COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
Contents

Preface . . . 5
    About this guide . . . 5
        Audience . . . 5
        Conventions . . . 5
        What's in this guide . . . 6
        Finding product documentation . . . 6
1 Introducing McAfee Security for Microsoft Exchange . . . 7
2 Dashboard . . . 13
    Launching the dashboard . . . 13
    Statistical information of detected items . . . 14
        Product versions and updates . . . 15
        Detections report . . . 16
    On-demand scan and its views . . . 17
        Viewing On-demand scan tasks . . . 18
        Creating an on-demand scan task . . . 18
    Status reports . . . 19
        Scheduling a new status report . . . 19
    Configuration reports . . . 20
        Scheduling a new configuration report . . . 21
    Graphical reports . . . 22
        Viewing graphical reports . . . 22
3 Detected Items . . . 25
    Detection types . . . 25
    Viewing detected items . . . 26
        Search filters . . . 26
        View results . . . 27
4 Policy Manager . . . 29
    Inheritance and advanced views . . . 30
    Subpolicies . . . 30
        Creating subpolicies . . . 31
    Setting policies . . . 31
        Listing all the scanners . . . 31
        Creating a new rule for a specific user . . . 33
    Core scanners and filters . . . 33
        Configuring scanner settings . . . 34
        Filter settings for a policy . . . 41
    Alert settings and disclaimer text . . . 48
        Miscellaneous settings for a policy . . . 48
        Creating a new alert . . . 50
        Enabling Product Health Alerts . . . 52
    Shared Resource . . . 52
        Configuring the shared scanners, filters, and alert settings . . . 53
        Configuring filter rules and time slots . . . 56
6 Frequently Asked Questions . . . 73
A Using file filtering rule and actions in a real-time scenario . . . 77
B Using the McAfee Security for Microsoft Exchange Access Control
    Configuring repositories and proxy settings . . . 82
        Adding a repository . . . 82
        Specifying proxy settings . . . 83
Index . . . 85
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
    About this guide
    Finding product documentation

About this guide
Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
    Administrators    People who implement and enforce the company's security program.
Conventions
This guide uses the following typographical conventions and icons.

    Book title or Emphasis    Title of a book, chapter, or topic; introduction of a new term; emphasis.
    Bold                      Text that is strongly emphasized.
    User input or Path        Commands and other text that the user types; the path of a folder or program.
    Code                      A code sample.
    User interface            Words in the user interface including options, menus, buttons, and dialog boxes.
    Hypertext blue            A live link to a topic or to a website.
    Note:                     Additional information, like an alternate method of accessing an option.
    Tip:                      Suggestions and recommendations.
    Important/Caution:        Valuable advice to protect your computer system, software installation, network, business, or data.
    Warning:                  Critical advice to prevent bodily harm when using a hardware product.
Introducing McAfee Security for Microsoft Exchange

McAfee Security for Microsoft Exchange uses advanced heuristics against viruses, unwanted content, potentially unwanted programs, and banned file types or messages. It protects your Microsoft Exchange server from various threats that could adversely affect the computers, network, or employees. It also scans:
    Subject line and body of the email messages
    Email attachments (based on file type, file name, and file size)
    Text within the email attachments
The software also includes the McAfee Anti-Spam add-on component that protects your users from spam and phishing emails. This release of McAfee Security for Microsoft Exchange uses PostgreSQL 8.4.7, which runs under the SYSTEM account.

Contents
    Overview
    Features
    Why McAfee Security for Microsoft Exchange
    How McAfee Security for Microsoft Exchange protects the Exchange Server
Overview
McAfee Security for Microsoft Exchange has an enhanced protection profile to provide the best protection for your Microsoft Exchange servers.

    Global Threat Intelligence    A global threat correlation engine and intelligence base of global messaging and communication behavior that significantly increases spam detection. It is always-on, real-time protection that safeguards you from emerging threats. Global Threat Intelligence prevents damage and data theft even before a signature update is available, and provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products.
    McAfee Stack Upgrade    The latest McAfee Agent and engine for the highest level of protection.
    Single product support    McAfee Security for Microsoft Exchange 7.6 supports Microsoft Exchange versions 2003, 2007, and 2010 (see System requirements in the Installation Guide for more details). Installation and configuration have been simplified and include customized silent installs, installing only the components needed for the particular server role, and two built-in configuration profiles.
Features
The main features of McAfee Security for Microsoft Exchange are described in this section.

    Protection from viruses    Scans all email messages for viruses and protects your Exchange server by intercepting, cleaning, and deleting the viruses that it detects. McAfee Security for Microsoft Exchange uses advanced heuristic methods to identify unknown viruses or suspected virus-like items and block them.
    Protection from spam    Helps you save bandwidth and the storage space required by your Exchange servers by assigning a spam score to each email message as it is scanned and by taking pre-configured actions on those messages.
    Protection from phishing    Detects phishing emails that fraudulently try to obtain your personal information.
    Capability to detect packers and potentially unwanted programs    Detects packers that compress and encrypt the original code of an executable file. It also detects potentially unwanted programs (PUPs), which are software programs written by legitimate companies to alter the security state or privacy state of a computer.
    Content filtering    Scans content and text in the subject line or body of an email message and in email attachments. McAfee Security for Microsoft Exchange supports content filtering based on regular expressions (regex).
    File filtering    Scans an email attachment depending on its file name, file type, and file size. McAfee Security for Microsoft Exchange can also filter files containing encrypted, corrupted, password-protected, and digitally signed content.
    Background scanning    Facilitates scanning of all files in the information store. You can schedule background scanning to periodically scan a selected set of messages with the latest engine updates and scanning configurations. In McAfee Security for Microsoft Exchange, you can exclude mailboxes that you don't want to be scanned.
    Product Health Alerts    These are notifications on the current status of the product's health. You can configure and schedule these alerts.
    Integration with McAfee ePolicy Orchestrator 4.5 or 4.6    Integrates with ePolicy Orchestrator 4.5 or 4.6 to provide a centralized method for administering and updating McAfee Security for Microsoft Exchange across your Exchange servers. This reduces the complexity of, and the time required to, administer and update various systems.
    Web-based user interface    Provides a user-friendly web-based interface based on DHTML.
    Policy Management    The Policy Manager menu option in the product user interface lists the different policies you can set up and manage in McAfee Security for Microsoft Exchange.
    Centralized scanner, filter rules, and enhanced alert settings    Using scanners, you can configure settings that a policy can apply when scanning items. Using File Filtering rules, you can set up rules that apply to a file name, file type, and file size.
    On-demand/time-based scanning and actions    Scans email messages at convenient times or at regular intervals.
    Multipurpose Internet Mail Extensions (MIME) scanning    MIME is a communications standard that enables you to transfer non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.
    Quarantine management    You can specify the local database to be used as a repository for quarantining infected email messages. You can also choose to store quarantined messages on your own server running McAfee Quarantine Manager, which is called the Off-box quarantine.
    Auto-update of virus definitions, extra DATs, anti-virus and anti-spam engine    Regularly provides updated DAT files, anti-virus scanning engine, and anti-spam engine to detect and clean the latest threats.
    Retention and purging of old DATs    Retain old DAT files for periods you define, or purge them as needed.
    Support for Site List editor    Specify a location from which to download automatic updates for McAfee Security for Microsoft Exchange.
    Support for Small Business Server    McAfee Security for Microsoft Exchange is compatible with Small Business Servers.
    Detection reports    Generates status reports and graphical reports that enable you to view information about detected items.
    Configuration reports    Summarizes product configuration such as information about the server, version, license status and type, product, debug logging, on-access setting, on-access policies, and gateway policies. You can specify when your server sends the configuration report to the administrator.
    Denial-of-service attacks detection    Detects additional requests or attacks flooding and interrupting the regular traffic on a network. A denial-of-service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.
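The file filtering feature described above matches attachments by file name, file type, and file size. The following is an added example written for this page, not McAfee's code: it shows one way such rules can be evaluated, and why "file type" should be derived from the attachment's content rather than its extension (an attachment named report.pdf that begins with an MZ header is still treated as an executable). The magic-byte table, the rule semantics (any configured criterion in a rule firing triggers it), the rules themselves, and the sample attachments are all constructed assumptions, not the product's own logic or defaults.

```python
"""Added example: evaluating file-filtering rules against email attachments.

Not McAfee code. Rule semantics are an assumption for this example: a rule
fires if the attachment matches any of its name patterns, any of its sniffed
content types, or exceeds its size limit. Signatures, rules and attachments
are constructed for illustration.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional

# Minimal magic-byte table (constructed; real products use far larger tables).
MAGIC = {
    b"MZ": "executable",        # PE/DOS executables
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",       # also docx/xlsx containers
    b"\xff\xd8\xff": "jpeg",
}


def sniff_type(data: bytes) -> str:
    """Derive the content type from leading bytes, ignoring the file name."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


@dataclass(frozen=True)
class Attachment:
    name: str
    data: bytes


@dataclass(frozen=True)
class FileFilterRule:
    name: str
    name_patterns: tuple[str, ...] = ()    # case-insensitive globs on the file name
    types: tuple[str, ...] = ()            # sniffed content types
    max_size: Optional[int] = None         # bytes; None means no size criterion
    action: str = "quarantine"

    def matches(self, att: Attachment) -> bool:
        by_name = any(fnmatch.fnmatch(att.name.lower(), p) for p in self.name_patterns)
        by_type = sniff_type(att.data) in self.types
        by_size = self.max_size is not None and len(att.data) > self.max_size
        return by_name or by_type or by_size


# Constructed rule set (hypothetical names and limits).
RULES = [
    FileFilterRule("Block executables",
                   name_patterns=("*.exe", "*.scr", "*.com"),
                   types=("executable",),
                   action="block"),
    FileFilterRule("Large attachments", max_size=10_000, action="quarantine"),
]


def evaluate(att: Attachment, rules: list[FileFilterRule] = RULES) -> tuple[str, Optional[str]]:
    """Return (action, rule name) for the first rule that fires, else ("allow", None)."""
    for rule in rules:
        if rule.matches(att):
            return rule.action, rule.name
    return "allow", None


# Constructed attachments: the first one misrepresents its type via the extension.
SAMPLES = [
    Attachment("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    Attachment("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60),
    Attachment("video.mp4", b"\x00" * 10_001),
]


def evaluate_all(samples: list[Attachment] = SAMPLES) -> dict[str, tuple[str, Optional[str]]]:
    """Evaluate every sample attachment and map its name to the decision."""
    return {att.name: evaluate(att) for att in samples}


if __name__ == "__main__":
    for name, (action, rule) in evaluate_all().items():
        print(f"{name:12} -> {action} ({rule or 'no rule matched'})")
```

The first rule that fires decides the action, so order the rule list from the most severe action to the least; a size-only rule placed first would quarantine an executable that should have been blocked outright.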
Why McAfee Security for Microsoft Exchange
Type of threat / Description

Email messages from unwanted sources
    Disgruntled ex-employees and unscrupulous individuals who know the email addresses of your employees can cause distress and distraction by sending unwanted emails.
Non-business use of email
    If most employees use recipient email addresses not within their organization, such emails are likely to be for personal or non-business use.
    Employees might disclose confidential information related to unreleased products, customers or partners.
    Offensive words or phrases can appear in email messages and attachments. Besides causing offense, they can provoke legal action too.
Transfer of "entertainment" files
    Large video or audio files intended for entertainment might reduce your network performance.
Inefficient file types
    Some files use large amounts of memory and can be slow to transfer, but alternatives are often available. For example, GIF and JPEG files are much smaller than their equivalent BMP files.
    Transferring large files can reduce your network performance.
    A deliberate surge of large files can seriously affect the performance of your network, making it unusable to its legitimate users.
Pornographic text
    Vulgar language or terms must not be used in emails.
Viruses and other potentially unwanted software
    Viruses and other potentially unwanted software can quickly make computers and data unusable.
Corrupt content / encrypted content
    This type of content cannot be scanned. Appropriate policies must be specified to handle it.
Default policies
McAfee Security for Microsoft Exchange helps you mitigate electronic threats with special sets of rules and settings called policies that you can create to suit your organization. When first installed, McAfee Security for Microsoft Exchange contains the following default policies:
    On-Access
    On-Demand (Default)
    On-Demand (Find Viruses)
    On-Demand (Remove Viruses)
    On-Demand (Find Banned Content)
    On-Demand (Remove Banned Content)
    On-Demand (Full Scan)
    Gateway
You can customize these policies to handle specific threats to your organization precisely. To learn more about setting policies, see Policy Manager.
As you create further policies, each additional policy records whether any of its current settings are inherited from the Master Policy. A change to the Master Policy (such as an increased level of anti-virus protection or a new file filtering rule) is instantly propagated to other policies too. The Master Policy also indicates how many other policies have inherited its settings.
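The inheritance behaviour described above, as an added example written for this page and not McAfee's code: each policy records, per setting, whether the value is inherited from the Master Policy or overridden locally, so a change to the Master Policy reaches every policy that has not overridden that setting, and the Master Policy can report how many policies inherit a given setting. The policy names, setting names, and values are constructed for illustration; the product's own storage and propagation mechanism is not shown.

```python
"""Added example: Master Policy inheritance with per-setting overrides.

Not McAfee code. Policy and setting names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    # Settings this policy has explicitly overridden; everything else is inherited.
    overrides: dict[str, object] = field(default_factory=dict)


class PolicyManager:
    def __init__(self, master_settings: dict[str, object]) -> None:
        self.master = dict(master_settings)      # the Master Policy
        self.policies: dict[str, Policy] = {}

    def create_policy(self, name: str, **overrides: object) -> Policy:
        """Create a policy; any keyword argument becomes a local override."""
        policy = Policy(name, dict(overrides))
        self.policies[name] = policy
        return policy

    def effective(self, name: str) -> dict[str, object]:
        """Merge: Master Policy values first, the policy's own overrides on top."""
        return {**self.master, **self.policies[name].overrides}

    def is_inherited(self, name: str, setting: str) -> bool:
        """True when the policy takes this setting from the Master Policy."""
        return setting not in self.policies[name].overrides

    def inheriting_count(self, setting: str) -> int:
        """How many policies currently inherit this setting from the Master Policy."""
        return sum(1 for p in self.policies.values() if setting not in p.overrides)

    def set_master(self, setting: str, value: object) -> int:
        """Change the Master Policy; returns how many policies pick the change up."""
        self.master[setting] = value
        return self.inheriting_count(setting)


def demo() -> dict[str, object]:
    """Constructed scenario: two policies, one override, one Master Policy change."""
    mgr = PolicyManager({"heuristics": "medium", "block_exe": True})
    mgr.create_policy("Finance")                        # inherits everything
    mgr.create_policy("Engineering", block_exe=False)   # local override
    propagated = mgr.set_master("heuristics", "high")   # reaches both policies
    return {
        "finance_heuristics": mgr.effective("Finance")["heuristics"],
        "engineering_heuristics": mgr.effective("Engineering")["heuristics"],
        "engineering_block_exe": mgr.effective("Engineering")["block_exe"],
        "propagated_to": propagated,
        "block_exe_inherited_by": mgr.inheriting_count("block_exe"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because an override is recorded by setting name rather than by value, a policy that overrides block_exe keeps its own value even when the Master Policy later changes that setting, which is exactly the property an administrator relies on when tightening the Master Policy.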
How McAfee Security for Microsoft Exchange protects the Exchange Server
McAfee Security for Microsoft Exchange accesses all email messages that are read from and written to the mailbox by your Exchange server.
If these checks find any viruses or banned content within the email message, McAfee Security for Microsoft Exchange takes the specified action. If no items are detected, McAfee Security for Microsoft Exchange passes the information back to the virus-scanning interface to complete the original message request within Microsoft Exchange.
Real-time detection
The McAfee Security for Microsoft Exchange software integrates with your Exchange server and works in real-time to detect and delete viruses or other harmful or unwanted code. It also helps you maintain a virus-free environment by scanning the databases on your Exchange server. Each time an email message is sent to or received from a source, McAfee Security for Microsoft Exchange scans the email message to compare it with a list of known viruses and suspected virus-like behavior and intercepts and cleans the infected file before it spreads. It can also scan content within the email message (and its attachments), using rules and policies defined in the software.
Dashboard
It is important for administrators to know how well their server is being protected from spam, phish, viruses, potentially unwanted programs, and unwanted content. The user interface provides critical functions for Microsoft Exchange administrators. The dashboard in McAfee Security for Microsoft Exchange provides information about statistics, products installed including engine and DAT files, name, version and patch information for the product, server protection status, license agreement, scanned items, and most common hoaxes.

Contents
    Launching the dashboard
    Statistical information of detected items
    On-demand scan and its views
    Status reports
    Configuration reports
    Graphical reports
The McAfee Security for Microsoft Exchange dashboard is divided into two panes: The left pane has links to Dashboard, Detected Items, Policy Manager and Settings & Diagnostics that you can administer. The right pane displays information corresponding to the item you select in the left pane.
The items displayed are:
    Clean
    Spam
    Phish
    Viruses
    Potentially Unwanted Programs
    Banned File types/Messages
    Unwanted Content
From the Graph section, you can select one of the options from the drop-down list:
    Spam Summary    View spam statistics and graph.
    Phish Summary    View phish statistics and graph.
    <Select Detections>    Select the counters in the Detections section by clicking the icon of an item. This enables you to view the statistics and graph of the selected counters.
You can use:
    Magnify Graph    Specify the magnification percentage of the Detections graph. This helps you view an enlarged graph.
    Time range    Specify the time period for which you want to review statistics. The options are Last 24 Hours, Last 7 Days, and Last 30 Days.
    Bar graph button    View statistics as a bar graph.
    Pie chart button    View statistics as a pie chart.
    Add and remove buttons    Determine which statistics counters are displayed on the bar graph or pie chart. Click the add button to add a counter, or the remove button to remove one. If the buttons do not appear, a specific graph type has been selected; you can re-activate the buttons by selecting Graph.
    Reset    Reset the statistics of detected items.
From the Scanning section, you can monitor:
    The average time taken to scan an email message (in milliseconds).
    Total number of email messages scanned since the statistic counters were reset.
Update Information
This tab provides information about the anti-virus DAT, anti-virus engine, extra drivers, and anti-spam engine version, their status, and when they were last updated. McAfee Security for Microsoft Exchange uses the McAfee update website to automatically update its anti-virus DAT, engine, and rules on a daily basis. If McAfee Security for Microsoft Exchange is managed by ePolicy Orchestrator, there is no need to update the product from the dashboard; you can update the anti-virus DATs, anti-virus engine, and anti-spam engine through an AutoUpdate task using the ePolicy Orchestrator server.
1 Click Edit Schedule to display the Edit Schedule page, where you set the update schedule frequency.
2 Click Show Status. The Task Status page appears, where you can view the status of an update task. The page displays the name of the task, when it started, the time required to finish the task, and when the scheduled task was completed or whether it is still in progress.
Click Update Now to update McAfee Security for Microsoft Exchange to the latest DAT, engine, extra drivers, and anti-spam engine version immediately.
Anti-virus DATs, engine, and extra drivers versions are always shown in the dashboard. If the McAfee Anti-Spam add-on component is installed, version information for anti-spam rules and engine is displayed.
Product Information
This tab provides information on the product name and the product version. It provides information on service packs or hotfixes that are installed. It also provides information on the presence of McAfee Anti-Spam add-on component.
For anti-spam and anti-phish functionality, you must install the McAfee Anti-Spam add-on component. For more information on installing the McAfee Anti-Spam Add-On, see the McAfee Security for Microsoft Exchange v7.6 - Installation Guide.
Licenses
This tab provides information on the type of license being used for McAfee Security for Microsoft Exchange, when it expires, and the number of days for it to expire.
It also shows license information for the McAfee Anti-Spam add-on component if you have installed/activated it.
Detections report
The Reports section provides information on the scanned items, posted virus descriptions, and the top hoaxes.
    Reputation Score    The authenticity level of the source of the email, based on up-to-date information available about that source.
    Reason    The reason why the email was quarantined (quarantine queue type).
Settings and actions can be specified in on-demand policies, which can be found under Policy Manager. There are six sets of policies that can be used for an on-demand task:
    On-Demand (Default)    The default settings for all scanners and filters.
    On-Demand (Find Viruses)    Anti-virus settings and filters. These policies provide an easy means to check for viral content in databases.
    On-Demand (Remove Viruses)    Anti-virus settings and filters. These policies provide an easy means to remove viral content from databases.
    On-Demand (Find Banned Content)    Content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules.
    On-Demand (Remove Banned Content)    Content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules and remove banned content.
    On-Demand (Full Scan)    Settings for all scanners and filters. These policies are typically used for scanning at regular intervals.
    Show Status    Click Show Status for a running on-demand scan (this tab is visible after you click Run Now). The Task Status page appears with the General tab displaying the progress of the task. Click the Settings tab to view more details.
    Stop    Stops the selected on-demand scan task that is running.
For instructions on creating an on-demand scan task, see the Creating an on-demand scan task section.
Click Next. The page appears.
    a Select the policy from the type of Policy to use drop-down list.
    b Select Resumable Scanning if you want to resume a scan from the point where it was stopped.

If the Restart from last item option is selected, you can start a task at any time and resume scanning from where it last stopped. For example, when scanning multiple folders, if the scan stops and is resumed, it resumes scanning from the folder where it stopped last.

6 Click Next.
7 Type a name for the on-demand task, then click Finish to complete the process of creating an on-demand scan task.
Status reports
A status report is a scheduled report sent to an administrator at a specific time. The report contains detection statistics within that specified time frame. You can choose a time, a recipient email address or distribution list to send the report to, and a subject for the email. Reports are sent in HTML or CSV format. The following columns of information are displayed for Status Reports.

Table 2-3 Columns in a Status report
    Option        Definition
    Name          Name of the status report.
    Status        Indicates whether the report is being generated or has been stopped.
    Last Run      Indicates when the report was last generated.
    Next Run      Indicates when the report is next scheduled.
    Action        Indicates what action was taken for each item.
    Refresh       To refresh the display with the latest reports.
    New Report    To schedule a new status report.
    Days    Specify how frequently, in days, the report task should take place and at what time of day. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
    Weeks    Specify how frequently, in weeks, the report task should take place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
    Months    On either the first, second, third, fourth, or last day, select a checkbox by clicking the desired month(s) and specify a time at which the report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
You can use Stop task after it has run for to specify the maximum number of hours and minutes a task can run before it is stopped. Limiting the amount of time a report can run helps preserve system resources. By default there is no limit on report task time.
4 Click Next. The Report Settings page appears.
5 In Recipient Email, specify the email address of the recipient to whom the report is to be sent.
6 In Subject line for report, specify the subject line of the report email that is sent to the recipient.
7 In Number of Rows, specify the number of rows (n) to be displayed in the status report. Each row in the status report displays the total number of detections for a particular day. The report contains the detection count for the last n days, excluding the day when the status report is triggered. For example, if you specify two, the status report contains two rows displaying detections for the last two days, excluding today.
8 In Type of Report, specify the format of the status report that is sent to the recipient. The available options are CSV or HTML.
9 Click Next. The Please enter a task name page appears.
10 Type a meaningful name for the task.
11 Click Finish to complete the process of scheduling the status report.
12 Click Back to return to the previous pages.
13 Click Cancel to remove all settings and return to the main Status Reports page.
Configuration reports
A configuration report is a scheduled report sent to an administrator at a specific time. The configuration report contains a summary of product configuration such as: server information, version information, license status and type, product information, debug logging information, on-access settings, and on-access policies. The following columns of information are displayed.

Table 2-4 Configuration report
    Option        Definition
    Name          Name of the configuration report.
    Status        Indicates whether the report is being generated or has been stopped.
    Last Run      Indicates when the report was last generated.
    Next Run      Indicates when the report is next scheduled.
    Action        Indicates what action was taken for each item.
    Refresh       To refresh the display with the latest reports.
    New Report    To schedule a new configuration report.
In the Who to report to page, fill in the form, then click Next.
    a In Recipient Email, specify the email address of the recipient to whom the report is to be sent.
    b In Subject line for report, specify the subject line of the report email that is sent to the recipient.
When prompted, type a meaningful name for the task, then click Finish.
Graphical reports
You can use Graphical Reports to view information about items that have triggered one or more scanners and find out how many detections match your search criteria. You can also find out what percentage of the total detections each detection represents by using a series of filters to specify the type of detections that are of interest. You can use the following tabs:
    Simple    When you want to use only a few search filters and view the results as a bar graph.
    Advanced    When you want to use more complex search filters and view the results as either a bar graph or a pie chart.
    Top 10 Infected Files    Lists the files that are most commonly detected as infections.
    Top 10 Detections    Includes all the above detection categories.
Click Search. The search results are shown in the View Results pane. In Magnify Graph, you can specify the magnification percentage of the graph. This helps in viewing an enlarged and clearer graph.
Spam score is a number that indicates the amount of potential spam contained within an email message. The engine applies anti-spam rules to each email message it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email message contains spam.
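The additive scoring described above, as an added example written for this page and not McAfee's anti-spam engine: each rule carries a score, the scores of every rule that fires are summed into the message's overall spam score, and the score is then mapped to an action. The rules, their weights, the action thresholds, and the sample messages are all constructed for illustration and are not the product's rule set or defaults; a real engine carries thousands of weighted rules.

```python
"""Added example: additive spam scoring over a small constructed rule set.

Not McAfee code. Rules, weights, thresholds and messages are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Message:
    sender: str
    subject: str
    body: str


@dataclass(frozen=True)
class SpamRule:
    name: str
    matches: Callable[[Message], bool]
    score: float            # contribution to the overall score when the rule fires


def _subject_shouting(msg: Message) -> bool:
    """Subject written entirely in capitals (at least 8 letters)."""
    letters = [c for c in msg.subject if c.isalpha()]
    return len(letters) >= 8 and all(c.isupper() for c in letters)


_BAIT_WORDS = re.compile(r"\b(free|prize|winner|urgent)\b", re.IGNORECASE)
_RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed rule set with hypothetical names and weights.
RULES = [
    SpamRule("SUBJECT_ALL_CAPS", _subject_shouting, 1.5),
    SpamRule("BAIT_WORDS",
             lambda m: _BAIT_WORDS.search(m.subject + " " + m.body) is not None, 2.0),
    SpamRule("RAW_IP_URL", lambda m: _RAW_IP_URL.search(m.body) is not None, 3.0),
    SpamRule("MANY_EXCLAMATIONS", lambda m: m.body.count("!") >= 3, 1.0),
]


def spam_score(msg: Message, rules: list[SpamRule] = RULES) -> tuple[float, list[str]]:
    """Sum the scores of every rule that fires; also return which rules fired."""
    fired = [rule for rule in rules if rule.matches(msg)]
    return sum(rule.score for rule in fired), [rule.name for rule in fired]


def disposition(score: float, quarantine_at: float = 5.0, tag_at: float = 3.0) -> str:
    """Map an overall score to an action; thresholds are constructed, not product defaults."""
    if score >= quarantine_at:
        return "quarantine"
    if score >= tag_at:
        return "tag-subject"
    return "deliver"


# Constructed sample messages (addresses use reserved example domains).
SAMPLES = {
    "lottery": Message("promo@example.net", "YOU ARE A WINNER",
                       "Claim your FREE prize now!!! http://203.0.113.7/claim"),
    "lunch": Message("alice@example.org", "Lunch tomorrow?",
                     "Want to grab lunch at noon? Let me know."),
    "newsletter": Message("news@example.com", "Weekly update",
                          "This week's FREE webinar is open to all! Register today!!!"),
}


def score_samples() -> dict[str, tuple[float, str]]:
    """Overall score and resulting action for each constructed sample."""
    out = {}
    for key, msg in SAMPLES.items():
        total, _fired = spam_score(msg)
        out[key] = (total, disposition(total))
    return out


if __name__ == "__main__":
    for key, msg in SAMPLES.items():
        total, fired = spam_score(msg)
        print(f"{key:10} score={total:<4} action={disposition(total):12} rules={fired}")
```

The newsletter sample lands exactly on the tagging threshold with two weak rules, which is the usual reason a single rule is kept low-weight: one match should rarely be enough on its own, and the action should come from the sum.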
Secondary filters are available only for the primary filter Reason; you can select any one of the following.
If you do not want to specify a secondary filter, make sure the secondary filter field is empty. For more information about the search filters, see the Search filters section.
Table 2-6 Secondary Filters
    Filter                          Description
    Anti-Virus                      Whether it was an anti-virus program that detected the harmful email.
    Banned Content                  Certain content in the email that is banned.
    File Filter                     Whether it was a file filter that detected a harmful file in an email.
    Anti-Spam                       The anti-spam rule version that executed the scan.
    Potentially Unwanted Program    Software programs that could alter the security or privacy policies of a computer on which they have been inadvertently installed.
    Phish                           Phish or phishing is a method used by individuals to obtain personal information by unfair or fraudulent means.
    Packer                          A program that can compress executable files and possibly encrypt the original code.
    Mail Size                       The size of the email (in kilobytes).
    Encrypted                       Email content that has been encrypted.
    Signed                          Whether the email has a signature.
    Corrupted                       Email content that is corrupted.
    Denial of Service               An incident in which a user or an organization is deprived of the services of a resource they would normally expect to have.
    Protected Content               Email content that is protected.
    Password Protected              The content (attachment) can be viewed only with the help of a password.
    Blocked MIME                    Emails are blocked due to certain Multipurpose Internet Mail Extension (MIME) settings.

4 Select All Dates or a Date Range from the drop-down lists.
5 Select Bar Graph or Pie Chart as required.
6 If you select Pie Chart, select a filter from the drop-down list to Query on:

Table 2-7 Options for Query on
    Filter            Description
    Recipients        To query on a valid email address of the recipient.
    Sender            To query on a valid email address of the sender.
    Filename          To query on the name of the quarantined file.
    Detection Name    To query by the name of a detected item.
    Subject           To query on the subject line of the email.
    Reason            To query on a reason for which the item was detected.
    Rule Name         To query on the name of the rule that triggered the detection.
    Policy Name       To query on the name of the policy that made the detection.
In Maximum Results, specify the maximum number of segments you want to appear in the pie chart. For example, if you are interested only in viewing the three most frequently assigned spam scores, type 3.
Query on and Maximum Results are available only for pie chart.
Click Search. The search results are shown in the View Results pane.
Detected Items
You can use Detected Items to view information about email messages that contain spam, phish, viruses, potentially unwanted programs, banned file types or messages, and unwanted content. Use the search filters to find email messages that are of interest and view the results of the search.
Contents
Detection types
Viewing detected items
Search filters
View results
Detection types
A detection or detected item is something identified by security software as a potential threat, such as a virus, spam, phish, unwanted content, banned file type, fraudulent website, or an intrusion.
Table 3-1 Detection types
Detection type: Description
Spam: Spam is an unwanted email message, specifically an unsolicited bulk message. Spam floods the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send; most of the costs are paid by the recipient or the carriers rather than by the sender.
Phish: Phish is a method of fraudulently obtaining personal information (such as passwords, social security numbers, credit card details and so on) by sending spoofed email messages that look like they have come from a trusted source such as legitimate companies or banks. Typically, phishing email messages request that recipients click the link in the email to verify or update contact details or credit card information.
Viruses: A virus is a program or code that replicates and infects other programs, boot sectors, partition sectors, or documents that support macros by inserting itself or attaching itself to that medium.
Potentially unwanted programs: Potentially unwanted programs are software programs written by legitimate companies that might alter the security state or the privacy posture of the computer on which they are installed. This software can, but does not necessarily, include spyware, adware and dialers, and can be downloaded in conjunction with a program wanted by the user.
Unwanted content: Any content that triggers a content scanning rule. It might include offensive, abusive or unpleasant words, or even the company's confidential information.
Banned file types: Certain types of file attachments are prone to viruses. The ability to block attachments by file extension is another layer of security for your mail system. Both internal and external email messages are checked for banned content.
Click Search. A list of quarantined items matching your search criteria is displayed in the View Results section.
Click Clear Filter to return to the default search filter settings.
Search filters
Use these search filters in combination with other available criteria to narrow your search of detected items. The filter options vary according to the detected item selected.
Option definitions
The available search filters are:
Table 3-2 Search filters
Search filter: Definition
Action taken: You can search for an item based on the action that was taken on it (deleted/cleaned/intercepted/quarantined and so on).
Anti-Spam Engine: You can search for an item based on the anti-spam engine that scans email messages for spam and phishing attacks, using anti-spam, anti-phishing, and extra rules.
Anti-Spam Rule: You can search for an item based on the anti-spam rules, which are updated every few minutes to catch the latest spam campaigns sent by spammers.
Anti-Virus DAT: You can search for an item based on the anti-virus DAT version with a distinctive signature.
Anti-Virus Engine: You can search for an item based on the anti-virus engine that had a sequence of characters unique to a virus/unwanted content.
Banned Phrases: You can search by the content of banned phrases.
Detection Name: You can search for a detected item based on its name.
File Name: You can search by the name of the detected file in the quarantined item.
Folder: You can search by the folder where quarantined items are stored.
Policy Name: You can search for an item by the name of the policy that detected the item.
Reason: You can search for an item based on the reason why it was detected.
Reasons: You can search by a rule or rules that were triggered by a particular email.
Recipients: You can search for an item through the recipient's email address.
Reputation Score: You can search by the authenticity level of the source of the email, based on up-to-date information available.
Rule Name: You can search for an item based on the rule that triggered one or more scanners/filters.
Scanned by: You can search for an item by the name of the scanner that detected the item.
Sender: You can search for an item by the sender's email address.
Sender IP: You can search for an item by the IP address of the sender's system.
Server: You can search for an item based on a specific server version.
Spam Score: Spam score is a number that indicates the amount of potential spam contained within an email message. The engine applies anti-spam rules to each email message it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email message contains spam.
Status: You can search for an item based on its status.
Subject: You can search for an item based on the subject line of the email message.
Ticket Number: A ticket number is a unique alphanumeric identifier assigned to a specific detection and delivered as a notification through email. It helps identify the associated detection.
Each item selected under Detected Items will have a corresponding set of search filters. For instructions to view the detected items, see the Viewing detected items section.
View results
In the View Results pane, you can view the results of the search based on the parameters you defined. You can then execute various actions on these detected items.
Table 3-3 Types of actions
Action: Definition
Release: To release a quarantined item. Select an applicable record from the View Results pane and click Release. The original email message is released from the database for delivery to the intended recipient.
Download: To download a quarantined item. Select an applicable record from the View Results pane and click Download.
Export to CSV File: To export and save records in .CSV format. Select an applicable record from the View Results pane and click Export to CSV File.
To select additional column headers to be listed in the View Results pane.
Submit to McAfee Labs: To submit a quarantined item to McAfee Labs. Select an applicable record from the View Results pane, then click Submit to McAfee Labs. This option is enabled only for specific quarantined items which may be of interest to the McAfee team for further investigation.
View: To view the quarantined item.
Forward: To forward the quarantined items to recipients as required.
Add to allow senders: To add a sender's email address to the list of addresses from which emails should be allowed.
Add to block senders: To add a sender's email address to the list of addresses from which emails should be blocked.
Each record in the View Results pane has an icon, which indicates:
Icon: Description
(icon): A record which can be released or downloaded.
(icon): A record which cannot be released or downloaded.
(icon): A record which can be submitted to McAfee Labs for investigation.
For instructions to view the detected items, see the Viewing detected items section.
Policy Manager
Policy Manager is a product feature that allows you to configure and manage the different policies and actions in the product. It determines how different types of threats are treated when detected. Each policy specifies the settings it uses and the actions taken when a detection is triggered for the data in the Exchange environment. The settings are given names and can be used by many policies at the same time. However, the actions are specific to a particular policy. For example, you can create anti-virus policies and create multiple child policies from them, with a different action for each policy. The different policies that you can set up are listed under the Policy Manager. Each type of policy has a default Master Policy. The Master Policy cannot be deleted because there must always be one policy from which others can be created. The Master Policy is configured to cover most situations; however, you can create subpolicies to meet specific requirements.
Types of policies
Table 4-1 Types of policies
Policy: Description
On-Access: Create policies for email messages every time they are opened, copied or saved, to determine if they contain a virus or other potentially unwanted code. On-access scanning is also called real-time scanning.
On-Demand (Default): Create policies that are activated at set intervals or on demand, to find a virus or other potentially unwanted code.
On-Demand (Find Viruses): Create policies that are activated at set intervals or on demand, to find viruses, Potentially Unwanted Programs (PUPs) and other possible threats.
On-Demand (Remove Viruses): Create policies that are activated at set intervals or on demand, and which remove viruses, Potentially Unwanted Programs (PUPs) and other possible threats.
On-Demand (Find Banned Content): Create policies that are activated at set intervals or on demand, to find banned content that you do not want to appear in email messages.
On-Demand (Remove Banned Content): Create policies that are activated at set intervals or on demand, and which remove content that you do not want to appear in email messages. For example, if an email message contains a particular word or phrase, you can set up a policy to automatically replace the content of that email message with an alert message. You can use this type of policy to prevent unwanted information entering or leaving your organization.
Create full scan policies that are activated at set intervals to scan for viruses, spam, phishing emails, banned/unwanted content and other harmful code.
Create policies for email messages every time they are opened, copied or saved, to determine whether they are spam, phish, MIME files or HTML files.
Shared Resource: Set up resources that can be used by more than one policy. This is more efficient than setting up the same resource separately for each policy. For more information, see the Shared Resources section. For example, instead of creating two disclaimers, one for the Internal mail policy and another for the External mail policy, you can create a single disclaimer that can be used by both policies. The disclaimer is a resource that is shared by more than one policy.
Contents
Inheritance and advanced views
Subpolicies
Setting policies
Core scanners and filters
Alert settings and disclaimer text
Creating a new alert
Enabling Product Health Alerts
Shared Resource
Inheritance view
Once you have created subpolicies, McAfee Security for Microsoft Exchange needs to determine which policy is going to be applied to an email. For this purpose, every policy is assigned a priority. To decide which policy applies to the email, the attributes of the email are used to evaluate the rules of each policy in order of priority. If the rules of a policy are satisfied, that policy is applied to the email. If the rules of the policy are not satisfied, McAfee Security for Microsoft Exchange moves on to evaluate the policy with the next priority. If none of the subpolicies can be applied to the email, the Master Policy is used to scan the email. Using inheritance, you can create policies which inherit their settings and actions from another policy. The policy that inherits the settings is known as the subpolicy, and the policy from which it inherits those settings is known as the parent policy. Inheritance should not be confused with sharing of settings. An inherited policy uses the same named setting and action as the parent policy. If the parent policy starts using a different setting, that same named setting is used by the subpolicy. Similarly, any changes to the actions in the parent policy are also reflected in the subpolicies. Up to three levels of inheritance are supported. This allows customization of product behavior for different groups of users in an organization or domain.
Advanced view
The Advanced View enables you to use the arrow icon within the Move column to change the order in which the subpolicies are applied. Using Advanced View in conjunction with Inheritance View allows a greater level of customization while maintaining fewer settings.
If you apply multiple policies to a single user, you might want to prioritize which policy takes precedence.
Subpolicies
You can create subpolicies to have specialized behavior for groups of users in the Exchange server environment. Subpolicies allow you to create customized actions for detecting items while using shared settings.
Creating subpolicies
Use this task to create subpolicies for situations not covered by the Master Policy.
Task
1 From Policy Manager, select a menu item for which you want to create a Subpolicy.
2 Click Create Sub-policy. The Create a Sub-policy page appears.
3 Type a Sub-policy name that identifies the policy and what it does.
4 Type a Description for the policy (optional).
5 Select the Parent policy for the sub-policy.
6 Click Next. The Create a Sub-policy - Trigger Rules page appears.
7 Specify the conditions when the policy should trigger.
8 Select Any of the rules apply, All rules apply or None of the rules apply for the specific user.
9 Click New Rule and select the required policy rule.
10 Click Add to select the trigger rule.
11 Click Next. The Create a Sub-policy - Scanner and Filters page appears.
12 Select Inherit all settings from the parent policy to inherit all properties of the parent policy, else select the policy to inherit from another policy by clicking Initialize selected settings with values copied from another policy.
13 Click Finish.
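The priority-ordered policy selection and the inheritance of named settings and actions described under Inheritance view, together with the trigger-rule choice (Any, All or None of the rules apply) from the task above, as an added Python model. This is example code written for this guide, not McAfee's implementation; the policy names, email attributes, rule functions and the three-level limit check are constructed to illustrate the behaviour the guide describes.

```python
# Added example: a generic model of priority-ordered policy selection with
# setting/action inheritance. Not McAfee code; every name below is constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Rule = Callable[[dict], bool]      # a trigger rule evaluates the email's attributes
MAX_INHERITANCE_LEVELS = 3         # the guide states up to three levels are supported


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    match: str = "any"             # "any", "all" or "none" of the rules apply
    rules: List[Rule] = field(default_factory=list)
    own_settings: Dict[str, str] = field(default_factory=dict)   # named settings
    own_actions: Dict[str, str] = field(default_factory=dict)    # per-detection actions

    def level(self) -> int:
        return 0 if self.parent is None else 1 + self.parent.level()

    def setting(self, key: str) -> str:
        # Inheritance, not copying: resolved through the parent chain at lookup
        # time, so a change to the parent is seen by every subpolicy.
        if key in self.own_settings:
            return self.own_settings[key]
        if self.parent is None:
            raise KeyError(key)
        return self.parent.setting(key)

    def action(self, detection: str) -> str:
        if detection in self.own_actions:
            return self.own_actions[detection]
        if self.parent is None:
            raise KeyError(detection)
        return self.parent.action(detection)

    def triggers(self, mail: dict) -> bool:
        results = [rule(mail) for rule in self.rules]
        if self.match == "any":
            return any(results)
        if self.match == "all":
            return all(results)
        return not any(results)    # "none"


def make_subpolicy(name: str, parent: Policy, **kwargs) -> Policy:
    if parent.level() + 1 > MAX_INHERITANCE_LEVELS:
        raise ValueError("inheritance limit of three levels exceeded")
    return Policy(name, parent=parent, **kwargs)


def select_policy(mail: dict, by_priority: List[Policy], master: Policy) -> Policy:
    """First subpolicy (in priority order) whose rules are satisfied; else the Master Policy."""
    for policy in by_priority:
        if policy.triggers(mail):
            return policy
    return master


def build_demo():
    """Constructed policy tree: Master Policy -> Sales -> Sales EU."""
    master = Policy("Master Policy",
                    own_settings={"av_options": "default-av", "disclaimer": "standard"},
                    own_actions={"virus": "replace with alert", "spam": "quarantine"})
    sales = make_subpolicy("Sales", master, match="all",
                           rules=[lambda m: m["recipient"].endswith("@sales.example.com"),
                                  lambda m: m["direction"] == "inbound"],
                           own_actions={"spam": "delete message"})
    sales_eu = make_subpolicy("Sales EU", sales, match="all",
                              rules=[lambda m: m["recipient"].endswith("@sales.example.com"),
                                     lambda m: m["sender"].endswith(".eu")],
                              own_settings={"disclaimer": "eu-legal"})
    return master, sales, sales_eu


def selected_policy_name(mail: dict) -> str:
    master, sales, sales_eu = build_demo()
    # Advanced view order: the more specific subpolicy is evaluated first.
    return select_policy(mail, [sales_eu, sales], master).name
```

The model keeps inheritance as a lookup through the parent chain rather than a copy, which is exactly the distinction the guide draws between inheriting and sharing settings: changing the Master Policy's anti-virus options is immediately visible in Sales EU, while the action Sales overrides stays overridden.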
Setting policies
You can set up policies that determine how different types of threats are treated when detected. Each policy specifies the settings and actions that are used by the policy when a detection is triggered for the data in an Exchange server environment. The settings are given names and can be used by many policies at the same time. However, the actions are specific to a particular policy.
Tasks
Listing all the scanners on page 31: In the List All Scanners tab, you can configure different types of policy settings.
Creating a new rule for a specific user on page 33: Use this task to create a new rule and specify the conditions for the rule to be applied for a particular user.
Select the policy that you want to view and configure. You can then use Selection to select the type of configuration settings you want to view and configure for the selected policy. You can configure a policy so that it applies only for a specific user. The Scanners, Filters, and Miscellaneous settings displayed vary according to the option selected under Policy Manager.
Table 4-2 Policy configuration
Option: Definition
Policy: To select the policy you want to configure.
Add Scanner/Filter: To configure the policy so that it applies only at specific times. For example, you can create an anti-virus setting that is applicable on weekends.
Only some filters can be turned off. Filters that cannot be turned off act as a prerequisite for other scanners and filters. For example, when a digitally signed email is identified, the product needs to decide whether or not to scan the attachments of the email. If the settings for signed emails were turned off, that decision could not be made.
Core Scanners: To configure the policy for each type of scanner. Typical core scanner options include:
Anti-Virus Scanner
Content Scanning
File Filtering
Filters: To configure the policy for each type of filter. Typical filters include:
Corrupt Content
Protected Content
Encrypted Content
Signed Content
Password Protected Files
Mail Size Filtering
Scanner Control
MIME Mail Settings
HTML Files
Miscellaneous settings: To configure the alert settings and disclaimer messages for policies. Miscellaneous options include:
Alert Settings
Disclaimer Text
Tasks
Adding scanner/filter on page 32: Use this task to add a scanner or filter.
Adding scanner/filter
Use this task to add a scanner or filter.
Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master Policy, then select List All Scanners | Add Scanner/Filter.
The Add Scanner/Filter option is available only for the submenu item On-Access.
3 From the Specify the category drop-down list, select the required scanner or filter.
4 From the When to use this instance section, select an existing time slot or create a new one.
5 Click Save.
Scanners
You can use Core Scanners to configure a policy for each type of scanner. Typical core scanners include:
Anti-Virus Scanner
Anti-Spam
Content Scanning
File Filtering
Anti-Phishing
Filters
You can use Filters to configure a policy for each type of filter. Typical filters include:
Corrupt Content
Protected Content
Encrypted Content
Signed Content
Password Protected Files
Mail Size Filtering
Scanner Control
MIME Mail Settings
HTML Files
Miscellaneous
You can use Miscellaneous to configure:
Alert Settings
Disclaimer Text
Select additional scanner option(s) available in Scanner options. You can select:
Scan archive files (ZIP, ARJ, RAR...)
Find unknown file viruses
Find unknown macro viruses
Enable McAfee Global Threat Intelligence file reputation. This enables the threat intelligence gathered by McAfee Labs, which can prevent damage and data theft before a signature update is available. Select the Sensitivity level from the options available.
Scan all files for macros
Find all macros and treat as infected
Remove all macros from document files
On the Advanced tab under Custom malware categories, specify the items to be treated as malware. There are two ways to select malware types:
Select the malware types from the list of checkboxes.
Select Specific detection names, type a malware category, then click Add.
When typing a malware category name, you can use wildcards for pattern matching.
10 Select the Do not perform custom malware check if the object has already been cleaned option if the cleaned items must not be subjected to the custom malware check.
11 In Clean options, specify what happens to files that are reduced to zero bytes after being cleaned. Select any one of these options:
Keep zero byte file: To keep files that have been cleaned and are zero bytes in size.
Remove zero byte file: To remove any file that has zero bytes after being cleaned.
Treat as a failure to clean: To treat zero byte files as if they cannot be cleaned, and apply the failure to clean action.
12 In the Packers tab, select:
Enable detection: To enable or disable the detection of packers.
Exclude specified names: To specify which packers can be excluded from being scanned.
Include only specified names: To specify which packers you want the software to detect.
Add: To add packer names to a list. You can use wildcards to match names.
Delete: To remove packer names you have added. This link is activated if you click Add.
13 In the PUPs tab, select:
Enable detection: To enable or disable the detection of PUPs. Click the disclaimer link and read the disclaimer before configuring PUP detection.
Select the program types to detect: To specify whether each type of PUP in the list should be detected or ignored.
Exclude specified names: To specify which PUPs can be excluded from being scanned. For example, if you have enabled spyware detection, you can create a list of spyware programs that you want the software to ignore.
Include only specified names: To specify which PUPs you want the software to detect. For example, if you enable spyware detection and specify that only named spyware programs should be detected, all other spyware programs are ignored.
Add: To add PUP names to a list. You can use wildcards to match names.
Delete: To delete PUP names that you have added. This link is activated if you click Add.
The McAfee website http://vil.nai.com/vil/default.aspx contains a list of PUP names. Use the Search in Category option to select PUPs.
14 Click Save to return to the policy page.
15 In Actions to take, click Edit. In the following tabs, specify the anti-virus scanner actions that must be taken if a virus (or virus-like behavior) is detected:
Cleaning: Select Attempt to clean any detected virus or trojan to activate various actions. Select the action(s) to be taken from:
Log: To record the detection in a log.
Quarantine: To store a copy of the item in a quarantine database.
Notify administrator: To send an alert message to the email administrator.
Notify internal sender: To send an alert message to the sender, when the original email originates from the same domain as the server.
Notify external sender: To send an alert message to the sender, when the original email does not originate from the same domain as the server.
Notify internal recipient: To send an alert message to the recipient, when the recipient is in the same domain as the server.
Notify external recipient: To send an alert message to the recipient, when the recipient is not in the same domain as the server.
Default Actions: From the Take the following action drop-down list, select an action:
Replace item with an alert
Delete embedded item
Delete message
Allow through
16 Select the corresponding alert document or click Create to make a new alert document. From And also, select additional actions to be taken.
Custom Malware
Packers
PUPs
3 In Activation, select Enable.
4 In the Options drop-down list, select <create new set of options>. The Anti-Spam Settings page appears.
5 In Instance name, type a unique name for the anti-spam scanner setting instance. This field is mandatory.
6 In the Options tab, under Scoring, type the values for:
High score threshold: If the overall spam score is 15 or more.
Medium score threshold: If the overall spam score is 10 or more, but less than 15.
Low score threshold: If the overall spam score is 5 or more, but less than 10.
To use the default values of spam scores, select the Use default option. These default settings have been carefully optimized to maintain the balance between a high spam detection rate and a low false positive rate. In the unlikely event that you need to change these settings, a technical notice is available from Technical Support.
7 In Reporting, under the Spam reporting threshold is drop-down list, select High, Medium, Low, or Custom to specify the point at which an email message should be marked as spam.
8 In Custom score, type a specific spam score at which email messages should be marked as spam. This field is enabled only if you select the Custom option in step 6.
9 Select or deselect Add prefix to subject of spam messages as required.
10 From the Add a spam score indicator drop-down list, select:
Never: To have the Internet header of an email message without the spam score indicator.
To spam messages only: To add a spam score indicator to the Internet header of spam email messages only.
To non-spam messages only: To add a spam score indicator to the Internet header of non-spam email messages only.
To all messages: To add a spam score indicator to the Internet header of all email messages.
The spam score indicator is a symbol used in the spam report that is added to the email message's Internet headers to indicate the amount of potential spam contained in an email message.
11 From the Attach a spam report drop-down list, select:
Never: To display an email message without the spam score indicator.
To spam messages only: To add a spam report to spam email messages only.
To non-spam messages only: To add a spam report to non-spam email messages only.
To all messages: To add a spam report to all email messages.
12 Select or deselect Verbose reporting to specify whether verbose reporting is required. Verbose reporting includes the names and descriptions of the anti-spam rules that have been triggered.
Verbose reporting is available only if you do not select Never in step 11.
13 On the Advanced tab, use:
Maximum message size to scan (KB): To specify the maximum size of an email message (in kilobytes) that can be scanned. You can type a size up to 999,999,999 kilobytes, although typical spam email messages are quite small. The default value is 250 KB.
Maximum width of spam headers (Bytes): To specify the maximum size (in bytes) that the spam email message header can be. The minimum header width that you can specify is 40 characters and the maximum is 999 characters. The default value is 76.
Spammers often add extra information to headers for their own purposes.
Maximum number of reported rules: To specify the maximum number of anti-spam rules that can be included in a spam report. The minimum number of rules you can specify is 1 and the maximum is 999. The default value is 180.
Header name: To specify a different name for the email header. You can use this email header and its header value (below) when tracking email messages and applying rules to those messages. These fields are optional, and accept up to 40 characters.
Header value: To specify a different value for the email header.
Add header: To specify that the header should be added to none of the email messages, all of the email messages, only spam email messages or only non-spam email messages.
Select or deselect the Use alternative header names when a mail is not spam option as required.
14 In the Mail Lists tab, under Blacklisted senders, Whitelisted senders, Blacklisted recipients and Whitelisted recipients, type the email addresses of the blacklisted and whitelisted senders and recipients.
Email messages sent to or from an email address on a blacklist are treated as spam, even if they do not contain spam-like characteristics. Email messages sent to or from email addresses on a whitelist are not treated as spam, even if they contain spam-like characteristics.
Click Add to add email addresses to a list, and use the checkbox beside each address to specify whether it is currently enabled. Click Delete All to remove an email address from the list. You cannot add the same email address more than once. You can use wildcard characters to match multiple addresses.
15 In the Rules tab, enter the rule name and select Enable rule to activate it. Click Add to display a list of available rules.
Click Reset to return to the default anti-spam settings.
16 In the list, against each rule, click Edit to modify the rule; click Delete to remove the rule.
17 Click Save to return to the policy page.
18 In Actions to take if spam is detected, click Edit. In the following tabs, specify the anti-spam scanner actions that must be taken if spam is detected:
High Score
Medium Score
Low Score
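The scoring, reporting and mail-list mechanics configured in steps 6 through 14, as one added Python example: rule scores are summed into an overall spam score, banded against the High/Medium/Low thresholds (15/10/5), compared with the reporting threshold (a band name or a custom number), overridden by blacklist and whitelist entries with wildcards, and written out as a spam score indicator header plus a verbose report folded to the maximum header width. This is example code written for this guide, not McAfee's engine; the rule set, header names and the order in which the lists are consulted (blacklist first) are constructed assumptions.

```python
# Added example of the spam scoring, reporting and mail-list behaviour the guide
# configures. Not McAfee code; rule names, scores and header names are constructed.
import fnmatch
from typing import Dict, List, Tuple, Union

HIGH, MEDIUM, LOW = 15, 10, 5          # default score thresholds named in the guide
MAX_REPORTED_RULES = 180                # default "Maximum number of reported rules"
MAX_HEADER_WIDTH = 76                   # default "Maximum width of spam headers"

# Constructed sample rule set (hypothetical): rule name -> (score, description)
RULES: Dict[str, Tuple[int, str]] = {
    "SUBJ_ALL_CAPS":   (4, "Subject is entirely upper case"),
    "BODY_FREE_MONEY": (7, "Body promises free money"),
    "HTML_ONLY":       (2, "Message has only an HTML part"),
    "URL_SHORTENER":   (3, "Body links to a URL shortener"),
    "FROM_NO_NAME":    (1, "From header carries no display name"),
}


def score_message(triggered: List[str]) -> int:
    """Overall spam score: the scores of every triggered rule added together."""
    return sum(RULES[name][0] for name in triggered)


def score_band(score: int) -> str:
    if score >= HIGH:
        return "High"
    if score >= MEDIUM:
        return "Medium"
    if score >= LOW:
        return "Low"
    return "None"


def in_list(address: str, patterns) -> bool:
    """Mail-list entries may use wildcards; matching is case-insensitive (assumption)."""
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)


def classify(sender: str, recipient: str, triggered: List[str],
             threshold: Union[str, int] = "High",
             black_senders=(), white_senders=(),
             black_recipients=(), white_recipients=()) -> dict:
    """threshold is "High", "Medium", "Low" or an int (the Custom score)."""
    score = score_message(triggered)
    cutoff = {"High": HIGH, "Medium": MEDIUM, "Low": LOW}.get(threshold, threshold)
    is_spam, reason = score >= cutoff, "score"
    # List overrides: the guide says lists win over spam-like characteristics.
    # Checking the blacklist first is this example's assumption.
    if in_list(sender, black_senders) or in_list(recipient, black_recipients):
        is_spam, reason = True, "blacklist"
    elif in_list(sender, white_senders) or in_list(recipient, white_recipients):
        is_spam, reason = False, "whitelist"
    return {"score": score, "band": score_band(score), "spam": is_spam, "reason": reason}


def fold_header(line: str, width: int = MAX_HEADER_WIDTH) -> str:
    """Fold a header onto continuation lines so that no line exceeds `width`."""
    lines, cur = [], ""
    for word in line.split(" "):
        if cur and len(cur) + 1 + len(word) > width:
            lines.append(cur)
            cur = " " + word               # continuation lines start with whitespace
        else:
            cur = word if not cur else cur + " " + word
    lines.append(cur)
    return "\r\n".join(lines)


def spam_headers(result: dict, triggered: List[str], add_to: str = "spam",
                 header_name: str = "X-Spam-Score", verbose: bool = True,
                 max_rules: int = MAX_REPORTED_RULES) -> List[str]:
    """Score indicator header plus the spam report; add_to mirrors the drop-down choices."""
    wanted = {"never": False, "spam": result["spam"],
              "nonspam": not result["spam"], "all": True}[add_to]
    if not wanted:
        return []
    headers = [f"{header_name}: {result['score']} ({result['band']})"]
    report = []
    for name in triggered[:max_rules]:          # capped by "Maximum number of reported rules"
        score, desc = RULES[name]
        report.append(f"{name}={score}" + (f" ({desc})" if verbose else ""))
    headers.append(fold_header("X-Spam-Report: " + "; ".join(report)))
    return headers
```

The report header is folded rather than truncated, which is why the maximum header width matters: a very long list of triggered rules must stay a valid header line for downstream mail software.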
In Content Scanner rules and associated actions, click Add rule. The Content Rules page appears. In Specify actions for a selection of content rules:
a Select a rule group from the Select rules group drop-down menu that will trigger an action if one or more of its rules are broken.
b In Select rules from this group, specify if all rules or only rules with a specific severity rating should be included. The options are Severity - Low, Severity - Medium, and Severity - High.
Selecting the Select all option overrides all the three rules.
8 In If detected, take the following action:, select the content scanner actions that must be taken if some content in an email message is detected.
9 From And also, select one or more additional actions.
In File filtering rules and associated actions, from the Available rules drop-down menu, select Create new rule. The File Filtering Rule page appears.
Type a unique Rule name. Give the rule a meaningful name so that you can easily identify it and what it does. For example, FilesOver5MB.
In Filename filtering, select Enable file name filtering to enable file filtering according to file names. For example, if you type *.exe, this file filtering rule is applied to any file that has a .exe file name extension. In Take action when the file name matches, specify the names of the files that are affected by this rule. You can use the * and ? wildcard characters to match multiple filenames. For example, if you want to filter out executable files, type *.exe. Click Add to add the file names to the filtering list or Delete to remove file names from the filtering list.
10 In File category filtering, select Enable file category filtering to enable file filtering according to file type.
a In Take action when the file category is, specify the type of files that are affected by this rule.
File types are divided into categories and subcategories.
b In File categories, select a file type. An asterisk symbol (*) appears next to the file type to indicate that the selected file type will be filtered.
c In Subcategories, select the subcategory you want to filter. To select more than one subcategory, use Ctrl+Click or Shift+Click. To select all of the subcategories, click All. Click Clear selections to undo the last selection.
Select Extend this rule to unrecognized file categories to apply this rule to any other file categories and subcategories that are not specifically mentioned in the categories and subcategories lists.
11 In File size filtering, select Enable file size filtering to filter files according to their file size.
a In Take action when the file size is, select Greater than to specify that the action should only be applied if the file is larger than the size specified.
b Select Less Than to specify that the action should only be applied if the file is smaller than the size specified.
12 Click Save to return to the policy page.
13 Click the Change link of the rule and specify the actions that must be taken when a file/attachment in an email message is detected and filtered.
14 Click Delete to remove a rule.
15 Send an email from your Microsoft Outlook with an executable file attached. The file filtering rule is triggered and the actions specified in steps 7 - 11 take place.
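The three filtering modes of a file filtering rule described above (file name patterns with * and ?, file category and subcategory with the option to extend to unrecognized categories, and Greater than / Less than size limits), as an added Python example. This is example code written for this guide, not McAfee's implementation; the category table, attachment fields and rule names are constructed, and the attachment's detected type is kept separate from its file name so that the example can show why category filtering (by detected type) and name filtering (by the name as given) give different results.

```python
# Added example: evaluation of a file filtering rule by name, category and size.
# Not McAfee code; the category table and all sample values are constructed.
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical category -> subcategory -> detected file types table.
CATEGORIES: Dict[str, Dict[str, Set[str]]] = {
    "Executables": {"Windows": {".exe", ".dll", ".scr"}, "Scripts": {".vbs", ".js", ".bat"}},
    "Archives":    {"Zip": {".zip"}, "Rar": {".rar"}},
    "Documents":   {"Word": {".doc", ".docx"}, "PDF": {".pdf"}},
}


@dataclass
class Attachment:
    name: str           # file name as it appears in the message
    size_kb: int
    detected_ext: str   # type established from the content, not from the name


@dataclass
class FileFilterRule:
    name: str
    name_patterns: List[str] = field(default_factory=list)        # Enable file name filtering
    categories: Dict[str, Set[str]] = field(default_factory=dict)  # category -> subcategories or {"All"}
    extend_unrecognized: bool = False                              # Extend this rule to unrecognized file categories
    size_greater_than_kb: Optional[int] = None                     # Enable file size filtering: Greater than
    size_less_than_kb: Optional[int] = None                        # Enable file size filtering: Less than

    def name_matches(self, att: Attachment) -> bool:
        return any(fnmatch.fnmatchcase(att.name.lower(), p.lower()) for p in self.name_patterns)

    def category_matches(self, att: Attachment) -> bool:
        if not self.categories and not self.extend_unrecognized:
            return False
        for category, subcats in CATEGORIES.items():
            for subcat, types in subcats.items():
                if att.detected_ext.lower() in types:
                    chosen = self.categories.get(category)
                    return chosen is not None and ("All" in chosen or subcat in chosen)
        return self.extend_unrecognized     # type is in no known category

    def size_matches(self, att: Attachment) -> bool:
        if self.size_greater_than_kb is not None:
            return att.size_kb > self.size_greater_than_kb
        if self.size_less_than_kb is not None:
            return att.size_kb < self.size_less_than_kb
        return False

    def triggers(self, att: Attachment) -> List[str]:
        """Which enabled filters of this rule the attachment matches."""
        hits = []
        if self.name_patterns and self.name_matches(att):
            hits.append("name")
        if self.category_matches(att):
            hits.append("category")
        if self.size_matches(att):
            hits.append("size")
        return hits
```

Because the name filter sees only the name, an attachment whose name does not reflect its content matches a category rule but not a name rule; both filters together give the coverage the guide's steps 9 and 10 are meant to provide.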
8 Click Save to return to the policy page.
9 In Actions to take, click Edit and specify the anti-phish scanner actions that must be taken if a phish is detected.
Tasks
Configuring corrupt content filter settings on page 42: The content of some email messages can become corrupt, which means that the content of the email message cannot be scanned.
Configuring protected content filter settings on page 42: The content of some email messages is protected, which means that the content of the email message cannot be scanned.
Configuring encrypted content filter settings on page 43: Email messages can be encrypted, meaning that the content of those messages is encoded and therefore not accessible to unauthorized parties.
Configuring signed content filter settings on page 43: Whenever information is sent electronically, it can be accidentally or willfully altered. To overcome this, some email software uses a digital signature, the electronic form of a handwritten signature.
Configuring password-protected archives filter settings on page 44: You can protect an archive with a password and send it through email. Password-protected files cannot be accessed without the password and cannot be scanned.
Configuring mail size filter settings on page 44: Mail size filtering allows you to specify an action that will be applied to email messages based on their size.
Configuring the scanner control filter settings on page 45: You can use Scanner Control Settings to limit the nesting level, file size, and scan time that is allowed when email messages are scanned.
Configuring MIME mail filter settings on page 45: Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.
Configuring HTML file filter settings on page 47: The HTML file filter allows you to search for elements or executables such as ActiveX, Java applets and VBScripts in HTML components.
Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Protected Content.
4 In Actions, click Edit to specify the filter actions that must be taken when protected content is detected.
5 Click Save to return to the policy page.
4 In Actions, click Edit to specify the filter actions that must be taken when signed content is detected.
5 Click Save to return to the policy page.
Signed content settings are applicable to signed internet emails and signed attachments.
In Actions, click Edit. In the following tabs, specify the mail size filter actions that must be taken if the size of the email message or attachment, or the number of email attachments, exceeds the specified value:
Message Size
Attachment Size
Attachment Count
10 In Alert selection, you can select which alert to use when a scanner control option is triggered. You can use:
Create: To create a new alert message for this policy.
View/Hide: To display or hide the alert text. If the text is hidden, clicking this link displays it. If the text is displayed, clicking this link hides it.
11 In Actions, click Edit to specify the filter actions that must be taken when the maximum nesting level of a zip attachment, the maximum file size, or the maximum scanning time of an item is exceeded, and when scanning an item fails.
12 Click Save to return to the policy page.
Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click MIME Mail Settings.
4 In Options, select <create new set of options>. The Mail Settings page appears.
5 In Instance name, type a unique name for the MIME email filter setting instance. This field is mandatory.
6 In the Options tab, type a Prefix to message subject.
a In Preferred re-encoding of attachments in a MIME message, select the re-encoding method to use when re-encoding attachments in MIME messages from the options available.
b In Preferred re-encoding of modified subject headers, select the re-encoding method to use when re-encoding the subject headers of MIME messages from the options available.
c In If re-encoding a subject header fails, select one of these options:
Treat as an error: The MIME message is bounced.
Fallback to UTF-8: The MIME message is encoded into UTF-8.
You can perform step 6b only if you select Re-encode using the original encoding scheme or Re-encode using the following character set from Preferred re-encoding of modified subject headers.
7 In the Advanced tab:
a Select one of these encoding methods to use when encoding the text part of an email message:
Quoted-Printable, which is best suited for messages that mainly contain ASCII characters but also contain some byte values outside that range.
Base64, which has a fixed overhead and is best suited for non-text data, and for messages that do not have a lot of ASCII text.
8-Bit, which is best suited for use with SMTP servers that support the 8BITMIME SMTP transport extension.
Select or deselect Do not encode if text is 7-bit as required.
b In Default decode character set, select the character set to use for decoding when one is not specified by the MIME headers.
c In Maximum number of MIME parts, specify the maximum number of MIME parts that can be contained in a MIME message. The default value is 10000 MIME parts.
d In Header corruption in a MIME message, select the required option.
e In NULL characters in the headers of a MIME message, select the required option.
f In Quoted-printable characters encoding in a MIME message, select the required option.
8 In the MIME Types tab, specify which MIME types should be treated as text attachments and which as binary attachments. Click Add to add a MIME type to the list or Delete to delete a MIME type from the list. Duplicate entries are not allowed.
9 In the Character Sets tab, select a Character set and its Alternatives, deselect the Fixed checkbox, and click Add to specify an alternative character set mapping for the one specified in the MIME message. Click Edit to edit character mappings, Delete to delete character mappings, and Save to save any changes you have made to the character mappings. The Save option is available only when you click Edit.
10 Click Save.
11 In Alert selection, you can select which alert to use when a MIME type is blocked. You can use:
Create: To create a new alert message for this policy.
View/Hide: To display or hide the alert text. If the text is hidden, clicking this link displays it. If the text is displayed, clicking this link hides it.
12 In Incomplete message actions, click Edit to specify the filter actions that must be taken when a partial MIME or external MIME type is encountered.
13 Click Save to return to the policy page.
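The MIME settings above (transfer-encoding choice for text parts, subject re-encoding with the "Fallback to UTF-8" versus "Treat as an error" behaviour, and the "Maximum number of MIME parts" limit) can be illustrated with the Python standard library. The following is an added example written for this guide; it is not McAfee code and does not show how the product implements these options. The 75% ASCII threshold used to choose between quoted-printable and base64 is an assumed value, and the sample message is constructed here.

```python
from email import policy
from email.header import Header
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Tuple

# Product default for "Maximum number of MIME parts" (value taken from the guide).
MAX_MIME_PARTS = 10000


def is_7bit(data: bytes) -> bool:
    """True when every byte is within 7-bit ASCII, so the part needs no encoding."""
    return all(b < 0x80 for b in data)


def choose_text_encoding(data: bytes, ascii_threshold: float = 0.75) -> str:
    """Pick a transfer encoding for a text part following the guide's rule of thumb:
    7-bit text needs none, mostly-ASCII text suits quoted-printable, and text that is
    mostly non-ASCII suits base64. The 75% threshold is an assumed value."""
    if not data or is_7bit(data):
        return "7bit"
    ascii_ratio = sum(1 for b in data if b < 0x80) / len(data)
    return "quoted-printable" if ascii_ratio >= ascii_threshold else "base64"


def reencode_subject(subject: str, preferred_charset: str, fallback_to_utf8: bool = True) -> str:
    """Re-encode a modified subject header in the preferred character set.
    If the subject cannot be represented in that charset, either fall back to UTF-8
    (the guide's "Fallback to UTF-8" option) or raise (the "Treat as an error" option,
    under which the product bounces the message)."""
    try:
        subject.encode(preferred_charset)
        return Header(subject, preferred_charset).encode()
    except UnicodeEncodeError:
        if not fallback_to_utf8:
            raise
        return Header(subject, "utf-8").encode()


def count_mime_parts(raw: bytes, limit: int = MAX_MIME_PARTS) -> Tuple[int, bool]:
    """Parse raw RFC 5322 bytes and return (number_of_parts, within_limit).
    msg.walk() visits every part, including nested multipart containers, so a
    message built to exhaust a parser with thousands of tiny parts is counted fully."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    n = sum(1 for _ in msg.walk())
    return n, n <= limit


def build_sample(prefix: str = "[Scanned] ") -> bytes:
    """Constructed sample message: a text body plus a binary attachment, with the
    configured prefix added to the subject (the guide's "Prefix to message subject")."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = prefix + "Quarterly figures"
    msg.set_content("Plain 7-bit body.")
    msg.add_attachment(b"\x00\x01\x02\xff", maintype="application",
                       subtype="octet-stream", filename="blob.bin")
    return bytes(msg)
```

Counting parts before any per-part processing is what makes the part limit useful: a message with an excessive number of parts is rejected by the filter rather than consuming scanner time on each one.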
Metadata: To scan for metadata elements in the HTML message. For example:
<META HTTP-EQUIV="Expires" Content="Tue, 04 June 2007 21:29:02">
Links URLs ("<a href=..."): To scan for URL elements in the HTML message. For example:
<a HREF="McAfee.htm">
Source URLs ("<img src=..."): To scan for source URL elements in the HTML message. For example:
<IMG SRC="..\..\images\icons\mcafee_logo_rotating75.gif">
JavaScript / VBScript: To scan for JavaScript or Visual Basic script in the HTML message. For example:
<script language="javascript" src="mfe/mfe.js">
In Remove the following executable elements, select any of these options:
JavaScript / VBScript: To remove JavaScript or Visual Basic script elements from the HTML message. For example:
<script language="javascript" src="mfe/mfe.js">
Java applets: To remove Java applet elements from the HTML message. For example:
<APPLET code="XYZApp.class" codebase="HTML ....."></APPLET>
ActiveX controls: To remove ActiveX control elements from the HTML message. For example:
<OBJECT ID="clock" data="http://www.mcafee.com/vscan.png" type="image/png"> VirusScan Image </OBJECT>
Macromedia Flash: To remove Macromedia Flash elements from the HTML message. This option is enabled when you have selected ActiveX controls. For example:
<EMBED SRC="somefilename.swf" width="500" height="200">
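To show what the HTML file filter's "scan for" and "remove" options amount to, here is an added example, written for this guide rather than taken from the product, that walks an HTML mail body with Python's html.parser, records the element types the guide lists as scan targets, and rebuilds the body without the executable elements (script, applet, object and embed). The tag sets, the treatment of embed as a void element, and the sample body are assumptions made for the example.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Elements the guide's "scan for" options look at, keyed by tag name.
SCAN_ELEMENTS = {
    "meta": "Metadata",
    "a": "Links URLs",
    "img": "Source URLs",
    "script": "JavaScript / VBScript",
}
# Executable elements the guide's "remove" options strip: script, Java applets,
# ActiveX (<object>) and Flash (delivered via <embed> or <object>).
REMOVE_ELEMENTS = {"script", "applet", "object", "embed"}
# Tags that never have a closing tag, so removing them must not open a skip region.
VOID_TAGS = {"embed", "img", "meta", "br", "hr", "input", "link"}


class HtmlFilter(HTMLParser):
    """Records scan hits and rebuilds the document without the executable elements."""

    def __init__(self, remove=REMOVE_ELEMENTS):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. exactly as written
        self.remove = remove
        self.hits: List[Tuple[str, str, Dict[str, str]]] = []
        self.out: List[str] = []
        self.skip_depth = 0  # > 0 while inside an element that is being removed

    def _emit(self, text: str) -> None:
        if self.skip_depth == 0:
            self.out.append(text)

    def _note(self, tag, attrs) -> None:
        if tag in SCAN_ELEMENTS:
            self.hits.append((SCAN_ELEMENTS[tag], tag, dict(attrs)))

    def handle_starttag(self, tag, attrs):
        self._note(tag, attrs)
        if tag in self.remove:
            if tag not in VOID_TAGS:
                self.skip_depth += 1  # drop everything up to the matching end tag
            return
        self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <img ... /> style
        self._note(tag, attrs)
        if tag not in self.remove:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.remove:
            if tag not in VOID_TAGS and self.skip_depth > 0:
                self.skip_depth -= 1
            return
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def filter_html(document: str) -> Tuple[str, List[Tuple[str, str, Dict[str, str]]]]:
    """Return (cleaned_html, hits) for an HTML mail body."""
    p = HtmlFilter()
    p.feed(document)
    p.close()
    return "".join(p.out), p.hits


# Constructed sample body exercising every element type named in the guide.
SAMPLE = (
    '<html><head><meta http-equiv="Expires" content="Tue, 04 June 2007 21:29:02">'
    '<script language="javascript" src="mfe/mfe.js"></script></head>'
    '<body><p>Hello &amp; welcome</p><a href="index.htm">link</a>'
    '<img src="images/logo.gif">'
    '<applet code="XYZApp.class" codebase="classes/"></applet>'
    '<object id="clock" data="http://www.example.test/vscan.png" type="image/png">Image</object>'
    '<embed src="somefilename.swf" width="500" height="200">'
    '<p>bye</p></body></html>'
)
```

Note that the content between a removed element's start and end tags (the fallback text inside the object element, the body of a script) is dropped with it, which is the behaviour you want: an attacker-supplied fallback is as untrusted as the element that carries it.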
4 In Options, select the default alert settings available or select <create new set of options> to define your alert settings. The Alert Settings page appears.
5 In Instance name, type a unique name for the alert message setting instance. This field is mandatory.
6 Select HTML or Plain text as the Alert format.
7 From the Character encoding drop-down menu, select the required character set.
8 In Alert filename, specify the file name for this alert, including the appropriate HTML (.htm) or plain text (.txt) file extension.
9 Select or deselect Enable alert headers to enable the use of an alert header.
10 In the Alert header text entry box, type the header for the alert.
11 From Show, select HTML content (WYSIWYG) or HTML content (source) depending on whether the HTML text should be shown as rendered content or as source code in the Alert header.
The Show option is only available if you have selected HTML as the alert message format.
12 Select Enable alert footers to enable the use of an alert footer as needed.
13 In the Alert footer text entry box, type the footer for the alert.
14 From Show, select HTML content (WYSIWYG) or HTML content (source) depending on whether the HTML text should be shown as rendered content or as source code in the Alert footer.
The Show option is only available if you have selected HTML as the alert message format.
Table 4-3 Toolbar options
Option: Description
Bold: To make the selected text bold.
Italic: To make the selected text italic.
Underline: To underline the selected text.
Align Left: To left align the selected paragraph.
Center: To center the selected paragraph.
Align Right: To right align the selected paragraph.
Justify: To adjust the selected paragraph so that the lines within the paragraph fill a given width, with straight left and right edges.
Ordered List: To make the selected text into a numbered list.
Unordered List: To make the selected text into a bulleted list.
Outdent: To move the selected text a set distance to the right.
Indent: To move the selected text a set distance to the left.
Text Color: To change the color of the selected text.
Horizontal Rule: To insert a horizontal line.
Insert Link: To insert a hyperlink where the cursor is currently positioned. In URL, type the URL. In Text, type the name of the hyperlink as you want it to appear in the alert message. If you want the link to open a new window, select Open link in new window, then click Insert Link.
Insert Image: To insert an image where the cursor is currently positioned. In Image URL, type the location of the image. In Alternative text, type the text you want to use in place of the image when images are suppressed or the alert message is displayed in a text-only browser. If you want to give the image a title, type the title name in Use this text as the image title. Click Insert Image.
Insert Table: To insert a table at the current cursor position. Type the values in Rows, Columns, Table width, Border thickness, Cell padding, and Cell spacing to configure the table, then click Insert Table.
From the Show drop-down menu, specify how the alert message should be displayed within the user interface. You can select:
HTML content (WYSIWYG): To hide the underlying HTML code and display only the content of the alert message.
HTML content (source): To display the alert message with the HTML code as it appears before compilation.
Plain-text content: To display the content as plain text.
You can use the following notification fields to include them in your alert message. For example, if you want your alert message to include the name of the detected item and the action taken when it was detected, use %vrs% and %act% on the Alert Editor page.
Table 4-4 Notification fields you can use
Notification field: Description
%dts%: Date and time
%sdr%: Sender
%ftr%: Filter
%fln%: File name
%rul%: Rule name
%act%: Action taken
%fdr%: Folder
%vrs%: Detection name
%trs%: State (Train state)
%tik%: Ticket number
%idy%: Scanned by
%psn%: Policy name
%svr%: Server
%avd%: Anti-virus DAT
%ave%: Anti-virus engine
%rpt%: Recipient
%rsn%: Reason
%sbj%: Subject
%ssc%: Spam score
%ase%
%asr%
9 Click Save to return to the policy page.
Click Reset to undo all changes you have made since you last saved the alert message.
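The notification fields in Table 4-4 are placeholders that the product expands when it builds an alert. As an added example (written for this guide, not the product's own template engine), the function below performs that expansion over a small subset of the fields and shows the point an administrator writing HTML alerts should keep in mind: the sender, subject, file name and detection name all originate in the scanned message, so in an HTML alert each value has to be HTML-escaped or a crafted subject ends up rendered by the mail client that displays the alert. The field subset and sample values are constructed here.

```python
import html
import re
from typing import Dict

# Subset of the notification fields documented in Table 4-4.
NOTIFICATION_FIELDS = {
    "%dts%": "Date and time", "%sdr%": "Sender", "%fln%": "File name", "%rul%": "Rule name",
    "%act%": "Action taken", "%vrs%": "Detection name", "%rpt%": "Recipient", "%sbj%": "Subject",
}

FIELD_RE = re.compile(r"%[a-z]{3}%")


def render_alert(template: str, values: Dict[str, str], alert_format: str = "HTML") -> str:
    """Expand %xxx% fields in an alert template.

    For an HTML alert every substituted value is HTML-escaped, so message-derived
    text such as a subject of "<script>" is shown as text rather than interpreted.
    Plain-text alerts are inserted verbatim. Fields without a value are left as typed."""
    is_html = alert_format.upper() == "HTML"

    def substitute(match: "re.Match[str]") -> str:
        key = match.group(0)
        if key not in values:
            return key
        value = str(values[key])
        return html.escape(value, quote=True) if is_html else value

    return FIELD_RE.sub(substitute, template)


def unknown_fields(template: str) -> set:
    """Fields used in a template that are not in the documented list (a typo check
    an administrator can run before saving an alert)."""
    return {m for m in FIELD_RE.findall(template) if m not in NOTIFICATION_FIELDS}


# Constructed sample values, as the product might supply them for one detection.
SAMPLE_VALUES = {
    "%dts%": "2011-06-04 21:29:02",
    "%vrs%": "EICAR-Test",
    "%sbj%": "<b>Invoice</b>",
    "%act%": "Quarantined",
}
```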
Shared Resource
When setting up policies, you might want the same resource to be used by more than one policy. For example, you might want to use the same disclaimer in both internal and external email messages. Instead of creating two disclaimers, one for the internal mail policy and one for the external mail policy, you can create a single disclaimer that can be used by both policies. The disclaimer can be thought of as a resource that is shared by more than one policy.
You can use Shared Resource to:
View resource settings.
Create new resources.
Change resource settings, so that the changes are picked up by all policies using those shared resources.
Delete shared resources that are no longer in use.
Shared resources are explained here using the Anti-Virus Scanner Settings. The settings for other scanners and filters may vary, but most of them are similar.
In Scanner options, select the scanner options for the shared resource.
Scan archive files (ZIP, ARJ, RAR...): To scan inside archive files, such as ZIP files.
Find unknown file viruses: To use heuristic analysis techniques to search for unknown viruses.
Find unknown macro viruses: To find unknown viruses in macros.
Scan all files for macros: To scan all files for macros.
Find all macros and treat as infected: To find macros in files and treat them as infected items.
Remove all macros from document files: To remove all macros from document files.
Select the specific malware types from the list or type the detection names you want to detect. When typing in the detection name, you can use wildcard characters for pattern matching.
Specify the Clean options for the shared scanner when the cleaning is attempted and the file is of zero bytes after cleaning. You could keep the file, remove it or treat the scan as failed.
Cleaning an item can remove some types of malware. You can specify whether items that have already been successfully cleaned should be subject to the custom malware check.
10 Select Exclude specified names or Include only specified names to specify which packers can be ignored or detected. Click Add to add packer names to a list. Click Delete to remove packer names from a list.
When specifying packer names, you can use wildcards to match multiple names.
13 Select each type of PUP in Program types to be detected or ignored.
14 Select Exclude specified names or Include only specified names to list by name the PUPs that you want the software to ignore or detect, then click Add.
You can use wildcards to match names. For example, type the name of a spyware program and click Add. Repeat this step until you have added the names of all the spyware programs you want the software to ignore or detect.
15 Click Save.
16 Click Cancel to discard all changes and return to the home page.
17 In Alerts, click View to see the default anti-virus scanner alert, or click Create New to create a new alert message. For instructions, see the Creating a new alert section.
18 Click Save to return to the policy page. To discard all changes and return to the policy page, click Cancel.
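The packer and PUP steps above both use the same pair of list modes, "Exclude specified names" and "Include only specified names", with wildcards in the names. The following added example (written for this guide; not the product's matching code) models those two modes and the PUP program-type selection so the difference is explicit: an exclude list detects everything not listed, an include-only list detects nothing that is not listed. Case-insensitive matching and the sample detection names are assumptions made here.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List


class NameListRule:
    """Models the guide's "Exclude specified names" / "Include only specified names"
    lists for packers and PUPs. Patterns may use * and ? wildcards; matching is
    case-insensitive, which is an assumption about the product, not a documented fact."""

    def __init__(self, mode: str, patterns: Iterable[str]):
        if mode not in ("exclude", "include_only"):
            raise ValueError("mode must be 'exclude' or 'include_only'")
        self.mode = mode
        self.patterns = [p.lower() for p in patterns]

    def listed(self, name: str) -> bool:
        """True if any pattern in the list matches the detection name."""
        return any(fnmatchcase(name.lower(), p) for p in self.patterns)

    def should_detect(self, name: str) -> bool:
        """exclude: detect everything except listed names;
        include_only: detect only listed names."""
        hit = self.listed(name)
        return (not hit) if self.mode == "exclude" else hit


def apply_rule(rule: NameListRule, detections: Iterable[str]) -> List[str]:
    """Names from a scan result that the rule keeps as detections, in input order."""
    return [d for d in detections if rule.should_detect(d)]


def should_detect_pup(name: str, program_type: str, enabled_types: Iterable[str],
                      rule: NameListRule) -> bool:
    """A PUP is acted on only when its program type is selected (step 13) and the
    name list allows it (step 14)."""
    return program_type in set(enabled_types) and rule.should_detect(name)


# Constructed sample detection names (not real product output).
SAMPLE_DETECTIONS = ["UPX-Packed", "Themida", "Adware-Gator", "Spyware-X", "Spyware-XY", "Keylogger"]
```

When writing an include-only list, remember that "Spyware-?" matches exactly one extra character, so "Spyware-XY" is not detected by it; use "Spyware-*" if the intent is a family prefix.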
In File categories, click a file type. An asterisk symbol (*) appears next to the file type to indicate that the selected file type will be filtered.
10 In Subcategories, click the subcategory you want to filter. To select more than one subcategory, use Ctrl+Click or Shift+Click. To select all of the subcategories, click All. Click Clear selections to undo the last selection.
11 Select Extend this rule to unrecognized file categories to apply this rule to any other file categories and subcategories that are not specifically mentioned in the categories and subcategories lists.
12 In File size filtering, select Enable file size filtering to filter files according to their file size.
13 In Take action when the file size is, select an option, then click Save.
Greater than: to specify that the action should only be applied if the file is larger than the size specified.
Less than: to specify that the action should only be applied if the file is smaller than the size specified.
14 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.
15 Click a policy name. Select the Active option for the file filtering scanner, then click File Filtering.
16 In File Filtering rules and associated actions, select the rule you created from the Available rules drop-down menu.
17 Click the Change link of the rule to specify actions that must be taken when a file/attachment in an email message is detected and filtered.
18 Click Save to return to the policy page.
See the Appendix A Using file filtering rule and actions in a real-time scenario section for more information.
Use Wildcards: If enabled, the rule is triggered for the specified word or phrase that contains wildcard characters. (Wildcard characters are often used in place of one or more characters when you do not know what the real character is or you do not want to type the entire name.)
Starts with: If enabled, the rule is triggered for specified text that forms the beginning of the word or phrase.
Ends with: If enabled, the rule is triggered for specified text that forms the last part of the word or phrase.
Case Sensitive: If enabled, the rule is triggered if the case of the specified text matches the word or phrase.
6 Select Specify additional contextual words or phrases if you want to add contextual words.
7 Select Trigger if ALL of the phrases are present, Trigger if ANY of the phrases are present, or Trigger if NONE of the phrases are present from the drop-down menu.
8 Select within a block of and specify the number of Characters in the block to be scanned.
9 Click Add Contextual word to type additional words or phrases.
10 Specify the word or phrase in Specify words or phrases, select one of the conditions (the same options as in Step 5), then click Add.
11 Under File Format, select Everything to enable all the file categories and their subcategories. You can select multiple categories and file types within the selected categories to be matched. Selecting All in the subcategory selector overrides any other selections that may have already been made.
12 If you have not selected Everything, you can click Clear selections to deselect any of the selected file type options.
13 Click Save to return to the policy page, then click Apply.
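The matching conditions (Use Wildcards, Starts with, Ends with, Case Sensitive) and the contextual-phrase modes (ALL / ANY / NONE within a block of N characters) are easiest to understand by running a rule over a sample sentence. The block below is an added example for this guide, not the product's rule engine, and it fixes several details the guide leaves open as assumptions: a phrase with neither Starts with nor Ends with must match a whole word, * matches any run of non-space characters, ? matches one character, and the "block" is a window of N characters on either side of the matched phrase. The sample text is constructed here.

```python
import re
from typing import Iterable

# Constructed sample message text used by the checks below.
TEXT = "Please find the attached salary report; it is confidential and for internal use only."


def phrase_pattern(phrase: str, use_wildcards: bool = False, starts_with: bool = False,
                   ends_with: bool = False, case_sensitive: bool = False) -> "re.Pattern[str]":
    """Compile one 'word or phrase' with the guide's conditions into a regex.
    Assumed semantics: with neither Starts with nor Ends with the phrase must form a
    whole word or phrase; Starts with anchors only the left side, Ends with only the
    right; * matches any run of non-space characters and ? exactly one character."""
    body = re.escape(phrase)
    if use_wildcards:
        body = body.replace(r"\*", r"\S*").replace(r"\?", r"\S")
    prefix = r"\b" if (starts_with or not ends_with) else ""
    suffix = r"\b" if (ends_with or not starts_with) else ""
    return re.compile(prefix + body + suffix, 0 if case_sensitive else re.IGNORECASE)


def rule_triggers(text: str, phrase: str, contextual: Iterable[str] = (), mode: str = "ANY",
                  block_chars: int = 0, **conditions) -> bool:
    """True when the main phrase matches and the contextual condition holds.

    mode is ALL, ANY or NONE of the contextual phrases being present. With block_chars > 0
    presence is checked in a window of that many characters on each side of the match
    (assumed meaning of 'within a block of'); with 0 the whole text is used."""
    if mode not in ("ALL", "ANY", "NONE"):
        raise ValueError("mode must be ALL, ANY or NONE")
    main = phrase_pattern(phrase, **conditions)
    case_sensitive = conditions.get("case_sensitive", False)
    ctx = [phrase_pattern(c, case_sensitive=case_sensitive) for c in contextual]
    for m in main.finditer(text):
        window = text[max(0, m.start() - block_chars): m.end() + block_chars] if block_chars else text
        present = [bool(p.search(window)) for p in ctx]
        if mode == "ALL" and all(present):
            return True
        if mode == "ANY" and (any(present) or not ctx):
            return True
        if mode == "NONE" and not any(present):
            return True
    return False
```

A rule with no contextual phrases degrades to the plain phrase match, and a block size that is too small for the surrounding words silently stops the contextual phrases from being found, which is the usual reason an ALL rule does not fire when testing it.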
This section describes the settings and diagnostics you can perform with McAfee Security for Microsoft Exchange.
Contents
On-Access settings
Configuring Mailbox Exclusion settings
Notifications settings
Configuring Anti Spam settings
Detected Items settings
User Interface Preferences settings
Diagnostics settings
Product Log settings
DAT settings
Import and Export Configuration settings
Proxy Settings
On-Access settings
In this section you can configure the general On-Access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings.
For example, if a user tries to open an item that has not been scanned, it is assigned a high priority, whereas items being saved or posted to public folders are assigned a low priority. This is known as priority based queuing. When all the high priority items have been scanned, scanning of lower priority items begins. The latter scans on a first-in-first-out (FIFO) basis.
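Priority based queuing with first-in-first-out handling within each priority is a small but easy-to-get-wrong data structure, so here is an added example written for this guide (it is not the product's scheduler) that models it with a binary heap. A sequence number is stored alongside the priority so that two items of equal priority keep their arrival order instead of being compared by payload; the event names and arrival sequence are constructed here.

```python
import heapq
from itertools import count
from typing import List, Optional, Tuple

HIGH, LOW = 0, 1  # lower number is served first


def priority_for(event: str) -> int:
    """Map a store event to a queue priority, following the guide's example:
    a user opening an unscanned item is urgent; saves or posts to public folders are not.
    The event names are assumed for this example."""
    return HIGH if event == "user-open" else LOW


class ScanQueue:
    """Priority queue that is FIFO within each priority level.

    Tuples compare element by element, so (priority, sequence, item) orders by
    priority first and by arrival second; without the sequence number heapq would
    fall through to comparing the item payloads."""

    def __init__(self) -> None:
        self._heap: List[Tuple[int, int, str]] = []
        self._seq = count()

    def submit(self, item: str, event: str) -> None:
        heapq.heappush(self._heap, (priority_for(event), next(self._seq), item))

    def next_item(self) -> Optional[str]:
        return heapq.heappop(self._heap)[2] if self._heap else None

    def drain(self) -> List[str]:
        """Scan order for everything currently queued."""
        order: List[str] = []
        while self._heap:
            order.append(self.next_item())
        return order


def demo_order() -> List[str]:
    """Constructed arrival sequence: low-priority public folder posts interleaved
    with user opens. Both opens are scanned first, then the posts in arrival order."""
    q = ScanQueue()
    q.submit("public-folder-post-1", "public-folder-post")
    q.submit("mailbox-open-A", "user-open")
    q.submit("public-folder-post-2", "public-folder-post")
    q.submit("mailbox-open-B", "user-open")
    return q.drain()
```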
Task
1 Click Settings & Diagnostics | On-Access Settings. The On-Access Settings page appears.
2 From General, choose Allow Through or Remove for On Scan Failure, depending on whether you want to allow the email message through or delete it if scanning fails.
3 From Microsoft Virus Scanning API (VSAPI), you can use:
Enabled: To specify whether VSAPI is enabled or not. If disabled, the following options also become inactive.
Proactive Scanning: To scan when messages and files are written to the Store.
Background Scanning: To specify whether background scanning is enabled or not. You can use Enable At and Disable At to schedule the background scanning.
Scan Timeout (seconds): To specify the length of time to wait for a scan before timing out. The default value is 180 seconds.
Number of Scan Threads: To specify the maximum number of scan threads for various processes. You can select the Default option if you don't want to specify the number of scan threads.
VSAPI should be disabled while moving or restoring backup mailboxes.
From Transport Scan Settings, select Enable to benefit from bi-directional SMTP scanning control.
From Direction Based Scanning, you can select:
Scan Inbound Mails: To scan messages coming from an external server (for example, Internet-based email messages). If this is selected and the other two options are deselected, then a mail going to a different domain is not scanned.
Scan Outbound Mails: To scan any email that leaves your Exchange server or Exchange organization. Email messages are designated as outbound if at least one recipient has an external address.
Scan Internal Mails: To scan email messages that are being routed from one location inside your domain to another location inside your domain. Email messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.
Select Enable routing to the user junk folders on this server to route junk emails to the user junk folders on the email server.
From Background Scan Settings, you can use:
Enable: To specify whether background scanning should be enabled or not. You can use Enable At and Disable At to schedule the background scanning.
Only Messages With Attachments: To enable background scanning only for email messages that have attachments.
Only Un-Scanned Items: To enable background scanning only for those messages that have not been scanned yet.
Force Scan All: To scan items irrespective of whether the item has a scan stamp or not. If an item has a scan stamp, it means that the item has been scanned and is up to date.
Update Scan Stamp: To update the scan stamp of items during background scanning. When you deselect this option, the stamp is not updated. This feature is useful if the vendor wants to access the messages but not necessarily virus scan them.
From Date and To Date: To schedule the scan stamp update.
From Transport Scan Settings, you can select:
Enable: To enable transport scanning.
Transport Scan Stamp: To reduce redundant scanning whenever possible and to benefit from bi-directional SMTP scanning control.
From Direction Based Scanning, you can select:
Scan Inbound Mails: To scan messages coming from an external server (for example, Internet-based email messages). If this is selected and the other two options are deselected, then a mail going to a different domain is not scanned.
Scan Outbound Mails: To scan any email that leaves your Exchange server or Exchange organization. Email messages are designated as outbound if at least one recipient has an external address.
Scan Internal Mails: To scan email messages that are being routed from one location inside your domain to another location inside your domain. Email messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.
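The three Direction Based Scanning options depend on how a message is classified, and the guide gives the rule: outbound if at least one recipient is external, internal if the sender and ALL recipients are inside your domain, inbound otherwise. The block below is an added example for this guide (not the product's classifier) that applies that rule to sender and recipient addresses and then consults the three checkboxes; it also reproduces the guide's warning case where only Scan Inbound Mails is selected and a message to another domain goes unscanned. The internal domain set and the addresses are constructed here.

```python
from email.utils import parseaddr
from typing import Iterable, Set


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; accepts 'Name <user@host>' forms."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_direction(sender: str, recipients: Iterable[str], internal_domains: Set[str]) -> str:
    """Inbound: the sender is outside your domains (message arrives from an external server).
    Outbound: sender internal and at least one recipient external.
    Internal: sender internal and ALL recipients internal."""
    internal = {d.lower() for d in internal_domains}
    if domain_of(sender) not in internal:
        return "inbound"
    if all(domain_of(r) in internal for r in recipients):
        return "internal"
    return "outbound"


def should_scan(direction: str, scan_inbound: bool = True, scan_outbound: bool = True,
                scan_internal: bool = True) -> bool:
    """Apply the three Direction Based Scanning checkboxes to a classified message."""
    return {"inbound": scan_inbound, "outbound": scan_outbound, "internal": scan_internal}[direction]


# Constructed configuration: the Exchange organization's own accepted domains.
INTERNAL_DOMAINS = {"corp.example.test"}


def decide(sender: str, recipients: Iterable[str], **checkboxes) -> bool:
    """Convenience wrapper: classify, then apply the checkboxes."""
    return should_scan(classify_direction(sender, recipients, INTERNAL_DOMAINS), **checkboxes)
```

A message with an external sender and an external recipient is still classified as inbound here; if Scan Inbound Mails is off, such a relayed message is not scanned by this rule at all, so the checkbox combination matters more than it first appears.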
Notifications settings
Notification settings allow you to configure the content of email notifications and the administrator's SMTP address to which they are sent.
Configuring notifications
Use this task to configure the notifications sent from McAfee Security for Microsoft Exchange.
Task
1 Click Settings & Diagnostics | Notifications. The Notifications page appears.
2 Under Notifications, in General, type the Administrator E-mail address to notify the administrator email account of that Exchange server.
3 Type the Sender E-mail to use as the sender address of notifications.
4 Select Enable Task results notification to send emails with on-demand scan and update task results. The email is in HTML format and has the same data and format as the Task Result window in the user interface. This feature can be enabled or disabled through this option. By default, this feature is disabled.
5 In Template, select a template from the drop-down list.
6 Type the Subject of the notification.
7 Click Edit to change the notification text that should be included in the body of the message.
8 Click Apply to save the settings.
9 In Product Health Alerts, select Enable to activate alerts regarding products when certain events occur.
10 Select Alert ePolicy Orchestrator or Alert Administrator or both. An alert message is sent accordingly.
11 Select an event when a notification should be sent. You can select Immediate to send a notification immediately, or Daily and enter the time when the notification should be sent on a daily basis.
12 Click Apply to save the settings.
For details on the Notification fields that you can use, see Creating a new alert.
5 In Message reputation threshold, type the minimum value that would trigger the corresponding policy.
6 Click Apply to save the settings.
If your internet bandwidth is low, it is recommended that you execute McAfee AntiSpam Add-on first and then Global Threat Intelligence. If your internet bandwidth is high, it is recommended that you run Global Threat Intelligence first, followed by McAfee AntiSpam Add-on.
Task
1 Install McAfee Security for Microsoft Exchange on <server 1>.
2 Install McAfee Quarantine Manager version 6.0/7.0 on <server 2>.
3 Launch the McAfee Security for Microsoft Exchange user interface from <server 1>.
4 Click Settings & Diagnostics to display the Detected Items page.
5 In McAfee Quarantine Manager, select Enabled.
6 Type the IP address of <server 2>, where you have installed McAfee Quarantine Manager.
7 Use the default values for Port and Callback port, or modify them as configured on the McAfee Quarantine Manager server.
8 Click Apply to save the settings.
10 Select an option from Once, Hours, Days, Weeks or Months, and type the corresponding values.
11 For the schedule to be saved and applied, first click Save, then Apply.
Tasks
Specifying the dashboard settings on page 66
Use this task to specify the settings for various features of the Dashboard and what information you would like to be displayed.
Specifying the graph and chart settings on page 66
Use this task to set the parameters for generating the graphical reports and charts that are displayed in the Dashboard section.
5 Select Explode pie to specify whether the segments should remain within the circle of the pie chart or be shown with some distance between each segment.
6 In Pie angle (degrees), specify the angle to use when drawing pie charts. The default value is 45.
7 Click Apply to save the settings.
Diagnostics settings
Diagnostics is used to collect information from the computer that can be used for debugging problems that are reported. This enables customers to select event logs, product logs, trace files, etc., which are useful to developers to troubleshoot the issue. You can use Diagnostics to specify the level of debug logging required, the maximum size of debug files, and where they should be saved. You can specify which events should be captured in the product log and event log by specifying the product log's location, name, size limits, and time-out settings.
Select Limit size of debug log files to specify if you want a size limit for the debug log files. In Maximum size of debug log file, specify how large (in megabytes or kilobytes) the debug log files can be.
If the debug log file exceeds the specified file size, new log entries are added to the file by deleting the oldest log entries. The maximum size is 2000 MB.
Select Specify location for debug files to specify a location for debug files. Select a location from the drop-down list and specify the path. This feature is not activated if you select None for Level. Avoid using debug logging indiscriminately, because it fills up the hard disk space and affects the overall performance of the Exchange server. It should be enabled for a limited duration, as advised by authorized personnel (a McAfee Technical Support Engineer).
In the Size Limits section:
Select Limit database size to limit the size of the product log database.
Type the Maximum database size of the product log database. You can specify the size in either megabytes or kilobytes.
If product log files exceed the specified size, the older log entries are overwritten by newer log entries.
Select Limit age of entries to specify a time after which you want the product log entries to be deleted. Type the Maximum age of entry to specify how many days an entry should remain in the database before it is deleted.
In the Advanced section:
Select Specify a query timeout to limit the amount of time for answering a product log query.
Type the Query timeout (seconds) to specify the maximum number of seconds allowed when answering a product log query.
3 Click All Dates to include all entries, or click Date Range and select a date range from the drop-down list.
4 Click Search. A list of detected items matching your search criteria is displayed in the View Results section.
Click Clear Filter to return to the default search filter settings and click Export to CSV File to export the list of detections in .CSV format.
DAT settings
DAT files are the detection definition files, also referred to as signature files, that identify the code that anti-virus and/or anti-spyware software detects in order to repair viruses, trojan horses and Potentially Unwanted Programs (PUPs).
Importing a configuration
Use this task to import configuration settings from another system into this system, where McAfee Security for Microsoft Exchange has been installed.
Task
1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.
2 Click the Configuration tab.
3 From the Import Configuration section, click Browse to locate the configuration file.
4 Click Import.
4 Click Import. The new site list overwrites the existing site list.
5 Click Apply.
Proxy Settings
A proxy server facilitates communications between two or more computers in a domain, and increases the security and privacy of a network. The proxy can either be a dedicated server with special software or just an application running on a generalized machine. There are many ways to configure a proxy server, and an administrator can use them to block content, cache data to increase transfer speeds or to bypass filters.
4. What is the recommended installation type for McAfee Security for Microsoft Exchange and why?
During the McAfee Security for Microsoft Exchange installation, select the installation type as Complete. This will install McAfee Security for Microsoft Exchange with the web user interface, Buffer Overflow Protection and the AntiSpam Add-On. (The AntiSpam Add-On evaluation version will be installed. You need to buy the Licensed AntiSpam Add-On component separately).
5. Can I upgrade from GroupShield for Exchange 7.0 to McAfee Security for Microsoft Exchange?
Yes. You can upgrade to McAfee Security for Microsoft Exchange from GroupShield for Exchange 7.0.1 Patch 1 and above, and GroupShield for Exchange 7.0.2. Rollup2 and above.
6. How can I upgrade the GroupShield for Exchange 7.0.1 in a cluster environment to McAfee Security for Microsoft Exchange 7.6?
In Single Copy Cluster setup (for Microsoft Exchange 2003 & 2007), install McAfee Security for Microsoft Exchange 7.6 on the active node. If you are upgrading from GroupShield for Exchange 7.0.1 Patch1, then the Configuration and the Database will be upgraded in the shared drive provided there is a cluster resource for GroupShield for Exchange.
7. What is the process of installing McAfee Security for Microsoft Exchange 7.6 on Microsoft Exchange 2010 DAG servers?
There is no separate process for installing McAfee Security for Microsoft Exchange on DAG servers. You need to follow the steps for a standalone installation. If you want to copy the configuration file, quarantine database and DATs from a McAfee Security for Microsoft Exchange installation on one DAG node to another DAG node, use the Cluster Replication Setup program. Refer to Cluster Replication Setup in the Installation Guide.
8. What are the precautions to be taken when installing or upgrading to McAfee Security for Microsoft Exchange 7.6 on any type of cluster servers (like SCC, CCR or LCR)?
For Cluster Continuous Replication (CCR) and Local Copy Replication (LCR), it is a standalone installation of McAfee Security for Microsoft Exchange. In the case of Single Copy Cluster (SCC), you have to first install McAfee Security for Microsoft Exchange on the active node and then on a passive node, then create McAfee Security for Microsoft Exchange cluster resources. Depending on your operating system, refer to Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2003 (32 bit or 64 bit) or Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2008 (64 bit).
9. How do you deploy McAfee Security for Microsoft Exchange 7.6 using ePolicy Orchestrator?
Refer to Managing using ePolicy Orchestrator 4.5 and 4.6 in the Installation Guide.
10. How do you deploy McAfee Security for Microsoft Exchange 7.6 using ePolicy Orchestrator with arguments?
Refer to Deploying the software using ePolicy Orchestrator 4.5 for details.
12. What is Global Threat Intelligence and how do I configure it in McAfee Security for Microsoft Exchange 7.6?
Global Threat Intelligence consists of two components:
File reputation, used on executables for viruses and malware. Refer to Configuring the anti-virus scanner settings in the Product Guide.
Email reputation, used for spam detection. Refer to Configuring Anti Spam settings in the Product Guide.
13. Can I configure a Global Threat Intelligence proxy on McAfee Security for Microsoft Exchange 7.6? If yes, then how can it be done?
Global Threat Intelligence proxy is not supported in this release.
14. How do McAfee Global Threat Intelligence file reputation and McAfee Global Threat Intelligence message reputation work in McAfee Security for Microsoft Exchange 7.6?
This is done by contacting the McAfee Global Threat Intelligence servers to get the file reputation for any malware or virus. For email reputation, McAfee Global Threat Intelligence servers are contacted to get the spam reputation score of emails.
15. Is there any performance improvement in McAfee Security for Microsoft Exchange 7.6 over GroupShield for Exchange 7.0.1?
Yes, there is a performance improvement; a significant improvement has been observed in the On-Demand scan feature.
16. What considerations need to be taken into account during a cluster replication setup?
In the case of Local Copy Replication (LCR) and Cluster Continuous Replication (CCR), it is a normal standalone installation and the normal installation process has to be followed. In case of Single Copy Cluster (SCC), you have to first install McAfee Security for Microsoft Exchange on the active node and then on a passive node.
17. Should you configure cluster replication on all servers, more than one, or just one?
If you are using Microsoft Exchange Server 2010, it depends on whether you would like to share the policies across all McAfee Security for Microsoft Exchange installations on various DAG nodes. If you are managing using ePolicy Orchestrator, this is not applicable.
This section illustrates a real-life scenario where a file filtering rule is used to delete, log, and quarantine all Microsoft PowerPoint (*.ppt) files that reach your Exchange server, and also to notify the administrator of the detection(s).
Task
1 From Policy Manager, click Shared Resource. The Shared Resources page appears.
2 Click the Filter Rules tab.
3 In File Filtering Rules, click Create New. The File Filtering Rule page appears.
4 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, PPT_Block.
5 Select Enable file name filtering to enable filtering files based on file names.
6 In Take action when the file name matches, specify the names of the files that must be quarantined. You can use the * and ? wildcard characters to match multiple file names. In this case, to filter any Microsoft PowerPoint files, type *.ppt and click Add.
7 In File category filtering, select Enable file category filtering to enable filtering files according to their file type.
  a In Take action when the file category is, specify the file types that must be quarantined. File types are divided into categories and subcategories.
  b In File categories, select Graphics/Presentation. An asterisk symbol (*) appears next to the file type.
  c In Subcategories, select one of the following from the list:
    Microsoft PowerPoint 2007
    Microsoft PowerPoint 2007 (Encrypted)
    Microsoft PowerPoint 97-2002
    Microsoft PowerPoint Dual 95/97
8 Select Extend this rule to unrecognized file categories if you want to apply file filtering rules to file categories not listed under File categories and Subcategories.
9 In File size filtering, select Enable size filtering and type the file size to specify whether files should be filtered according to their size. Under Take action when the file size is, type a file size for any one option:
  Greater than: the action is applied when a file is larger than the size specified.
  Less than: the action is applied when a file is smaller than the size specified.
10 Click Save, then Apply to return to the Shared Resources policy page.
11 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears. This example uses the On-Access policy.
12 Click a policy name to display the next page.
13 Click the File Filtering link and, in the Activation section, select Enable.
14 In File Filtering rules and associated actions, select the rule (PPT_Block, which you created in step 3) from the Available rules drop-down list.
15 Click the Change link of the rule to specify the actions that must be taken when an attached PowerPoint presentation is detected in an email message. The File Filtering Actions page appears. In this case, select the action Delete message and also Log, Quarantine and Notify Administrator.
16 Click Save, then Apply.
17 Send an email with a Microsoft PowerPoint file attached to your Exchange server. The file filtering rule is triggered and the specified actions take place.
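The rule built in the task above combines a file-name pattern, a file category and, optionally, a size bound, and attaches a set of actions to the match. The following Python block is an added example, not McAfee's code or part of this guide: it models such a rule so that the difference between the two criteria is visible. Name filtering only sees the attachment's file name, so a presentation renamed to quarterly.txt slips past *.ppt, whereas category filtering inspects the content and still fires; Extend this rule to unrecognized file categories is what catches files whose type cannot be determined at all. The category detection heuristics (OLE2 signature plus the PowerPoint Document stream name, OOXML ZIP layout), the hand-written * and ? matcher, the PPT_BLOCK rule object, the constructed sample attachments and the way criteria combine (a name or category match triggers the rule, and a size bound must also hold when set) are all this example's assumptions, not the product's documented behaviour.

```python
"""Added example (not McAfee's code): a minimal evaluator for a file filtering
rule such as PPT_Block.  Category detection and the way criteria combine are
this example's own assumptions, marked inline."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# OLE2 compound-file signature (the container used by PowerPoint 97-2002) and the
# UTF-16LE name of the stream that marks a PowerPoint document inside it.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
PPT_STREAM = "PowerPoint Document".encode("utf-16-le")


def detect_category(data: bytes) -> Optional[str]:
    """Content-based category, independent of the file name (heuristic; a product
    would parse the OLE directory and [Content_Types].xml).  None = unrecognized."""
    if data.startswith(OLE2_MAGIC):
        if PPT_STREAM in data:
            return "Graphics/Presentation/Microsoft PowerPoint 97-2002"
        return "Document/OLE2 compound file"
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return None
        if "[Content_Types].xml" in names and any(n.startswith("ppt/") for n in names):
            return "Graphics/Presentation/Microsoft PowerPoint 2007"
        return "Archive/ZIP"
    return None


def wildcard_to_regex(pattern: str):
    """Translate a name pattern with only * and ? wildcards (as in the UI) into a
    regex.  Hand-written rather than fnmatch so that [ and ] stay literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class FileFilterRule:
    name: str
    name_patterns: List[str] = field(default_factory=list)  # e.g. ["*.ppt"]
    categories: List[str] = field(default_factory=list)     # e.g. ["Graphics/Presentation"]
    extend_to_unrecognized: bool = False
    size_greater_than: Optional[int] = None                 # bytes
    size_less_than: Optional[int] = None                    # bytes
    actions: List[str] = field(default_factory=lambda: ["Log"])

    def reasons(self, filename: str, data: bytes) -> List[str]:
        """Criteria the attachment matched; an empty list means no detection.
        Assumption: a name or category match triggers the rule, and a size
        bound, when set, must hold as well."""
        hits = []
        for p in self.name_patterns:
            if wildcard_to_regex(p).match(filename):
                hits.append(f"file name matches {p}")
                break
        cat = detect_category(data)
        if cat is None:
            if self.extend_to_unrecognized:
                hits.append("unrecognized file category")
        elif any(cat.startswith(c) for c in self.categories):
            hits.append(f"file category is {cat}")
        if not hits:
            return []
        size = len(data)
        if self.size_greater_than is not None and size <= self.size_greater_than:
            return []
        if self.size_less_than is not None and size >= self.size_less_than:
            return []
        return hits


def apply_rule(rule: FileFilterRule, filename: str, data: bytes):
    """Evaluate one attachment: returns (actions to take, reasons)."""
    hits = rule.reasons(filename, data)
    return (list(rule.actions) if hits else [], hits)


# --- constructed sample input (not real files) --------------------------------
PPT_BLOCK = FileFilterRule(
    name="PPT_Block", name_patterns=["*.ppt"], categories=["Graphics/Presentation"],
    actions=["Delete message", "Log", "Quarantine", "Notify Administrator"])

# Fake PowerPoint 97-2002 file: OLE2 header plus the identifying stream name.
FAKE_PPT = OLE2_MAGIC + b"\x00" * 512 + PPT_STREAM + b"\x00" * 64


def build_fake_pptx() -> bytes:
    """ZIP skeleton of an OOXML presentation (constructed, not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/presentation.xml", "<p:presentation/>")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("quarterly.ppt", FAKE_PPT), ("quarterly.txt", FAKE_PPT),
                        ("deck.pptx", build_fake_pptx()), ("readme.txt", b"hello")]:
        print(fname, apply_rule(PPT_BLOCK, fname, blob))
```

Running the block prints the actions and reasons for each constructed attachment: quarterly.txt carries the same bytes as quarterly.ppt and is caught by the category criterion alone, deck.pptx is caught by category because *.ppt does not match its name, and readme.txt passes.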
Appendix B Using the McAfee Security for Microsoft Exchange Access Control
You can use McAfee Security for Microsoft Exchange Access Control to allow or deny access to the McAfee Security for Microsoft Exchange user interface for specific users or groups.
Task
1 From the Start menu, click Programs | McAfee | Security for Microsoft Exchange | Access Control. The Permissions for Access dialog box appears.
2 From Group or user names, select the user you want to allow or deny access to the McAfee Security for Microsoft Exchange user interface.
3 Click OK.
SiteList specifies the location from where automatic updates (including DAT file and scanning engines) are downloaded. By default, McAfee Security for Microsoft Exchange uses a site list that points to a McAfee site for automatic updates, but you can use a site list that points to a different location. For example, you may have copied the automatic updates to a local repository and created a site list that points your McAfee Security for Microsoft Exchange systems to that local repository. Alternative site lists can be created using McAfee ePolicy Orchestrator software. To access the Site List Editor: Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor.
Contents
Configuring repositories and proxy settings
Adding a repository
Specifying proxy settings
Adding a repository
The Site List specifies from where automatic updates are downloaded. By default, McAfee Security for Microsoft Exchange uses a site list that points to a McAfee site for automatic updates, but you can use a site list that points to a different location. For example, you may have copied the automatic updates to a local repository and created a site list that points your McAfee Security for Microsoft Exchange systems to that local repository.
Task
1 Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor. The Edit AutoUpdate Repository List dialog box appears.
2 From the Repositories tab, click Add. The Repository Settings dialog box appears.
3 Select from the following options:
  Repository Description: a brief description of the repository.
  Retrieve files from: the type of repository to retrieve the files from. The available options are HTTP repository, FTP repository, UNC Path, and Local Path.
  URL: the URL of the repository.
  Port: the port number of the repository.
  Use Authentication: enables user authentication to access the repository.
4 Specify a user name and password for authentication to the repository and confirm the password by typing it again.
5 Click OK to add the new repository to the Repository Description list.
6 Click OK to close the Edit AutoUpdate Repository List dialog box.
Specifying proxy settings
3 Select the Use Internet Explorer proxy settings or Manually configure the proxy settings option as required.
4 Type the IP address and port number of the HTTP or FTP server.
  You can use the following options:
  Use Authentication: enables user authentication to access the proxy server.
  Username: the user name for authentication to the proxy server.
  Password: the password.
  Confirm Password: retype the password to confirm it.
  Exceptions: bypasses the proxy server for specific domain(s). Click Exceptions, then select Specify Exceptions and type the domain(s) that need to be bypassed.
5 Click OK.
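To see how the Repository Settings and proxy options above interact when the update client fetches from a site list, here is an added Python example (this example's own code, not McAfee's SiteList Editor or its site list format). It validates a repository entry the way a site list editor should (URL scheme matching the repository type, no credentials embedded in the URL, a user name and password present when Use Authentication is selected), decides whether a fetch goes through the proxy, and matches Exceptions by whole DNS label so that an entry for example.com bypasses the proxy for updates.example.com but not for notexample.com. The dataclass field names, the constructed proxy 10.0.0.5:8080 and repository hosts, and the decision that UNC Path and Local Path repositories never use the HTTP/FTP proxy are assumptions of this example; only the Manually configure the proxy settings option is modelled, not the Internet Explorer settings.

```python
"""Added example (not McAfee's code): applying the repository and proxy options
from the SiteList Editor dialogs.  Field names, validation rules and the
matching logic are this example's assumptions; only a manually configured
proxy is modelled."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Repository:
    description: str
    retrieve_from: str            # "HTTP repository", "FTP repository", "UNC Path", "Local Path"
    location: str                 # URL for HTTP/FTP, \\server\share for UNC, folder for Local
    port: Optional[int] = None
    use_authentication: bool = False
    username: str = ""
    password: str = ""


@dataclass
class ProxySettings:
    address: str                  # IP address or host name of the HTTP/FTP proxy
    port: int
    use_authentication: bool = False
    username: str = ""
    password: str = ""
    exceptions: List[str] = field(default_factory=list)   # domains to bypass


def bypasses_proxy(host: str, exceptions: List[str]) -> bool:
    """True if host falls under an exception domain.  Matching is by whole DNS
    label: "example.com" covers "updates.example.com" but not "notexample.com".
    A leading "*." or "." on an entry is tolerated; an exact host matches too."""
    host = host.lower().rstrip(".")
    for entry in exceptions:
        e = entry.strip().lower()
        if e.startswith("*."):
            e = e[2:]
        e = e.lstrip(".")
        if not e:
            continue
        if host == e or host.endswith("." + e):
            return True
    return False


def validate_repository(repo: Repository) -> List[str]:
    """Configuration problems a site list editor should refuse to save."""
    problems = []
    kind = repo.retrieve_from
    if kind in ("HTTP repository", "FTP repository"):
        parts = urlsplit(repo.location)
        expected = "http" if kind.startswith("HTTP") else "ftp"
        if parts.scheme != expected:
            problems.append(f"URL scheme must be {expected}://")
        if not parts.hostname:
            problems.append("URL has no host name")
        if "@" in parts.netloc:
            problems.append("do not embed credentials in the URL; use Use Authentication")
        if repo.port is not None and not 1 <= repo.port <= 65535:
            problems.append("port must be 1-65535")
    elif kind == "UNC Path":
        if not repo.location.startswith("\\\\"):
            problems.append("UNC path must be of the form \\\\server\\share")
    elif kind != "Local Path":
        problems.append(f"unknown repository type {kind!r}")
    if repo.use_authentication and not (repo.username and repo.password):
        problems.append("Use Authentication is selected but user name or password is empty")
    return problems


def plan_fetch(repo: Repository, proxy: Optional[ProxySettings]) -> Dict[str, object]:
    """Describe how the update client would reach this repository."""
    problems = validate_repository(repo)
    if problems:
        return {"ok": False, "problems": problems}
    plan: Dict[str, object] = {"ok": True, "via_proxy": False,
                               "repo_auth": repo.use_authentication}
    if repo.retrieve_from in ("UNC Path", "Local Path"):
        plan["endpoint"] = repo.location   # file access never goes through an HTTP/FTP proxy
        return plan
    parts = urlsplit(repo.location)
    port = repo.port or parts.port or (80 if parts.scheme == "http" else 21)
    plan["endpoint"] = f"{parts.scheme}://{parts.hostname}:{port}{parts.path or '/'}"
    if proxy and not bypasses_proxy(parts.hostname, proxy.exceptions):
        plan["via_proxy"] = True
        plan["proxy"] = f"{proxy.address}:{proxy.port}"
        plan["proxy_auth"] = proxy.use_authentication
    return plan


if __name__ == "__main__":
    # Constructed sample configuration, not a real site list.
    proxy = ProxySettings(address="10.0.0.5", port=8080, exceptions=["example.com"])
    mirror = Repository("local mirror", "HTTP repository",
                        "http://repo.example.com/updates/", port=8080)
    share = Repository("file share", "UNC Path", "\\\\fileserver\\updates")
    for repo in (mirror, share):
        print(repo.description, plan_fetch(repo, proxy))
```

Credentials for the repository and for the proxy are kept in their own fields and are never folded into the endpoint string, which is the point of the "do not embed credentials in the URL" check: a URL with user:password@ ends up in logs and reports, while Use Authentication keeps the secret out of them.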
Index
A
about this guide 5
access control 79
add repository 82
add filter 32
add scanner 32
advanced search filters 23
alert messages 48
alert settings 48
anti spam settings
  configuring 63
anti-spam scanner 37
anti-virus scanner settings 34
antiphish scanner settings 41
appendix
  file filter rule 77
applying file filtering rule
  real-time scenario 77
B
banned file messages 25
banned file types 25
C
columns to display 27
configuration reports 20
configuration export 71
configuration report 21
configuration reports 20
configure
  detected items 64
  filter rules 56
  local quarantine database 64
  McAfee Quarantine Manager software 64
  proxy settings 82
  repositories 82
  time slots 56
configure user interface 65
configuring
  anti spam settings 63
  DAT settings 70
  diagnostics settings 67
  notifications 63
  on-access settings 60, 61
  proxy settings 83
contact technical support 73
content rule 39
content scanner rules 56
conventions and icons used in this guide 5
core filters 33
core scanners 33
corrupt content 42
create new rule 33
creating subpolicies 31
D
Dashboard 13
dashboard settings 66
DAT Settings
  configure 70
debug log settings 67
denial of service 23
detected items 25-27
detected items settings 64
detection name 23
detection types 25
detections report 16
diagnostics setting 67
diagnostics settings
  configuring 67
disclaimer text 48, 49
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5
download 27
E
encrypted content 43
error reporting service 67
error reporting service settings 69
event log settings 68
export blacklists 72
export to CSV File 27
export whitelists 72
F
faqs 73
features 8
file filter rule
  appendix 77
file filtering scanner settings 40
filter 32
filter rules
  configure 56
filters 33
frequently asked questions 73
G
graph and chart settings 66
graphical reports 22
H
HTML file filter 47
I
import a configuration 71
Import and Export Configuration 70
import blacklists 72
import whitelists 72
importing a site list 71
introduction 7
L
launch dashboard 13
Licenses 15
list scanners 31
local database 65
M
mail size filter 44
master policies 10
McAfee Quarantine Manager 64
McAfee Security for Microsoft Exchange
  features 8
  introducing 7
McAfee ServicePortal, accessing 6
MIME 23
MIME mail 45
N
new alert 50
new content rule 39
O
on-access settings
  Background Scanning 59
  Microsoft Virus Scanning API (VSAPI) 59
  Proactive Scanning 59
  Transport Scanning 59
on-access settings, configuring
  on Exchange Server 2003 60
  on Exchange Server 2007 61
on-demand scan 17
on-demand scan task 18
on-demand scan tasks 18
organizational threats 9
P
packer 23
password-protected archives 44
password-protected files 44
phish 23, 25
policies
  gateway 29
  on-access 29
  on-demand (default) 29
  on-demand (find banned content) 29
  on-demand (find viruses) 29
  on-demand (full scan) 29
  on-demand (remove banned content) 29
  on-demand (remove viruses) 29
policy filter settings 41
Policy Manager 29
policy miscellaneous settings 48
policy views
  advanced 30
  inheritance 30
potentially unwanted program 23
potentially unwanted programs 25
product health alert 52
Product Information 15
product log 70
product log settings 68
Product Log settings 69
product version 15
protected content 42
protected content filter 42
Protecting the Exchange server 11
proxy settings 83
proxy configuration 83
Q
quarantine
  local database 64
  McAfee Quarantine Manager software 64
quarantine data 64
R
Real-time detection 11
real-time scenario
  applying file filtering rule 77
recently scanned items 16
release 27
reports
  configuration 20
repositories
  configuring 82
repository
  adding 82
repository list 82
reputation score 16
S
scanner 32
scanner control 45
scanner control filter 45
scanner options
  setting 34
scanners 31, 33
schedule configuration report 21
schedule status report 19
search filters 26
service
  error reporting 67
ServicePortal, finding product documentation 6
setting
  diagnostics 67
  scanner options 34
setting policies 31
settings
  proxy 83
Settings and Diagnostics 59
shared alert 53
shared alerts 53
shared file filtering rule 55
shared filter rules 56
shared filters 53
shared resource 29, 52
shared scanner 53
shared scanners 53
shared time slots 57
signed content 43
signed content filter 43
simple search filters 22
site list 82
Site List 71
SiteList Editor 81
spam 25
spam score 23
specific user 33
specify dashboard settings 66
specify graph and chart settings 66
specifying event log settings 68
specifying product log settings 68
statistical information 14
status report 19
status reports 19
sub-policies 30
subject 23
submit to McAfee Labs 27
T
Technical Support, finding product information 6
threats to your organization 9
ticket number 23
time slots
  configure 56
types
  policies 29
U
unwanted content 25
Update Information 15
updates 15
user interface 65
user interface preferences 65
user interface preferences settings 65
V
view detected items 26
view results 27
viewing graphical reports 22
viewing on-demand scan tasks 18
viruses 25
W
WebImmune 73
what's in this guide 6