbound Mail Filters 39

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission iv

Email Protection Administrator Guide

Enterprise or Service Provider Customer ............................................................ 39

Create a Custom Policy (Enterprise Customer Only) ..........................................41

Configure a Virus Filter ..........................................................................................43

Set Email Protection to Notify Users about Emails with Viruses ........................44

Configure a Spam Filter .........................................................................................45

Define the Action to Take on Spam ....................................................................46

Define Additional Words That Indicate Spam .....................................................47

Set up Spam Quarantine Reports ......................................................................50

Configure a Content Filter .....................................................................................53

Turn Off a Default Content Filter ........................................................................55

Custom Content Group .......................................................................................56

Notify Users about Spam Content ......................................................................57

Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons .............58

Configure Web Hyperlink Filters (ClickProtect) .................................................. 60

Define an Attachment Filter ...................................................................................62

Filter by Attachment File Types ......................................................................... 62

Filter by Attachment File Name ..........................................................................65

Filter Zip File Attachments ..................................................................................66

Notify Users about Attachment Violations ..........................................................67

Allow or Deny Email to or from Specific Addresses ...........................................68

Allow Email from a Specific Address .................................................................. 69

Deny Email from a Specific Address ................................................................. 70

Deny Email to a Specific Recipient ....................................................................72

Save a Copy of an Allow, Deny, or Recipient Shield List ...................................73

Add Allow, Deny, or Recipient Shield Addresses with a Batch File .................... 73

Email Authentication ..............................................................................................73

Transport Layer Security ....................................................................................73

Enforced SPF ..................................................................................................... 75

Define the Format and Text of Notifications to Users .........................................80

Variables within a Notification .............................................................................80

Define the Format and Text of Virus Notifications ..............................................81

Define the Format and Text of Content Violation Notifications ...........................83

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission v

Email Protection Administrator Guide

Define the Format and Text of Attachment Violation Notifications ..................... 84

Email Authentication ...........................................................................................85

Disaster Recovery .................................................................................................. 87

Assign a Group to the Custom Policy .................................................................. 88

Customize Outbound Mail Filters 89

Create a Custom Outbound Policy .......................................................................89

Configure a Virus Filter ..........................................................................................90

Configure a Content Filter .....................................................................................90

Email Encryption for Content Groups .................................................................91

Define an Attachment Filter ...................................................................................92

Define the Format and Text of Notifications to Users .........................................92

Assign a Group to the Custom Policy .................................................................. 92

Managing Quarantine Reports 93

Set up Quarantine Reports .................................................................................... 93

Monitor Users’ Quarantined Email ........................................................................93

Primary Email Addresses, Aliases, and Public Domain Addresses ....................94

Search for Quarantined Email ............................................................................ 94

Interpret the Search Results ...............................................................................95

Sort the Search Results ......................................................................................96

Delete Quarantined Messages ...........................................................................97

Release Quarantined Messages ........................................................................97

View Quarantines Messages ..............................................................................97

Monitor Your Own Quarantine ............................................................................99

Set up Disaster Recovery Services 101

Administer Disaster Recovery Services .............................................................101

Set up Spooling for Disaster Recovery ............................................................. 101

Set up Notifications of Disaster Recovery ........................................................102

User-Level Policy Configuration 103 System Reports 105

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission vi

Email Protection Administrator Guide

Email Protection Reports .....................................................................................105

View an Email Protection Report ........................................................................106

Traffic Overview ................................................................................................107

Traffic: Enforced TLS Report ............................................................................109

Traffic: Encryption ................................................................................................110

Threats: Overview ............................................................................................111

Threats: Viruses ............................................................................................... 113

Threats: Spam ....................................................................................................... 115

Threats: Content ...................................................................................................117

Threats: Attachments ...........................................................................................119

Enforced TLS: Details .......................................................................................... 121

Enforced SPF Report ............................................................................................122

ClickProtect: Overview .........................................................................................123

ClickProtect: Click Log ........................................................................................ 125

Quarantine: Release Overview ............................................................................126

Quarantine: Release Log .....................................................................................128

View Details of Log Items ....................................................................................130

User Activity ..........................................................................................................131

Event Log .............................................................................................................. 133

Audit Trail .............................................................................................................. 134

Inbound Server Connections ...............................................................................135

Disaster Recovery: Overview ..............................................................................137

Disaster Recovery: Event Log .............................................................................138

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission vii

Email Protection Administrator Guide

Administer MSP Connector ................................................................................. 139

Configure the MSP Connection ........................................................................139

Add Domains to the MSP Connection .............................................................. 141

Turn on Exception Notifications for the MSP Connection .................................142

View an MSP Connector Audit Report .............................................................143

Administer Performance Reports .......................................................................147

Performance Report Descriptions ....................................................................148

Tips and Frequently Asked Questions 153

FAQs ................................................................................................................153

Tips/Techniques ............................................................................................... 159

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission viii

Email Protection Administrator Guide Differences in Administration for Service

1. Overview

McAfee® Saas Email Protection provides security services that safeguard corporations from unsolicited spam email (junk mail), viruses, worms, and unwanted content at the network perimeter before they can enter the internal network.

Multiple layers of McAfee Saas Email Protection provide secure and complete email filtering to protect your users. You can enable or disable specific layers by changing the licensed packages of features and/or through configuring the specific email policies in the Control Console, the comprehensive graphical interface into McAfee Saas Email Protection.

This document describes the tasks necessary to configure and maintain your McAfee Saas Email Protection.

Differences in Administration for Service Providers

This document is for use by Enterprise customers only. Service Provider customers do not administer groups for Email Protection and therefore, do not assign groups to email filtering policies. Instead, Service Provider customers assign policies directly to domains.

The capabilities for managing policies and groups, as described in this document, apply only to Enterprise customers.

Account Management Necessary for Email Protection

Account Management is a set of administrative windows you use to configure and manage the entities that use or are affected by Email Protection (Email Protection), as well as the Web Protection Service (WDS) and Message Archiving products. These entities include:

• Domains

•Users

• Other administrators, including other Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers

In addition, for Email Protection only, you use Account Management to administer groups of users that share a common email filtering policy.

For more information, see Account Management Administrator Guide.

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 1

Auto-creation of Users Email Protection Administrator Guide

MX Record Validation

You can validate that the MX Records that are configured for your domain are properly redirected by entering the specific DNS and/or IP address for your MTA server. The Control Console displays the MX Record configuration as reported by the authoritative DNS server.

See Check Your MX Record.

Alias Domain Names

You can configure alias domain names that act as virtual domains using the configurations and email addresses defined in the primary Domain name. Email addresses are created automatically for alias domains (for example, jsmith@yourcompanyalias.com is automatically created for jsmith@yourcompany.com), allowing the single user to receive email for both addresses.

For more information, see Account Management Administrator Guide.

Auto-creation of Users

The Email Protection automatically creates new user accounts if all the following is true:

• SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a convenient way to add users to your service. However, this capability might also add users who are not real users at your company and not add users who are real.

• SMTP discovery creates users that receive eight valid emails within a 24 hour period.

• A user account does not exist for the email address in the designated Domain.

• The emails were not addressed to an alias domain name.

For more information, see Set up User Creation Mode — SMTP Discovery or Explicit.

Email Filtering Policies

Email Protection has default inbound and outbound mail filters to block and clean malicious email and to quarantine email that might be malicious. The filters are configured by using policies, which are the parameters for the filters default policies are automatically assigned to each of your domains.

You can customize the default inbound policy for any and each domain, or any and each group, to fit your business Email Protection.

For more information, see Customize Inbound Mail Filters.

2 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Email Filtering Policies

Types of Inbound Email Filtering

Email Protection can filter both inbound and outbound email. Inbound filtering that is available to be configured is as follows:

• Anti-Spam Filtering

• Real-time Blackhole List

• Anti-Virus Filter

• Content Filtering and ClickProtect

• Attachment Filtering

• Multi-Level Allow and Deny Lists

Anti-Spam Filtering

Spam is usually defined as unsolicited (and usually unwanted) and commercial email sent to a large number of addresses. However, what one recipient may consider as spam, another recipient would consider as legitimate email.

In addition, spam has become a tool of hackers and electronic terrorists who deliberately attempt to gather proprietary information from computer systems and/or attempt to cause harm to a company’s email system. Typically, these types of spammers deliberately use naming standards, hijacked From: addresses, scrambled content, etc., to bypass spam filters such as blacklists and keyword lists.

Using Stacked Classification Framework®, Email Protection provides the most comprehensive and effective spam-blocking product on the market today—blocking 98% of spam and providing an industry-leading low false positive rate (legitimate email marked as spam).

The Stacked Classification Framework aggregates the most effective spam filters and techniques in the industry into a spam likelihood. As appropriate, email is assigned a high or medium likelihood of being spam. A separate email action can be assigned to each likelihood.

The spam classification techniques include the following:

Spam FilterType Description

IP Reputation Connection Manager

Bayesian Statistical Filtering

This filter operates at the front of the Stacked Classification Framework. It rates the reputation of every incoming email, based on IP reputation data collected by your Email Protection provider on an on-going basis. Connections are dropped for all messages which originate from IP addresses that are determined to carry a reputation for sending spam.

Statistical algorithms built by your Email Protection provider identify and quantify the possibility that an email is spam based on how often elements in that email have appeared in identified spam emails.

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 3

Email Filtering Policies Email Protection Administrator Guide

Spam FilterType Description

Industry Heuristics Email Protection incorporates thousands of successful industry-

wide spam-fighting rules to recognize characteristics of spam.

Proprietary Heuristics Email Protection experts write and update thousands of proprietary

rules to block spam, including fraudulent phishing spam, using real-time data from your service provider’s Threat Center.

URL Filtering URL filtering works by comparing embedded links found in emails

with URLs associated with identified spam.

Reputation Analysis Email Protection constantly monitors inbound email to build a list

of IP addresses and domain names to rate the reputation of the sender based upon the percentage of spam emails received from that address in the past.

Reputation-Based RBL Filtering

Sender Policy Framework (SPF)

Using up to 31 real-time blackhole lists (RBLs) of known spammers provided by the industry, Email Protection creates a single RBL indicator to help gauge the likelihood of an email being sent by a known spammer. By using multiple black lists to create a single vote and by rating the reputation of each RBL based on its accuracy at distinguishing spammers from senders of legitimate email helps to minimize the possibility of a non-spammer being blocked by mistake.

The SPF classifier helps identify and block fraudulent spoofing emails – those sent by spammers with forged “From” addresses – from entering your email network. For each inbound email, the SPF classifier will look up the sending domain’s Domain Naming System (DNS) record and its list of authorized IP addresses.

Emails that carry an IP address not found on the authorized list will be included within the Stacked Framework Classification System for the detection of spam. By determining whether or not the relationship between the DNS record and the IP address is legitimate, Email Protection is able to more accurately filter out fraudulent spoofed emails. As a result, Email Protection reduces risk for users who might be duped by the email into divulging confidential personal information.

Real-time Blackhole List

The Real-time Blackhole List (RBL) is a system for creating intentional network outages (blackholes) for the purpose of limiting the transport of known-to-be-unwanted mass email. The RBL is a database of IP addresses that are reported to be spam sources.

4 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Email Filtering Policies

Anti-Virus Filter

Email Protection provides highly effective, organization-wide virus and worm protection. By identifying viruses and worms at your network perimeter—before they enter or leave your messaging infrastructure— Email Protection minimizes outbreak and infection risks to your enterprise messaging infrastructure. You can configure whether infected emails are quarantined, denied, or stripped of infection.

• Provides maximum protection using multiple, industry-leading anti-virus engines to allow Email Protection to customize the protection to meet the latest threats.

• Virus definition updates every 5 minutes provide up-to-the-minute defense against the latest threats.

• Provides safe, external virus scanning and quarantine management for protection against viruses before they reach your network. Protects your users, networks, and data from harm

Content Filtering and ClickProtect

Email Protection protects your organization and reduces liability and risk by automatically identifying unwanted and malicious content before it enters or leaves your network.

You can enable any of the following types of content filtering:

Content Filter Type Description

Predefined Content Keyword Groups

Customized Content Keyword Groups

Multiple Levels of HTML Filtering

Graphic Image Replacement

You can enable or disable predefined content keyword groups provided by Email Protection:

•Profanity

• Sexual Overtones

• Racially Insensitive

You can define customized content keyword groups containing terms and phrases to satisfy the business and security Email Protection of your organization.

You can designate the level of HTML filtering to be used (low, medium, or high), with predefined actions for each level. Depending on the level, malicious HTML tags and scripting options embedded in email are stripped.

You can enable or disable the automatic replacement of images with a transparent 1x1 pixel GIF within HTML emails.

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 5

Email Filtering Policies Email Protection Administrator Guide

Content Filter Type Description

Stripping of Spam Beacons or

Web bugs

Spam beacons and web bugs are typically transparent, 1x1 pixel graphics embedded in HTML content that send information about your system to the source (usually a URL) of the spam beacon or web bug. Typically, web bugs are used on Web sites to monitor surfing behavior, but now spammers are hiding them in their mass mailings as spam beacons. If the graphic is not removed before an email is opened, the spam beacon sends a signal back to the spammer’s URL that lets the spammer know whether the email was opened and if the recipient’s email address is valid. If the spammer gets this signal, the recipient is marked as a valid email address and is guaranteed to receive more spam in the future.

You can enable or disable the auto

matic stripping of spam beacons

or Web bugs within HTML emails.

Disabling hyperlinks within email

ClickProtect

with

ClickProtect allows you to monitor and disable or enable whether Web hyperlinks received in emails can be clicked and followed by the user. With multiple levels of ClickProtect policy control, Administrators can customize the desired level of protection. This feature supports blocking phishing sites and accidental downloads of viruses and worms.

Attachment Filtering

Email Protection provides you the ability to control the types and sizes of allowed attachments entering your email network. You can control attachment filtering using any of the following:

Attachment Filter

Type

Attachment Filtering

File Type

Attachment Filtering

Size

Custom Attachment Rules by

Filename

Filtering for Files

ained within a Zip

Cont File Attachment

Encrypted or “High Risk” Zip

File

Attachment Rules

Description

You can enable or disable filtering of attachments by file type. File type is determined using the file extension, MIME content type, and binary composition.

You can designate a maximum allowed size for each enabled attachment type.

You can configure custom rules using filenames that override the global settings for an attachment file type. You can designate that the rule use the entire filename or any part of the filename.

You can configure custom rules to cause Email Protection to analyze the files within a zip file attachment, if possible, to determine if a file in the zip file violates attachment policies. If the zip file cannot be analyzed, you can designate the email action to be applied.

You can configure custom rules for emails with encrypted zip files and/or zip files that are considered high risk (too large, too many nested levels, etc.).

6 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Email Filtering Policies

Multi-Level Allow and Deny Lists

Email Protection allows you to define lists of emails that will always be denied (blacklists) or will always be accepted (whitelists) at multiple levels. In addition, you can enable thirdparty Real-time Blackhole List to be used to filter unwanted emails.

The administrator-level lists override the user-level lists in a top-down manner: global lists first, policy set lists next, and lastly user-level lists. For example, if the same address is added to a user-level Allow list and the policy set Deny list, the address is always denied.

At the same level, the Allow list overrides the Deny list. For example, if you designate a range of email addresses (for example, by designating an entire domain) in the Deny list, but then designate a single email address from that domain in the Allow list, the email from that single address will be always accepted while the email from any other address in the domain in the Deny list will be always denied.

The same address string cannot be added multiple times in the same list or added to both the Allow and Deny lists.

Be aware that emails that have been quarantined by Email Protection may not need to be added to Deny lists because they are already being blocked from entering your email network.

Following are the types of Allow and Deny lists that are available in Email Protection:

Allow/Deny List

Type

Global Deny List If your Email Protection provider determines that a Sending

SMTP has sent too many invalid incoming emails within a specified time period, it will add the IP address for that Sending SMTP to a Global Deny List for a designated time period (default is 2 hours). During the denial period, all emails received from that Sending SMTP will be automatically denied. This process helps to protect against dictionary harvest and Denial of Service attacks. This process can be disabled at the system level.

Policy set-level Sender Deny Lists and Sender Allow Lists

Sender Deny lists indicate sender addresses from which email is denied automatically. Sender Allow lists indicate sender addresses from which email is allowed without spam, content, or attachment filtering (virus filtering is always enabled unless specifically disabled).

You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file.

Each policy set affects the email filtering for all user accounts in the groups that are subscribed to that policy set.

Description

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 7

Email Filtering Policies Email Protection Administrator Guide

Allow/Deny List

User-level Deny Lists and Allow Lists

Recipient Shield List You can define a list of recipient em

Maintained by you and/or the user, Deny lists indicate sender addresses from which email is denied automatically. Allow lists indicate sender addresses from which email is allowed without spam filtering (all other enabled filtering will be applied).

You can designate a single email address, entire domains or IPs, or

se wildcards to designate ranges of addresses. Optionally, you

u can save these lists to a spreadsheet file.

These lists affect only the emails received for the designated user account

want to specify special email actions (for example, you want to deny all emails for a user who is an ex-employee). You can also specify the email action to take if the recipient email address is invalid in your system (permfailed by your email server as an invalid recipient).

and its alias addresses (user-level lists).

Description

ail addresses for which you

Types of Outbound Email Filtering

You can add outbound filtering to each package, helping to ensure the safety and appropriateness of information being sent from your corporate email system to valued customers or business partners.

Filter Type Description

Content Filtering

Attachment Filtering

Virus

canning

This feature automatically prevents inappropriate, confidential content from leaving your corporate email system, allowing you to monitor and enforce your corporate email policies.

Outbound attachments can be filtered by size, by MIME content type, or by policies.

Outbound virus scanning stops viruses and worms from leaving your corporate email system, preventing your enterprise from being the source of email-borne viruses to customers, suppliers, and partners.

binary content, according to your corporate email

malicious, or

Configurable Actions for Filtered Email

In Email Protection, email filtering policies control how emails are filtered within a specific Domain and how Email Protection will respond during email filtering and reporting. Depending on the feature package that is licensed for a domain, specific email filters will be available to be enabled and configured. Also, depending on the enabled email filter, various actions must be configured that define how Email Protection will respond if an email violates the specific filter policy.

8 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Email Filtering Policies

Based on the defined policy configuration, each email that violated the specified policy can have any of the following actions taken, depending on the type of policy:

Action Description

Quarantine The email is added to the respective quara

ntine area and is not sent to the recipient email address. If the email violated a spam policy, the email is reported in the user’s Spam Quarantine Report.

Tag The subject line of the email has a descri

ptive phrase (for example, “[SPAM]”) added to the beginning of the subject text and the email is sent to the recipient email address.

Deny Delivery The email is blocked automatically. Depending on the sending system’s

nfiguration, the email sender may or may not be notified with a 5xx

co Deny email.

Do Nothing or Allow

elivery

The email is forwarded to the recipient email address with no processing applied. The values in the reports and the

Overview

window will be incremented for the relevant email policy to indicate that an email did trigger the specific policy.

Silent Copy A copy of the email is forwarded to a list of designated email address

with no notification to the sender or recipient.

Strip Attachment If the email had an attachment that vi

olated configured policies, this action causes that attachment to be removed from the email and the email is be sent to the recipient email address. Text is inserted into the email notifying the recipient that an attachment has been stripped. Only the attachment that violated the policy is stripped.

Clean If the email had an attachment that

contained a virus or worm, this action attempts to remove the virus or worm and preserve the attachment. If the clean is successful, text is inserted into the email notifying the recipient that an attachment had contained a virus and was cleaned. If this action is selected, a second fall-back action also must be designated in case the Clean action fails. This action is specific to the virus filtering policies.

Custom X-Header If the email was determined to have a high or medium likelihood of

Disable Filter A non-administrator user cannot disable virus filtering if it is licensed

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 9

spam, you can configure that a custom X-header be inserted into

being the email. This X-header can be used by your email servers to perform additional actions within your network, such as redirecting the email. Each spam likelihood can have a different custom X-header. This action is specific to the spam filtering policies.

and enabled

for a specific Domain or policy set. Only Administrators

can enable or disable virus filtering for a specific Domain or policy set.

You can designate that Email Protection first attempts to remove the

from an infected attachment, and if the clean fails, perform

virus another action. You can designate that only the infected attachment is stripped. and the remaining email contents and attachments are sent to the recipient.

User-level Policy Configurations Email Protection Administrator Guide

Notifications for Filtered Email

You can enable or disable email notifications to the sender and/or recipient email addresses of email that was filtered because of virus, content keywords, or attachment.

For more information, see one of the following:

• Set Email Protection to Notify Users about Emails with Viruses

• Notify Users about Spam Content

• Notify Users about Attachment Violations

User-level Policy Configurations

By default, policy configurations are defined for each domain and group. All emails received for all user accounts within a domain or group are processed using the same policy configurations.

Optionally, user-level policy configurations can be defined for individual users that override the Domain/Group policies. Thus, if there is a conflict between a user-level policy and any of the other types of policy configurations, the user-level policy setting will be used. These user-level policy configurations allow customization of email actions for each user.

User-level policies are confined to the following policies:

• Enable or disable email processing for spam, virus, content keyword, attachments, and/or HTML content.

• Specify actions to take for emails if they are determined to have a high or medium likelihood of being spam.

• Configure the spam quarantine reporting

To manage the policy for an individual user, see User-Level Policy Configuration.

To establish user control of policies, see Set up Spam Quarantine Reports.

User also can have some control over their policies.

Quarantine

Email Protection provides multiple quarantine areas with different security accesses to store and support review of suspect email outside of your email network.

Emails that violate configured policies and that have the Quarantine action applied are sorted into multiple quarantines to ease email management and support security levels:

• Spam Quarantined Messages – Accessible to all users, with users with role of User or Reports Manager allowed to access only their own personal spam quarantine

10 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Customizing the Interface

• Virus Quarantined Messages – Accessible to only Administrators and Quarantine Managers

• Attachment Quarantined Messages – Accessible to only Administrators and Quarantine Managers

• Content Keyword Quarantined Messages – Accessible to only Administrators and Quarantine Managers

Within each quarantine, you can do any of the following:

• Delete selected emails or all emails

• Release selected emails or all emails for delivery to the recipient

• View selected email in a Safe View window

• Add the sender email addresses to the recipients’ user-level Allow list and release the emails (available only for quarantined spam emails)

Emailed Reports of Quarantined Spam Emails

Optionally, emails are sent to users to indicate that spam emails that have been quarantined, using either of the following types of emails:

• Spam Quarantine Report Spam Quarantine Reports are HTML-based email notifications of quarantined spam

emails that sent to users. Multiple links in the Reports allow management of quarantined spam email based on policy set-level and user-level configurable control settings. When the user clicks a link, the designated action is performed and the user is automatically logged into the Control Console.

• Spam Quarantine Summary Spam Quarantine Summaries are optional text-based email notifications of

quarantined spam email sent to users, to support email applications that are not HTML-compatible. The user clicks the link provided in the email and is automatically logged into the Control Console. Once logged in, the user can navigate to the relevant window to manage the spam quarantine and modify personal settings.

Customizing the Interface

Licensed Branding

There are multiple branding levels that control the appearance and URL addresses used within the Control Console and Spam Quarantine Reports and Summaries:

• Standard – Branding uses images and addresses provided by your service provider.

• Private – You control the images and addresses.

• Cobrand – Branding uses images provided by you and your service provider., and addresses provided by you.

• White Label – Branding uses no identifying images and uses addresses provided by you.

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 11

Customizing the Interface Email Protection Administrator Guide

Branding levels other than Standard must be licensed separately.

For more information, see Rebrand Your User Interface in Account Management Administrator Guide.

Language Localization

Within the Control Console, windows and features available to the non-administrative user (whose role is User) can be provided in translated form supporting multiple languages. When the user logs in via the log on window, he or she can select the desired language in the Language field. Thereafter, all spam quarantine reporting emails and window and field labels will be provided in the designated language.

The following languages are supported:

• Brazilian Portuguese

• Chinese Simplified

• Chinese Traditional

•Danish

•Dutch

• English

•Finnish

•French

•German

• Italian

• Japanese

• Korean

• Norwegian

• Portuguese

• Russian

• Spanish

•Swedish

•Turkish

This feature is available only to non-administrative user accounts. This feature must be enabled at the system level to be available.

As a Customer Administrator, you can set the language for a user on the user’s Preferences window. See Set User Display Preferences, Including Your Own in Account Management Administrator Guide.

Outbound Disclaimer

You can define text that will be appended to the email content to support liability or legal requirements for your organization. Every email that was sent from your organization to Email Protection for email filtering will have the designated text added to the end of the email content. This feature requires that outbound filtering be licensed.

12 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Monitoring and Reporting

See Add an Outbound Email Disclaimer.

Notifications

You can customize the content of the notification email for each combination of the type of filter and each type of email action (quarantine, deny, or strip).

See Define the Format and Text of Notifications to Users.

Monitoring and Reporting

Email Protection provides near-real-time monitoring for most reports of system usage, email filtering, etc., for the designated Domain and date or date range. Report data is available to be downloaded to Microsoft Excel spreadsheet file (*.csv).

There are multiple reports available for viewing in the Control Console:

For more information, see System Reports.

Optional Utilities

Your service provider provides additional, free tools that provide additional support for your email network.

Spam Control for Outlook®

If you receive email that you feel should have been filtered as spam, you can use the Spam

Control for Outlook packages the email data, forwards it to your service provider’s Threat Center, and then deletes it from your Microsoft Outlook mailbox. This utility only works for the Outlook mail client.

You can download this utility at the following location:

http://www.mxlogic.com/services/spam_blocking/spam_control.html

plug-in. The Spam Control for Outlook plug-in automatically

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 13

Disaster Recovery Services Email Protection Administrator Guide

Disaster Recovery Services

Fail Safe

The Fail Safe Disaster Recovery Service provides protection against lost emails in the case when your inbound email server (a.k.a. Customer MTA server) may be unavailable to receive email. If you have multiple inbound servers configured in Email Protection, all of these servers must be unavailable before Fail Safe is invoked.

When your inbound servers becomes unavailable, Fail Safe begins spooling email, which means Fail Safe stores your emails in a temporary location until your inbound server becomes available. Once any of your inbound servers become available, Fail Safe begins unspooling the emails. That is, Fail Safe restores these stored emails to the inbound server using the first in, first out order.

The messages Fail Safe stores are not available until the messages have been unspooled. Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days.

For more information, see Administer Disaster Recovery Services.

Email Continuity

Email Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Email Continuity delivers the messages. Users can access their messages through a Web-based interface while messages are in Email Continuity only.

Email Continuity also has unlimited storage capacity and removes messages that have been in Email Continuity storage for more than 60 days.

For more information, see Administer Disaster Recovery Services.

14 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Who Can Access Email Protection Admin-

2. Access Email Protection Administration

As a customer of Email Protection, you can have administrators who access the Control Console with different levels of privileges within Account Management and Email Protection.

Who Can Access Email Protection Administration windows

The levels of administrative users you can add are as follows:

Administrative level Description

Reports Manager The Reports Manager can view, for an assigned domain, reports

available with Email Protection. The Reports Manager can also manage his or her own user preferences and all other tasks a user can perform.

Group Administrator The Group Administrator can add and remove members from one

re groups if assigned to those groups. A Group Administrator

or mo can also create, edit, and modify Email Protection policies for the assigned groups. Finally, a Group Administrator can view user lists and user details. A Group Administrator does not need to be a member of a group in order to have these capabilities.

Note: A Group edit user information

Quarantine Manager The Quarantine Manager, for an assigned domain, can manage the

same areas as domain, all users’ Quarantine for spam and other problematic messages, only if Email Protection is enabled.

Domain Administrator The Domain Administrator, for an assigned domain, can manage

same areas as a Quarantine Manager, plus manage server setup

the and authentication rules for the domain.

Customer Administrator The Customer Administrator can manage

customer’s Account Management for all domains.

Group Adsministrator The Group Administrator can, within the Group Administrator’s

assigned groups if assigned to those groups. A Group Administrator can also create and modify Email Protection policies for the assigned groups. A Group Administrator does not need to be a member of a group in order to have these capabilities.

Administrator cannot add or remove a group nor

a Report Manager, plus manage, for the assigned

all aspects of the

domain, add and remove members from one or more

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 15

Who Can Access Email Protection Administration windows Email Protection Administrator Guide

The following figure summarizes the levels of administrators, plus users, in an Email Protection configuration.

Table 1: Email Protection Window Access Privileges

Window Access Feature

Enablement

Required

Overview No Ye s Ye s No No

Policies tab

Policy Sets No Ye s No No Ye s

Anti-virus: Action No Ye s No No Ye s

Anti-virus: N

otifications

Anti-SPAM: Classification

Anti-SPAM:

ent Groups

Cont

Anti-SPAM:

orting

Rep

No Ye s No No Ye s

Customer

Administrator

Domain

Administrator

Quarantine

Manager

Admnistrator

Group

Content: Content

oups

16 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

No Ye s No No Ye s

Email Protection Administrator Guide Who Can Access Email Protection Admin-

Window Access Feature

Enablement

Required

Content: Custom Content Groups

Content: Notifications

Content: HTML Shield

Content: Click Protect

Attachments: File Types

Attachments: File Name Policies

Attachments: Additional Policies

Attachments: Additional Notifications

No Ye s No No Ye s

Customer

Administrator

Ye s No No Ye s

Domain

Administrator

Quarantine

Manager

Admnistrator

Group

Allow/Deny: Sender Allow

Allow/Deny: Sender Deny

Allow/Deny: Recipient Shield

Enforced TLS: Actions

Enforced TLS: Notifications

Notifications: Content

Notifications: Attachment

Group Subscriptions

Disaster Recovery Ye s No No Ye s

Quarantine Tab No Ye s Ye s Yes No

No Ye s No No Ye s

SetupTab No

November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 17

Who Can Access Email Protection Administration windows Email Protection Administrator Guide

Window Access Feature

Enablement

Required

Inbound Servers Setup

Outbound Servers Setup

Outbound Disclaimer

Disaster Recovery Setup

No Ye s Ye s No No

Ye s. Depending on your purchased package, this service might need to be enabled.

Yes. Either FailSafe or Email Continuity must be enabled or included in your package.

Customer

Administrator

Ye s Ye s No No

Domain

Administrator

Quarantine

Manager

Admnistrator

Group

MX Records Setup No Yes Ye s No No

User Creation Settings

Reports tab

Traffic Overview No Ye s Ye s Ye s No

Threats Overview No Ye s Ye s Ye s No

Threats: Viruses No Ye s Ye s Ye s No

Threats: Spam No Ye s Ye s Ye s No

Threats: Content No Ye s Ye s Ye s No

Threats: Attachments

ClickProtect:Over view

ClickProtect: Click Log

No Ye s No No No

No Ye s Ye s Ye s No

18 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012

Email Protection Administrator Guide Other Documents You Might Need

Window Access Feature

Enablement

Customer

Administrator

Domain

Administrator

Quarantine

Manager

Admnistrator

Required

Quarantine: Release Overview

Quarantine: Release Log

User Activity No Ye s Ye s Ye s No

Event Log No Ye s Ye s Ye s No

Audit Trail No Ye s Ye s Yes No

Inbound Server Connections

Disaster Recovery: Overview

Disaster Recovery: Event Log

No Ye s Ye s Ye s No

Yes. Either FailSafe or Email Continuity must be enabled.

Ye s Ye s Ye s No

Group

McAfee SMEFCE-AI-DA, SaaS Email Protection Administration Manual

Specifications and Main Features

Frequently Asked Questions

User Manual