
Product Guide

McAfee Security for Microsoft Exchange 7.6.0 Software

COPYRIGHT

Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement


NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
  Audience
  Conventions
  What's in this guide
  Finding product documentation

Introducing McAfee Security for Microsoft Exchange
  Overview
  Features
  Why McAfee Security for Microsoft Exchange
  Threats to your organization
  Policies to handle threats
  How McAfee Security for Microsoft Exchange protects the Exchange Server

Dashboard
  Launching the dashboard
  Statistical information of detected items
  Product versions and updates
  Detections report
  On-demand scan and its views
  Viewing On-demand scan tasks
  Creating an on-demand scan task
  Status reports
  Scheduling a new status report
  Configuration reports
  Scheduling a new configuration report
  Graphical reports
  Viewing graphical reports

Detected Items
  Detection types
  Viewing detected items
  Search filters
  View results

Policy Manager
  Inheritance and advanced views
  Subpolicies
  Creating subpolicies
  Setting policies
  Listing all the scanners
  Creating a new rule for a specific user
  Core scanners and filters
  Configuring scanner settings
  Filter settings for a policy
  Alert settings and disclaimer text
  Miscellaneous settings for a policy
  Creating a new alert
  Enabling Product Health Alerts
  Shared Resource
  Configuring the shared scanners, filters, and alert settings
  Configuring filter rules and time slots

Settings and Diagnostics
  On-Access settings
  Configuring On-Access settings for Exchange Server 2003
  Configuring On-Access settings for Exchange Server 2007 or 2010
  Configuring Mailbox Exclusion settings
  Notifications settings
  Configuring notifications
  Configuring Anti Spam settings
  Detected Items settings
  Configuring detected items
  User Interface Preferences settings
  Configuring the user interface
  Diagnostics settings
  Configuring diagnostics settings
  Product Log settings
  Using Product Log
  DAT settings
  Configuring DAT settings
  Import and Export Configuration settings
  Exporting the existing configuration
  Importing a configuration
  Importing a Site List
  Importing and exporting of blacklists and whitelists
  Proxy Settings
  Configuring Proxy Settings

Frequently Asked Questions

Appendix A Using file filtering rule and actions in a real-time scenario

Appendix B Using the McAfee Security for Microsoft Exchange Access Control

Appendix C SiteList Editor
  Configuring repositories and proxy settings
  Adding a repository
  Specifying proxy settings

Index


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
- About this guide
- Finding product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

- Administrators: People who implement and enforce the company's security program.

Conventions
This guide uses the following typographical conventions and icons.

- Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
- Bold: Text that is strongly emphasized.
- User input or Path: Commands and other text that the user types; the path of a folder or program.
- Code: A code sample.
- User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
- Hypertext blue: A live link to a topic or to a website.
- Note: Additional information, like an alternate method of accessing an option.
- Tip: Suggestions and recommendations.
- Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
- Warning: Critical advice to prevent bodily harm when using a hardware product.


What's in this guide


This guide is organized to help you find the information you need.

Finding product documentation


McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access User documentation, do this:
1 Click Product Documentation.
2 Select a Product, then select a Version.
3 Select a product document.

To access the KnowledgeBase, do this:
- Click Search the KnowledgeBase for answers to your product questions.
- Click Browse the KnowledgeBase for articles listed by product and version.


Introducing McAfee Security for Microsoft Exchange

McAfee Security for Microsoft Exchange uses advanced heuristics against viruses, unwanted content, potentially unwanted programs, and banned file types or messages. McAfee Security for Microsoft Exchange protects your Microsoft Exchange server from various threats that could adversely affect the computers, network, or employees. It also scans:

- Subject line and body of the email messages
- Email attachments (based on file type, file name, and file size)
- Text within the email attachments

The software also includes the McAfee Anti-Spam add-on component that protects your users from spam and phishing emails. McAfee Security for Microsoft Exchange uses PostgreSQL 8.4.7 with this release, which runs under the SYSTEM account.

Contents
- Overview
- Features
- Why McAfee Security for Microsoft Exchange
- How McAfee Security for Microsoft Exchange protects the Exchange Server

Overview
McAfee Security for Microsoft Exchange has an increased protection profile to provide the best protection for your Microsoft Exchange servers.

- Global Threat Intelligence: A global threat correlation engine and intelligence base of global messaging and communication behavior that significantly increases spam detection. It is an always-on, real-time protection that safeguards and secures you from emerging threats. Global Threat Intelligence prevents damage and data theft even before a signature update is available. It provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products.
- McAfee Stack Upgrade: The latest McAfee Agent and engine for the highest level of protection.
- Single product support: McAfee Security for Microsoft Exchange 7.6 supports Microsoft Exchange versions 2003, 2007, and 2010 (see System requirements in the Installation guide for more details). Installation and configuration have been simplified and include customized silent installs, installing only the components needed on the particular server role, and two built-in configuration profiles.


Features
The main features of McAfee Security for Microsoft Exchange are described in this section.

- Protection from viruses: Scans all email messages for viruses and protects your Exchange server by intercepting, cleaning, and deleting the viruses that it detects. McAfee Security for Microsoft Exchange uses advanced heuristic methods and identifies unknown viruses or suspected virus-like items and blocks them.
- Protection from spam: Helps you save bandwidth and the storage space required by your Exchange servers by assigning a spam score to each email message as it is scanned and by taking pre-configured actions on those messages.
- Protection from phishing: Detects phishing emails that fraudulently try to obtain your personal information.
- Capability to detect packers and potentially unwanted programs: Detects packers that compress and encrypt the original code of an executable file. It also detects potentially unwanted programs (PUPs), which are software programs written by legitimate companies to alter the security state or privacy state of a computer.
- Content filtering: Scans content and text in the subject line or body of an email message and an email attachment. McAfee Security for Microsoft Exchange supports content filtering based on regular expressions (regex).
- File filtering: Scans an email attachment depending on its file name, type, and size. McAfee Security for Microsoft Exchange can also filter files containing encrypted, corrupted, password-protected, and digitally signed content.
- Background scanning: Facilitates scanning of all files in the information store. You can schedule background scanning to periodically scan a selected set of messages with the latest engine updates and scanning configurations. In McAfee Security for Microsoft Exchange, you can exclude mailboxes that you don't want to be scanned.
- Product Health Alerts: These are notifications on the current status of the product's health. You can configure and schedule these alerts.
- Integration with McAfee ePolicy Orchestrator 4.5 or 4.6: Integrates with ePolicy Orchestrator 4.5 or 4.6 to provide a centralized method for administering and updating McAfee Security for Microsoft Exchange across your Exchange servers. This reduces the complexity of, and the time required to, administer and update various systems.
- Web-based user interface: Provides a user-friendly web-based interface based on DHTML.
- Policy Management: The Policy Manager menu option in the product user interface lists different policies you can set up and manage in McAfee Security for Microsoft Exchange.
- Centralized scanner, filter rules, and enhanced alert settings: Using scanners, you can configure settings that a policy can apply when scanning items. Using File Filtering rules, you can set up rules that apply to a file name, file type, and file size.
- On-demand/time-based scanning and actions: Scans email messages at convenient times or at regular intervals.
- Multipurpose Internet Mail Extensions (MIME) scanning: A communications standard that enables you to transfer non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.
- Quarantine management: You can specify the local database to be used as a repository for quarantining infected email messages. You can choose to store quarantined messages on your own server running McAfee Quarantine Manager, which is called the Off-box quarantine.
- Auto-update of virus definitions, extra DATs, anti-virus and anti-spam engine: Regularly provides updated DAT files, anti-virus scanning engine, and anti-spam engine to detect and clean the latest threats.
- Retention and purging of old DATs: Retain old DAT files for periods you define or purge them as needed.
- Support for Site List editor: Specify a location from which to download automatic updates for McAfee Security for Microsoft Exchange.
- Support for Small Business Server: McAfee Security for Microsoft Exchange is compatible with Small Business Servers.
- Detection reports: Generates status reports and graphical reports that enable you to view information about detected items.
- Configuration reports: Summarizes product configuration such as information about the server, version, license status and type, product, debug logging, on-access setting, on-access policies, and gateway policies. You can specify when your server sends the configuration report to the administrator.
- Denial-of-service attacks detection: Detects additional requests or attacks flooding and interrupting the regular traffic on a network. A denial-of-service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.

Why McAfee Security for Microsoft Exchange


Your organization is vulnerable to many threats that can affect its reputation, employees, computers, and networks. The reputation of an organization can be affected by the loss of confidential information or through an abuse that can lead to legal action. Electronic distractions and unrestricted use of email and the Internet can affect the productivity of employees. Viruses and other potentially unwanted software can damage computers, making them unusable. Uncontrolled use of various types of files on your networks can cause performance problems for your entire organization.

Threats to your organization


This section briefly describes various threats that could affect an organization.

Type of threat: Description

- Reputation of a company: An unguarded or ill-informed remark by an employee might cause legal problems, unless it is covered by a disclaimer.
- Spam (unsolicited email): Unsolicited commercial email messages are the electronic equivalent of spam or junk mail. Often they contain advertisements that are not expected by the recipients. Although it is more of a nuisance than a threat, spam can degrade the performance of your network.
- Large email messages: Large email messages or messages that contain numerous attachments can slow down the performance of email servers.
- Mass-mailer viruses: Although they can be cleaned like any other virus, they can spread rapidly and quickly degrade the performance of your network.
- Email messages from unwanted sources: Disgruntled ex-employees and unscrupulous individuals who know the email addresses of your employees can cause distress and distraction by sending unwanted emails.
- Non-business use of email: If most employees use recipient email addresses not within their organization, such emails are likely to be for personal or non-business use.
- Loss of company-confidential information: Employees might disclose confidential information related to unreleased products, customers or partners.
- Offensive language: Offensive words or phrases can appear in email messages and attachments. Besides causing offense, they can provoke legal action too.
- Transfer of "entertainment" files: Large video or audio files intended for entertainment might reduce your network performance.
- Inefficient file types: Some files use large amounts of memory and can be slow to transfer, but alternatives are often available. For example, GIF and JPEG files are much smaller than their equivalent BMP files.
- Transfer of large files: Transferring large files can reduce your network performance.
- Denial-of-service attack: A deliberate surge of large files can seriously affect the performance of your network, making it unusable to its legitimate users.
- Pornographic text: Vulgar language or terms must not be used in emails.
- Viruses and other potentially unwanted software: Viruses and other potentially unwanted software can quickly make computers and data unusable.
- Corrupt content / encrypted content: This type of content cannot be scanned. Appropriate policies must be specified to handle it.

Policies to handle threats


You can apply an existing read-only policy (known as a Master Policy) to your entire organization, or create other policies based on the Master Policy to suit specific needs of any part of your organization.

Default policies
McAfee Security for Microsoft Exchange helps you mitigate electronic threats with special sets of rules and settings called policies that you can create to suit your organization. When first installed, McAfee Security for Microsoft Exchange contains the following default policies:

- On-Access
- On-Demand (Default)
- On-Demand (Find Viruses)
- On-Demand (Remove Viruses)
- On-Demand (Find Banned Content)
- On-Demand (Remove Banned Content)
- On-Demand (Full Scan)
- Gateway

You can customize these policies to handle specific threats to your organization precisely. To learn more about setting policies, see Policy Manager.

What is a Master Policy?


Master policies describe how items are scanned for viruses, how files are filtered, and various other settings in different circumstances. These policies can apply to the whole organization. From these policies, you can create additional policies as needed to apply to groups of users or domains.


As you create further policies, each additional policy records whether any of its current settings are inherited from the Master Policy. A change to the Master Policy (such as an increased level of anti-virus protection or a new file filtering rule) is instantly propagated to other policies too. The Master Policy also indicates how many other policies have inherited its settings.

Where does a policy apply?


The Master Policy applies to all users within an organization. However, you can create additional policies in case you need exceptions to the Master Policy to suit any geographical areas, functions, mailboxes, domains, or departments within your organization. In McAfee Security for Microsoft Exchange, the general term for such additional policies is a policy group.

How McAfee Security for Microsoft Exchange protects the Exchange Server
McAfee Security for Microsoft Exchange accesses all email messages that are read from and written to the mailbox by your Exchange server.

Protecting your Microsoft Exchange server


McAfee Security for Microsoft Exchange uses the virus scanning interface of your Exchange server to gain full access to all email messages that are being read from, and written to the mailbox of the Exchange server. The anti-virus scanning engine compares the email message with all the known virus signatures stored in the DATs. The content management engine scans the email message for banned content as specified in the content management policies in McAfee Security for Microsoft Exchange.

If these checks find any viruses or banned content within the email message, McAfee Security for Microsoft Exchange takes the specified action. If no items are detected, McAfee Security for Microsoft Exchange passes the information back to the virus-scanning interface to complete the original message request within Microsoft Exchange.

Real-time detection
The McAfee Security for Microsoft Exchange software integrates with your Exchange server and works in real-time to detect and delete viruses or other harmful or unwanted code. It also helps you maintain a virus-free environment by scanning the databases on your Exchange server. Each time an email message is sent to or received from a source, McAfee Security for Microsoft Exchange scans the email message to compare it with a list of known viruses and suspected virus-like behavior and intercepts and cleans the infected file before it spreads. It can also scan content within the email message (and its attachments), using rules and policies defined in the software.


Scanning of email messages


The anti-spam, anti-virus, and content management engines scan the email messages and provide the result to McAfee Security for Microsoft Exchange before the content is written to the file system or read by the Microsoft Exchange users. The anti-virus and the anti-spam scanning engines compare the email message with all the known signatures stored in the currently installed virus definition files (DATs) and anti-spam rules. The anti-virus engine also scans the message using selected heuristic detection methods. The content management engine scans the email message for banned content as specified in the content management policies running within the software. If there are no viruses or banned/unwanted content in the email message, McAfee Security for Microsoft Exchange passes the information back to Microsoft Exchange. In case of a detection, McAfee Security for Microsoft Exchange takes actions as defined within its configuration settings.

How scanning works


Central to your McAfee Security for Microsoft Exchange are the scanning engine and DAT files. The engine is a complex data analyzer. The DAT files contain a great deal of information including thousands of different drivers, each of which contains detailed instructions on how to identify a virus or a type of virus. The scanning engine works with the DAT files. It identifies the type of the item being scanned and decodes the content of that object to understand what the item is. It then uses the information in the DAT files to search and locate known viruses. Each virus has a distinctive signature. There is a sequence of characters unique to a virus and the engine searches for that signature. The engine uses a technique called heuristic analysis to search for unknown viruses. This involves analyzing the object's program code and searching for distinctive features typically found in viruses. Once the engine has confirmed the identity of a virus, it cleans the object to the extent possible. For example, it removes an infected macro from an attachment or deletes the virus code in an executable file.

What and when to scan?


The threat from viruses can come from many directions such as infected macros, shared program files, files shared across a network, email messages and attachments, floppy disks, files downloaded from the Internet, and so on. Individual McAfee Security anti-virus software products target specific areas of vulnerability. We recommend a multi-tiered approach to provide the full range of virus detection, security, and cleaning capabilities that you require. McAfee Security for Microsoft Exchange provides a range of options that you can further configure according to the demands of your system. These demands will vary depending on when and how the component parts of your system operate and how they interact with each other and with the outside world, particularly through emails and Internet access. You can configure or enable various actions that allow you to determine how your McAfee Security for Microsoft Exchange should deal with different items and what actions it should take on detected or suspicious items.


Dashboard

It is important for the administrators to know how well their server is being protected from spam, phish, viruses, potentially unwanted programs, and unwanted content. The user interface provides critical functions for Microsoft Exchange administrators. The dashboard in McAfee Security for Microsoft Exchange provides information about statistics, products installed including engine and DAT files, name, version and patch information for the product, server protection status, license agreement, scanned items and most common hoaxes.

Contents
- Launching the dashboard
- Statistical information of detected items
- On-demand scan and its views
- Status reports
- Configuration reports
- Graphical reports

Launching the dashboard


To launch the McAfee Security for Microsoft Exchange user interface, navigate to Product Configuration from the Start button. You can also double-click the program shortcut on the desktop to launch McAfee Security for Microsoft Exchange.


The McAfee Security for Microsoft Exchange dashboard is divided into two panes:

- The left pane has links to Dashboard, Detected Items, Policy Manager and Settings & Diagnostics that you can administer.
- The right pane displays information corresponding to the item you select in the left pane.

Figure 2-1 McAfee Security for Microsoft Exchange - Dashboard

Statistical information of detected items


The Statistics tab provides information on spam, phish, viruses, potentially unwanted programs, banned file or content detections in emails, and documents filtered by McAfee Security for Microsoft Exchange. The reported numbers indicate the number of emails and documents that trigger any of the detection methods. For example, if an email contains two viruses, statistics for viruses would be incremented by one and not two. Reporting statistics are based on email messages rather than individual files or detections, which is more intuitive in a mail server environment.

The Spam and Phish statistics are available only if you have installed and activated the McAfee Anti-Spam add-on component.

The items displayed are:

- Clean
- Spam
- Phish
- Viruses
- Potentially Unwanted Programs
- Banned File types/Messages
- Unwanted Content


From the Graph section, you can select one of the options from the drop-down list:

- Spam Summary: View spam statistics and graph.
- Phish Summary: View phish statistics and graph.
- <Select Detections>: Select the counters in the Detections section by clicking on the icon of an item. This enables you to view the statistics and graph of the selected counters.

You can use:

- Magnify Graph: Specify the magnification percentage of the Detections graph. This helps you view an enlarged graph.
- Time range: Specify for which time period you would like to review statistics. The options are Last 24 Hours, Last 7 Days, and Last 30 Days.
- [icon]: View statistics as a bar graph.
- [icon]: View statistics as a pie chart.
- [icon] and [icon]: Determine which statistics counters are displayed on the bar graph or pie chart. To add a counter, click [icon]. To remove a counter, click [icon]. If the buttons do not appear, a specific graph type has been selected. You can re-activate the buttons by selecting Graph.
- Reset: Reset the statistics of detected items.

From the Scanning section, you can monitor:

- The average time taken to scan an email message (in milliseconds).
- Total number of email messages scanned since the statistic counters were reset.

Product versions and updates


The Versions & Updates section provides information on the product version, hotfix, service pack, buffer overflow protection (enabled or disabled), product description, license type and expiry date, engine version, and DAT version (including regular DAT, Extra.DAT).

Update Information
This tab provides information about the anti-virus DAT, anti-virus engine, extra drivers, and anti-spam engine versions, their status, and when they were last updated. McAfee Security for Microsoft Exchange uses the McAfee update website to automatically update its anti-virus DAT, engine and rules on a daily basis. If McAfee Security for Microsoft Exchange is managed by ePolicy Orchestrator, there is no need to update the product from the dashboard. You can update the anti-virus DATs, anti-virus engine, and anti-spam engine through an AutoUpdate task using the ePolicy Orchestrator server.

1. Click Edit Schedule to display the Edit Schedule page, where you set the update schedule frequency.
2. Click Show Status. The Task Status page appears, where you can view the status of an update task. The page displays the name of the task, when it started, time required to finish the task, when the scheduled task was completed or if the task is in progress.
Click Update Now to update McAfee Security for Microsoft Exchange to the latest DAT, engine, extra drivers, and anti-spam engine version immediately.


Anti-virus DATs, engine, and extra drivers versions are always shown in the dashboard. If the McAfee Anti-Spam add-on component is installed, version information for anti-spam rules and engine is displayed.

Product Information
This tab provides information on the product name and the product version. It provides information on service packs or hotfixes that are installed. It also provides information on the presence of McAfee Anti-Spam add-on component.
For anti-spam and antiphish functionality, you must install the McAfee Anti-Spam add-on component. For more information on installing the McAfee Anti-Spam Add-On, see the McAfee Security for Microsoft Exchange v7.6 - Installation Guide.

Licenses
This tab provides information on the type of license being used for McAfee Security for Microsoft Exchange, when it expires, and the number of days until it expires.
It also shows license information for the McAfee Anti-Spam add-on component if you have installed/activated it.

Detections report
The Reports section provides information on the scanned items, posted virus descriptions, and the top hoaxes.

Recently Scanned Items


This tab displays information about items recently scanned by McAfee Security for Microsoft Exchange. The following columns are displayed.

Table 2-1 Columns for Recently Scanned Items
- Date/Time: Date and time when the most recent scan was executed.
- Sender: Email addresses of the senders of the items that were scanned.
- Recipients: Email addresses of recipients of scanned items.
- Subject: Subject line of scanned emails.
- Action Taken: What action was taken on scanned items.
- Filename: The name of a quarantined file.
- Detection Name: The name of a detection. For example, the name of a virus.
- Task: The task associated with a particular detection.
- Reasons: A rule or rules that were triggered by a particular email.
- Scanned By: The policy setting used to scan items.
- Policy Name: The name of the policy that triggered a detection.
- Reputation Score: The authenticity level of the source of the email based on up to date information available pertaining to a particular source.
- Reason: The reason why the email was quarantined (quarantine queue type).

Indicates that the item is clean.


Indicates that the item triggered one of the scanners or filters.


You can hover the cursor over the icon to see which scanner or filter was triggered. If the item triggers several scanners or filters, only the highest priority detection is shown.

On-demand scan and its views


On-demand scanning is a method for scanning emails at convenient times or regular intervals. You can schedule regular scan operations when the server activities are comparatively low and when they do not interfere with your work. McAfee Security for Microsoft Exchange enables you to create scheduled on-demand scans. You can create multiple schedules, each running automatically at predetermined intervals or times.

You might want to perform an on-demand scan for a number of reasons, for example:
- To check a specific file or files that have been uploaded or published.
- To check that the messages within your Microsoft Exchange server are virus-free, possibly following a DAT update, so that new viruses can be detected.
- If you have detected and cleaned a virus and want to check that your computer is completely clean.

Settings and actions can be specified in on-demand policies, which can be found under Policy Manager. There are six sets of policies that can be used for an on-demand task. These are:
- On-Demand (Default): The default settings for all scanners and filters.
- On-Demand (Find Viruses): Anti-virus settings and filters. These policies provide an easy means to check the viral content in databases.
- On-Demand (Remove Viruses): Anti-virus settings and filters. These policies provide an easy means to remove the viral content in databases.
- On-Demand (Find Banned Content): Content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules.
- On-Demand (Remove Banned Content): Content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules and remove banned content.
- On-Demand (Full Scan): Settings for all scanners and filters. These policies are typically used for scanning at regular intervals.


Viewing On-demand scan tasks


Use this task to view a list of On-demand tasks configured for McAfee Security for Microsoft Exchange.

Task
1. Under Dashboard, click On-Demand Scans. The On-Demand Scans page appears listing the configured on-demand scan tasks.
2. Under Action, click the links to perform an action for the task.

The On-Demand Scan view contains the following columns of information for the on-demand scan schedules:

Table 2-2 Columns
- Name: Name of the scan task.
- Status: Indicates whether the scan task is running or stopped.
- Last Run: Indicates when the scan was last executed.
- Next Run: Indicates when the scan is next scheduled to run.
- Action: The action column contains links such as Modify, Delete, Run Now, Show Status, Stop that you can perform on the selected on-demand scan.
- Modify: Click Modify to edit the on-demand scan task.
- Delete: Deletes the selected on-demand scan task.
- Run Now: Starts the selected on-demand scan task.
- Show Status: Click Show Status for a running on-demand scan (this tab is visible after you click Run Now). The Task Status page appears with the General tab displaying the progress of the task. Click Settings tab to view more details.
- Stop: Stops the selected on-demand scan task that is running.

For instructions on creating an on-demand scan task, see the Creating an on-demand scan task section.

Creating an on-demand scan task


Use this task to schedule a scan at a convenient time and intervals. You can create multiple schedules, each running automatically at predefined times or intervals.

Task
1. Click On-Demand Scans under Dashboard. The On-Demand Scans page appears.
2. Click New Scan to create a new on-demand scan task. The Choose when to scan page appears.
3. Specify when you want the scan to run, specify the duration of the scan, then click Next. The Choose what to scan page appears.
4. Specify which folders to scan and which folders to exclude from scanning, then click Next. The Configure scan settings page appears.
5. Click Next. The page appears.
   a. Select the policy from the type of Policy to use drop-down list.
   b. Select Resumable Scanning, if you want to resume a scan from the point where it was stopped.
   If the Restart from last item option is selected, you can start a task at any time and resume scanning from where it last stopped. For example, when scanning multiple folders, if the scan stops and is resumed, it resumes scanning the folder from where it stopped last.
6. Click Next. Type a name for the on-demand task.
7. Click Finish to complete the process of creating an on-demand scan task.

Status reports
A status report is a scheduled report sent to an administrator at a specific time. The report contains detection statistics within that specified time frame. You can choose a time, recipient email address or distribution list to send the report to, and a subject for the email. Reports are sent in HTML or CSV format. The following columns of information are displayed for Status Reports.

Table 2-3 Columns in a Status report
- Name: Name of the status report.
- Status: Indicates whether the report is being generated or has been stopped.
- Last Run: Indicates when the report was last generated.
- Next Run: Indicates when the report is next scheduled.
- Action: Indicates what action was taken for each item.
- Refresh: To refresh the display with latest reports.
- New Report: To schedule a new status report.

Scheduling a new status report


Use this task to schedule the generation of a status report at a convenient time and/or at intervals.

Task
1. Click Dashboard | Status Reports. The Status Reports page appears.
2. Click New Report. The Report page appears.
3. In When to report page, choose any of these options:
   - Not scheduled: Select the option to set up a reporting task that you can activate later. If you are modifying a report schedule, this option allows you to stop an existing report task.
   - Once: From the corresponding drop-down lists, choose a date, month, year and the time when a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Hours: Specify how frequently (in hours) the report task should take place, and at how many minutes past the hour. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Days: Specify how frequently, in days, the report task should take place and at what time of the day. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Weeks: Specify how frequently, in weeks, the report task should take place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Months: On either the first, second, third, fourth or a last day, select a checkbox by clicking on a desired month(s) and specify a time at which a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   You can use Stop task after it has run for to specify the maximum number of hours and minutes a task can run before it is stopped. Limiting the amount of time a report can run helps preserve system resources. By default there is no limit on report task time.
4. Click Next. The Report Settings page appears.
5. In Recipient Email, specify the email address of the recipient to whom the report is to be sent.
6. In Subject line for report, specify the subject line in the report that is sent to the recipient.
7. In Number of Rows, specify the number of rows (n) to be displayed in the status report. Each row in the status report displays the total number of detections for a particular day. The report contains the detection count for the last (n) days, excluding the day when the status report is triggered. For example: If you specify two, the status report will contain two rows displaying detections for the last two days, excluding today.
8. In Type of Report, specify the format of the status report, which is sent to the recipient. The available options are CSV or HTML.
9. Click Next. The Please enter a task name page appears.
10. Type a meaningful name for the task.
11. Click Finish to complete the process of creating an on-demand scan task.
12. Click Back to return to the previous pages.
13. Click Cancel to remove all settings and return to the main Status Reports page.
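The per-message counting rule described for the Statistics tab and the Number of Rows window described above can be checked against a list of detection records. The following Python is an added example, not McAfee code: the record layout, the function names and the sample data are constructed for illustration, and it assumes that report rows use the same per-message counting as the dashboard.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample data, not product output. One tuple per detection:
# (timestamp, message id, detection category, detection name).
SAMPLE_DETECTIONS = [
    ("2011-06-01 09:15", "msg-001", "Viruses", "EXAMPLE-VIRUS-A"),
    ("2011-06-01 09:15", "msg-001", "Viruses", "EXAMPLE-VIRUS-B"),  # same email, second virus
    ("2011-06-01 11:40", "msg-002", "Banned File types/Messages", "example.exe"),
    ("2011-06-02 08:05", "msg-003", "Viruses", "EXAMPLE-VIRUS-A"),
    ("2011-06-02 08:05", "msg-003", "Unwanted Content", "example phrase"),
    ("2011-06-02 16:30", "msg-004", "Potentially Unwanted Programs", "EXAMPLE-PUP"),
    ("2011-06-03 10:00", "msg-005", "Viruses", "EXAMPLE-VIRUS-C"),  # "today" in the demo
]


def parse_records(rows):
    """Turn raw tuples into dicts with a real date, rejecting malformed rows."""
    records = []
    for row in rows:
        if len(row) != 4:
            raise ValueError(f"expected 4 fields, got {len(row)}: {row!r}")
        stamp, message_id, category, name = row
        day = datetime.strptime(stamp, "%Y-%m-%d %H:%M").date()
        records.append({"day": day, "message": message_id,
                        "category": category, "name": name})
    return records


def count_per_detection(records):
    """Raw count: every detection adds one to its category."""
    return Counter(r["category"] for r in records)


def count_per_message(records):
    """Dashboard-style count: a message adds at most one to each category,
    however many detections of that category it contains."""
    seen = {(r["message"], r["category"]) for r in records}
    return Counter(category for _message, category in seen)


def status_report_rows(records, today, number_of_rows):
    """Rows for the last `number_of_rows` days, excluding `today`, oldest first.

    Assumption: each row counts (message, category) pairs once, as the
    dashboard statistics do. Days without detections yield a zero row.
    """
    if number_of_rows < 1:
        raise ValueError("number_of_rows must be at least 1")
    per_day = Counter()
    unique = {(r["day"], r["message"], r["category"]) for r in records}
    for day, _message, _category in unique:
        per_day[day] += 1
    first = today - timedelta(days=number_of_rows)
    days = [first + timedelta(days=i) for i in range(number_of_rows)]
    return [(day, per_day[day]) for day in days]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DETECTIONS)
    print("per detection:", dict(count_per_detection(recs)))
    print("per message:  ", dict(count_per_message(recs)))
    for day, total in status_report_rows(recs, date(2011, 6, 3), 2):
        print(day.isoformat(), total)
```

When reconciling the dashboard with a per-detection log, the gap between the two counters is the number of additional detections inside messages that were already counted.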

Configuration reports
A configuration report is a scheduled report sent to an administrator at a specific time. The configuration report will have a summary of product configurations such as: server information, version information, license status and type, product information, debug logging information, on-access settings, and on-access policies. The following columns of information are displayed.

Table 2-4 Configuration report
- Name: Name of the configuration report.
- Status: Indicates whether the report is being generated or has been stopped.
- Last Run: Indicates when the report was last generated.
- Next Run: Indicates when the report is next scheduled.
- Action: Indicates what action was taken for each item.
- Refresh: To refresh the display with latest reports.
- New Report: To schedule a new configuration report.

Scheduling a new configuration report


Use this task to schedule the generation of a configuration report at a convenient time and/or at intervals. You can specify an email address to which this report is to be sent.

Task
1. Click Dashboard | Configuration Reports. The Configuration Reports page appears.
2. Click New Report. The Report page appears.
3. In the When to report page, choose any of these options, then click Next.
   - Not scheduled: Select the option to set up a reporting task that you can activate later. If you are modifying a report schedule, this option allows you to stop an existing report task.
   - Once: From the respective drop-down lists, choose a date, month, year and the time when a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Hours: Specify how frequently (in hours) the report task should take place, and at how many minutes past the hour. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Days: Specify how frequently, in days, the report task should take place and at what time of the day. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Weeks: Specify how frequently, in weeks, the report task should take place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   - Months: On either the first, second, third, fourth or a last day, select a checkbox by clicking on a desired month(s) and specify a time at which a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
   You can use Stop task after it has run for to specify the maximum number of hours and minutes a task can run before it is stopped. Limiting the amount of time a report can run helps preserve system resources. By default there is no limit on report task time.
4. In the Who to report to page, fill in the form, then click Next.
   a. In Recipient Email, specify the email address of the recipient to whom the report is to be sent.
   b. In Subject line for report, specify the subject line in the report that is sent to the recipient.
5. When prompted, type a meaningful name for the task, then click Finish.


Graphical reports
You can use Graphical Reports to view information about items that have triggered one or more scanners and find out how many detections match your search criteria. You can also find out what percentage of the total detections each detection represents by using a series of filters to specify the type of detections that are of interest. You can use the following tabs:
- Simple: When you want to use only a few search filters and view the results as a bar graph.
- Advanced: When you want to use more complex search filters and view the results as either a bar graph or a pie chart.

Viewing graphical reports


The Graphical Reports section gives an explicit view of quarantined items in a graph. You can also find each detection by setting search filters to specify the types of detections that are of interest.

Tasks
- Using simple search filters: Use this task to select simple search filters and define their parameters to search for quarantined items.
- Using advanced search filters: Use this task to select advanced search filters to narrow your search of quarantined items.

Using simple search filters


Use this task to select simple search filters and define their parameters to search for quarantined items.

Task
1. Click Dashboard | Graphical Reports. The Graphical Reports page appears with the Simple tab.
2. From Time Span, select Today to view only today's quarantined items or This week to view this week's quarantined items (including today's date).
3. From Filter, select the type of quarantined item to be viewed such as spam, phish, viruses, unwanted content, or potentially unwanted programs. Select from the following:
   - Top 10 Viruses: Lists the viruses that are detected the maximum number of times.
   - Top 10 Spam Detections: Lists the most commonly detected spam emails.
   - Top 10 Spam Recipients: Lists the recipients in an organization who have received the maximum number of spam emails.
   - Top 10 Phish Detections: Lists the most commonly detected phishing emails.
   - Top 10 Unwanted Programs: Lists the most common programs that are potential threats.
   - Top 10 Unwanted Content Detections: Lists the most commonly detected unwanted content.
   - Top 10 Infected Files: Lists the files that are most commonly detected as infections.
   - Top 10 Detections: Includes all the above detection categories.
4. Click Search. The search results are shown in the View Results pane.
5. In Magnify Graph, you can specify the magnification percentage of the graph. This helps in viewing an enlarged and clearer graph.

Using advanced search filters


Use this task to select advanced search filters to narrow your search of quarantined items.

Task
1. Click Dashboard | Graphical Reports. The Graphical Reports page appears.
2. Click the Advanced tab.
3. Select up to three filters from the list:

   Table 2-5 Primary Filters
   - Subject: To search by the subject line of an email.
   - Recipients: To search by a valid email address of the recipient.
   - Reason: To search by the reason for which the item was detected. Refer to the secondary filters below.
   - Ticket Number: To search using a ticket number. A ticket number is a 16-digit alpha-numeric entry which is auto-generated by the software for every detection.
   - Detection Name: To search by the name of a detected item.
   - Spam Score: To search by a spam score. Spam score is a number that indicates the amount of potential spam contained within an email message. The engine applies anti-spam rules to each email message it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email message contains spam.

   Secondary filters are available only for the primary filter Reason. You can select any one of the following.
   If you do not want to specify a secondary filter, make sure the secondary filter field is empty. For more information about the search filters, see the Search filters section.

   Table 2-6 Secondary Filters
   - Anti-Virus: Whether it was an anti-virus program that detected the harmful email.
   - Banned Content: Certain content in the email that is banned.
   - File Filter: Whether it was a file filter that detected a harmful file in an email.
   - Anti-Spam: The anti-spam rule version that executed the scan.
   - Potentially Unwanted Program: Software programs that could alter the security or privacy policies of a computer on which they have been inadvertently installed.
   - Encrypted or Corrupted: Content that has been encrypted or corrupted.
   - Phish: Phish or Phishing is a method used by individuals to obtain personal information by unfair or fraudulent means.
   - Packer: A program that can compress executable files and possibly encrypt the original code.
   - Mail Size: The size of the email (in kilobytes).
   - Encrypted: Email content that has been encrypted.
   - Signed: Whether the email has a signature.
   - Corrupted: Email content that is corrupted.
   - Denial of Service: An incident in which a user or an organization is deprived of the services of a resource they would normally expect to have.
   - Protected Content: Email content that is protected.
   - Password Protected: The content (attachment) can be viewed only with the help of a password.
   - Blocked MIME: Emails are blocked due to certain Multipurpose Internet Mail Extension (MIME) settings.

4. Select All Dates or a Date Range from the drop-down lists.
5. Select Bar Graph or Pie Chart as required.
   If you select Pie Chart, select a filter from the drop-down list to Query on:

   Table 2-7 Options for Query on
   - Recipients: To query on a valid email address of the recipient.
   - Sender: To query on a valid email address of the sender.
   - Filename: To query on the name of the quarantined file.
   - Detection Name: To query by the name of a detected item.
   - Subject: To query on the subject line of the email.
   - Reason: To query on a reason for which the item was detected.
   - Rule Name: To query on the name of the rule that triggered the detection.
   - Policy Name: To query on the name of the policy that made the detection.

   In Maximum Results, specify the maximum number of segments you want to appear in the pie chart. For example, if you are interested only in viewing the three most frequently assigned spam scores, type 3.
   Query on and Maximum Results are available only for pie chart.
6. Click Search. The search results are shown in the View Results pane.


Detected Items

You can use Detected Items to view information about email messages that contain spam, phish, viruses, potentially unwanted programs, banned file types or messages, and unwanted content. Use the search filters to find email messages that are of interest and view the results of the search.

Contents
- Detection types
- Viewing detected items
- Search filters
- View results

Detection types
A detection or detected item is something identified by security software as a potential threat, such as a virus, spam, phish, unwanted content, banned file type, fraudulent website, or an intrusion.

Table 3-1 Detection types
- Spam: Spam is an unwanted email message, specifically unsolicited bulk message. Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise select to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send; most of the costs are paid for by the recipient or the carriers rather than by the sender.
- Phish: Phish is a method of fraudulently obtaining personal information (such as passwords, social security numbers, credit card details and so on) by sending spoofed email messages that look like they have come from a trusted source such as legitimate companies or banks. Typically, phishing email messages request that recipients click the link in the email to verify or update contact details or credit card information.
- Viruses: Virus is a program or code that replicates and infects other programs, boot sector, partition sector, or document that supports macros by inserting itself or attaching itself to that medium.
- Potentially Unwanted Programs: Potentially unwanted programs are the software programs written by legitimate companies that might alter the security state or the privacy posture of the computer on which they are installed. This software can, but does not necessarily include spyware, adware, dialers, and can be downloaded in conjunction with a program wanted by the user.
- Unwanted Content: This is any content that triggers a content scanning rule. It might include offensive, abusive, unpleasing words or even company's confidential information.
- Banned File types/Messages: Certain types of file attachments are prone to viruses. The ability to block attachments by file extension is another layer of security for your mail system. Both internal and external email messages are checked for banned content.


Viewing detected items


Use this task to search for the detections. You can select the desired detection type from the available drop-down list.

Task
1. Click Detected Items | All Items. The <All Items> page appears.
2. Select any of the available search filters from the drop-down lists.
3. Select All Dates or a Date Range from the drop-down lists.
4. Select a logical operator to use multiple search filters.
   - And: To consider both the former and the latter filters.
   - Or: To consider either the former or the latter filter.
5. Click Search. A list of quarantined items matching your search criteria is displayed in the View Results section.
   Click Clear Filter to return to the default search filter settings.

Search filters
Use these search filters in combination with other available criteria to narrow your search of detected items. The filter options vary according to the detected item selected.

Option definitions
The available search filters are:

Table 3-2 Search filters
- Action taken: You can search for an item based on the action that was taken on it (deleted/cleaned/intercepted/quarantined and so on).
- Anti-Spam Engine: You can search for an item based on the anti-spam engine that scans email messages for spam and phishing attacks, using anti-spam, anti-phishing, and extra rules.
- Anti-Spam Rule: You can search for an item based on the anti-spam rules that are updated every few minutes to catch the latest spam campaigns sent by spammers.
- Anti-Virus DAT: You can search for an item based on the anti-virus DAT version with a distinctive signature.
- Anti-Virus Engine: You can search for an item based on the anti-virus engine that had a sequence of characters unique to a virus/unwanted content.
- Banned Phrases: You can search by the content of banned phrases.
- Detection Name: You can search for a detected item based on its name.
- File Name: You can search by the name of the detected file in the quarantined item.
- Folder: You can search by the folder where quarantined items are stored.
- Policy Name: You can search for an item by a policy name that detected the item.
- Reason: You can search for an item based on the reason why it was detected.
- Reasons: You can search by a rule or rules that were triggered by a particular email.
- Recipients: You can search for an item through the recipient's email address.
- Reputation Score: You can search by the authenticity level of the source of the email based on up to date information available.
- Rule Name: You can search for an item based on the rule that triggered one or more scanners/filters.
- Scanned by: You can search for an item by the scanner name that detected the item.
- Sender: You can search for an item by the sender's email address.
- Sender IP: You can search for an item by the IP address of the sender's system.
- Server: You can search for an item based on a specific server version.
- Spam Score: Spam score is a number that indicates the amount of potential spam contained within an email message. The engine applies anti-spam rules to each email message it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email message contains spam.
- State: You can search for an item based on its status.
- Subject: You can search for an item based on the subject line of the email message.
- Ticket Number: A ticket number is a unique alphanumeric identifier assigned to a specific detection and delivered as a notification through email. It helps identify the associated detection.

Each item selected under Detected Items will have a corresponding set of search filters. For instructions to view the detected items, see the Viewing detected items section.

View results
In the View Results pane, you can view the results of the search based on the parameters you defined. You can then execute various actions on these detected items.

Table 3-3 Types of actions
- Release: To release a quarantined item. Select an applicable record from the View Results pane and click Release. The original email message is released from the database for delivery to the intended recipient.
- Download: To download a quarantined item. Select an applicable record from the View Results pane and click Download.
- Export to CSV File: To export and save records in .CSV format. Select an applicable record from the View Results pane and click Export to CSV File.
- Columns to display: To select additional column headers to be listed in the View Results pane.
- Submit to McAfee Labs: To submit a quarantined item to McAfee Labs. Select an applicable record from the View Results pane, then click Submit to McAfee Labs. This option is enabled only for specific quarantined items which may be of interest to the McAfee team for further investigation.
- View: To view the quarantined item.
- Forward: To forward the quarantined items to recipients as required.
- Add to allow senders: To add a sender's email address to the list of addresses from which emails should be allowed.
- Add to block senders: To add a sender's email address to the list of addresses from which emails should be blocked.

Each record in the View Results pane has an image, which indicates:
- A record which can be released or downloaded.
- A record which cannot be released or downloaded.
- A record which can be submitted to McAfee Labs for investigation.

For instructions to view the detected items, see the Viewing detected items section.


Policy Manager

Policy Manager is a product feature that allows you to configure and manage different policies and actions in the product. It determines how different types of threats are treated when detected. Each policy specifies the settings and actions that are used by the policy and the actions taken when a detection is triggered for the data in the Exchange environment. The settings are given names and can be used by many policies at the same time. However, the actions are specific to a particular policy. For example, you can create an anti-virus policy and create multiple child policies from it, with a different action for each policy.

The different policies that you can set up are listed under the Policy Manager. Each type of policy has a default Master Policy. The Master Policy cannot be deleted because there must always be one policy from which others can be created. The Master Policy is configured to cover most situations; however, you can create subpolicies to meet specific requirements.

Types of policies
Table 4-1 Types of policies

Policy - Description
On-Access - Create policies for email messages every time they are opened, copied or saved to determine if they contain a virus or other potentially unwanted code. On-access scanning is also called real-time scanning.
On-Demand (Default) - Create policies that are activated at set intervals or on demand, to find a virus or other potentially unwanted code.
On-Demand (Find Viruses) - Create policies that are activated at set intervals or on demand, to find a virus or other Potentially Unwanted Programs (PUPs) and other possible threats.
On-Demand (Remove Viruses) - Create policies that are activated at set intervals or on demand, and which remove viruses, Potentially Unwanted Programs (PUPs) and other possible threats.
On-Demand (Find Banned Content) - Create policies that are activated at set intervals or on demand, to find banned content that you do not want to appear in email messages.
On-Demand (Remove Banned Content) - Create policies that are activated at set intervals or on demand, and which remove content that you do not want to appear in email messages. For example, if an email message contains a particular word or phrase, you can set up a policy to automatically replace the content of that email message with an alert message. You can use this type of policy to prevent unwanted information entering or leaving your organization.
On-Demand (Full Scan) - Create full scan policies that are activated at set intervals to scan for viruses, spam, phishing emails, banned/unwanted content and other harmful codes.
Gateway - Create policies for email messages every time they are opened, copied or saved to determine if it is a spam, phish, MIME files or HTML files.
Shared Resource - Set up resources that can be used by more than one policy. This is more efficient than setting up the same resource separately for each policy. For more information, see the Shared Resources section. For example, instead of creating two disclaimers, one for the Internal mail policy and another for the External mail policy, you can create a single disclaimer that can be used by both policies. The disclaimer is a resource that is shared by more than one policy.


Contents
• Inheritance and advanced views
• Subpolicies
• Setting policies
• Core scanners and filters
• Alert settings and disclaimer text
• Creating a new alert
• Enabling Product Health Alerts
• Shared Resource

Inheritance and advanced views


The Inheritance View enables you to view policy settings inherited from some other policies.

Inheritance view
Once you have created subpolicies, McAfee Security for Microsoft Exchange needs to determine which policy is going to be applied to an email. For this purpose, every policy is assigned a priority. To decide which policy applies, the attributes of the email are used to evaluate the rules of each policy in order of priority. If the rules of a policy are satisfied, that policy is applied to the email. If they are not satisfied, McAfee Security for Microsoft Exchange moves on to evaluating the policy with the next priority. If none of the subpolicies can be applied to the email, the Master Policy is used to scan the email.

Using inheritance, you can create policies which inherit their settings and actions from another policy. The policy that inherits the settings is known as the subpolicy, and the policy from which it inherits those settings is known as the parent policy. Inheritance should not be confused with sharing of settings. An inherited policy uses the same named setting and action as the parent policy. If the parent policy starts using a different setting, the same named setting is used by the subpolicy. Similarly, any changes to the actions in the parent policy are also reflected in the subpolicies. Up to three levels of inheritance are supported. This allows customization of product behavior for different groups of users in an organization/domain.

Advanced view
The Advanced View enables you to use the arrow icon within the Move column to change the order in which the subpolicies are applied. Using Advanced View in conjunction with Inheritance View allows a greater level of customization while maintaining fewer settings.
If you apply multiple policies to a single user, you might want to prioritize which policy takes precedence.

Subpolicies
You can create subpolicies to have specialized behavior for groups of users in the Exchange server environment. Subpolicies allow you to create customized actions for detecting items while using shared settings.


Creating subpolicies
Use this task to create subpolicies for situations not covered by the Master Policy.

Task
1 From Policy Manager, select a menu item for which you want to create a Subpolicy.
2 Click Create Sub-policy. The Create a Sub-policy page appears.
3 Type a Sub-policy name that identifies the policy and what it does.
4 Type a Description for the policy (optional).
5 Select the Parent policy for the sub-policy.
6 Click Next. The Create a Sub-policy - Trigger Rules page appears.
7 Specify the conditions when the policy should trigger.
8 Select Any of the rules apply, All rules apply or None of the rules apply for the specific user.
9 Click New Rule and select the required policy rule.
10 Click Add to select the trigger rule.
11 Click Next. The Create a Sub-policy - Scanner and Filters page appears.
12 Select Inherit all settings from the parent policy to inherit all properties of the parent policy, else select the policy to inherit from another policy by clicking Initialize selected settings with values copied from another policy.
13 Click Finish.
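The priority evaluation described under Inheritance view, together with the Any/All/None trigger rules from the task above, modeled as an added Python example (not McAfee code). The rule helpers, field names, sample addresses, the handling of a sub-policy without rules and the way inheritance levels are counted are assumptions made for illustration; the action names are taken from this guide.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional

MAX_LEVELS = 3  # "up to three levels of inheritance", counted here as parent links (assumption)
Rule = Callable[[dict], bool]


def recipient_matches(pattern: str) -> Rule:
    """Hypothetical trigger rule: any recipient address matches a wildcard pattern."""
    return lambda mail: any(fnmatch(r.lower(), pattern.lower()) for r in mail["to"])


def sender_matches(pattern: str) -> Rule:
    """Hypothetical trigger rule: the sender address matches a wildcard pattern."""
    return lambda mail: fnmatch(mail["from"].lower(), pattern.lower())


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    mode: str = "any"                       # "any", "all" or "none" of the rules apply
    rules: List[Rule] = field(default_factory=list)
    overrides: Dict[str, str] = field(default_factory=dict)  # values set on this policy only

    def __post_init__(self):
        if self.levels() > MAX_LEVELS:
            raise ValueError(f"{self.name}: more than {MAX_LEVELS} levels of inheritance")

    def levels(self) -> int:
        return 0 if self.parent is None else 1 + self.parent.levels()

    def triggers(self, mail: dict) -> bool:
        hits = [rule(mail) for rule in self.rules]
        if not hits:                        # assumption: a sub-policy without rules never triggers
            return False
        return {"any": any(hits), "all": all(hits), "none": not any(hits)}[self.mode]

    def effective(self) -> Dict[str, str]:
        """Resolved at lookup time, so a later change to the parent is reflected here."""
        base = self.parent.effective() if self.parent else {}
        return {**base, **self.overrides}


def select_policy(mail: dict, ordered_subpolicies: List[Policy], master: Policy) -> Policy:
    """First sub-policy in priority order whose rules are satisfied, else the Master Policy."""
    for policy in ordered_subpolicies:
        if policy.triggers(mail):
            return policy
    return master


def demo():
    master = Policy("Master Policy", overrides={
        "av_options": "default-set", "on_detection": "Replace item with an alert"})
    staff = Policy("All staff", parent=master,
                   rules=[recipient_matches("*@example.com")],
                   overrides={"on_detection": "Delete embedded item"})
    finance = Policy("Finance", parent=staff, mode="all",
                     rules=[recipient_matches("finance-*@example.com"),
                            sender_matches("*@example.com")],
                     overrides={"on_detection": "Delete message"})
    # Constructed sample messages.
    internal = {"from": "alice@example.com", "to": ["finance-ap@example.com"]}
    external = {"from": "x@example.net", "to": ["someone@example.org"]}

    # A broad sub-policy placed first wins, so the narrower one is never reached.
    shadowed = select_policy(internal, [staff, finance], master).name
    # Moving the narrow policy up (the Advanced View reordering) changes the result.
    reordered = select_policy(internal, [finance, staff], master).name
    # No sub-policy matches: the Master Policy is used.
    fallback = select_policy(external, [finance, staff], master).name
    # Inherited values follow the parent; actions set on the sub-policy stay its own.
    before = finance.effective()["av_options"]
    master.overrides["av_options"] = "weekend-set"
    after = finance.effective()["av_options"]
    return shadowed, reordered, fallback, before, after


if __name__ == "__main__":
    print(demo())
```

Running a set of representative messages through a model like this before reordering sub-policies shows which policy each message would land in, and whether a narrowly scoped sub-policy is being shadowed by a broader one above it.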

Setting policies
You can set up policies that determine how different types of threats are treated when detected. Each policy specifies the settings and actions that are used by the policy when a detection is triggered for the data in an Exchange server environment. The settings are given names and can be used by many policies at the same time. However, the actions are specific to a particular policy.

Tasks
• Listing all the scanners - In the List All Scanners tab, you can configure different types of policy settings.
• Creating a new rule for a specific user - Use this task to create a new rule and specify the conditions for the rule to be applied for a particular user.

Listing all the scanners


In the List All Scanners tab, you can configure different types of policy settings. The type of settings that are available depends on which policy is selected.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master Policy.


Select the policy that you want to view and configure. You can then use Selection to select the type of configuration settings you want to view and configure for the selected policy. You can configure a policy so that it applies only for a specific user. The Scanners, Filters, and Miscellaneous settings displayed vary corresponding to the option selected under Policy Manager.

Table 4-2 Policy configuration

Option - Definition
Policy - To select the policy you want to configure.
Add Scanner/Filter - To configure the policy so that it applies only at specific times. For example, you can create an anti-virus setting that is applicable on weekends.
   Only some filters can be turned off. Filters that cannot be turned off act as a prerequisite for other scanners and filters. For example, when we identify a digitally signed email, we need to decide if we should scan the attachments of the email or not. If settings for signed emails were turned off, we cannot take this decision.
Core Scanners - To configure the policy for each type of scanner. Typical core scanner options include:
   • Anti-Virus Scanner
   • Content Scanning
   • File Filtering
Filters - To configure the policy for each type of filter. Typical filters include:
   • Corrupt Content
   • Protected Content
   • Encrypted Content
   • Signed Content
   • Password Protected Files
   • Mail Size Filtering
   • Scanner Control
   • MIME Mail Settings
   • HTML Files
Miscellaneous settings - To configure the alert settings and disclaimer messages for policies. Miscellaneous options include:
   • Alert Settings
   • Disclaimer Text

Tasks
• Adding scanner/filter - Use this task to add a scanner or filter.

Adding scanner/filter
Use this task to add a scanner or filter.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master Policy, then select List All Scanners | Add Scanner/Filter.
   The Add Scanner/Filter option is available only for the submenu item On-Access.
3 From Specify the category drop-down list, select the required scanner or filter.
4 From When to use this instance section, select an existing time slot or create a new one.
5 Click Save.

Creating a new rule for a specific user


Use this task to create a new rule and specify the conditions for the rule to be applied for a particular user.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy. The sub-policy page appears.
3 Click the Specify Users tab to specify users for whom a policy will be applied.
4 Click New Rule.
5 In the Specify a policy rule pane, select the policy rule, then specify the condition for the rule. You can also Copy rules from another policy, if policies are available.
6 Click Add to add the rule or Delete to remove the selected rule.
7 Click Apply to save the rule to the specific user.

Core scanners and filters


This section highlights the types of core scanners and filters that can be applied when creating policies.

Scanners
You can use Core Scanners to configure a policy for each type of scanner. Typical core scanners include:
• Anti-Virus Scanner
• Anti-Spam
• Content Scanning
• File Filtering
• Anti-Phishing

Filters
You can use Filters to configure a policy for each type of filter. Typical filters include:
• Corrupt Content
• Protected Content
• Encrypted Content
• Signed Content
• Password Protected Files
• Mail Size Filtering
• Scanner Control
• MIME Mail Settings
• HTML Files

Miscellaneous
You can use Miscellaneous to configure:
• Alert Settings
• Disclaimer Text

Configuring scanner settings


This section provides information on creating new sets of options for scanners, then specifying an appropriate action to be taken on the item detected by those scanners.

Tasks
• Configuring anti-virus scanner settings - Anti-Virus Scanner consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Use this task to configure the anti-virus scanner settings.
• Configuring anti-spam scanner settings - Use this task to configure various settings for the anti-spam scanner.
• Configuring content scanner settings - McAfee Security for Microsoft Exchange can identify the textual data in a mail/attachment for scanning. You can create content rules to specify banned content and assign them to the policies. Use this task to configure the content scanner settings.
• Configuring file filtering scanner settings - Use this task to define the scanner settings for file filtering based on the filename or extension. Using this filter, administrators can block unwanted files from user mailboxes.
• Configuring the antiphish scanner settings - Use this task to define the settings to block phishing messages at the gateway, using spam rules and engine.

Configuring anti-virus scanner settings


Anti-Virus Scanner consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Use this task to configure the anti-virus scanner settings.

Task
1 From Policy Manager, select a submenu item that has the anti-virus scanner. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners tab.
3 Click Anti-Virus Scanner.
4 In Activation, select Enable to activate the anti-virus scanner settings for the selected submenu item.
5 From the Options drop-down list, select <create new set of options>. The Anti-Virus Scanner Settings page appears.
6 In Instance name, type a unique name for the anti-virus scanner setting instance. This field is mandatory.
7 In Basic Options tab under Specify which files to scan, select one of these options:
   • Scan all files - To specify that all the files should be scanned regardless of their type.
   • Default file types - To specify that only the default file types should be scanned.
   • Defined file types - To specify which file types should be scanned.
8 Select additional scanner option(s) available in Scanner options. You can select:
   • Scan archive files (ZIP, ARJ, RAR...)
   • Find unknown file viruses
   • Find unknown macro viruses
   • Enable McAfee Global Threat Intelligence file reputation - This enables the threat intelligence gathered by McAfee Labs that would prevent damage and data theft before a signature update is available. Select the Sensitivity level from the options available.
   • Scan all files for macros
   • Find all macros and treat as infected
   • Remove all macros from document files
9 On the Advanced tab under Custom malware categories, specify the items to be treated as malware. There are two ways to select malware types:
   • Select the malware types from the list of checkboxes.
   • Select Specific detection names, type a malware category, then click Add.
   When typing a malware category name, you can use wildcards for pattern matching.
10 Select the Do not perform custom malware check if the object has already been cleaned option, if the cleaned items must not be subjected to the custom malware check.
11 In Clean options, specify what happens to files that are reduced to zero bytes after being cleaned. Select any one of these options:
   • Keep zero byte file - To keep files that have been cleaned and are of zero bytes.
   • Remove zero byte file - To remove any file that has zero bytes after being cleaned.
   • Treat as a failure to clean - To treat zero byte files as if they cannot be cleaned, and apply the failure to clean action.
12 In Packers tab, select:
   • Enable detection - To enable or disable the detection of packers.
   • Exclude specified names - To specify which packers can be excluded from being scanned.
   • Include only specified names - To specify which packers you want the software to detect.
   • Add - To add packer names to a list. You can use wildcards to match names.
   • Delete - To remove packer names you have added. This link is activated if you click Add.
13 In PUPs tab, select:
   • Enable detection - To enable or disable the detection of PUPs. Click the disclaimer link and read the disclaimer before configuring PUP detection.
   • Select the program types to detect - To specify whether each type of PUP in the list should be detected or ignored.
   • Exclude specified names - To specify which PUPs can be excluded from being scanned. For example, if you have enabled spyware detection, you can create a list of spyware programs that you want the software to ignore.
   • Include only specified names - To specify which PUPs you want the software to detect. For example, if you enable spyware detection and specify that only named spyware programs should be detected, all other spyware programs are ignored.
   • Add - To add PUP names to a list. You can use wildcards to match names.
   • Delete - To delete PUP names that you have added. This link is activated if you click Add.
   The McAfee website http://vil.nai.com/vil/default.aspx contains a list of PUP names. Use the Search in Category option to select PUPs.
14 Click Save to return to the policy page.
15 In Actions to take, click Edit. In the following tabs, specify the anti-virus scanner actions that must be taken if a virus (or virus-like behavior) is detected:
   • Cleaning - Select Attempt to clean any detected virus or trojan to activate various actions. Select the action(s) to be taken from:
      • Log - To record the detection in a log.
      • Quarantine - To store a copy of the item in a quarantine database.
      • Notify administrator - To send an alert message to the email administrator.
      • Notify internal sender - To send an alert message to the sender, when the original email originates from the same domain as the server.
      • Notify external sender - To send an alert message to the sender, when the original email does not originate from the same domain as the server.
      • Notify internal recipient - To send an alert message to the recipient, when the recipient is in the same domain as the server.
      • Notify external recipient - To send an alert message to the recipient, when the recipient is not in the same domain as the server.
   • Default Actions - From Take the following action drop-down list, select an action:
      • Replace item with an alert
      • Delete embedded item
      • Delete message
      • Allow through
   • Custom Malware
   • Packers
   • PUPs
16 Select the corresponding alert document or click Create to make a new alert document. From And also select additional actions to be taken.
17 Click Save to return to the policy page.


Configuring anti-spam scanner settings


Use this task to configure various settings for the anti-spam scanner.

Task
1 From Policy Manager, select the submenu item Gateway that has the anti-spam scanner. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners | Anti-Spam.
   To enable Global Threat Intelligence, see Configuring Anti Spam settings.
3 In Activation, select Enable.
4 In the Options drop-down list, select <create new set of options>. The Anti-Spam Settings page appears.
5 In Instance name, type a unique name for the anti-spam scanner setting instance. This field is mandatory.
6 In Options tab, under Scoring, type the values for:
   • High score threshold - If the overall spam score is 15 or more.
   • Medium score threshold - If the overall spam score is 10 or more, but less than 15.
   • Low score threshold - If the overall spam score is 5 or more, but less than 10.
   To use the default values of spam scores, select the Use default option. These default settings have been carefully optimized to maintain the balance between a high spam detection rate and a low false positive rate. In the unlikely event that you need to change these settings, a technical notice is available from Technical Support.
7 In Reporting, under the Spam reporting threshold is drop-down list, select High, Medium, Low, or Custom to specify the point at which an email message should be marked as spam.
8 In Custom score, type a specific spam score at which email messages should be marked as spam. This field is enabled only if you select the Custom option in step 6.
9 Select or deselect Add prefix to subject of spam messages as required.
10 From the Add a spam score indicator drop-down list, select:
   • Never - To have the Internet header of an email message without the spam score indicator.
   • To spam messages only - To add a spam score indicator to the Internet header of spam email messages only.
   • To non-spam messages only - To add a spam score indicator to the Internet header of non-spam email messages only.
   • To all messages - To add a spam score indicator to the Internet header of all email messages.
   Spam score indicator is a symbol used in the spam report that is added to the email message's Internet headers to indicate the amount of potential spam contained in an email message.
11 From the Attach a spam report drop-down list, select:
   • Never - To display an email message without the spam score indicator.
   • To spam messages only - To add a spam report to spam email messages only.
   • To non-spam messages only - To add a spam report to non-spam email messages only.
   • To all messages - To add a spam report to all email messages.
12 Select or deselect Verbose reporting to specify whether verbose reporting is required or not. Verbose reporting includes the names and descriptions of the anti-spam rules that have been triggered.
   Verbose reporting is available only if you do not select Never in step 11.
13 On the Advanced tab, use:
   • Maximum message size to scan (KB) - To specify the maximum size of an email message (in kilobytes) that can be scanned. You can type a size up to 999,999,999 kilobytes, although typical spam email messages are quite small. Default value is 250 KB.
   • Maximum width of spam headers (Bytes) - To specify the maximum size (in bytes) that the spam email message header can be. The minimum header width that you can specify is 40 characters and the maximum is 999 characters. Default value is 76.
     Spammers often add extra information to headers for their own purposes.
   • Maximum number of reported rules - To specify the maximum number of anti-spam rules that can be included in a spam report. The minimum number of rules you can specify is 1 and the maximum is 999. Default value is 180.
   • Header name - To specify a different name for the email header. You can use this email header and its header value (below) when tracking email messages and applying rules to those messages. These fields are optional, and accept up to 40 characters.
   • Header value - To specify a different value for the email header.
   • Add header - To specify that the header should be added to none of the email messages, all of the email messages, only spam email messages or only to non-spam email messages.
   Select or deselect the Use alternative header names when a mail is not spam option as required.
14 In Mail Lists tab, under Blacklisted senders, Whitelisted senders, Blacklisted recipients and Whitelisted recipients, type the email addresses of the blacklisted and whitelisted senders and recipients.
   Email messages sent to or from an email address on a blacklist are treated as spam, even if they do not contain spam-like characteristics. Email messages sent to or from email addresses on a whitelist are not treated as spam, even if they contain spam-like characteristics.
   Click Add to add email addresses to a list and the checkbox beside each address to specify whether it is currently enabled or not. Click Delete All to remove an email address from the list. You cannot add the same email address more than once. You can use wildcard characters to match multiple addresses.
15 In Rules tab, enter the rule name and select Enable rule to activate it. Click Add to display a list of available rules.
   Click Reset to return to the default anti-spam settings.
16 In the list, against each rule, click Edit to modify the rule; click Delete to remove the rule.
17 Click Save to return to the policy page.


18 In Actions to take if spam is detected, click Edit. In the following tabs, specify the anti-spam scanner actions that must be taken if a spam is detected:
   • High Score
   • Medium Score
   • Low Score

19 Click Save to return to the policy page.
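How the score bands, the reporting threshold, the sender lists and the maximum message size from this task interact, as an added Python model (not McAfee code). The header name, the use of one asterisk per whole point as the indicator symbol, and the order in which the lists and the size limit are checked are assumptions; thresholds, defaults and option names are the ones quoted in the task.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional

HEADER_NAME = "X-Example-Spam-Score"  # hypothetical header name, not the product's


@dataclass
class AntiSpamSettings:
    reporting: str                            # "High", "Medium", "Low" or "Custom"
    custom_score: Optional[float] = None      # used only when reporting == "Custom"
    high: float = 15                          # score thresholds quoted in the task
    medium: float = 10
    low: float = 5
    indicator: str = "Never"                  # "Add a spam score indicator" choice
    max_scan_kb: int = 250                    # default on the Advanced tab
    max_header_width: int = 76                # default; allowed range is 40 to 999
    blacklisted_senders: List[str] = field(default_factory=list)
    whitelisted_senders: List[str] = field(default_factory=list)

    def cutoff(self) -> float:
        """Score at which a message is marked as spam."""
        if self.reporting == "Custom":
            if self.custom_score is None:
                raise ValueError("Custom reporting threshold needs a custom score")
            return self.custom_score
        return {"High": self.high, "Medium": self.medium, "Low": self.low}[self.reporting]

    def validate(self) -> None:
        if not self.low < self.medium < self.high:   # sanity check added for this model
            raise ValueError("thresholds must satisfy low < medium < high")
        if not 40 <= self.max_header_width <= 999:
            raise ValueError("header width must be between 40 and 999")
        if self.max_scan_kb > 999_999_999:
            raise ValueError("maximum message size to scan is 999,999,999 KB")
        self.cutoff()


def band(score: float, s: AntiSpamSettings) -> str:
    if score >= s.high:
        return "High"
    if score >= s.medium:
        return "Medium"
    if score >= s.low:
        return "Low"
    return "None"


def _listed(address: str, patterns: List[str]) -> bool:
    return any(fnmatch(address.lower(), p.lower()) for p in patterns)


def evaluate(sender: str, size_kb: int, score: float, s: AntiSpamSettings) -> dict:
    s.validate()
    scanned = size_kb <= s.max_scan_kb
    if _listed(sender, s.blacklisted_senders):     # assumption: blacklist is checked first
        is_spam, reason = True, "blacklisted sender"
    elif _listed(sender, s.whitelisted_senders):
        is_spam, reason = False, "whitelisted sender"
    elif not scanned:                              # too large: the scanner never scores it
        is_spam, reason = False, "not scanned: larger than maximum message size"
    else:
        is_spam, reason = score >= s.cutoff(), f"score band {band(score, s)}"
    wanted = {"Never": False, "To all messages": True,
              "To spam messages only": is_spam,
              "To non-spam messages only": not is_spam}[s.indicator]
    header = None
    if wanted and scanned:
        # assumption: one '*' per whole point; the task only says the indicator is a symbol
        header = f"{HEADER_NAME}: {'*' * int(score)}"[: s.max_header_width]
    return {"spam": is_spam, "reason": reason, "header": header}


def demo():
    s = AntiSpamSettings(reporting="Medium", indicator="To spam messages only",
                         blacklisted_senders=["*@bulk.example"],
                         whitelisted_senders=["billing@partner.example"])
    # Constructed samples: (sender, size in KB, spam score)
    return [
        evaluate("a@shop.example", 40, 12.4, s),           # Medium band, reported
        evaluate("a@shop.example", 40, 7.0, s),            # Low band, below the Medium cutoff
        evaluate("news@bulk.example", 40, 0.0, s),         # blacklisted despite score 0
        evaluate("billing@partner.example", 40, 22.0, s),  # whitelisted despite High score
        evaluate("a@shop.example", 300, 22.0, s),          # over 250 KB, never scored
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two samples are the ones to review when tuning: a whitelist entry or a message larger than Maximum message size to scan (KB) keeps a high-scoring message from being marked as spam.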

Configuring content scanner settings


McAfee Security for Microsoft Exchange can identify the textual data in a mail/attachment for scanning. You can create content rules to specify banned content and assign them to the policies. Use this task to configure the content scanner settings.

Task
1 From Policy Manager, select a submenu item that has the content scanner. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Content Scanning.
4 Select Enable to activate the content scanner settings for the selected submenu item.
5 In Options, you can use:
   • Include document and database formats in content scanning - To include document and database formats when scanning content.
   • Scan the text of all attachments - To scan the text of all attachments.
   • Create - To create a new alert message when the content of an email message is replaced due to a rule being triggered. See the Creating a new alert section for instructions.
   • View/Hide - To display or hide the preview of the alert message. If the preview is hidden, clicking this link displays it. If the preview is displayed, clicking this link hides it.
6 In Content Scanner rules and associated actions, click Add rule. The Content Rules page appears.
7 In Specify actions for a selection of content rules:
   a Select a rule group from the Select rules group drop-down menu that will trigger an action if one or more of its rules are broken.
   b In Select rules from this group, specify if all rules or only rules with a specific severity rating should be included. The options are Severity - Low, Severity - Medium, and Severity - High.
      Selecting the Select all option overrides all the three rules.
8 In If detected, take the following action:, select the content scanner actions that must be taken if some content in an email message is detected.
9 From And also, select one or more additional actions.
10 Click Save to return to the policy page.


To enable Regex and know its details, see Creating shared filter rules.


Configuring file filtering scanner settings


Use this task to define the scanner settings for file filtering based on the filename or extension. Using this filter, administrators can block unwanted files from user mailboxes.

Task
1 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click File Filtering, then select Enable to activate the file filtering scanner settings for the selected submenu item.
4 In Alert Selection, click:
   • Create - To create a new alert message when the attachment (or a file) of an email message is replaced due to a rule being triggered. See the Creating a new alert section for instructions.
   • View/Hide - To display or hide the preview of the alert message. If the preview is hidden, clicking this link displays it. If the preview is displayed, clicking this link hides it.
5 In File filtering rules and associated actions, from the Available rules drop-down menu, select Create new rule. The File Filtering Rule page appears.
6 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, FilesOver5MB.
7 In Filename filtering, select Enable file name filtering to enable file filtering according to the file names. For example, if you type *.exe, this file filtering rule is applied to any file that has a .exe file name extension.
8 In Take action when the file name matches, specify the names of the files that are affected by this rule. You can use the * and ? wildcard characters to match multiple filenames. For example, if you want to filter out executable files, type *.exe.
9 Click Add to add the file names to the filtering list or Delete to remove file names from the filtering list.
10 In File category filtering, select Enable file category filtering to enable file filtering according to their file type.
   a In Take action when the file category is, specify the type of files that are affected by this rule.
      File types are divided into categories and subcategories.
   b In File categories, select a file type. An asterisk symbol (*) appears next to the file type to indicate that the selected file type will be filtered.
   c In Subcategories, select the subcategory you want to filter. To select more than one subcategory, use Ctrl+Click or Shift+Click. To select all of the subcategories, click All. Click Clear selections to undo the last selection.
   Select Extend this rule to unrecognized file categories to apply this rule to any other file categories and subcategories that are not specifically mentioned in the categories and subcategories lists.
11 In File size filtering, select Enable file size filtering to filter files according to their file size.
   a In Take action when the file size is, select Greater than to specify that the action should only be applied if the file is larger than the size specified.
   b Select Less Than to specify that the action should only be applied if the file is smaller than the size specified.
12 Click Save to return to the policy page.
13 Click the Change link of the rule and specify actions that must be taken when a file/attachment in an email message is detected and filtered.
14 Click Delete to remove a rule.
15 Send an email from your Microsoft Outlook with an executable file attached. The file filtering rule is triggered and the actions specified in steps 7 - 11 take place.

Configuring the antiphish scanner settings


Use this task to define the settings to block phishing messages at the gateway, using spam rules and engine.

Task
1 From Policy Manager, select a submenu item that has the antiphish scanner. The policy page for the submenu item appears.
   Antiphish scanner is available only in Gateway.
2 Click Master policy, then click List All Scanners.
3 Click a policy name, then click Anti-Phishing.
4 Select Enable to activate the antiphish scanner settings for the selected submenu item.
5 In the Options drop-down list, select <create new set of options>. The Anti-Phishing Settings page appears.
6 In Instance name, type a unique name for the antiphish scanner setting instance. This field is mandatory.
7 In Reporting Options, select or deselect these options as required:
   • Add prefix to subject of phishing messages - To specify that you want to add text to the start of the subject line of any email message that probably contains phish.
   • Add a phish indicator header to messages - To specify whether a phish indicator is added to the Internet header of any email message that probably contains phish.
   • Attach a phish report - To specify whether a phish report should be generated and added to an email message.
   • Verbose reporting - To specify whether the names and a detailed description of the antiphish rules that have been triggered should be included in the email message. This option is available only if the Attach a phish report option is selected.
8 Click Save to return to the policy page.
9 In Actions to take, click Edit and specify the antiphish scanner actions that must be taken if a phish is detected.
10 Click Save to return to the policy page.

Filter settings for a policy


You can configure different types of filter settings for a policy. The type of settings that are available depends on which policy is selected.


Tasks
- Configuring corrupt content filter settings: The content of some email messages can become corrupt, which means that the content of the email message cannot be scanned.
- Configuring protected content filter settings: The content of some email messages is protected, which means that the content of the email message cannot be scanned.
- Configuring encrypted content filter settings: Email messages can be encrypted, meaning that the content of those messages is encoded and therefore not accessible to unauthorized parties.
- Configuring signed content filter settings: Whenever information is sent electronically, it can be accidentally or willfully altered. To overcome this, some email software uses a digital signature, the electronic form of a handwritten signature.
- Configuring password-protected archives filter settings: You can protect an archive with a password and send it through email. Password-protected files cannot be accessed without a password and cannot be scanned.
- Configuring mail size filter settings: Mail size filtering allows you to specify an action that will be applied to email messages based on their size.
- Configuring the scanner control filter settings: You can use Scanner Control Settings to limit the nesting level, file size, and scan time that is allowed when the email messages are scanned.
- Configuring MIME mail filter settings: Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.
- Configuring HTML file filter settings: HTML file filter allows you to search for elements or executables such as ActiveX, Java applets, VBScripts in HTML components.

Configuring corrupt content filter settings


The content of some email messages can become corrupt, which means that the content of the email message cannot be scanned. Corrupt content policies specify how email messages with corrupt content are handled when detected.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Corrupt Content.
4 In Actions, click Edit to specify the filter actions that must be taken when corrupt content is detected.
5 Click Save to return to the policy page.

Configuring protected content filter settings


The content of some email messages is protected, which means that the content of the email message cannot be scanned. Protected content policies specify how email messages with protected content are handled when detected.


Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Protected Content.
4 In Actions, click Edit to specify the filter actions that must be taken when protected content is detected.
5 Click Save to return to the policy page.

Configuring encrypted content filter settings


Email messages can be encrypted, meaning that the content of those messages is encoded and therefore not accessible to unauthorized parties. Decrypting encrypted content requires a "key" and mathematical encryption algorithms. Encrypted content policies specify how encrypted email messages are handled when detected.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Encrypted Content.
4 In Actions, click Edit to specify the filter actions that must be taken when encrypted content is detected.
5 Click Save to return to the policy page.

Encrypted content settings are applicable to encrypted attachments in internal emails and to encrypted internet email messages.

Configuring signed content filter settings


Whenever information is sent electronically, it can be accidentally or willfully altered. To overcome this, some email software uses a digital signature, the electronic form of a handwritten signature.

A digital signature is extra information added to a sender's message that identifies and authenticates the sender and the information in the message. It is encrypted and acts like a unique summary of the data. Typically, a long string of letters and numbers appears at the end of a received email message. The email software then re-examines the information in the sender's message, and creates a digital signature. If that signature is identical to the original, the data has not been altered.

If the email message contains a virus, bad content, or is too large, the software might clean or remove some part of the message. The email message is still valid, and can be read, but the original digital signature is 'broken'. The recipient cannot rely on the contents of the email message because the contents might also have been altered in other ways.

Signed content policies specify how email messages with digital signatures are handled.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Signed Content.


4 In Actions, click Edit to specify the filter actions that must be taken when signed content is detected.
5 Click Save to return to the policy page.

Signed content settings are applicable to signed internet emails and signed attachments.

Configuring password-protected archives filter settings


You can protect an archive with a password and send it through email. Password-protected files cannot be accessed without a password and cannot be scanned. Password-protected files policies specify how email messages that contain password-protected files are handled.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Password-Protected Files.
4 In Actions, click Edit to specify the filter actions that must be taken when an email message containing a password-protected file is detected.
5 Click Save to return to the policy page.

Configuring mail size filter settings


Mail size filtering allows you to specify an action that will be applied to email messages based on their size.

Task
1 From Policy Manager, click Gateway. The Gateway Policies page appears.
2 Click Master policy, then click List All Scanners.
3 Click Mail Size Filtering.
4 In Activation, select Enable to activate the email size filter settings for the selected submenu item.
5 In Options, you can use:
  - Default Settings: To view a summary of the mail size option set that is used by default.
  - <create new set of options>: To configure mail size filtering options. The options are:
    - Instance name: Type a unique name for the mail size filter setting instance. This field is mandatory.
    - Maximum overall mail size (KB): Specify the maximum size (in kilobytes) that an email message can be. The recommended size is 100,000 kilobytes (10 megabytes).
    - Maximum attachment size (KB): Specify the maximum size (in kilobytes) that the attachment(s) of an email message can be. The recommended size is 32000 kilobytes.
    - Maximum number of attachments: Specify the maximum number of attachments an email message can have. The recommended size is 500 attachments (maximum).
  - Edit: To edit the selected option set.


6 In Actions, click Edit. In the following tabs, specify the mail size filter actions that must be taken if the size of the email message/attachment and the number of email attachments exceed the specified number:
  - Message Size
  - Attachment Size
  - Attachment Count
7 Click Save to return to the policy page.

Mail size filtering is applicable to both inbound and outbound email messages.

Configuring the scanner control filter settings


You can use Scanner Control Settings to limit the nesting level, file size, and scan time that is allowed when the email messages are scanned.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click Scanner Control.
4 In Options, click <create new set of options>.
5 In Instance name, type a unique name for the scanner control filter setting instance. This field is mandatory.
6 In Maximum nesting level, specify the level to which the scanner should scan when an attachment contains compressed files, and other compressed files within. We recommend that you limit scanning to a depth of 100.
7 In Maximum expanded file size (MB), specify the maximum number of megabytes a file can be when expanded for scanning. We recommend a maximum size of 100 megabytes.
8 In Maximum scan time (minutes), specify the maximum number of minutes that should be spent scanning any file. We recommend a maximum of 10 minutes.
9 Click Save to return to the policy page.
10 In Alert selection, you can select which alert to use when a scanner control option is triggered. You can use:
  - Create: To create a new alert message for this policy.
  - View/Hide: To display or hide the alert text. If the text is hidden, clicking this link displays it. If the text is displayed, clicking this link hides it.
11 In Actions, click Edit to specify the filter actions that must be taken when an item exceeds the maximum nesting level (in a zip attachment), file size, or scanning time, or if scanning an item fails.
12 Click Save to return to the policy page.
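
The following Python sketch is an added example, not McAfee's implementation. It shows how the three scanner control limits bound the work done on nested ZIP attachments. The function names are hypothetical, the outermost archive is counted as nesting level 1, and the expanded-size limit is applied to each member as it is decompressed; both are assumptions.

```python
import io
import time
import zipfile

CHUNK = 64 * 1024  # expand in small pieces so a limit can stop the work early


class ScanLimitExceeded(Exception):
    """One of the three scanner control limits was hit."""

    def __init__(self, limit, detail):
        super().__init__(f"{limit}: {detail}")
        self.limit = limit


def _read_capped(fh, max_bytes, deadline):
    """Decompress one member without trusting the size declared in its header."""
    buf = bytearray()
    while True:
        if time.monotonic() > deadline:
            raise ScanLimitExceeded("scan_time", "deadline passed while expanding")
        chunk = fh.read(CHUNK)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise ScanLimitExceeded("expanded_size", f"member exceeds {max_bytes} bytes")


def expand(data, max_nesting=100, max_expanded_mb=100, max_scan_minutes=10,
           _depth=1, _deadline=None, _prefix=""):
    """Return [(path, size)] for every non-archive file inside a ZIP, within limits."""
    if _deadline is None:
        _deadline = time.monotonic() + max_scan_minutes * 60
    if _depth > max_nesting:
        raise ScanLimitExceeded("nesting", f"archive found at level {_depth}")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                body = _read_capped(fh, max_expanded_mb * 1024 * 1024, _deadline)
            path = _prefix + info.filename
            if zipfile.is_zipfile(io.BytesIO(body)):
                # One deadline is shared by the whole item, however deep it nests.
                leaves += expand(body, max_nesting, max_expanded_mb, max_scan_minutes,
                                 _depth + 1, _deadline, path + "!")
            else:
                leaves.append((path, len(body)))
    return leaves


def verdict(data, **limits):
    """Return the name of the limit that fired, "scan_failed", or "ok"."""
    try:
        expand(data, **limits)
        return "ok"
    except ScanLimitExceeded as exc:
        return exc.limit
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return "scan_failed"  # corrupt, password-protected or unsupported member


def make_nested_zip(levels, payload):
    """Constructed sample input: `payload` wrapped in `levels` ZIP layers."""
    data, name = payload, "payload.bin"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data
```

Each verdict other than "ok" corresponds to a case for which step 11 asks you to choose an action.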

Configuring MIME mail filter settings


Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters. MIME defines different ways of encoding the non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set.


Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click MIME Mail Settings.
4 In Options, select <create new set of options>. The Mail Settings page appears.
5 In Instance name, type a unique name for the MIME email filter setting instance. This field is mandatory.
6 In Options tab, type a Prefix to message subject.
  a In Preferred re-encoding of attachments in a MIME message, select a re-encoding method that is used when re-encoding attachments in MIME messages from the options available.
  b In Preferred re-encoding of modified subject headers, select a re-encoding method that is used when re-encoding the subject headers in the MIME messages from the options available.
  c In If re-encoding a subject header fails, select one of these options:
    - Treat as an error: The MIME message is bounced.
    - Fallback to UTF-8: The MIME message is encoded into UTF-8.
  You can perform step 6b only if you select Re-encode using the original encoding scheme or Re-encode using the following character set from Preferred re-encoding of modified subject headers.
7 In Advanced tab, select one of these encoding methods to use while encoding the text part of an email message:
  - Quoted-Printable, which is best suited for messages that mainly contain ASCII characters, but also contain some byte values outside that range.
  - Base64, which has a fixed overhead and is best suited for non-text data, and for messages that do not have a lot of ASCII text.
  - 8-Bit, which is best suited for use with SMTP servers that support the 8BIT MIME transport SMTP extension.
  a Select or deselect Do not encode if text is 7-bit as required.
  b In Default decode character set, select a character set that should be used for decoding when one is not specified by the MIME headers.
  c In Maximum number of MIME parts, specify the maximum number of MIME parts that can be contained in a MIME message. Default value is 10000 MIME parts.
  d In Header corruption in a MIME message, select the required option.
  e In NULL characters in the headers of a MIME message, select the required option.
  f In Quoted-printable characters encoding in a MIME message, select the required option.
8 In MIME Types tab, specify which MIME types should be treated as text attachments and which as binary attachments.
  Click Add to add the MIME types to the list or Delete to delete a MIME type from a list. Duplicate entries are not allowed.


9 In Character Sets tab, select a Character set, Alternatives, deselect the Fixed checkbox, and click Add to specify an alternative character set mapping to the one specified in the MIME message.
  Click Edit to edit character mappings, Delete to delete character mappings and Save to save any changes you have made to the character mappings.
  The Save option is available only when you click Edit.
10 Click Save.
11 In Alert selection, you can select which alert to use when a MIME type is blocked. You can use:
  - Create: To create a new alert message for this policy.
  - View/Hide: To display or hide the alert text. If the text is hidden, clicking this link displays it. If the text is displayed, clicking this link hides it.
12 In Incomplete message actions, click Edit to specify the filter actions that must be taken when a partial MIME or external MIME type is encountered.
13 Click Save to return to the policy page.
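
To make the MIME conditions in this task concrete, the Python sketch below (an added example, not the product's code) inspects a raw message for the things steps 7c, 7e and 12 refer to: the number of MIME parts, NULL characters in the headers, and partial or external-body messages. The function and finding names are hypothetical, only non-multipart parts are counted, and only the top-level header block is checked for NULL characters; the sample messages are constructed.

```python
from email import message_from_bytes
from email.policy import default


def mime_findings(raw, max_parts=10000):
    """Return sorted finding names for one raw message given as bytes."""
    findings = set()

    # Header block: everything before the first blank line of the message.
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    if b"\x00" in raw.split(sep, 1)[0]:
        findings.add("null_in_headers")

    msg = message_from_bytes(raw, policy=default)
    leaf_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/partial":          # one fragment of a split message
            findings.add("partial_message")
        elif ctype == "message/external-body":  # content is only referenced
            findings.add("external_body")
        if part.defects:                        # structural problems seen by the parser
            findings.add("parser_defect")
        if not part.is_multipart():
            leaf_parts += 1
    if leaf_parts > max_parts:
        findings.add("too_many_parts")
    return sorted(findings)


def _msg(*lines):
    """Join constructed header and body lines into a raw message."""
    return "\r\n".join(lines).encode("ascii")


# Constructed sample messages.
CLEAN = _msg(
    "From: a@example.test", "To: b@example.test", "Subject: report",
    "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", 'Content-Type: text/plain; charset="us-ascii"', "", "hello",
    "--b1", "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64", "", "AAEC",
    "--b1--", "",
)
PARTIAL = _msg(
    "From: a@example.test", "Subject: big file (1/3)", "MIME-Version: 1.0",
    'Content-Type: message/partial; id="constructed@example.test"; number=1; total=3',
    "", "Content-Type: text/plain", "", "first fragment", "",
)
EXTERNAL = _msg(
    "From: a@example.test", "Subject: file by reference", "MIME-Version: 1.0",
    'Content-Type: message/external-body; access-type="URL"; '
    'URL="http://example.test/file.bin"',
    "", "Content-Type: application/octet-stream", "", "",
)
NUL_HEADER = CLEAN.replace(b"Subject: report", b"Subject: re\x00port")
```

A partial message carries only a fragment and an external-body part carries no content at all, so neither can be scanned as a whole; that is why they get their own action setting.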

Configuring HTML file filter settings


HTML file filter allows you to search for elements or executables such as ActiveX, Java applets, VBScripts in HTML components. If any of this content is found in HTML, it is removed. This filter works only if Content Scanner is enabled.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click List All Scanners.
3 Click HTML Files.
4 In Options, click <create new set of options>. The HTML Files page appears.
5 In Instance name, type a unique name for the scanner control filter setting instance. This field is mandatory.
6 In Scan the following elements, select any of these option(s):
  - Comments: To scan for comment elements in the HTML message. For example:
    <!-- comment text -->
  - Metadata: To scan for metadata elements in the HTML message. For example:
    <META HTTP-EQUIV="Expires" Content="Tue, 04 June 2007 21:29:02">
  - Links URLs ("<a href=..."): To scan for URL elements in the HTML message. For example:
    <a HREF="McAfee.htm">
  - Source URLS ("<img src=..."): To scan for source URL elements in the HTML message. For example:
    <IMG SRC="..\..\images\icons\mcafee_logo_rotating75.gif">
  - JavaScript / VBScript: To scan for JavaScript or Visual Basic script in the HTML message. For example:
    <script language="javascript" src="mfe/mfe.js">


7 In Remove the following executable elements, select any of these option(s):
  - JavaScript / VBScript: To remove JavaScript or Visual Basic script elements from the HTML message. For example:
    <script language="javascript" src="mfe/mfe.js">
  - Java applets: To remove Java applet elements from the HTML message. For example:
    <APPLET code="XYZApp.class" codebase="HTML ....."></APPLET>
  - ActiveX controls: To remove ActiveX control elements from the HTML message. For example:
    <OBJECT ID="clock" data="http://www.mcafee.com/vscan.png" type="image/png"> VirusScan Image </OBJECT>
  - Macromedia Flash: To remove Macromedia Flash elements from the HTML message. This option gets enabled if you have selected ActiveX controls. For example:
    <EMBED SRC="somefilename.swf" width="500" height="200">
8 Click Save to return to the policy page.
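
As an illustration of the two option groups above (an added example, not the product's filter), the Python sketch below reports which of the scanned element types occur in an HTML body and rebuilds the HTML without the selected executable elements. The class, function and category names are hypothetical and the sample input is constructed from the element examples in this task. It handles only the element types listed above, not script carried in event-handler attributes or URLs.

```python
from html.parser import HTMLParser

# Element -> removal option, following "Remove the following executable elements".
EXECUTABLE = {"script": "script", "applet": "applet", "object": "activex", "embed": "flash"}
VOID = {"embed"}  # normally written without a closing tag


class HtmlFilter(HTMLParser):
    def __init__(self, remove):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.remove = set(remove)
        self.found = set()    # scan categories seen anywhere in the document
        self.removed = []     # removal options that fired, in document order
        self.out = []
        self._skip = 0        # >0 while inside a removed container element

    def _scan(self, tag, attrs):
        names = {name for name, _ in attrs}
        if tag == "meta":
            self.found.add("metadata")
        if tag == "a" and "href" in names:
            self.found.add("links")
        if "src" in names:
            self.found.add("source_urls")
        if tag == "script":
            self.found.add("scripts")

    def _open(self, tag, attrs, container):
        self._scan(tag, attrs)
        if EXECUTABLE.get(tag) in self.remove:
            if not self._skip:
                self.removed.append(EXECUTABLE[tag])
            if container:
                self._skip += 1   # drop everything up to the matching end tag
        elif not self._skip:
            self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, container=tag not in VOID)

    def handle_startendtag(self, tag, attrs):  # self-closed form, e.g. <embed ... />
        self._open(tag, attrs, container=False)

    def handle_endtag(self, tag):
        if EXECUTABLE.get(tag) in self.remove:
            if tag not in VOID and self._skip:
                self._skip -= 1
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def _emit(self, text):
        if not self._skip:
            self.out.append(text)

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")

    def handle_comment(self, data):
        self.found.add("comments")
        self._emit(f"<!--{data}-->")


def filter_html(html, remove=frozenset(EXECUTABLE.values())):
    """Return (cleaned_html, scan_categories_found, removal_options_applied)."""
    f = HtmlFilter(remove)
    f.feed(html)
    f.close()
    return "".join(f.out), f.found, f.removed


SAMPLE = (  # constructed input
    '<html><head><META HTTP-EQUIV="Expires" CONTENT="0"><!-- comment text --></head>'
    '<body><a HREF="McAfee.htm">link</a><IMG SRC="logo.gif">'
    '<script language="javascript" src="mfe/mfe.js">var x = 1;</script>'
    '<APPLET code="XYZApp.class"></APPLET>'
    '<OBJECT ID="clock" data="vscan.png" type="image/png">VirusScan Image</OBJECT>'
    '<EMBED SRC="somefilename.swf" width="500" height="200">'
    '<p>kept &amp; safe</p></body></html>'
)
```

An unclosed removed element causes the rest of the document to be dropped, which fails closed rather than letting trailing content through.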

Alert settings and disclaimer text


Alert messages are used to notify a person when a particular event occurs. You can use Alert Settings to set up additional information about these alerts. A disclaimer is a piece of text, typically a legal statement that is added to an email message. Disclaimers are applicable only to outbound email messages.

Miscellaneous settings for a policy


You can configure different types of miscellaneous settings for a policy. The type of settings that are available depends on which policy is selected.

Tasks
- Configuring alert message settings: An alert message is sent to the McAfee Security for Microsoft Exchange administrator to notify them that a scanner has detected an issue with a scanned item.
- Configuring disclaimer text settings: A disclaimer is a piece of text, typically a legal statement, that is added to an email message.

Configuring alert message settings


An alert message is sent to the McAfee Security for Microsoft Exchange administrator to notify them that a scanner has detected an issue with a scanned item. Use this task to configure the alert message settings.

Task
1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.
2 Click Master policy, then click the List All Scanners tab.
3 Click Alert Settings.


4 In Options, select the default alert settings available or select <create new set of options> to define your alert settings. The Alert Settings page appears.
5 In Instance name, type a unique name for the alert message setting instance. This field is mandatory.
6 Select HTML or Plain text as the Alert format.
7 From the Character encoding drop-down menu, select a required character set.
8 In Alert filename, specify the file name for this alert, including the appropriate HTML (.htm) or plain text (.txt) file extension.
9 Select or deselect Enable alert headers to enable the use of an alert header.
10 In the Alert header text entry box, type the header for the alert.
11 From Show, select HTML content (WYSIWYG) or HTML content (source) depending on whether the HTML text should be shown as compiled code or source code in the Alert header.
  The Show option is only available if you have selected HTML as the alert message format.
12 Select Enable alert footers to enable the use of an alert footer as needed.
13 In the Alert footer text entry box, type the footer for the alert.
14 From Show, select HTML content (WYSIWYG) or HTML content (source) depending on whether the HTML text should be shown as compiled code or source code in the Alert footer.
  The Show option is only available if you have selected HTML as the alert message format.
15 Click Save to return to the policy page.

Configuring disclaimer text settings


A disclaimer is a piece of text, typically a legal statement, that is added to an email message. Use this task to configure the disclaimer text.

Task
1 From Policy Manager, click Gateway. The policy page for the submenu item appears.
2 Click Master policy, then click the List All Scanners tab.
3 Click a policy name, then click Disclaimer Text from the Miscellaneous category.
4 Select Enable to activate the disclaimer text settings for the selected submenu item.
5 In Options, select <create new set of options>. The Disclaimer Text page appears.
6 In Instance name, type a unique name for the disclaimer text setting instance. This field is mandatory.
7 In Disclaimer message (plain text only), type the disclaimer text message in plain text format.
8 From the Insert disclaimer drop-down menu, select Before any message text, After any message text or As an attachment depending on where/how the disclaimer text should be inserted in the email message.
9 Click Save to return to the policy page.

Disclaimers are applicable only to outbound email messages.


Creating a new alert


Use this task to create a new alert message for actions taken by a scanner or filter.

Task
1 From Policy Manager, select a submenu item that has the content scanner. The policy page for the submenu item appears.
2 Click Master policy, then click the List All Scanners tab.
3 Click Content Scanning (or an appropriate scanner, filter, or miscellaneous).
4 In Options, click Create. The Alert Editor page appears.
5 Type a meaningful Alert name.
6 In Content Scanning Alert, select the required Style, Font, Size, and Tokens from the respective drop-down lists.
  These options are available only if you select HTML content (WYSIWYG) from the Show drop-down menu.
7 Use any of these tools available in Content Scanning Alert.

Table 4-3 Toolbar options
Option | Description
Bold | To make the selected text bold.
Italic | To make the selected text italic.
Underline | To underline the selected text.
Align Left | To left align the selected paragraph.
Center | To center the selected paragraph.
Align Right | To right align the selected paragraph.
Justify | To adjust the selected paragraph so that the lines within the paragraph fill a given width, with straight left and right edges.
Ordered List | To make the selected text into a numbered list.
Unordered List | To make the selected text into a bulleted list.
Outdent | To move the selected text a set distance to the right.
Indent | To move the selected text a set distance to the left.
Text Color | To change the color of the selected text.
Horizontal Rule | To insert a horizontal line.
Insert Link | To insert a hyperlink where the cursor is currently positioned. In URL, type the URL. In Text, type the name of the hyperlink as you want it to appear in the alert message. If you want the link to open a new window, select Open link in new window, then click Insert Link.
Background Color | To change the background color of the selected text.
Insert Image | To insert an image where the cursor is currently positioned. In Image URL, type the location of the image. In Alternative text, type the text you want to use in place of the image when images are suppressed or the alert message is displayed in a text-only browser. If you want to give the image a title, type the title name in Use this text as the image title. Click Insert Image.
Insert Table | To insert a table at the current cursor position. Type the values in Rows, Columns, Table width, Border thickness, Cell padding, and Cell spacing to configure the table, then click Insert Table.

8 From the Show drop-down menu, specify how the alert message should be displayed within the user interface. You can select:
  - HTML content (WYSIWYG): To hide the underlying HTML code and display only the content of the alert message.
  - HTML content (source): To display the alert message with the HTML code as it appears before compilation.
  - Plain-text content: To display the content as plain text.

  You can use the following notification fields to include them in your alert message. For example, in your alert message, if you want the name of the detected item and the action taken when it was detected, use %vrs% and %act% on the Alert Editor page.

Table 4-4 Notification fields you can use
Notification field option | Description
%dts% | Date and time
%sdr% | Sender
%ftr% | Filter
%fln% | File name
%rul% | Rule name
%act% | Action taken
%fdr% | Folder
%vrs% | Detection name
%trs% | State (Train state)
%tik% | Ticket number
%idy% | Scanned by
%psn% | Policy name
%svr% | Server
%avd% | Anti-virus DAT
%ave% | Anti-virus engine
%rpt% | Recipient
%rsn% | Reason
%sbj% | Subject
%ssc% | Spam score
%ase% | Anti-spam engine
%asr% | Anti-spam rules

9 Click Save to return to the policy page.
  Click Reset to undo all changes you have made since you last saved the alert message.

Enabling Product Health Alerts


Use this task to enable Product Health Alerts to send notifications on the product's status and configure these alerts.

Task
1 Click Settings & Diagnostics | Notifications. The Notifications page appears.
2 Under Notifications, in Product Health Alerts, select Enable.
  - If your McAfee Security for Microsoft Exchange is managed by ePolicy Orchestrator and you want a notification to be sent to ePolicy Orchestrator, select Alert ePolicy Orchestrator.
  - To send a notification to the administrator, select Alert Administrator.
3 In Notify when, select an event or events when a notification is to be sent.
4 To send a notification immediately when the selected event occurs, select Immediate. To schedule a notification to be sent at a particular time of the day, select Daily and enter the values for hours and minutes.

Shared Resource
When setting up policies, you might want the same resource to be used by more than one policy. For example, you might want to use the same disclaimer in both internal and external email messages. Instead of creating two disclaimers, one for the internal mail policy, one for the external mail policy, you can create a single disclaimer that can be used by both policies. The disclaimer can be thought of as a resource that is shared by more than one policy.

You can use Shared Resource to:
- View resource settings.
- Create new resources.
- Change resource settings, so that the changes are picked up by all policies using those shared resources.
- Delete shared resources that are no longer in use.

Shared resource is explained using Anti-Virus Scanner Settings. The settings for other scanners and filters may vary; however, most of them are similar.


Configuring the shared scanners, filters, and alert settings


This section provides information on creating and configuring shared scanners, filters, and alerts. You can configure scanner-related settings that a policy can apply when scanning items.

Tasks
- Creating shared scanners and alerts: Use this task to create a new shared scanner and its corresponding alert message.
- Creating shared file filtering rule: Use this task to filter files on the basis of their size, content or name.

Creating shared scanners and alerts


Use this task to create a new shared scanner and its corresponding alert message.

Task
1 From Policy Manager, click Shared Resource. The Shared Resources page appears.
2 In Scanners & Alerts tab, click Create New for the scanner in the Category for which you want to create a new shared resource (for example, the anti-virus scanner category).
3 Type the shared Instance name and specify the Basic Options for the shared resource.
  - Select Scan all files to scan all files, regardless of their type.
  - Select Default file types to specify that only the default file types should be scanned.
  - Select Defined file types to specify which file types should be scanned.
  If you select Defined file types, type a three-letter file extension. Longer file extensions are included through pattern matching so that "CLA" will match ".class" files. Click Add. All lower case extensions are converted to upper case extensions.
4 In Scanner options, select the scanner options for the shared resource.
  - Scan archive files (ZIP, ARJ, RAR...): To scan inside archive files, such as ZIP files.
  - Find unknown file viruses: To use heuristic analysis techniques to search for unknown viruses.
  - Find unknown macro viruses: To find unknown viruses in macros.
  - Scan all files for macros: To scan all files for macros.
  - Find all macros and treat as infected: To find macros in files and treat them as infected items.
  - Remove all macros from document files: To remove all macros from document files.
5 Click Advanced tab. The Custom Malware categories page appears.
  In Custom malware categories, you can specify which items should be treated as malware. When setting up a policy, you can specify that the selected malware items are treated differently to viruses. For example, you might specify that an alert message is sent to an administrator whenever an infected email message is detected, but make an exception when a mass-mailer is involved. Mass-mailers spread by generating large numbers of email messages, and if an alert was generated for each of these email messages, the number of alerts generated would only add to the problem.
6 Select the specific malware types from the list or type the detection names you want to detect. When typing in the detection name, you can use wildcard characters for pattern matching.


7 Specify the Clean options that the shared scanner applies when cleaning is attempted and the file is zero bytes after cleaning. You could keep the file, remove it or treat the scan as failed.
  Cleaning an item can remove some types of malware. You can specify whether items that have already been successfully cleaned should be subject to the custom malware check.
8 Click Packers. The Packer detection page appears.
  Executable files can be compressed with a packer that shrinks, and possibly encrypts, the original code. A packer can be used to conceal software that is a security risk. For example, a packed executable could contain a Trojan horse.
9 Select or deselect Enable detection to enable or disable the detection of packers.
10 Select Exclude specified names or Include only specified names to specify which packers can be ignored or detected. Click Add to add packer names to a list. Click Delete to remove packer names from a list.
  When specifying packer names, you can use wildcards to match multiple names.
11 Click PUPs. The Potentially Unwanted Programs detection page appears.
  In PUPs, you can configure detection for PUPs such as Spyware, Adware, Remote administration tools, Dialers, Password crackers, Joke programs and other PUPs that are not included in the categories.
12 Click Enable detection to enable or disable the detection of PUPs.
  Click the disclaimer link and read the disclaimer before configuring PUP detection.
13 Select each type of PUP in Program types to be detected or ignored.
14 Select Exclude specified names or Include only specified names to list by name the PUPs that you want the software to ignore or detect, then click Add.
  You can use wildcards to match names. For example, type the name of the spyware and click Add. Repeat this step until you have added the names of all the spyware programs you want the software to ignore or detect.
15 Click Save.
16 Click Cancel to delete all changes and return to the home page.
17 In Alerts, click View to see the default anti-virus scanner alert or click Create New and create a new alert message. For instructions, see the Creating a new alert section.
18 Click Save to return to the policy page. To delete all changes and return to the policy page, click Cancel.


Creating shared file filtering rule


Use this task to filter files on the basis of their size, content or name.

Task
1 From Policy Manager, click Shared Resource. The Shared Resource page appears.
2 Click the Filter Rules tab.
3 In File Filtering Rules, click Create New. The File Filtering Rule page appears.
4 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, FilesOver5MB.
5 In Filename filtering, select Enable file name filtering to enable file filtering according to the file names.
6 In Take action when the file name matches, specify the names of the files that are affected by this rule. You can use the * and ? wildcard characters to match multiple filenames. For example, if you want to filter any Microsoft PowerPoint files, type *.ppt.
7 In File category filtering, select Enable file category filtering to enable file filtering according to their file type.
8 In Take action when the file category is, specify the type of files that are affected by this rule.
  File types are divided into categories and subcategories.
9 In File categories, click a file type. An asterisk symbol (*) appears next to the file type to indicate that the selected file type will be filtered.
10 In Subcategories, click the subcategory you want to filter.
  - To select more than one subcategory, use Ctrl+Click or Shift+Click.
  - To select all of the subcategories, click All.
  - Click Clear selections to undo the last selection.
11 Select Extend this rule to unrecognized file categories to apply this rule to any other file categories and subcategories that are not specifically mentioned in the categories and subcategories lists.
12 In File size filtering, select Enable file size filtering to filter files according to their file size.
13 In Take action when the file size is, select an option, then click Save.
  - Greater than: to specify that the action should only be applied if the file is larger than the size specified.
  - Less than: to specify that the action should only be applied if the file is smaller than the size specified.
14 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.
15 Click a policy name. Select the Active option for the file filtering scanner, then click File Filtering.
16 In File Filtering rules and associated actions, select the rule you created from the Available rules drop-down menu.
17 Click the Change link of the rule to specify actions that must be taken when a file/attachment in an email message is detected and filtered.
18 Click Save to return to the policy page.

See the Appendix A Using file filtering rule and actions in a real-time scenario section for more information.


Configuring filter rules and time slots


You can use this feature to create rules that a policy can apply to the content of emails and text in attachments, and to set up different time 'slots' that can be applied to policies.

Tasks
Creating shared filter rules: Use this task to configure rules that a policy can apply to the content of mails, and text in attachments.
Creating shared time slots: Use this task to set up different time slots that can be applied to policies.

Creating shared filter rules


Use this task to configure rules that a policy can apply to the content of mails, and text in attachments.

Task
1 From Policy Manager, click Shared Resource. The Shared Resources page appears.
2 Click Filter Rules tab, then click Create New for Content Scanner Rules for a selected category. The New Content Scanner Rule page appears.
3 Type the Rule Name and Description for the rule.
4 Select Add this rule to this category's rules group to add the new rule to the rules group for the selected category.
5 Under Word or Phrase, specify the words or phrases to look for, in The rule will trigger when the following word or phrase is found. Then select one of the following options:
   Exact Match: If enabled, the rule is triggered only if the word or phrase exactly matches the specified word or phrase.
   Regular Expression: If enabled, the rule is triggered for specified text that is a regular expression. This is a precise and concise method for matching strings of text, such as words, characters or patterns of characters. For example, the regular expression "tree" matches the sequence of characters "tree" appearing consecutively in any context, such as trees, street, backstreet.
   Refer to http://www.regular-expressions.info/reference.html or http://www.zytrax.com/tech/web/regex.htm for more details.
   Use Wildcards: If enabled, the rule is triggered for the specified word or phrase that contains wildcard characters. (Wildcard characters are often used in place of one or more characters when you do not know what the real character is or you do not want to type the entire name.)
   Starts with: If enabled, the rule is triggered for specified text that forms the beginning of the word or phrase.
   Ends with: If enabled, the rule is triggered for specified text that forms the last part of the word or phrase.
   Case Sensitive: If enabled, the rule is triggered if the case of the specified text matches the word or phrase.
6 Select Specify additional contextual words or phrases, if you want to add contextual words.
7 Select from Trigger if ALL of the phrases are present, Trigger if ANY of the phrases are present or Trigger if NONE of the phrases are present from the drop-down menu.
8 Select within a block of to specify the number of Characters from a block to be scanned.
9 Click Add Contextual word to type additional words or phrases.
10 Specify the word or phrase in Specify words or phrases, select one of the conditions (same options as in Step 5), then click Add.
11 Under File Format, select Everything to enable all the file categories and their subcategories. You can select multiple categories and file types within the selected categories to be matched. Selecting All in the subcategory selector overrides any other selections that may have already been made.
12 If you have not selected Everything, then click Clear selections to deselect any of the selected file type options.
13 Click Save to return to the policy page, then click Apply.
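
The match options in step 5 and the contextual conditions in steps 6 to 9 can be modelled offline to try a rule against sample text before it is deployed. This is an added example, not the product's implementation: the class names, the sample text, the wildcard semantics (* and ? stand for non-space characters) and the reading of "within a block of" as N characters on either side of the trigger are assumptions.

```python
import re
from dataclasses import dataclass, field

# Word-boundary guards that also behave when a phrase starts or ends with punctuation.
_LEFT, _RIGHT = r"(?<!\w)", r"(?!\w)"


@dataclass
class Phrase:
    """One word or phrase plus the match option chosen for it (hypothetical model)."""
    text: str
    mode: str = "exact"          # exact | regex | wildcard | starts_with | ends_with
    case_sensitive: bool = False

    def compile(self) -> re.Pattern:
        esc = re.escape(self.text)
        if self.mode == "regex":
            body = self.text                      # used as written, e.g. "tree"
        elif self.mode == "exact":
            body = _LEFT + esc + _RIGHT           # whole word or phrase only
        elif self.mode == "wildcard":
            # Assumed semantics: * = any run of non-space characters, ? = exactly one.
            body = _LEFT + esc.replace(r"\*", r"\S*").replace(r"\?", r"\S") + _RIGHT
        elif self.mode == "starts_with":
            body = _LEFT + esc + r"\w*"           # text begins a word
        elif self.mode == "ends_with":
            body = r"\w*" + esc + _RIGHT          # text ends a word
        else:
            raise ValueError(f"unknown match mode: {self.mode}")
        return re.compile(body, 0 if self.case_sensitive else re.IGNORECASE)


@dataclass
class ContentRule:
    """Trigger phrase plus optional contextual phrases (ALL / ANY / NONE)."""
    name: str
    trigger: Phrase
    context: list = field(default_factory=list)
    context_op: str = "ANY"      # ALL | ANY | NONE
    block_chars: int = 50        # assumed: characters searched on each side of the trigger

    def hits(self, text: str) -> list:
        """Return the matched trigger strings for which the whole rule fires."""
        ctx = [p.compile() for p in self.context]
        fired = []
        for m in self.trigger.compile().finditer(text):
            if ctx:
                lo = max(0, m.start() - self.block_chars)
                window = text[lo:m.end() + self.block_chars]
                present = [bool(p.search(window)) for p in ctx]
                verdict = {"ALL": all(present),
                           "ANY": any(present),
                           "NONE": not any(present)}[self.context_op]
                if not verdict:
                    continue
            fired.append(m.group(0))
        return fired


# Constructed sample message body.
SAMPLE = ("Minutes: the backstreet vendor list is public. "
          "Attached is the confidential Q3 forecast for the board.")

if __name__ == "__main__":
    rules = [
        ContentRule("regex tree", Phrase("tree", "regex")),
        ContentRule("exact tree", Phrase("tree")),
        ContentRule("confidential near forecast AND board",
                    Phrase("confidential"),
                    [Phrase("forecast"), Phrase("board")], "ALL", block_chars=40),
        ContentRule("same rule, 15-character block",
                    Phrase("confidential"),
                    [Phrase("forecast"), Phrase("board")], "ALL", block_chars=15),
    ]
    for rule in rules:
        print(f"{rule.name!r}: {rule.hits(SAMPLE)}")
```

The last two rules differ only in block size: the narrower block no longer reaches "board", so an ALL condition stops firing while an ANY condition would still fire.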

Creating shared time slots


Use this task to set up different time slots that can be applied to policies.

Task
1 From Policy Manager, click Shared Resource. The Shared Resources page appears.
2 Click Time Slots tab.
3 Click Create New. The Time Slot page appears.
4 Type a unique Time slot name.
5 Under Select day and time, select the required day(s).
6 Select All day or Selected hours for the time slot you are creating. If you select Selected hours, select the Start and End time from the drop-down.
7 Click Save to return to the policy page.
Master policies use All the time slot. If you want a policy to be active during a different time slot, you must create a subpolicy and specify a different time slot.


Settings and Diagnostics

This section describes the settings and diagnostics you can perform with McAfee Security for Microsoft Exchange.

Contents
On-Access settings
Configuring Mailbox Exclusion settings
Notifications settings
Configuring Anti Spam settings
Detected Items settings
User Interface Preferences settings
Diagnostics settings
Product Log settings
DAT settings
Import and Export Configuration settings
Proxy Settings

On-Access settings
In this section you can configure the general On-Access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings.

What is Microsoft Virus Scanning API (VSAPI)


VSAPI is implemented at a very low level in the Exchange Information Store. This allows a virus scanning application to run with high performance, and guarantees that the message will be scanned before any client can access the message or its attachment. This allows messages and attachments to be scanned once before delivery, rather than multiple times (depending on the number of mailboxes to which the message is delivered). This single-instance scanning also helps prevent messages from being re-scanned when a message is copied, which results in improved system performance.

What is Proactive Scanning


Proactive scanning is a type of scanning that is made possible by Microsoft VSAPI. You can prioritize the scanning of messages and files written to the store. It enables objects from the store to be scanned in order of priority. Items passing in and out of the store receive a priority rating and are placed in a scanning queue. The scanning queue allows prioritization and re-prioritization of items in the queue.


For example, if a user tries to open an item that has not been scanned, it is assigned a high priority, whereas items being saved or posted to public folders are assigned a low priority. This is known as priority based queuing. When all the high priority items have been scanned, scanning of lower priority items begins. Lower priority items are scanned on a first-in-first-out (FIFO) basis.

What is Background Scanning


Background scanning is a type of on-access scanning made possible within Microsoft Exchange 2003/2007 by Microsoft VSAPI, which does not scan all files on access, reducing the scanner's workload. It scans the databases on which it has been enabled. Background scanning is off by default.

What is Transport Scanning


Transport scanning allows you to scan SMTP traffic before it enters the Exchange information store. SMTP Transport scanning can perform scanning of routed email messages that are not destined for the local server and can stop delivery of messages. SMTP Transport scanning can be applied to Microsoft Exchange 2003 with VSAPI 2.5.

Configuring On-Access settings for Exchange Server 2003


Use this task to configure the general on-access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings for Exchange server 2003.
By default, the McAfee Transport Scanner is enabled and scans all the email messages. If you deselect Transport Scan Settings, Microsoft Virus Scanning API (VSAPI v 2.5) scans the email messages.
If you set the On scan failure to Remove, all emails that are detected as potentially harmful are quarantined and deleted. When scanning is not in progress and you try to forward, release, download or view these quarantined items under Detected Items | All Items, an operation failed error message is displayed. The forward, release, download and view operations for these quarantined items are possible when McAfee Security for Microsoft Exchange starts scanning again. Product Health Alerts and Notifications are also quarantined and deleted if On scan failure is set to Remove.

Task
1 Click Settings & Diagnostics | On-Access Settings. The On-Access Settings page appears.
2 From General, choose Allow Through or Remove for On Scan Failure depending on whether you want to allow the email message through or delete it, if scanning fails.
3 From Microsoft Virus Scanning API (VSAPI), you can use:
   Enabled: To specify whether VSAPI is enabled or not. If disabled, the following options also become inactive.
   Proactive Scanning: To scan when messages and files are written to the Store.
   Background Scanning: To specify whether background scanning is enabled or not. You can use Enable At and Disable At to schedule the background scanning.
   Scan Timeout (seconds): To specify the length of time to wait for a scan before timing out. The default value is 180 seconds.
   Number of Scan Threads: To specify the maximum number of scan threads for various processes. You can select the Default option if you don't want to specify the number of scan threads.
VSAPI should be disabled while moving or restoring backup mailboxes.

From Transport Scan Settings, select Enable to benefit from bi-directional SMTP scanning control.


From Direction Based Scanning, you can select:
   Scan Inbound Mails: To scan messages coming from an external server (for example, Internet-based email messages). If this is selected and the other two options are deselected, then a mail going to a different domain is not scanned.
   Scan Outbound Mails: To scan any email that leaves your Exchange server or Exchange organization. Email messages are designated as outbound if at least one recipient has an external address.
   Scan Internal Mails: To scan email messages that are being routed from one location inside your domain to another location inside your domain. Email messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.

Select Enable routing to the user junk folders on this server to route junk emails to the user junk folders on the email server.

Configuring On-Access settings for Exchange Server 2007 or 2010


Use this task to configure the general On-Access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings for Exchange server 2007 and 2010. Background scanning capabilities in McAfee Security for Microsoft Exchange are enhanced using the new features available in VSAPI v 2.6. There is also a stamping mechanism in case of Microsoft Exchange Server 2007 or 2010. After an email message is scanned, the McAfee Transport Scanner assigns a stamp to the header of the email message. This prevents the email message from being re-scanned by Microsoft Virus Scanning API (VSAPI). The remaining features are the same as those of Exchange Server 2003.

Task
1 Click Settings & Diagnostics | On-Access Settings. The On-Access Settings page appears.
2 From General, choose Allow Through or Remove for On Scan Failure depending on whether you want to allow the email message through or delete it, if scanning fails.
3 From Microsoft Virus Scanning API (VSAPI), you can use:
   Enabled: To specify whether VSAPI is enabled or not. If disabled, the following options also become inactive.
   Proactive Scanning: To scan when messages and files are written to the Store.
   Outbox Scanning: To scan outbound messages in the Outbox folder.
   Lower Age Limit (seconds): To specify whether to scan all emails or only those that are not older than the date/time mentioned in the setting. This is useful in a scenario where the customer suspects an outbreak/infection of emails that came only in the last 2 days. This also helps background scanning finish faster and hence results in less load on the server. The default value is 86,400 seconds.
   Scan Timeout (seconds): To specify the length of time to wait for a scan before timing out. The default value is 180 seconds.
   Number of Scan Threads: To specify the maximum number of scan threads for various processes. You can select the Default option if you don't want to specify the number of scan threads.


From Background Scan Settings, you can use:
   Enable: To specify whether background scanning should be enabled or not. You can use Enable At and Disable At to schedule the background scanning.
   Only Messages With Attachments: To enable background scanning for only email messages that have attachments.
   Only Un-Scanned Items: To enable background scanning only for those messages that have not been scanned yet.
   Force Scan All: To scan items irrespective of whether the item has a scan stamp or not. If an item has a scan stamp, it means that the item is scanned and up to date.
   Update Scan Stamp: To perform background scanning up to date. When you deselect this option, the scan stamp is not updated. This feature is useful if the vendor wants to access the messages but not necessarily virus scan them.
   From Date and To Date: To schedule the scan stamp update.

From Transport Scan Settings, you can select:
   Enable: To enable transport scanning.
   Transport Scan Stamp: To reduce redundant scanning whenever possible and to benefit from bi-directional SMTP scanning control.

From Direction Based Scanning, you can select:
   Scan Inbound Mails: To scan messages coming from an external server (for example, Internet-based email messages). If this is selected and the other two options are deselected, then a mail going to a different domain is not scanned.
   Scan Outbound Mails: To scan any email that leaves your Exchange server or Exchange organization. Email messages are designated as outbound if at least one recipient has an external address.
   Scan Internal Mails: To scan email messages that are being routed from one location inside your domain to another location inside your domain. Email messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.
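
The direction definitions above (given for both Exchange Server 2003 and 2007/2010) can be turned into a quick coverage check that lists which messages a given combination of the three options leaves unscanned by the transport scanner. This is an added example, not McAfee code: the function and class names, the domain names, the sample messages and the choice to classify by sender and recipient address are assumptions.

```python
from dataclasses import dataclass

# Constructed values: the domains treated as "inside your domain".
INTERNAL_DOMAINS = frozenset({"corp.example", "eu.corp.example"})


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(sender, recipients, internal=INTERNAL_DOMAINS):
    """Direction of one message, following the guide's definitions."""
    if not recipients:
        raise ValueError("message has no recipients")
    if _domain(sender) not in internal:
        return "inbound"       # comes from an external server
    if any(_domain(r) not in internal for r in recipients):
        return "outbound"      # at least one recipient has an external address
    return "internal"          # internal origin and ALL recipients internal


@dataclass(frozen=True)
class DirectionSettings:
    """The three Direction Based Scanning check boxes."""
    scan_inbound: bool = True
    scan_outbound: bool = True
    scan_internal: bool = True

    def scans(self, direction: str) -> bool:
        return getattr(self, "scan_" + direction)


def unscanned(messages, settings, internal=INTERNAL_DOMAINS):
    """Return (sender, recipients, direction) for each message that skips the scan."""
    gaps = []
    for sender, recipients in messages:
        direction = classify(sender, recipients, internal)
        if not settings.scans(direction):
            gaps.append((sender, tuple(recipients), direction))
    return gaps


# Constructed sample traffic: (sender, recipients).
SAMPLE = [
    ("news@vendor.example", ["alice@corp.example"]),
    ("alice@corp.example", ["bob@eu.corp.example"]),
    ("alice@corp.example", ["bob@corp.example", "partner@vendor.example"]),
    ("bob@eu.corp.example", ["auditor@firm.example"]),
]

if __name__ == "__main__":
    # Only Scan Inbound Mails selected: mail going to a different domain is not scanned.
    inbound_only = DirectionSettings(scan_outbound=False, scan_internal=False)
    for sender, rcpts, direction in unscanned(SAMPLE, inbound_only):
        print(f"NOT SCANNED [{direction}] {sender} -> {', '.join(rcpts)}")
```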

Configuring Mailbox Exclusion settings


Use this task to configure mailboxes that are to be excluded from a VSAPI scan. The mailbox selected and configured will not be subjected to a VSAPI scan.

Task
1 Click Settings & Diagnostics | Mailbox Exclusion Settings. The Mailbox Exclusion Settings page appears.
2 From the left pane displaying Available mailboxes, select a mailbox, then click >>. The selected mailbox is moved to the right pane Mailboxes to exclude.
3 Repeat step two for all mailboxes that are to be excluded from a VSAPI scan. To remove a mailbox from the exclusion list, select a mailbox in the right pane Mailboxes to exclude, then click << to move the mailbox to the list of Available mailboxes.
4 Click Apply to save the settings.
McAfee does not recommend excluding any mailbox from VSAPI scanning.


Notifications settings
Notification settings allow you to configure the content and SMTP address for the administrator to send email notifications.

Configuring notifications
Use this task to configure the notifications sent from McAfee Security for Microsoft Exchange.

Task
1 Click Settings & Diagnostics | Notifications. The Notifications page appears.
2 Under Notifications, in General, type the Administrator E-mail address, to notify the administrator email account of that Exchange server.
3 Type the Sender E-mail to notify using the sender email address.
4 Select Enable Task results notification to send emails with on-demand scan and update tasks results. The email is in HTML format and has the same data and format as Task Result window in the user interface. This feature can be enabled/disabled through this option. By default, this feature is disabled.
5 In Template, select a template from the drop-down list.
6 Type the Subject of the notification.
7 Click Edit to change the notification text that should be included in the body of the message.
8 Click Apply to save the settings.
9 In Product Health Alerts, select Enable to activate alerts regarding products when certain events occur.
10 Select Alert ePolicy Orchestrator or Alert Administrator or both. An alert message is sent accordingly.
11 Select an event, when a notification should be sent. You can select Immediate to send a notification immediately, or Daily and enter the time when the notification should be sent on a daily basis.
12 Click Apply to save the settings. For details on the Notification fields that you can use, see Creating a new alert.

Configuring Anti Spam settings


Use this task to configure the address of the system junk folder to filter junk mails and enable junk folder routing.

Task
1 Click Settings & Diagnostics | Anti Spam. The Anti Spam Settings page appears.
2 In Gateway Spam Filter, type an email address to configure the System Junk Folder Address to filter the junk emails.
3 In McAfee Global Threat Intelligence message reputation, select Enable message reputation to enable this feature.
4 In Take the following action, select the required action from the drop-down list.
5 In Message reputation threshold, type the minimum value that would trigger the corresponding policy.
6 Click Apply to save the settings.
If your internet bandwidth is low, it is recommended that you execute McAfee AntiSpam Add-on first and then Global Threat Intelligence. If your internet bandwidth is high, it is recommended that you run Global Threat Intelligence first, followed by McAfee AntiSpam Add-on.

Detected Items settings


When McAfee Security for Microsoft Exchange detects an infected item, you can specify a local database or McAfee Quarantine Manager for quarantining email messages. You can also configure communication settings for McAfee Quarantine Manager and maintenance settings for the local quarantine database.

Configuring detected items


This section provides information about configuring settings when using McAfee Quarantine Manager or the local quarantine database for quarantining detected items.

Tasks
Quarantining data using McAfee Quarantine Manager: McAfee Quarantine Manager (MQM) versions 6.0 and 7.0 can be used as a repository for quarantining infected email messages.
Quarantining data to the local database: Quarantine data can be saved in a local database on a local system.

Quarantining data using McAfee Quarantine Manager


McAfee Quarantine Manager (MQM) versions 6.0 and 7.0 can be used as a repository for quarantining infected email messages. McAfee products (such as McAfee Security for Microsoft Exchange) use a pre-assigned port number to send the detection information to McAfee Quarantine Manager. McAfee Quarantine Manager in turn uses the same port number by default, to release or send configuration information of the detected email messages to the McAfee product. The communication ports mentioned in the McAfee Security for Microsoft Exchange and McAfee Quarantine Manager user interface should be the same. You can use McAfee Quarantine Manager to consolidate the quarantine and anti-spam management functionality. It gives you a central point from which you can analyze and act upon emails and files that have been quarantined. Items are quarantined because they are spam, phish, contain viruses, potentially unwanted software or other undesirable content. McAfee Quarantine Manager is particularly effective in managing unsolicited bulk email or spam.
This guide does not provide detailed information about installing or using McAfee Quarantine Manager software. See McAfee Quarantine Manager v6.0 or 7.0 Product Guide for more information.

Task
1 Install McAfee Security for Microsoft Exchange on <server 1>.
2 Install McAfee Quarantine Manager version 6.0/7.0 on <server 2>.
3 Launch McAfee Security for Microsoft Exchange user interface from the <server 1>.
4 Click Settings & Diagnostics to display the Detected Items page.
5 In McAfee Quarantine Manager, select Enabled.
6 Type the IP address of <server 2>, where you have installed McAfee Quarantine Manager.
7 Use the default values for Port and Callback port, or modify them as configured on McAfee Quarantine Manager Server.
8 Click Apply to save the settings.

Quarantining data to the local database


Quarantine data can be saved in a local database on a local system. Use this task to set various parameters such as path, maximum size, and schedule for saving the quarantine data.

Task
1 Click Settings & Diagnostics | Detected Items. The Detected Items page appears.
2 In Local Database section, select Specify location of database, select the type of Database location in the first field, then select a location from options available.
3 In Maximum item size (MB), specify the maximum size of an item to be stored in the database.
4 In Maximum query size (records), specify the maximum number of records that can be returned when the local quarantine database receives a query.
5 In Maximum item age (days), specify the maximum number of days an item will be held in the local quarantine database before being marked for deletion.
6 In Disk size check interval (Minute), type the interval in minutes when the disk space usage should be checked. Enter an integer between 1 and 2880.
7 In Disk space warning (MB), type the threshold value at which a notification should be sent.
8 Click Edit Schedule of Purge of old items frequency to specify how frequently the old items marked for deletion must be removed from the database.
9 Click Edit Schedule of Optimization frequency to specify how frequently the database is optimized.
10 Select an option from Once, Hours, Days, Weeks or Months, and type the corresponding values.
11 For the schedule to be saved and applied, first click Save, then Apply.

User Interface Preferences settings


In this section you can set the preferences for various features of the user interface. Configure the refresh rate of the user interface, and define the report, metric, graph and chart settings.

Configuring the user interface


You can use User Interface Preferences to configure user interface refresh settings, report, metric and the graph/chart settings of McAfee Security for Microsoft Exchange.


Tasks
Specifying the dashboard settings: Use this task to specify the settings for various features of the Dashboard and what information you would like to be displayed.
Specifying the graph and chart settings: Use this task to set the parameters for generating graphical reports and charts, which are displayed in the Dashboard section.

Specifying the dashboard settings


Use this task to specify the settings for various features of the Dashboard and what information you would like to be displayed.

Task
1 Click Settings & Diagnostics | User Interface Preferences. The User Interface Preferences page appears.
2 In Dashboard Settings tab, select Automatic refresh to specify whether the information shown on the Dashboard should be refreshed automatically.
3 In Refresh rate (seconds), specify the duration (in seconds) at which the information on the dashboard should be refreshed.
4 Select Enable reports to enable the reports of recently scanned items, recently posted virus descriptions, and the top hoaxes on the dashboard.
5 Select Show recently scanned items to specify whether the recently scanned items should be included in the dashboard reports.
6 In Maximum recently scanned items, specify the maximum number of recently scanned items that should be included in the dashboard reports.
7 In System Metrics Settings, for Graph scale (units), type the measurement units for the scale of the graph that must be generated.
8 In Number of hours to report for, type the report generation interval (in hours) to generate a report.
9 Click Apply to save the settings.

Specifying the graph and chart settings


Use this task to set the parameters for generating graphical reports and charts, which are displayed in the Dashboard section.

Task
1 Click Settings & Diagnostics | User Interface Preferences. The User Interface Preferences page appears.
2 In the Graph and Chart Settings tab, select 3D to specify whether you want the dashboard graph to be displayed as a three-dimensional (3D) graph.
3 Select Draw transparent to specify whether the bars in a three-dimensional bar graph should appear solid or transparent. A solid bar hides part of any bar behind it. A transparent bar allows you to look through it and see other transparent bars behind it.
4 Select Anti-alias to specify whether you want to use anti-aliasing techniques when displaying pie charts. If anti-aliasing is used, pie charts have smoother curves. If anti-aliasing is not used, pie chart curves appear jagged.
5 Select Explode pie to specify whether the segments should remain within the circle of the pie chart or be shown with some distance between each segment.
6 In Pie angle (degrees), specify the angle to use when drawing pie charts. The default value is 45.
7 Click Apply to save the settings.

Diagnostics settings
Diagnostics is used to collect information from the computer that can be used for debugging problems that are reported. This enables customers to select event logs, product logs, trace files, etc., which are useful to developers to troubleshoot the issue. You can use Diagnostics to specify the level of debug logging required, the maximum size of debug files, and where they should be saved. You can specify which events should be captured in the product log and event log by specifying the product log's location, name, size limits, and time-out settings.

Configuring diagnostics settings


This section provides information on configuring the debug log, error reporting service, event log and product log settings.

Tasks
Specifying debug log settings: Use this task to set the parameters for generating logs of debugging operations.
Specifying event log settings: Use this task to define the settings for generating event logs.
Specifying product log settings: Use this task to specify the required parameters to generate product logs.
Specifying error reporting service settings: Use this task to specify various parameters for the error reporting service.

Specifying debug log settings


Use this task to set the parameters for generating logs of debugging operations.

Task
1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.
2 Click Debug Logging tab.
3 From the Level drop-down list, specify the level of information that should be captured in the debug log. The options are:
   None: This disables debug logging.
   Low: Only errors are recorded in the debug log file.
   Medium: Errors and warnings are recorded in the debug log file.
   High: Errors, warnings and debug messages are recorded in the debug log file.

Select Limit size of debug log files to specify if you want a size limit for the debug log files.
In Maximum size of debug log file, specify how large (in megabytes or kilobytes) the debug log files can be.
If the debug log file exceeds the specified file size, new log entries are added to the file by deleting the oldest log entries. The maximum size is 2000 MB.

Select Specify location for debug files to specify a location for debug files. Select any location from the drop-down list and specify the location. This feature is not activated if you select None for Level.
Avoid using debug logging indiscriminately because it fills up the hard disk space and affects the overall performance of the Exchange server. It should be enabled for a limited duration as advised by authorized personnel (McAfee Technical Support Engineer).

Click Apply to save the settings.

Specifying event log settings


Use this task to define the settings for generating event logs. An event log is a report of events that have occurred in a domain which helps an administrator manage the network resources.

Task
1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.
2 Click Event Logging tab.
3 In Product Log section, select Write information events, Write warning events, and Write error events to include these events into the product log.
4 In Event Log section, select Write information events, Write warning events, and Write error events to include these events into the event log.
5 Click Apply to save the settings.

Specifying product log settings


Use this task specify the required parameters to generate product logs. Task 1 2 3 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears. Click Product Log tab. In Locations, select Specify location of database to specify whether you want to use the default location for the product log or a different location. If deselected, the default location is used. If selected, select a location from the drop-down list and specify the location details. Select Specify filename of database to specify whether you want to use the default file name or a different name. If deselected, the default file name is used. The default Database filename is productlog.bin.

4 In Size Limits section:
   - Select Limit database size to limit the size of the product log database. Type the Maximum database size of the product log database. You can specify the size in either megabytes or kilobytes.
     If product log files exceed the specified size, the older log entries are overwritten by newer log entries.
   - Select Limit age of entries to specify a time after which you want the product log entries to be deleted. Type the Maximum age of entry to specify how many days an entry should remain in the database before it is deleted.
5 In Advanced section: Select Specify a query timeout to limit the amount of time for answering a product log query. Type the Query timeout (seconds) to specify the maximum number of seconds allowed when answering a product log query.
6 Click Apply to save the settings.

Specifying error reporting service settings


Use this task to specify various parameters for the error reporting service. You can generate reports for system crashes or other errors in the network and send them to the administrator as required.

Task
1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.
2 Click Error Reporting Service tab.
3 Select Enable to enable or disable the error reporting service.
4 Select Catch exceptions to capture information about exceptional events, such as system crashes.
5 Select Report exceptions to user to specify whether exceptions should be reported to the administrator.
6 Click Apply to save the settings.

Product Log settings


A product log is a record of all events pertaining to a particular product that have occurred during a pre-defined time period.

Using Product Log


You can use Product Log to set up search filters that help you find information in the product log and view the search results.

Task
1 Click Settings & Diagnostics | Product Log. The Product Log page appears.
2 From the Product Log section, you can use:
   - ID: Type the number which identifies a specific product log entry.
   - Level: Select Information, Warning or Error from the drop-down list in the second field depending on the type of log you want to see.
   - Description: Type the relevant description. For example: Service Started.
   You can select up to three search filters.
3 Click All Dates to include all entries, else click Date Range and select a date range from the drop-down list.
4 Click Search. A list of detected items matching your search criteria is displayed in the View Results section.
   Click Clear Filter to return to the default search filter settings and click Export to CSV File to export the list of detections in .CSV format.

Click Apply to save the settings.

DAT settings
DAT files are the detection definition files, also referred to as signature files, that identify the code that anti-virus and/or anti-spyware software detects in order to repair viruses, trojan horses and Potentially Unwanted Programs (PUPs).

Configuring DAT settings


Use this task to specify the number of old DATs that can be maintained in your system.

Task
1 Click Settings & Diagnostics | DAT Settings. The DAT Settings page appears.
2 Type Maximum number of old DATs to specify the maximum number of DAT generations that shall be preserved in the system during regular updates. The default value is 10.
3 Click Apply to save the settings.

Import and Export Configuration settings


You can use Import and Export Configuration to copy the configuration of a McAfee Security for Microsoft Exchange computer to a location where it can be imported by another McAfee Security for Microsoft Exchange computer. You can also apply the configuration of a different McAfee Security for Microsoft Exchange system and specify the location from which automatic updates are downloaded.

Exporting the existing configuration


Use this task to copy the configuration of a McAfee Security for Microsoft Exchange system and save it to a location, where it can be imported by other McAfee Security for Microsoft Exchange computer(s).

Task
1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.
2 Click the Configuration tab.
3 Click Export.
4 Specify a location where to save the file.
5 Click Save. The default name of the configuration file is McAfeeConfigXML.cfg.
6 Click Restore Default to restore the default configuration which will set the product for maximum performance. To restore the configuration settings for maximum protection, click Restore Enhanced.

Importing a configuration
Use this task to import configuration settings from another system into this system, where McAfee Security for Microsoft Exchange has been installed.

Task
1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.
2 Click the Configuration tab.
3 From the Import Configuration section, click Browse to locate the configuration file.
4 Click Import.

Importing a Site List


A site list is a list of websites that have been defined as safe to access. This list is maintained in an Excel sheet. Use this task to import a site list, if you have already created an alternative site list.

Task
1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.
2 Click the Site List tab.
3 From the Import Site List section, click Browse to locate the configuration file SiteList.xml. The following figure illustrates the default SiteList.xml file.
   The default location of SiteList.xml file is: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework
4 Click Import. The new site list overwrites the existing site list.
5 Click Apply.

Importing and exporting of blacklists and whitelists


Use this task to import a blacklist or a whitelist from another McAfee Security for Microsoft Exchange server or export blacklists and whitelists to another McAfee Security for Microsoft Exchange server.

Task
1 Click Policy Manager | Gateway. The Gateway Policies page appears.
2 Click the link Master Policy.
3 In List All Scanners, click the link Anti-Spam.
4 In View Settings, click the link Block list and allow list. The Anti-Spam Settings page appears.
5 Click the tab Mail Lists.
6 Select the required list from Blacklisted senders, Whitelisted senders, Blacklisted recipients or Whitelisted recipients.
7 To import a list, click the link Import. In the pop-up window, click Browse to navigate to the required .cfg file, then click OK.
8 To export a list, click the link Export.
   Click Delete to remove a list from the database.

Proxy Settings
A proxy server facilitates communications between two or more computers in a domain, and increases the security and privacy of a network. The proxy can either be a dedicated server with special software or just an application running on a generalized machine. There are many ways to configure a proxy server, and an administrator can use them to block content, cache data to increase transfer speeds or to bypass filters.

Configuring Proxy Settings


Use this task to set the parameters that your computer would use to access a proxy computer.

Task
1 Click Settings & Diagnostics | Proxy Settings. The Proxy Settings page appears.
2 Select Use Proxy to enter details for a proxy computer. If you do not require a proxy computer, select No Proxy. This will deactivate the Proxy Details section.
3 Type the IP Address of the computer that is the proxy computer.
4 Type the Port number of the proxy computer that would be used for communication with other computers in a domain.
5 In the section Authentication Details, select the required option.
   - Anonymous: To access the proxy computer without any authentication details.
   - NTLM: To access the proxy computer using NT LAN Manager authentication details.
   - Basic Authentication: To provide a User Name and Password for the user to access the proxy computer. Repeat the password in Confirm Password.
6 Click Apply to save the settings.

Frequently Asked Questions

1. Where can I find out more about the effect of a virus?


Visit our website. See the Virus Information Library in http://vil.nai.com.

2. What should I do if I find a new virus?


If you suspect you have a file that contains a virus and the anti-virus software engine does not recognize it, please send us a sample. For information, see WebImmune in https://www.webimmune.net/default.asp.

3. How do I contact Technical Support?


See http://www.mcafee.com/us/support/ for details. Before calling the technical support, try to have the following information ready:
- The version of the operating system.
- The type of computer on which McAfee Security for Microsoft Exchange is installed (manufacturer and model).
- Any additional hardware that is installed.
- The browser being used and its version.
- A diagnostic report.

4. What is the recommended installation type for McAfee Security for Microsoft Exchange and why?
During the McAfee Security for Microsoft Exchange installation, select the installation type as Complete. This will install McAfee Security for Microsoft Exchange with the web user interface, Buffer Overflow Protection and the AntiSpam Add-On. (The AntiSpam Add-On evaluation version will be installed. You need to buy the Licensed AntiSpam Add-On component separately).

5. Can I upgrade from GroupShield for Exchange 7.0 to McAfee Security for Microsoft Exchange?
Yes. You can upgrade to McAfee Security for Microsoft Exchange from GroupShield for Exchange 7.0.1 Patch 1 and above, and GroupShield for Exchange 7.0.2. Rollup2 and above.

6. How can I upgrade the GroupShield for Exchange 7.0.1 in a cluster environment to McAfee Security for Microsoft Exchange 7.6?
In Single Copy Cluster setup (for Microsoft Exchange 2003 & 2007), install McAfee Security for Microsoft Exchange 7.6 on the active node. If you are upgrading from GroupShield for Exchange 7.0.1 Patch1, then the Configuration and the Database will be upgraded in the shared drive provided there is a cluster resource for GroupShield for Exchange.

7. What is the process of installing McAfee Security for Microsoft Exchange 7.6 on Microsoft Exchange 2010 DAG servers?
There is no separate process for installing McAfee Security for Microsoft Exchange on DAG servers. You need to follow the steps for a standalone installation. If you want to copy the configuration file, quarantine database and DATs from a McAfee Security for Microsoft Exchange installation on one DAG node to another DAG node, use the Cluster Replication Setup program. Refer to Cluster Replication Setup in the Installation Guide.

8. What are the precautions to be taken when installing or upgrading to McAfee Security for Microsoft Exchange 7.6 on any type of cluster servers (like SCC, CCR or LCR)?
For Cluster Continuous Replication (CCR) and Local Copy Replication (LCR), it is a standalone installation of McAfee Security for Microsoft Exchange. In case of Single Copy Cluster (SCC), you have to first install McAfee Security for Microsoft Exchange on the active node and then on a passive node, then create McAfee Security for Microsoft Exchange cluster resources. Depending on your operating system, refer to Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2003 (32 bit or 64 bit) or Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2008 (64 bit).

9. How do you deploy McAfee Security for Microsoft Exchange 7.6 using ePolicy Orchestrator?
Refer to Managing using ePolicy Orchestrator 4.5 and 4.6 in the Installation Guide.

10. How do you deploy McAfee Security for Microsoft Exchange 7.6 using ePolicy Orchestrator with arguments?
Refer to Deploying the software using ePolicy Orchestrator 4.5 for details.

11. How do I import a configuration file?


Refer to Importing a configuration in the Product Guide.

12. What is Global Threat Intelligence and how do I configure it in McAfee Security for Microsoft Exchange 7.6?
Global Threat Intelligence consists of two components:
- File reputation, used on executables for viruses and malware. Refer to Configuring the anti-virus scanner settings in the Product Guide.
- Email reputation, used for spam detection. Refer to Configuring Anti Spam settings in the Product Guide.

13. Can I configure a Global Threat Intelligence proxy on McAfee Security for Microsoft Exchange 7.6? If yes, then how can it be done?
Global Threat Intelligence proxy is not supported in this release.

14. How does McAfee Global Threat Intelligence file reputation and McAfee Global Threat Intelligence message reputation work in McAfee Security for Microsoft Exchange 7.6?
This is done by contacting the McAfee Global Threat Intelligence servers to get the file reputation for any malware or virus. For email reputation, McAfee Global Threat Intelligence servers are contacted to get the spam reputation score of emails.

15. Is there any performance improvement in McAfee Security for Microsoft Exchange 7.6 over GroupShield for Exchange 7.0.1?
Yes, there is a performance improvement. Significant improvement has been observed in the On-Demand scan feature.

16. What considerations need to be taken into account during a cluster replication setup?
In the case of Local Copy Replication (LCR) and Cluster Continuous Replication (CCR), it is a normal standalone installation and the normal installation process has to be followed. In case of Single Copy Cluster (SCC), you have to first install McAfee Security for Microsoft Exchange on the active node and then on a passive node.

17. Should you configure cluster replication on all servers, more than one, or just one?
If you are using Microsoft Exchange Server 2010, it depends on whether you would like to share the policies across all McAfee Security for Microsoft Exchange installations on various DAG nodes. If you are managing using ePolicy Orchestrator, this is not applicable.

18. Is the replication uni- or bi-directional? If it is uni-directional, in which direction?


Since the cluster resources are installed as shared resources in case of Microsoft Exchange Server 2007, the replication is both ways unless specifically configured using the Cluster Replication Setup program. The Active node makes all the required changes which will be used by a Passive node when it becomes active in a failover situation.

Appendix A Using file filtering rule and actions in a real-time scenario

This section illustrates a real-life scenario where a file filtering rule is used to delete, log, and quarantine all Microsoft PowerPoint (*.ppt) files that reach your Exchange server, and also to notify the administrator of the detection(s).

Task
1 From Policy Manager, click Shared Resource. The Shared Resources page appears.
2 Click the Filter Rules tab.
3 In File Filtering Rules, click Create New. The File Filtering Rule page appears.
4 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, PPT_Block.
5 Select Enable file name filtering to enable filtering files based on file names.
6 In Take action when the file name matches, specify the names of the files that must be quarantined. You can use the * and ? wildcard characters to match multiple filenames. In this case, to filter any Microsoft PowerPoint files, type *.ppt and click Add.
7 In File category filtering, select Enable file category filtering to enable file filtering according to their file type.
   a In Take action when the file category is, specify the file types that must be quarantined.
     File types are divided into categories and subcategories.
   b In File categories, select Graphics/Presentation. An asterisk symbol (*) appears next to the file type.
   c In Subcategories, select one of the following from the list:
     - Microsoft PowerPoint 2007
     - Microsoft PowerPoint 2007 (Encrypted)
     - Microsoft PowerPoint 97-2002
     - Microsoft PowerPoint Dual 95/97
8 Select Extend this rule to unrecognized file categories if you want to apply file filtering rules to file categories not listed under File categories and Subcategories.
9 In File size filtering, select Enable size filtering and type the file size to specify whether files should be filtered according to their size. Under Take action when the file size is, type a file size for any one option:
   - Greater than: To specify that the action should be applied when a file is larger than the size specified.
   - Less than: To specify that the action should be applied when a file is smaller than the size specified.

10 Click Save, then Apply to return to the Shared Resources policy page.
11 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.
   This example uses the On-Access policy.
12 Click a policy name to display the next page.
13 Click the File Filtering link and from Activation section, select Enable.
14 In File Filtering rules and associated actions, select the rule (PPT_Block you created in step 3) from the Available rules drop-down list.
15 Click the Change link of the rule to specify actions that must be taken when an attached PowerPoint presentation is detected in an email message. The File Filtering Actions page appears. In this case, select the action as Delete message and also Log, Quarantine and Notify Administrator.
16 Click Save, then Apply.
17 Send an email to your Exchange server with Microsoft PowerPoint file attached. The file filtering rule is triggered and the specified actions take place.
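
To show why the PPT_Block rule in this appendix enables both file name filtering and file category filtering, the following added example (not McAfee code and not part of the original guide) models the rule's three criteria in Python. The FileFilterRule class, the content-based detect_category function, case-insensitive name comparison and the sample attachments are assumptions constructed for illustration; the product's actual matching logic is not documented on this page.

```python
import fnmatch
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Content signatures used for category detection (assumed approach).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")              # legacy Office container
OLE_PPT_STREAM = "PowerPoint Document".encode("utf-16-le")  # stream name inside it
ZIP_MAGIC = b"PK\x03\x04"                                   # OOXML container


def detect_category(data: bytes) -> str:
    """Classify an attachment by its content, ignoring its file name."""
    if data.startswith(OLE2_MAGIC) and OLE_PPT_STREAM in data:
        return "Microsoft PowerPoint 97-2002"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                if any(n.startswith("ppt/") for n in archive.namelist()):
                    return "Microsoft PowerPoint 2007"
        except zipfile.BadZipFile:
            pass  # truncated or malformed archive: treat as unrecognized
    return "Unrecognized"


@dataclass
class FileFilterRule:
    """Hypothetical model of one file filtering rule's three criteria."""
    name: str
    name_patterns: List[str] = field(default_factory=list)  # '*' and '?' wildcards
    categories: Set[str] = field(default_factory=set)
    extend_to_unrecognized: bool = False
    greater_than: Optional[int] = None                       # size limit in bytes

    def matched_criteria(self, filename: str, data: bytes) -> List[str]:
        """Return which enabled criteria the attachment matches."""
        hits = []
        lowered = filename.lower()  # assumption: names compare case-insensitively
        if any(fnmatch.fnmatchcase(lowered, p.lower()) for p in self.name_patterns):
            hits.append("file name")
        category = detect_category(data)
        if category in self.categories or (
            category == "Unrecognized" and self.extend_to_unrecognized
        ):
            hits.append("file category")
        if self.greater_than is not None and len(data) > self.greater_than:
            hits.append("file size")
        return hits


def make_pptx_sample() -> bytes:
    """Constructed stand-in for a PowerPoint 2007 file (ZIP with a ppt/ part)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("ppt/presentation.xml", "<presentation/>")
    return buffer.getvalue()


# Constructed stand-in for a PowerPoint 97-2002 file: header plus stream name only.
LEGACY_PPT_SAMPLE = OLE2_MAGIC + b"\x00" * 504 + OLE_PPT_STREAM

PPT_BLOCK = FileFilterRule(
    name="PPT_Block",
    name_patterns=["*.ppt"],
    categories={"Microsoft PowerPoint 2007", "Microsoft PowerPoint 97-2002"},
)


def evaluate_samples() -> dict:
    """Run PPT_Block over constructed attachments; map file name -> criteria hit."""
    samples = {
        "deck.ppt": LEGACY_PPT_SAMPLE,       # name and content agree
        "Q3-DECK.PPT": LEGACY_PPT_SAMPLE,    # upper-case extension
        "deck.pptx": make_pptx_sample(),     # '*.ppt' does not cover '.pptx'
        "holiday.jpg": LEGACY_PPT_SAMPLE,    # extension does not reflect content
        "notes.ppt": b"plain text",          # name matches, content does not
        "report.txt": b"plain text",         # unrelated attachment
    }
    return {name: PPT_BLOCK.matched_criteria(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for attachment, criteria in evaluate_samples().items():
        print(f"{attachment:12} -> {criteria or 'no match'}")
```

In this model the name pattern alone misses deck.pptx and holiday.jpg, and the category criterion alone misses notes.ppt, which is the practical reason to configure both in the same rule.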

Appendix B Using the McAfee Security for Microsoft Exchange Access Control

You can use McAfee Security for Microsoft Exchange Access Control to allow or deny access to the McAfee Security for Microsoft Exchange user interface for specific users or groups.

Task
1 From the Start menu, click Programs | McAfee | Security for Microsoft Exchange | Access Control. The Permissions for Access dialog box appears.

Figure B-1 Permissions for Access

2 From Group or user names, select the user you want to allow or deny access to the McAfee Security for Microsoft Exchange user interface.
3 Click OK.

Appendix C SiteList Editor

SiteList specifies the location from where automatic updates (including DAT file and scanning engines) are downloaded. By default, McAfee Security for Microsoft Exchange uses a site list that points to a McAfee site for automatic updates, but you can use a site list that points to a different location. For example, you may have copied the automatic updates to a local repository and created a site list that points your McAfee Security for Microsoft Exchange systems to that local repository. Alternative site lists can be created using McAfee ePolicy Orchestrator software. To access the Site List Editor: Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor.

Figure C-1 Edit AutoUpdate Repository List

Contents
- Configuring repositories and proxy settings
- Adding a repository
- Specifying proxy settings

Configuring repositories and proxy settings


Use these tasks to configure your repository list and proxy settings for your repository.

Adding a repository
The Site List specifies from where automatic updates are downloaded. By default, McAfee Security for Microsoft Exchange uses a site list that points to a McAfee site for automatic updates, but you can use a site list that points to a different location. For example, you may have copied the automatic updates to a local repository and created a site list that points your McAfee Security for Microsoft Exchange systems to that local repository.

Task
1 Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor. The Edit AutoUpdate Repository List dialog box appears.
2 From the Repositories tab, click Add. The Repository Settings dialog box appears.

Figure C-2 Repository Settings

3 Select from the following options:
   - Repository Description: To give a brief description of the repository.
   - Retrieve files from: To specify from which type of repository to retrieve the files. The available options are HTTP repository, FTP repository, UNC Path, and Local Path.
   - URL: To specify the URL of the repository.
   - Port: To specify the port number of the repository.
   - Use Authentication: To enable user authentication to access the repository.

4 Specify a user name and password for authentication of the repository and confirm the password by typing it again.
5 Click OK to add the new repository to the Repository Description list.
6 Click OK to close the Edit AutoUpdate Repository List dialog box.

Specifying proxy settings


If a repository must be accessed via the Internet, such as the McAfee update site or an internal repository, McAfee Security for Microsoft Exchange can use proxy settings to connect to the repository. If your organization uses proxy servers for connecting to the Internet, you can select the Proxy settings option.

Task
1 Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor. The Edit AutoUpdate Repository List dialog box appears.
2 Click the Proxy settings tab.

Figure C-3 Proxy settings

3 Select the Use Internet Explorer proxy settings or Manually configure the proxy settings option as required.
4 Type the IP address and port number of the HTTP or FTP server.

You can use the following options:
   - Use Authentication: To enable user authentication to access the proxy server.
   - Username: To specify a username for authentication to access the proxy server.
   - Password: To specify a password.
   - Confirm Password: To reconfirm the specified password.
   - Exceptions: To bypass a proxy server for specific domain(s). Click Exceptions, then select Specify Exceptions and type the domain(s) that needs to be bypassed.

Click OK.
