gfi mailsecurity for exchange/smtp 8 manual · pdf filemanual mailsecurity for exchange/smtp...

GFI MailSecurity for Exchange/SMTP 8

Manual

By GFI Software Ltd.

http://www.gfi.com

E-mail: [email protected]

This manual was produced by GFI Software Ltd. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI Software Ltd. GFI MailSecurity was developed by GFI Software Ltd. GFI MailSecurity is copyright of GFI Software Ltd. 1998-2004 GFI Ltd. All rights reserved. GFI MailSecurity is a registered trademark and GFI Software Ltd. and the GFI logo are trademarks of GFI Software Ltd. in the Europe, the United States and other countries. Version 8.10 Last updated: March 15, 2004

http://www.gfi.com

mailto:[email protected]

Manual MailSecurity for Exchange/SMTP Contents • i

Contents

Explaining GFI MailSecurity 1 Introduction to GFI MailSecurity .................................................................................... 1 Key features of GFI MailSecurity................................................................................... 1 GFI MailSecurity operating modes ................................................................................ 3 GFI MailSecurity VS API Exchange 2000/2003 mode .................................................. 3 GFI MailSecurity SMTP gateway mode ........................................................................ 4 Differences between SMTP gateway and Exchange VSAPI mode .............................. 5 Which operating mode should I use? ............................................................................ 5 Can I use both operating modes? ................................................................................. 6 GFI MailSecurity components ....................................................................................... 6 GFI MailSecurity from a user's perspective................................................................... 7 Add-ons – DownloadSecurity for ISA server ................................................................. 7 Add-ons – GFI MailEssentials ....................................................................................... 8

Installing GFI MailSecurity in VS API mode 9 Introduction to installing in VS API mode ...................................................................... 9 System requirements of VS API mode.......................................................................... 9 Installing GFI MailSecurity in VS API mode .................................................................. 9 Entering your License key after installation................................................................. 11

Installing GFI MailSecurity in gateway mode 13 Introduction to installing in SMTP gateway mode ....................................................... 13 System requirements of GFI MailSecurity SMTP gateway mode ............................... 14 Installing in SMTP Gateway mode on the Exchange server ....................................... 14 Installing in SMTP gateway mode on a separate machine ......................................... 15 The Exchange 5.5 User synchronization wizard ......................................................... 24 Entering your License key after installation................................................................. 25

Configuring Content & Attachment checking 27 Introduction to content checking.................................................................................. 27 Creating a content checking rule ................................................................................. 27 Creating an attachment checking rule ......................................................................... 32

Quarantining 37 Introduction .................................................................................................................. 37 Quarantine options ...................................................................................................... 37 Approving/rejecting mail via an e-mail client ............................................................... 40 Approving/rejecting mail using the Moderator Client................................................... 41 Using the remote moderator client .............................................................................. 42 Quarantined mail from the user point of view.............................................................. 45 Setting up the web based moderator .......................................................................... 46

Configuring Virus checking 53 Configuring scanning engines ..................................................................................... 53 Deleting/Quarantining infected mails........................................................................... 53 Norman Virus Control configuration ............................................................................ 54

ii • Contents Manual MailSecurity for Exchange/SMTP

BitDefender configuration ............................................................................................ 56 McAfee configuration................................................................................................... 57 Kaspersky configuration .............................................................................................. 57

The Email Exploit engine 59 Introduction to e-mail exploits...................................................................................... 59 Configuring the email exploit engine ........................................................................... 60 Email exploit update settings....................................................................................... 61

The HTML Threat Engine 63 Introduction to the HTML Threat Engine ..................................................................... 63 Configuring the HTML Threat Engine.......................................................................... 64

The Trojan & Executable Scanner 65 Introduction to the Trojan & executable scanner......................................................... 65 Configuring the Trojan & Executable scanner............................................................. 66 Trojan & Executable scanner update settings............................................................. 67

Decompression engine 69 Introduction to the decompression engine .................................................................. 69 Configuring the decompression engine....................................................................... 69

Remote monitoring & administration 73 Installing the remote monitor/configuration ................................................................. 73 Configuring & monitoring GFI MailSecurity remotely .................................................. 73 Switching to another server to monitor or configure.................................................... 74

General options 75 General options ........................................................................................................... 75 Update options ............................................................................................................ 76 VS API Scanning modes ............................................................................................. 77 Adding additional local domains.................................................................................. 78 Changing the bindings................................................................................................. 79 Checking number of licensed users ............................................................................ 80 Version information...................................................................................................... 81

Advanced topics 83 Determining Outbound/Inbound/Internal mail.............................................................. 83 User synchronization with Exchange 5.5 .................................................................... 83 GFI MailSecurity logging ............................................................................................. 85 Configuring ISA server to allow downloading of updates............................................ 85 Enabling Event Logging for the Virus Scanning API ................................................... 85 Setting Virus Scanning API Performance Monitor Counters....................................... 86 Customizing the notification templates........................................................................ 87

Troubleshooting 91 Introduction .................................................................................................................. 91 Knowledgebase ........................................................................................................... 91 Request support via e-mail.......................................................................................... 91 Request support via webchat ...................................................................................... 92 Request support via phone.......................................................................................... 92 Web Forum.................................................................................................................. 92 Build notifications......................................................................................................... 92

Manual MailSecurity for Exchange/SMTP Contents • iii

Index 93

Manual MailSecurity for Exchange/SMTP Explaining GFI MailSecurity • 1

Explaining GFI MailSecurity

Introduction to GFI MailSecurity The need to monitor email messages for dangerous, offensive or confidential content has never been more evident. The most deadly viruses, able to cripple your email system and corporate network in minutes, are being distributed worldwide via email in a matter of hours (for example, the Nimda virus). Anti-virus vendors cannot update their signatures in time. Worse still, email is also used to install backdoors (Trojans) and other harmful programs to help potential intruders break into your network. Your only defense is to install a comprehensive email content checking and anti-virus solution to safeguard your mail server & network. GFI MailSecurity acts as an Email Firewall and protects you from headline-hitting viruses such as Love Letter, as well as email attacks targeted at your organization. GFI MailSecurity for Exchange/SMTP is the market leading email content security software. GFI MailSecurity can be installed in 2 modes: the Exchange 2000 VS API mode or the SMTP gateway mode. The Exchange 2000 VS API version integrates seamlessly with Exchange Server 2000 and scans the Exchange 2000 information stores. The SMTP gateway version should be deployed at the perimeter of the network as a mail relay server. GFI MailSecurity is totally transparent to your users - no additional user training or administration is needed.

Key features of GFI MailSecurity

Email Content checking/filtering GFI MailSecurity's key feature is the ability to content check all in- and outbound mail. It can quarantine all mail with dangerous attachments, such as *.exe, *.vbs and other files. Such attachments are more likely to carry a virus, worm or email attack. Because email viruses can spread so quickly and cause immense damage, it is best to quarantine such emails before they are distributed to the email users. When an email is quarantined, it can by reviewed by the administrator who can then reject or approve the message. In addition to scanning for harmful attachments, GFI MailSecurity can check for script code in the message body itself, as well as scanning for offensive content (for which a company could be sued) and information leaks (distribution of confidential information by users).

2 • Explaining GFI MailSecurity Manual MailSecurity for Exchange/SMTP

Furthermore, you might choose to quarantine mails carrying *.mp3 or *.mpg files, as these hog bandwidth and can needlessly burden a mail server's disk space. The attachment checking module has effectively saved thousands of companies from the Love Letter virus.

Email exploit detection engine GFI's leading research on email exploits has contributed to the creation of GFI MailSecurity's email exploit detection engine. This industry-first detects emails that contain known email exploits - think of it as "email intrusion detection". It therefore safeguards you from any current or future email viruses and attacks that use known exploits. GFI MailSecurity is the ONLY email security product to protect against email exploits. For more information on exploits, visit http://www.gfi.com/emailsecuritytest/

Automatic removal of HTML scripts The advent of HTML mail has made it possible for hackers/virus writers to trigger commands by embedding them in HTML mail. GFI MailSecurity detects & disables these commands and sends the 'cleaned' HTML mail to the recipient. GFI MailSecurity is the only product to protect you from potentially malicious HTML e-mail, allowing you to be secure from not only HTML viruses, but also from attacks directed at your network via HTML e-mail.

Automatic quarantining of Microsoft Word documents with word macros GFI MailSecurity protects you from present and future Word & Excel macro viruses, by automatically quarantining documents with macros. This means you can safely allow Word docs and excel spreadsheets to be sent via e-mail, since if they are potentially malicious, you can rest assured that GFI MailSecurity will quarantine them. (or delete if you prefer)

Virus checking using multiple virus engines GFI MailSecurity scans email for viruses using multiple virus engines. Scanning email at the gateway and at mail server level prevents viruses from entering and/or spreading within your network. Furthermore, you can avoid the embarrassment of sending infected emails to customers, as GFI MailSecurity also checks outgoing mail for viruses. GFI MailSecurity includes the industrial strength Norman anti-virus & Bitdefender virus engines that has received various awards. Optionally you can choose to add the McAfee virus engine. Multiple virus engines gives you a higher level of security, since virus engines complement each other and lower the average virus response time.

Trojan Executable scanner GFI MailSecurity is able to analyze incoming executables and rate the risk-level of an executable. This way, potentially dangerous, unknown Trojans can be detected before they enter your network.

http://www.gfi.com/emailsecuritytest/


GFI MailSecurity operating modes GFI MailSecurity can be operated in 2 modes: 1. Exchange 2000/2003 VS API mode 2. SMTP gateway mode Depending on your network set-up, and your objectives in deploying GFI MailSecurity, either mode can be applicable. In some cases you might consider deploying GFI MailSecurity in both modes.

GFI MailSecurity VS API Exchange 2000/2003 mode If you have Microsoft Exchange 2000 or 2003, GFI MailSecurity can integrate with Exchange Server via the Microsoft Virus Scanning API (VS API).

What is and why use VS API (Virus Scanning API)? Exchange 2000 & 2003 provides a new virus scan API that is implemented at very low-level in the Exchange store. This allows a virus scanning application to run with high performance and guarantees that the message will be scanned before any client can access a message or attachment. This low-level access facilitates the elimination of viruses such as the Melissa virus. In addition, VS API reduces scalability issues that can arise when a particular server has a large number of users/mailboxes. VS-API's real-time scan allows messages and attachments to be scanned once before delivery, rather than multiple times determined by the number of mailboxes the message is delivered to. This single-instance scanning also helps prevent messages from being rescanned when a message is copied. GFI MailSecurity VS API has the following features: • Native MIME/MAPI content scanning • Proactive scanning • Priority-based queuing • Multithreaded queue processing • Per-Messaging Database configuration options • Enhanced background scanning • Event logging • Virus scanning API-specific Performance Monitor counters

Why choose a product based on the VSAPI? Microsoft strongly encourages the development and adoption of Exchange VS API-based anti-virus solutions • VS API is secure and preserves the integrity of the Information

Store and its databases • The Microsoft Exchange product group is committed to providing

enhancements to this API, bug fixes, documentation, and technical assistance to ISVs using VS API (as appropriate)


• Antivirus solutions using Extensible Storage Engine API or any other undocumented API may corrupt the Information Store and its databases

• The Microsoft Exchange product group does not provide any code updates, documentation, or technical assistance to address issues related to the use of a non-VS API-based solution

• For Exchange customers using a non-VS API-based solution, Microsoft Product Support Services may ask the customer to uninstall/disable the anti-virus solution to help identify issues, this may delay in final resolution

• VS API enhances the current core feature set by providing abilities to optimize and configure the scanning process at multiple levels, as well as providing Exchange administrators with built-in functionality to monitor the performance of the new API

For more information about VS API You can find more information about VS API on this link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285667

Limitations of using the VS API Exchange 2000/2003 mode Although VS API is a recommended way to do content checking and virus scanning on Exchange 2000, there are a number of limitations which you need to be aware of as a system administrator: 1. The Virus API only scans information stores. That means that if you have installed GFI MailSecurity for Exchange 2000 on for example a front-end server, no mail will be scanned, because mail is not being stored on the front-end server. In this case, you need to use GFI MailSecurity in SMTP gateway mode. 2. You need to be more careful with applying attachment rules. Some MAPI applications running on Exchange might be using vbs or exe files. You need to ensure that if this is the case, you don’t apply rules to quarantine exe or vbs files to mailboxes used by those applications. 3. Outgoing mails that have been approved need to be resent by the user. For example, if an executable is quarantined and approved, the user will get a message saying that he has 24 hours to send that executable. The reason for this is because the recipient of the message is not always known with 100% certainty in VS API mode.

GFI MailSecurity SMTP gateway mode If you do not need to scan internal mail or do not have Microsoft Exchange 2000/2003, you must install GFI MailSecurity in SMTP gateway mode. You can install GFI MailSecurity in SMTP Gateway mode on a separate machine on the perimeter of your network (acting as a mail relay) or on the Exchange server 2000/2003 machine it self. The SMTP gateway mode allows you to set-up more powerful content security rules. If you do not need to scan internal mail we recommend the SMTP gateway mode.

http://support.microsoft.com/default.aspx?scid=kb


Installing GFI MailSecurity on a separate machine If you decide to install GFI MailSecurity on a separate machine then you must install GFI MailSecurity in SMTP gateway mode. In this type of installation GFI MailSecurity checks all inbound and outbound mail before it reaches your mail server. In order to do this, it must be the first to receive all mails destined for your mail server and it must the last 'stop’ for outbound mail, i.e. mails destined for the Internet. In this set-up GFI MailSecurity acts as a gateway for all email. This set-up is also known as 'Smart host' or 'Mail relay' server.

GFI MailSecurity working as a mail gateway/relay

Differences between SMTP gateway and Exchange VSAPI mode The main differences between the SMTP gateway mode and the Exchange VS API version of GFI MailSecurity are as follows: • SMTP Gateway version only scans inbound and outbound mail,

not internal mail • SMTP Gateway version has more information about the e-mail,

and can therefore quarantine outbound mail without the need for a ticketing system

• SMTP Gateway version has more information about the e-mail and can therefore determine better if it’s an inbound or an outbound mail.

• SMTP Gateway version has a more advanced quarantining system. It is possible to hold the entire email until a part is approved or rejected – that way a recipient only receives the mail if it is approved. He will receive the mail in its entirety.

• Exchange VS API version can only be used on Exchange 2000/2003

• Exchange VS API version can scan internal mail also, and can therefore prevent internal virus outbreaks.

Which operating mode should I use? In general we recommend using the gateway version to block viruses at the gateway and implement advanced content security rules, and to use the VS API version mainly to block internal virus outbreaks. • If you don’t have Exchange 2000/2003, you must use the SMTP

gateway version. • If you have Exchange 2000/2003, you can choose. If you have a

large network or many users on Exchange, its better to install GFI MailSecurity in gateway mode at the perimeter of your network and use the VS API mode only to block internal virus outbreaks. If


you have a small number of users, you can just install the VS API version.

• If you want to block entire mails, rather then message parts, you need to use the SMTP gateway version.

• SMTP gateway mode is the correct mode if you run Exchange 5.5, Lotus Notes or another SMTP/POP3 server!

Can I use both operating modes? It is possible to deploy both versions at the same time (as long as they are installed on separate machines). The main advantage of this is that you can have stricter rules on inbound and outbound mail, and less strict rules on internal mail. Also, you can avoid mail reaching your Exchange server in the first place, and use the Exchange VS API version to control virus outbreaks through internal mail.

GFI MailSecurity components GFI MailSecurity consists of the following parts:

GFI MailSecurity scan engine The GFI MailSecurity scan engine analyses the content of all in- and outbound mail and internal mail (if using in Exchange 2000/2003 VS API mode). If a mail is quarantined, the scan engine will notify the appropriate supervisor/administrator and ask for approval of the message.

GFI MailSecurity configuration

The GFI MailSecurity configuration

The configuration program allows you to set up and configure GFI MailSecurity. All configuration can be done from the MMC console.


GFI MailSecurity Moderator client

The moderator client – gateway version

GFI MailSecurity allows you to approve or reject messages that are quarantined in 2 ways – either using the moderator client or via HTML mail in your inbox. If you have to approve/reject large amounts of mail, you can use the moderator client.

GFI MailSecurity from a user's perspective GFI MailSecurity is totally transparent to the user. That means that the user will not notice that GFI MailSecurity is active, until the user sends or receives a mail which has triggered a rule in GFI MailSecurity, for example because it included a forbidden attachment or a virus. In the case of a suspicious attachment, GFI MailSecurity will quarantine the mail attachment for review by the administrator. Optionally, the recipient will receive a message saying that a mail is waiting for administrator review. Once the administrator approves the email, the mail will be sent to the recipient.

Add-ons – DownloadSecurity for ISA server A companion product to GFI MailSecurity is DownloadSecurity. DownloadSecurity content filters & virus checks user's file downloads. It uses the same scan engine as GFI MailSecurity. DownloadSecurity installs on top of Microsoft ISA server (and therefore requires Microsoft ISA server) and will intercept all files downloads from users on your network. In this manner, you can safely allow users to download files from the Internet. If you use Microsoft Small Business Server, you are probably running both Microsoft ISA server and Microsoft Exchange Server on a single machine. GFI MailSecurity & GFI DownloadSecurity can be installed on that same machine, and together provide http, ftp and SMTP content security. For more information, please see the GFI website. DownloadSecurity is available at a bundle price if purchased in combination with GFI MailSecurity.


Add-ons – GFI MailEssentials A companion product to GFI MailSecurity is GFI MailEssentials. MailEssentials adds a number of corporate email features to Exchange Server, notably: • Anti Spam • Disclaimers • Centralized archiving of inbound and outbound mail • POP3 down loader • Server based auto replies For more information, please see the GFI website. MailEssentials is available at a bundle price if purchased in combination with GFI MailSecurity.

Manual MailSecurity for Exchange/SMTP Installing GFI MailSecurity in VS API mode • 9

Installing GFI MailSecurity in VS API mode

Introduction to installing in VS API mode This chapter explains the procedure how to install and configure GFI MailSecurity in Exchange 2000/2003 VS API mode. In this mode, GFI MailSecurity uses the low level Microsoft Virus scanning API, ensuring that the scanning process will be done in a high performance and reliable manner. For more information about GFI MailSecurity operating modes and VS API, please see the previous chapter. VS API mode requires Exchange 2000 (SP1) or Exchange 2003!

System requirements of VS API mode To install GFI MailSecurity you need: • Windows 2000 Server or Advanced Server with Service Pack 1 or

higher installed OR Windows 2003 Server or Advanced Server. • Microsoft Exchange server 2000 with Service Pack 1 or higher

installed or Microsoft Exchange server 2003. • If using Small Business Server, ensure you have installed Service

Pack 2 for Exchange Server. • IMPORTANT: Disable Anti Virus software from scanning the GFI

MailSecurity directories! AV products are known to both interfere with normal operation as well as slow down any software which requires file access. In fact Microsoft does not recommend running file based anti virus software on the Exchange Server. For more information: http://kbase.gfi.com/showarticle.asp?id=KBID001559

• Make sure that backup software is not backing up any of the GFI MailSecurity directories at any point.

Installing GFI MailSecurity in VS API mode Before you install GFI MailSecurity, please make sure you are logged on as an Administrator. Step 1: Run GFI MailSecurity set-up by double-clicking the file MailSecurity.exe on the Exchange Server machine. GFI MailSecurity will also prompt you to check for a later GFI MailSecurity version. We recommend you do this and always use the latest version. Step 2: Confirm the License agreement. Step 3: Enter your Name, company, and License key. If you are evaluating the product, leave the default ‘Evaluation’. Click Next.

http://kbase.gfi.com/showarticle.asp?id=KBID001559

10 • Installing GFI MailSecurity in VS API mode Manual MailSecurity for Exchange/SMTP

Step 4: Set-up will now ask you if you wish to install in SMTP Gateway mode or in VS API mode. Choose VS API mode. Step 5: Set-up will now ask you to specify the administrator email address. Enter the e-mail address of the Administrator.

Specifying the administrator email address

Step 6: Set-up will now ask you where you want GFI MailSecurity to be installed. GFI MailSecurity will need approximately 30 MB of free hard disk space. In addition to this, you must reserve approximately 200 MB for temporary files. Step 7: Set-up will confirm installation in VS API mode and will now copy all program files to the selected destination, and finish the installation by creating a GFI MailSecurity program group. Click Finish to finish setup. The GFI MailSecurity services & the GFI MailSecurity VS API engine will now be started. Step 8: You can check if GFI MailSecurity is running using the GFI MailSecurity monitor. Note that it can take up to a minute before GFI MailSecurity will load, because VS API has to load GFI MailSecurity first.

The GFI MailSecurity remote monitor

To monitor GFI MailSecurity: Click Start > Programs > GFI MailSecurity and select GFI MailSecurity monitor.

Manual MailSecurity for Exchange/SMTP Installing GFI MailSecurity in VS API mode • 11

Note that the monitor refers to items, not mails. An item is a message part, such as a mail body or an attachment. Therefore a mail can contain multiple items. For example a mail with 2 attachments consists of 3 parts/items: 1 body and 2 attachments.

Entering your License key after installation If you have purchased GFI MailSecurity, you can enter your License key in the General > Licensing node. If you are evaluating GFI MailSecurity with an evaluation key, the product will time out after 60 days. If you then decide to purchase GFI MailSecurity, you can just enter the License key here without having to re-install. Entering the License key should not be confused with the process of registering your company details on our website. This is important; since it allows us to give you support and notify you of important product news. Register on: http://www.gfi.com/pages/regfrm.htm In VS API mode, you must license GFI MailSecurity based on the number of mailboxes that you have on Exchange Server.

http://www.gfi.com/pages/regfrm.htm

Manual MailSecurity for Exchange/SMTP Installing GFI MailSecurity in gateway mode • 13

Installing GFI MailSecurity in gateway mode

Introduction to installing in SMTP gateway mode This chapter explains the procedure how to install and configure GFI MailSecurity in SMTP gateway mode. There are 2 ways to install GFI MailSecurity in SMTP gateway mode: 1. On the Exchange Server 2000/2003 machine. 2. On a separate machine at the perimeter of your network. If you are installing on the Exchange Server 2000/2003 machine, set-up is very straight forward. Simply choose gateway mode rather then VS API mode. If installing on a separate server, you must configure that machine to act as a gateway for all mail first. This set-up is also known as 'Smart host' or 'Mail relay' server. Once configured, you can install GFI MailSecurity on that machine. In SMTP gateway mode, GFI MailSecurity checks inbound and outbound mail before it reaches your mail server. For more information about GFI MailSecurity operating modes and the SMTP gateway mode, please see the chapter ‘Explaining GFI MailSecurity’. SMTP gateway mode is the correct mode if you run Exchange 5.5, Lotus Notes or another SMTP/POP3 server! If you are running a Windows NT network: The machine running GFI MailSecurity can be totally separate from your Windows NT network – GFI MailSecurity does not require Active Directory!

Installing GFI MailSecurity in front of your firewall A good way to deploy GFI MailSecurity is to install it on a separate machine in front of your firewall or on your firewall (if running a Windows 2000/2003 firewall such as Microsoft ISA Server). This allows you to keep your corporate mail server behind the firewall. GFI MailSecurity will act as a smart host/mail relay server in the perimeter network (also known as DMZ - demilitarized zone). Additional advantages are: • You can perform maintenance on your Mail server machine, whilst

still receiving email from the Internet. • You use less resources on your Mail server machine • The GFI MailSecurity machine can have a lower spec then the

Mail server machine and process mail faster.

14 • Installing GFI MailSecurity in gateway mode Manual MailSecurity for Exchange/SMTP

• Additional fault tolerance – if anything happens with your Mail server you still receive mail, which is queued on the GFI MailSecurity machine.

Note: This separate machine does not need to be dedicated to GFI MailSecurity, it can be running other applications, for example a firewall.

System requirements of GFI MailSecurity SMTP gateway mode • Windows 2000 - Pro, Server or Advanced Server OR Windows

2003 – Pro, Server or Advanced Server OR Windows XP (Note that if you use Windows 2000 Pro or XP, you will only be able to accept up to 10 inbound SMTP connections simultaneously, so its better to use Windows server versions)

• Microsoft Exchange server 2003, 2000, 4, 5 or 5.5, Lotus Notes 4.5 and up, or an SMTP/POP3 mail server.

• IMPORTANT: Disable Anti Virus software from scanning the GFI MailSecurity & IIS directories! AV products are known to both interfere with normal operation as well as slow down any software which requires file access. For more information: http://kbase.gfi.com/showarticle.asp?id=KBID001559

• Make sure that backup software is not backing up any of the GFI MailSecurity directories at any point.

Installing in SMTP Gateway mode on the Exchange server Before you install GFI MailSecurity, please make sure you are logged on as an Administrator. Step 1: Run GFI MailSecurity set-up by double-clicking the file MailSecurity.exe on the Exchange Server machine. GFI MailSecurity will also prompt you to check for a later GFI MailSecurity version. We recommend you do this and always use the latest version. Step 2: Confirm the License agreement. Step 3: Enter your Name, company, and License key. If you are evaluating the product, leave the default ‘Evaluation’. Click Next. Step 4: Set-up will now ask you if you wish to install in SMTP Gateway mode or in VS API mode. Choose SMTP Gateway mode. Step 5: Set-up will now ask you to specify the administrator email address. Enter the e-mail address of the Administrator.




Step 6: Set-up will now ask you where you want GFI MailSecurity to be installed. GFI MailSecurity will need approximately 30 MB of free hard disk space. In addition to this, you must reserve approximately 200 MB for temporary files. Step 7: Set-up will now copy all program files to the selected destination, and finish the installation by creating a GFI MailSecurity program group. Click Finish to finish setup. The GFI MailSecurity services will now be started. Step 8: You can check if GFI MailSecurity is running using the GFI MailSecurity monitor.


To monitor GFI MailSecurity: Click Start > Programs > GFI MailSecurity and select GFI MailSecurity monitor. Note that the monitor refers to items, not mails. An item is a message part, such as a mail body or an attachment. Therefore a mail can contain multiple items. For example a mail with 2 attachments consists of 3 parts/items: 1 body and 2 attachments.

Installing in SMTP gateway mode on a separate machine In order for GFI MailSecurity to be installed on a separate machine, the IIS SMTP service must be installed and running on that machine


and configured as an SMTP relay to your mail server. This means that the MX record of your domain must be pointing to the machine on which you will install GFI MailSecurity. This chapter describes how you can install the mail relay. For more information about this: http://support.microsoft.com/support/kb/articles/Q293/8/00.ASP

Installing & configuring the IIS SMTP service GFI MailSecurity uses the Windows 2000/2003 IIS SMTP service as its SMTP server. Because GFI MailSecurity works with this SMTP service, you need to configure this service as a mail relay server first. About the Windows 2000/2003 IIS SMTP service The SMTP service is part of IIS, which is part of Windows 2000/2003. It is used as the message transfer agent of Microsoft Exchange Server, and has been designed to handle large amounts of mail traffic. The Windows 2000/2003 IIS SMTP service is included in every Windows 2000/2003 distribution, including Windows 2000 professional and XP. To install & configure the IIS SMTP service as a mail relay server:

Step 1: Verify the Installation of the SMTP Service In Control Panel, open Add/Remove Programs, click Add/Remove Windows Components. Click the Internet Information Services (IIS) component, click Details, and then verify that the SMTP Service check box is selected. If it is not selected, click to select it, click OK, and then follow the installation directions that are displayed.

Specify mail relay server name and assign IP

Step 2: Specify mail relay server name and assign an IP 1. Click Start, point to Programs, click Administrative Tools, and then

click Internet Services Manager.

http://support.microsoft.com/support/kb/articles/Q293/8/00.ASP


2. Expand the tree under the server name, and then expand the Default SMTP Virtual Server. Right click and select 'Properties'. Assign an IP to it.

Step 3: Configure the SMTP Service to relay mail to your mail server In this step, you configure the SMTP service to relay inbound messages to your mail server. Note: During installation, GFI MailSecurity will perform this step for you automatically. GFI MailSecurity will ask for your local domain name, and create it as a remote domain. You will see the domain listed in the right pane. However, if you do this step manually, you can confirm that your relay server is working properly before running the GFI MailSecurity installation.

Creating a local domain in IIS to route mail 1. Click Start, point to Programs, click Administrative Tools, and then

click Internet Services Manager. 2. Expand the tree under the server name, and then expand the

Default SMTP Virtual Server. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.

3. Configure the domain for inbound: a) Right-click the Domains icon, click New, and then click

Domain. b) Click Remote, click Next, and then type the domain name in

the Name box. Click Finish.

Configure the domain

IMPORTANT NOTE ABOUT LOCAL DOMAINS Note: Upon installation, MailSecurity will import local domains from the IIS SMTP service. If you want additional local domains, you have to


add these local domains in the MailSecurity configuration. For more information see ‘Adding additional local domains’ in the Advanced Topics chapter. If you add additional local domains in IIS SMTP service, they will not be automatically recognized until you enter them in the MailSecurity configuration. This allows you to setup remote smart hosts for particular domains that are not local.

Configure the domain to relay mail to your mail server: 1. In the properties for the domain that you just created, click to

select the Allow the Incoming Mail to be Relayed to this Domain check box.

2. If this is being set up for an internal domain, you should specify the server that receives email for the domain name by the IP address in the Route domain dialog box.

3. Click the forward all email to smart host option, and then type the IP address of the server that is responsible for email for that domain in square brackets. For example: [123.123.123.123] Note: Typing the IP address of the server in square brackets is necessary so that the server recognizes this is an IP address and not a host name.

4. Click OK.

Relay options

Step 4: Secure your mail relay server. In this step you will specify your mail server name, and any other mail servers that will send mail via this mail relay server. Effectively you will limit the servers that can send mail through this server: 1. Open the properties of the Default SMTP Virtual Server. 2. On the Access tab, click Relay.


3. Click Only the list below, click Add, and then add the IP of your mail server that will be forwarding the mail to this server. You can specify a single computer, group of computers or a domain:

a) Single computer: Specify one particular host that you want to relay off of this server. If you click the DNS Lookup button, you can lookup an IP address of a specific host.

b) Group of computers: Specify a base IP address for the computers that you want to relay.

c) Domain: Select all of the computers in a domain by domain name that will openly relay. This option adds processing overhead, and might reduce the SMTP service performance because it includes reverse DNS lookups on all IP addresses that try to relay to verify their domain name.

Step 5: Configure your mail server to relay mail via the mail relay server After you have configured the IIS SMTP service to send and receive mail, you must configure your mail server to relay all mail to the mail relay server. To do this;

If you have Microsoft Exchange Server 4/5/5.5: 1. Start up Microsoft Exchange Administrator. 2. Go to the Internet Mail Service and double-click on it to configure its properties.

The Microsoft Internet mail connector

3. Go to the Connections tab. 4. Message Delivery section, select 'Forward all messages to host'. Enter the computer name or IP of the machine running GFI MailSecurity. 5. Click OK and restart Exchange server. This can be done from the services applet.


If you have Microsoft Exchange Server 2000/2003: You will need to set-up an SMTP connector that forwards all mail to GFI MailSecurity: 1. Start up Exchange System Manager 2. Right-click on the Connectors Node->New->SMTP Connector and

create a new SMTP connector. You will be prompted for a name. 3. Now select the option "Forward all mail through this connector to

the following smart host", and type in the IP of the GFI MailSecurity server (the mail relay server) enclosed within square brackets [ ] (e.g.: [100.130.130.10]. Click OK to ADD.

4. Select the SMTP Server that the SMTP Connector will be working on. Go to the Address Space tab, and click Add. Select SMTP and click OK.

5. Click OK to exit. All mails will now be forwarded to the GFI MailSecurity machine.

If you have Lotus Notes: 1. Double click on the Address Book button in Lotus Notes 2. Click on Server item to open it’s sub-items 3. Click on Domains 4. Click on Add Domains 5. In the Basics section, select Foreign SMTP Domain from the

Domain Type field. 6. In the Messages Addressed to section type '*' in the Internet

Domain field. 7. In the Should be routed to section enter the IP number of the Mail

Essentials machine in the Internet Host field 8. Save the settings and restart the Lotus Notes server

If you have an SMTP/POP3 mail server: 1. Start-up the configuration program of your mail server. 2. Search for the option to relay all outbound mail via another mail

server. This option will be called something like 'Forward all messages to host’. Enter the computer name or IP of the machine running GFI MailSecurity.

3. If necessary, click OK and restart your mail server.

Step 6: Point the MX record of your domain to the mail relay server. Since the new mail relay server must receive all inbound mail first, you must update the MX record of your domain to point to the IP of the new mail relay server. Otherwise mail will continue to go to your mail server and by-pass GFI MailSecurity. If you run your own DNS server you need update this in your DNS server. If your ISP manages it for you, you need to ask your ISP to update the MX record for you. After you have done this, check if the MX record is correct using the following procedure.


Checking if the MX record for your domain is set correctly 1. Open command prompt. Type nslookup 2. Now type 'set type=mx' 3. Enter your mail domain. 4. The MX record should return a single IP. This IP must be the IP of

the machine on which GFI MailSecurity is installed!

Checking the MX record of your domain

Step 7: Test your new mail relay server! Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly. 1. Test IIS 5 SMTP inbound connection of your mail relay server by sending a mail from an external account to an internal user (you can use hotmail, if you don’t have an external account available). Verify that the mail client received the email. 2. Test IIS 5 SMTP outbound connection of your mail relay server by sending a mail to an external account from a mail client. Verify that the external user received the email. Note: Instead of using an email client, you can use Telnet and manually send an email. This will give you more troubleshooting information. Here is the link to the Microsoft KB article how to do it: http://support.microsoft.com/support/kb/articles/Q153/1/19.asp

Step 8: Running GFI MailSecurity set-up Step 1: Run GFI MailSecurity set-up by double-clicking the file MailSecurity.exe on the SMTP relay machine. GFI MailSecurity will also prompt you to check for a later GFI MailSecurity version. We recommend you do this and always use the latest version. Step 2: Confirm the License agreement. Step 3: Enter your Name, company, and License key. If you are evaluating the product, leave the default ‘Evaluation’. Click Next. Step 4: Set-up will now ask you to specify the administrator email address. Enter the e-mail address of the Administrator.

http://support.microsoft.com/support/kb/articles/Q153/1/19.asp



Step 5: Set-up will now ask you where you want GFI MailSecurity to be installed. GFI MailSecurity will need approximately 30 MB of free hard disk space. In addition to this, you must reserve approximately 200 MB for temporary files. Step 6: Set-up will now ask you to specify your mail server IP & port and your local domain. The local domain is the last part of your internal e-mail address, for example gfi.com. You can use the Test IP function to test whether the IP and port you specified are correct

Is Active Directory installed?

Step 7a: This step only occurs if Active Directory is installed! If Active Directory is installed, set-up will ask you whether this server has access to all Network users in Active Directory. This step is relevant if you are installing GFI MailSecurity on a machine in the DMZ that is not part of the main domain, and therefore will not have all users listed in Active Directory. In this case you can select that GFI MailSecurity will not use Active Directory to retrieve users. Users will


be based on SMTP e-mail addresses and not on Active Directory users. Users will be automatically added to a database as e-mail flows through the GFI MailSecurity scan engine. (Each internal email address is automatically added to the database) Step 7b: This step only occurs if Active Directory is NOT installed! GFI MailSecurity will ask you what type of internal mail server you are running.

What mail server you are running

In this dialog you have 3 options: 1. Microsoft Exchange Server 5.5. In this case, GFI MailSecurity

will synchronize its users with the Exchange Server 5.5 user database. If you select this option, after installation the GFI MailSecurity User synchronization wizard will start and retrieve users from your Exchange 5.5 server. Note: Install Microsoft Exchange administrator on the machine running GFI MailSecurity!

2. SMTP/POP3 server or Lotus Notes. In this case, GFI MailSecurity will automatically add users to a database as e-mail flows through the GFI MailSecurity scan engine. (Each internal email address is automatically added to the database)

3. Microsoft Exchange Server 2000/2003. This option is identical to the SMTP/POP3 server or Lotus Notes option. If GFI MailSecurity is running on the DMZ, and does not have access to all network users in Active Directory, GFI MailSecurity will automatically add users to a database as e-mail flows through the GFI MailSecurity scan engine. (Each internal email address is automatically added to the database) Note: If GFI MailSecurity is running on the DMZ, and does not have access to Exchange 5.5, you can also select this option.

The set-up program will now copy all program files to the selected destination, and finish the installation by creating a GFI MailSecurity program group. Click Finish to finish setup. The GFI MailSecurity services will now be started.


Step 8: You can check if GFI MailSecurity is running using the GFI MailSecurity monitor.


To monitor GFI MailSecurity: Click Start > Programs > GFI MailSecurity admin tools and select GFI MailSecurity monitor.

The Exchange 5.5 User synchronization wizard Note: In order for the synchronization wizard to run, install the Microsoft Exchange administrator on the machine running GFI MailSecurity! The User synchronization wizard is only applicable to Microsoft Exchange server 5.5 users. This wizard will automatically start after you have installed GFI MailSecurity AND selected that you are running Microsoft Exchange Server 5.5. This wizard will connect to Exchange server and synchronize users via DAPI, so as to allow you to configure rules on a per user basis.

Requirements to run the User Synchronization Wizard 1. The Exchange 5.5 administrator must be installed on the GFI MailSecurity machine. GFI MailSecurity requires certain DAPI DLL's installed by the Exchange 5.5 administrator, in order to successfully perform the synchronization process. 2. An account with administrative rights within the Exchange directory. You can either specify a separate account, or use your own admin account. If you use a separate account, you can use this procedure to grant an account admin rights in the Exchange 5.5 directory: • From the Exchange Administrator, open the Properties for the Site

against which synchronization should be performed. • In the permissions tab grant the Account used for synchronization

the 'Admin' role. • Repeat the same procedure for the 'Configuration' container within

the Site. • In case you want to synchronize multiple exchange sites you will

need to repeat the whole procedure for each of the sites.

Running the User synchronization Wizard Step 1: When the Wizard is started you are presented with the initial welcome screen. Click Next to Continue.


Step 2: The User sync wizard will ask you for: • The Exchange Server 5.5 machine name. • A username (use domain notation, i.e. domain\username) and

password which it should use to connect to the Exchange 5.5 server.

Note: that if you use an administrative account on which you change the password regularly, you will have to change the password for the synchronization service also. Step 3: Confirm the entries you specified by clicking on ‘Confirm settings’ and click Next. The wizard will now retrieve a list of sites from which you can retrieve users. Select the sites from which you wish to retrieve users and click Next. Step 4: User synchronization will now take place. GFI MailSecurity will install a new service, called the MailSecurity synchronisation service and will re-start a number of services. Click Next to finish. The GFI MailSecurity database will be populated with all users from the Exchange 5.5 directory.

Entering your License key after installation If you have purchased GFI MailSecurity, you can enter your License key in the General > Licensing node. If you are evaluating GFI MailSecurity with an evaluation key, the product will time out after 60 days. If you then decide to purchase GFI MailSecurity, you can just enter the License key here without having to re-install. Entering the License key should not be confused with the process of registering your company details on our website. This is important; since it allows us to give you support and notify you of important product news. Register on: http://www.gfi.com/pages/regfrm.htm In Gateway mode, you must license GFI MailSecurity based on the number of users in Active Directory that have an e-mail address configured.


Manual MailSecurity for Exchange/SMTP Configuring Content & Attachment checking • 27

Configuring Content & Attachment checking

Introduction to content checking This chapter explains how to set up content & attachment checking in GFI MailSecurity. The content checking feature allows you to setup a policy regarding what types of email you will allow on your mail server.

To set up such a policy, GFI MailSecurity uses the concept of 'Rules'. A rule is a condition that you set, for example, blocking all executable attachments. Other examples of rules are: • blocking all mails which contain certain words • blocking all mails with attachments that can contain programs or

scripts. (*.vbs) (Love Letter!) • blocking certain users sending attachments all together.

Types of Content checking rules There are two types of content checking rules: Content checking rule - this rule allows you to search a mail message and its attachments for certain words. This allows you to block mails and attachments with certain content. For example, you can block attachments with specific words. Attachment checking rule – An attachment checking rule allows you to block attachments of a certain type. Both rules can be applied to all users or a specified list of users.

Creating a content checking rule To create a content checking rule: 1. Highlight the content checking node in the GFI MailSecurity configuration. Right click and select New> Content checking rule. 2. A new rule will be created in the right pane. Highlight this rule and double-click it. A tabbed dialog will appear.

28 • Configuring Content & Attachment checking Manual MailSecurity for Exchange/SMTP

Checking the body & subject

A content checking rule (VSAPI mode)

3. In the general tab, you can specify whether you wish to apply this rule to apply to inbound mail, internal mail, outbound mail or all. You can also block PGP encrypted messages. 4. Now you can enter the conditions & keywords you wish to content check emails for. Select either 'Add Condition' to enter a condition that uses operands, or select 'Add Keyword' to enter a single keyword or a phrase.

Adding a condition

Adding conditions Conditions are combinations of keywords using the operands IF, AND, AND NOT, OR or OR NOT. Using conditions, you can specify combinations of words that must appear in the e-mail. For example a condition "If Word1 AND Word2" will check for Word1 and Word2. Both words would have to be present in the mail to activate the rule. To add a condition, select 'Add Condition'


Adding a keyword or phrase

Adding keywords If you only wish to check for single words or phrases, you do not need to create a condition. In this case you can just add a keyword. Select 'Add Keyword' to do this. If you enter multiple words, then GFI MailSecurity will search for that phrase. For example if you enter Basketball sports, then GFI MailSecurity will check for the phrase 'Basketball sports'. Only this phrase would activate the rule, not only the word basketball OR sports. 5. By default, only the message body of the mail will be checked. You can have GFI MailSecurity open an attachment and check for keywords in the attachment itself. To do this, click on 'Attachment checking options'. Enable 'Check these attachments', and specify the extensions of the attachments you wish to content check using the Add & remove buttons. Note: This option will cost processing time, since it is time intensive to search for words through attachments. Its best to only do this for doc, txt and rtf attachments and to quarantine other attachments. 6. After you have specified keywords and combinations to check for, you can select a number of options: Match whole words only: Enabling this option allows you to ensure that GFI MailSecurity will only block mails where the word you specify is a whole word. For example, if you specify the word sport, an email with the word sport will be blocked, but not an email with the word Allsports. Block PGP encrypted mails: This option will block/quarantine messages that are encrypted using PGP. This will allow you to intercept messages trying to bypass the GFI MailSecurity content checking engine. Import/Export: You can import keywords & conditions using the Import/Export function. To do this, create a text file and include each condition or keyword on a separate line. Phrases should be enclosed in “”. Condition operators should be written in capitals. Tip: Export a sample file to see the exact format. 7. You can now proceed onto the next tab and specify words that you wish to check for in the subject of the message.


Content checking rule – subject tab

Specifying the actions to be taken 8. After you have specified what the content rule should check for, you can now specify what should be done if GFI MailSecurity finds a mail with those words in the body.

Content checking rule – actions tab – gateway version

You can choose from the following options: Block mail & perform action: Enabling this will block the mail and allow you to either quarantine, delete or move the mail.


Quarantine e-mail: This will quarantine the mail or message part for review by an administrator. For more information on quarantining, see the chapter on Quarantining. Delete e-mail: (Gateway version only) This option will delete the entire e-mail. Delete body/attachment: This option will delete the ‘offending’ mail message part (i.e. body or attachment) Move mail to folder: This option will move the mail part to a folder. Notification The following notification options are available Notify user via mail: This option allows you to notify the user via e-mail that the message was blocked. Notify manager via mail: This option allows you to notify the users manager via e-mail that the mail was blocked. The manager of a user is specified in Active Directory. If no manager is specified the default manager is notified. The default manager can be configured from the quarantine options node. Log occurrence of rule to this file: Optionally you can log the fact that a rule was ‘activated’ to a log file of your choice. Note: You can also choose not to block the mail, but simply to notify the user or to log the occurrence of it.

Applying the rule to users 9. After you have configured what to check for and what to do, you can specify for which users GFI MailSecurity will apply this rule. By default, GFI MailSecurity will apply the rule to all emails. However, you can choose to apply the rule to only a few users. This can be done from the users tab.

The Content checking rule ‘Users’ tab


To add users, select add. GFI MailSecurity will automatically list all the users listed in Active Directory. If you do not have Active Directory, all known/imported SMTP addresses will be listed. You can then select to which users to apply the rule. Alternatively you can select the users to which the rule should not apply! You can also apply the rule to one or more mail enabled public folders. When you are ready specifying to which users the rule will apply, click OK to save the rule.

Renaming the rule After you have created and saved the rule, you can rename it. To do this, simply right click on the rule and select ‘rename’.

Creating an attachment checking rule An attachment checking rule allows you to block attachments of a certain type. The attachment checking rule differs from the content checking rule in that it only checks for a type of attachment. The content checking rule checks attachments also, but only for words contained in them. If running in Exchange VSAPI mode: Be careful when applying attachment rules! Some MAPI applications running on Exchange might be using vbs or exe files. You need to ensure that if this is the case, you don’t apply rules to quarantine exe or vbs files to mailboxes used by those applications. To create an attachment checking rule: 1. Highlight the Attachment checking node in the GFI MailSecurity configuration. Right click and select New> Attachment checking rule. 2. A new rule will be created in the right pane. Double-click on this rule. A tabbed dialog will appear.

The attachment checking rule


3. Specify whether to apply this rule to inbound mails, internal mails, outbound mails or all. To understand how GFI MailSecurity determines whether a mail is inbound, internal or outbound, see the chapter 'Advanced Use'.

Checking attachments 4. Specify which attachments to block. You can specify a list of attachments types or names to block, or you can specify a list of attachments which are allowed through, such as doc or txt.

Adding a file type or file name to block

To add a file to block, click on the ‘Add’ button. You can use asterisk (*) wildcards to specify file names that have certain strings in the name. For example specifying *orders*.mdb blocks files which contain the string 'orders' in the file name. *.jpg will block all jpg files. You can also block attachments based on size. To do this simply select ‘Block files greater than’ and enter attachment size.

The attachment checking rule ‘Actions’ tab.


Specifying actions to be taken 5. After you have specified what the attachment rule should check for, you can now specify what should be done if GFI MailSecurity finds that type of attachment. You can choose from the following options: Block attachment & perform action: Enabling this will block the attachment and allow you to either quarantine, delete or move the attachment. Quarantine attachment: This will quarantine the attachment for review by an administrator. For more information on quarantining, see the chapter on Quarantining. Delete attachment: This option will delete the attachment Delete e-mail: (Gateway version only) This option will delete the entire e-mail. Move attachment to folder: This option will move the attachment to a folder. Notification The following notification options are available Notify user via mail: This option allows you to notify the user via e-mail that the attachment was blocked. Notify manager via mail: This option allows you to notify the users manager via e-mail that the attachment was blocked. The manager of a user is specified in Active Directory. If no manager is specified the default manager is notified. The default manager can be configured from the quarantine options node. Note: This option is only available if you have Active Directory. If you don’t have Active Directory, the option is called “Notify Administrator via e-mail”. The administrator email address can be configured in the quarantine options dialog. Log occurrence of rule to this file: Optionally you can log the fact that a rule was ‘activated’ to a log file of your choice. Note: You can also choose not to block the attachment, but simply to notify the user or to log the occurrence of it.

Applying the rule to users 6. After you have configured what to check for and what to do, you can specify for which users GFI MailSecurity will apply this rule. By default, GFI MailSecurity will apply the rule to all email. However, you can choose to apply the rule to only a few users. This can be done from the users tab.


The Content checking rule ‘Users’ tab

To add users, select add. GFI MailSecurity will automatically list all the users listed in Active Directory. If you do not have Active Directory, all known/imported SMTP addresses will be listed. You can then select to which users to apply the rule. Alternatively you can select the users to which the rule should not apply. You can also apply the rule to one or more mail enabled public folders. When you are ready specifying to which users the rule will apply, click OK to save the rule.

Renaming the rule After you have created and saved the rule, you can rename it. To do this, simply highlight the rule, right click and select ‘rename’.

Manual MailSecurity for Exchange/SMTP Quarantining • 37

Quarantining

Introduction When an email does not pass the ‘content check’ and is quarantined by GFI MailSecurity, the email has to be reviewed by an authorized person (from now on called the administrator) and then approved or rejected. In GFI MailSecurity this review process can be done in the following ways: 1. Via an HTML email to the administrator 2. Via an HTML email sent to a public folder. 3. Via an HTML email to the users manager/supervisor 4. Using the moderator client 5. Using the web based moderator The advantage of using HTML email, is that the process is proactive, i.e. the moderator does not need to remember to check the moderator client. In addition, e-mails can be approved/rejected directly from an e-mail client, anywhere on the network. Furthermore, it allows the burden of moderating emails to be distributed either amongst the managers of the users, or to a public folder. By giving access to more then one person to the public folder, the moderating burden can be divided. The advantage of using either the moderator client or the web based moderator is that the interface is optimized for faster/batch approving/rejecting of mails.

Quarantine options You can set-up how mail should be quarantined from the Quarantine options node in the GFI MailSecurity configuration. To do this, right click on the Quarantine options node and bring up the Quarantine options properties.

38 • Quarantining Manual MailSecurity for Exchange/SMTP

Quarantine mode

Now configure who should moderate the e-mail:

1. Send quarantined mail to the user's manager: This option will send the mail to the manager of the user as configured in Active Directory. (See below how to do this)

2. Send all quarantined mail to the following e-mail address: This option will send all quarantined mails to a single user, usually the network administrator. 3. Send all quarantined mail to a mail enabled public folder: This option allows you to specify a public folder. By giving multiple users access to this folder, you can divide the moderating burden. Note: This option only appears if you are using the VS API mode. Its possible to use a public folder in Gateway mode too, however in that case you will need to specify the email address of the public folder in option 2.


Quarantine options

Quarantine options

In the Quarantine options tab you can specify how you want approved quarantined items to be delivered to recipients: Always send file as attachment: This option always attaches the quarantined item in e-mail. If using GFI DownloadSecurity, this option is not recommended, because mail could slow down if the user downloads a very large file. Send link instead of attachment if file exceeds a number of bytes: This option sends a link if the file is large. Always send link instead of attachment: This option always send a link.

Configure a manager in Active Directory This option is only available if you have Active Directory To configure a manager of a user in Active Directory: 1. Start Active Directory Users & Computers and go to the users node, 2. Now select the user for whom you want to configure the manager. Double-click to bring up the user's properties. 3. Go to the Organization tab. Now click on the manager button to specify the user's manager


Configuring a manager in Active Directory

Approving/rejecting mail via an e-mail client When email is quarantined, the administrator is notified by receiving the actual mail that is quarantined. The subject of the mail will show which mail user triggered the quarantine and what the reason of the quarantine was.

A quarantined email in a public folder

The quarantined e-mail notification will contain the reason for quarantining, the quarantined item as attachment, and the following three options:


Approve Message: This will approve the message and it will automatically be sent to the recipient. Delete Message: This will delete the message. Delete and Notify: This action will delete the message, and notify the sender that the message was not sent out. You can select your preferred action. Note that you can also forward the mail directly to the recipient, or to another user using the forward function of your e-mail client.

You can notify the user automatically about the outcome of the quarantine

Approving/rejecting mail using the Moderator Client When email is quarantined, it is also listed in the moderator client. The moderator client lists all the emails that have been quarantined. This utility allows you to approve or reject messages in a more ‘high volume’ fashion, since you can approve/reject multiple messages in one go. The moderator client is slightly different depending on whether you have installed GFI MailSecurity in VS API or in Gateway mode. If installed in Gateway mode, GFI MailSecurity will allow you to delete an entire mail, not only a message part. In addition if a mail has multiple ‘offending’ parts, then they will be grouped.

The moderator client – gateway version


To use the moderator client: 1. Start up the moderator client from the MailSecurity program group. The client consists of a 2 pane interface, which allows you to quickly view all quarantined messages. In addition, you can view: Critical Failures: Lists all processing errors Notifications: Lists all messages that GFI MailSecurity has generated regarding events that happened, such as updating the virus definition files. 2. To approve or reject a mail, simply click on the ‘Quarantined mails’ node. This will show you a list of quarantined mails. You can now approve or reject a mail by right clicking on a mail and selecting the appropriate action.

Approving mail using the moderator client

Using the remote moderator client The third method to approve or reject mail is to use the web based remote moderator client. The web based remote moderator lists all the emails that have been quarantined. This utility allows you to approve or reject messages in a more ‘high volume’ fashion, since you can approve/reject multiple messages in one go. The moderator client is slightly different depending on whether you have installed GFI MailSecurity in VS API or in SMTP Gateway mode. If installed in Gateway mode, GFI MailSecurity will allow you to delete an entire mail, not only a message part. In addition if a mail has multiple ‘offending’ parts, then they will be grouped.


The web based remote moderator

To use the remote moderator: 1. Ensure that you have installed the web based moderator

according to instructions in the paragraph setting up the web based moderator (further on in this chapter)

2. Go to the following URL and enter authentication http://<mailsecurityserver_name>/remotemoderator (this depends on how you have configured it)

3. After authentication, the remote moderator will show you the quarantined mails on the right hand side. On the left hand side, there are 3 sections: • Viewing – allows you to select between viewing quarantined

mails, critical failures or notifications. • Messages – allows you to perform operations on quarantined

mails, such as select all or approve or reject. • Navigation – allows you to navigate.

A quarantined item in the remote moderator


4. To approve or reject a mail, expand the quarantined mail by clicking on the arrow to the right of the mail. The reason for quarantining the mail will be listed. You can view the mail by clicking on the show email link. You can view the headers of the mail by clicking on the headers.txt link

Viewing email content in the remote moderator

5. You can then either approve or reject the WHOLE MAIL or just a particular MAIL PART: • To approve or reject the whole mail, tick the check box in front

of the mail and select Delete, Delete & Notify or Approve in the ‘Messages’ section to the left of the mail.

• To approve or reject a mail part, click on the appropriate button just below the mail part.

Approving mail using the web based moderator

6. Besides quarantined mails, you can view: Critical Failures: Lists all processing errors


Notifications: Lists all messages that GFI MailSecurity has generated regarding events that happened, such as updating the virus definition files. To view these simply click on the appropriate heading in the ‘Viewing’ section.

Quarantined mail from the user point of view The quarantining of mail is largely transparent to the mail user. It differs slightly depending on which mode you are running GFI MailSecurity in.

If running in SMTP gateway mode For inbound & outbound mail, users will receive the quarantined mail or attachment as soon as the administrator approves it.

If running in VS API Exchange mode For inbound mail, users will receive the quarantined email or attachment as soon as the administrator approves it. For outbound mail however, the procedure is a little more complex. This is due to the fact that GFI MailSecurity does not receive recipient information via VS API, and therefore, GFI MailSecurity will generate a mail that the user has to forward to the original recipient.

Forwarding an attachment that got quarantined to the original recipient

Ticketing system (VS API mode) The system that allows outbound mails to be sent after they have been quarantined is called the ticketing system. Basically what happens is that a new message, containing the file attachment or the original mail that was quarantined is sent to the user, accompanied by


a ticket number, giving the user 24 hours to forward the mail or attachment to the original recipient. The user can modify the body of this approval ticket mail, but not the attachment.

Setting up the web based moderator In order to use the web based moderator, you will need to setup the moderator via the IIS configuration. To do this, follow these steps: 1. The MailSecurity installation installs all the necessary files in the MailSecurity\RemoteModerator folder. This folder contains a sub folder wwwroot, which contains the Web based Moderator files.

Creating the virtual directory.

2. To use the Web based moderator, you need to create a virtual directory in IIS, pointing to the wwwroot folder. To do this, open up Internet Services Manager, right click on the Web Site node, and from the popup menu select New – Virtual Directory.

Naming a Virtual Directory Alias.

3. This will start the Virtual Directory Creation Wizard. Click Next to continue. Now you need to give the alias for the virtual directory. In


this case it is RemoteModerator, but you can enter whatever name you like, as long as it follows the folder naming conventions used in Microsoft Windows. See Figure 3 below.

Selecting the web site content directory.

4. Now enter the path where the content is located. From the wizard select browse, and select the sub folder wwwroot under RemoteModerator folder in the MailSecurity installation path. 5. Next we need to set the access permissions for the Remote Moderator Client. From the check boxes available select only Read and Run Scripts. Now click next to finish the Virtual Directory Creation Wizard

Setting the Virtual Directory Access Permissions.


The newly created virtual directory.

6. Now right click on the newly created virtual directory, located under the web root of your web site server and select properties

Virtual Directory Properties Tab.

7. From the properties dialog, select the Read, Log Visits and Index this resource check boxes in the Virtual Directory tab. For Execute Permissions, select Scripts Only. See Figure 9 for more information. 8. Next press on the configuration button. The Application Configuration dialog pops up. Go to the App Options tab and set the settings as shown in the screenshot. Make sure to set the ASP Script Timeout value to 600 or above. Some operations can take time, especially if the machine is heavily loaded. This makes sure that the scripts will not timeout. Press OK when ready to close the dialog.


Settings in Application Configuration dialog.

9. Press OK once again in the properties dialog box to close it.

Securing the web based moderator Since the Remote Moderator Client provides administrative control on messages and files, quarantined by GFI MailSecurity or GFI DownloadSecurity, it is important that proper authentication is performed. There are three ways to secure the Remote Moderator Client. These are Basic Authentication, Digest and Integrated Windows Authentication. Integrated Windows Authentication is the preferred choice in an Active Directory environment, because it makes the authentication process seamless, since initially it does not prompt users for their user name or password information. Rather, it uses the current Windows user information on the client computer for authentication. If you are installing GFI MailSecurity on a DMZ, you must use Basic authentication. The following steps show how to secure access to the Web based moderator. 1. Open up Internet Services Manager. Right click on the Remote Moderator Client virtual directory under your server web site and select properties. 2. Under the Virtual Directory tab make sure to deselect Directory Browsing. 3. Select the Documents tab and remove all the default documents. Add the following default document ‘main.asp’.


Default document for the Web based moderator.

4. Next select the Directory Security tab and click on the Edit button for the Anonymous access and authentication control group. 5. Select Integrated Windows authentication (recommended if installed on the internal network) OR Basic Authentication check box (if installed in the DMZ). Ensure Anonymous access is deselected.

Authentication methods for Remote Moderator Client.

If using Integrated Windows authentication, then authentication will occur against Active Directory. This means you do not need to configure additional users. If you use basic authentication, authentication will occur against the local user database on the machine. In this case you must create user names and passwords on


that local machine. For more information on securing IIS, please review the IIS documentation. Be sure not to allow anonymous access! 6. Now restrict access to the accounts you want by using NTFS permissions. Open up Explorer and navigate to the wwwroot subfolder under RemoteModerator folder in the MailSecurity installation path. Right click on the ‘wwwroot’ sub folder and select properties and then the Security tab. 7. Add / remove the users / groups you want to allow access to the Remote Moderator Client. To allow access only to users forming part of the administrators group you would set the security tab as in the screenshot. Click OK. You have now secure the web based moderator.

Setting the Web based Moderator NTFS permissions.

If you are using GFI DownloadSecurity: You need to exclude the URL of the web based moderator, in order to avoid duplicate quaranting of files. To do this: 1. Open up the ISA Management console. Expand the Server node where GFI DownloadSecurity is installed, and go to the Extensions – Web Filters sub node. Right-click on the DownloadSecurity filter item in the right pane of the ISA Management console. 2. In the DownloadSecurity Filter Properties dialog box, add the domain of the server where you have installed the Remote Moderator Client, to the Do not scan these URL’s list. Press the OK button to close the dialog box. This will cause GFI DownloadSecurity not to check files on the web based moderator website.

Manual MailSecurity for Exchange/SMTP Configuring Virus checking • 53

Configuring Virus checking

Configuring scanning engines GFI MailSecurity can virus check all inbound, internal and outbound mail. All mails with viruses will be quarantined for review by an administrator. One of the key features of GFI MailSecurity is that it can use one or more virus scanning engines. As standard, both the Norman Virus Control engine and the BitDefender virus scanning engine are included. Optionally you can license the McAfee virus scanning engine. The Norman Anti virus engine is a proven and reliable virus detection engine, which has received many awards and certifications, including the industry leading certifications of ICSA, VirusBTN and Check mark. The BitDefender is a new and innovative virus scanning engine, which has receive ICSA certification. It is important to note that checking inbound mail with an anti virus engine is only a small part of GFI MailSecurity. You must setup content checking of inbound and outbound mail as well, in order to block email with scripts.

Configuring Virus scanning engines To configure virus checking, go to the virus scanning engines node. This node lists all installed virus scanning engines. You can configure each virus scanning engine separately.

Deleting/Quarantining infected mails You configure GFI MailSecurity to either delete a virus infected mail, delete the infected part only (for example the attachment) or quarantine a virus infected mail. This can be done from the Virus scanning engines properties dialog. To do this:

54 • Configuring Virus checking Manual MailSecurity for Exchange/SMTP

Virus Scanning Properties

1. Go to the Virus scanning engines node, right click and select properties. 2. The Virus scanning engines properties dialog will appear. Select whether to quarantine, delete infected message part only or delete entire mail and click OK.

Norman Virus Control configuration To configure the Norman Virus Control engine: 1. Go to the Virus scanning engines > Norman Virus Control node, right click and select properties. 2. Enable virus checking for inbound mail, internal mail, outbound mail or all.

Virus checking options


Microsoft Office macro settings 3. Norman Virus Control also allows you to block Office documents that contain macros. You can select one of the following options: Do not check macros (not recommended) – This option will cause GFI MailSecurity to ignore macros and just rely on the anti virus engine to check for new viruses. Block all documents containing macros – This option will quarantine all Microsoft Office attachments that contain macros.

Blocking word macros It is highly recommended to quarantine all macros. This will effectively protect you 100% from any unknown macro viruses. Some macros are not viruses, but macros received via the Internet are highly suspicious. Of course the Virus engine will check for known viruses, but new email viruses can spread so fast that your system can become infected before the virus signatures has been updated. (This happens with all anti virus engines). In addition, malicious hackers, could use a custom made macro embedded in a word document to attack your company to install a Trojan or obtain confidential information. Norman scanner engine information 4. The section in the general tab displays the scanning engine version as well as the date of the current signature files.

Virus updates settings

Virus updates settings You can set-up virus update settings from the updates tab. To enable checking for updates, ensure that the ‘Automatically check for updates option is ticked’. You can then choose to automatically download the updates or just be notified when new updates are available. You can specify the interval under the ‘Download/Check every:’ option.


Triggering the virus update manually You can trigger a manual download of the virus updates by clicking on the 'Download updates now' button.

Update options General update options, for example download mode and download location, can be configured General > General settings node in the MailSecurity configuration. For more information on general update options, please see the General Options chapter, paragraph update options.

Norman Web site For more information about the virus patterns included in the Norman Virus Control (NVC) engine, go to the NVC website at: http://www.norman.no/technical_nvc.shtml

BitDefender configuration To configure the BitDefender engine: 1. Go to the Virus scanning engines > BitDefender node, right click and select properties. 2. Enable virus checking for inbound/internal and/or outbound mail. The anti virus engine options are identical to the options for the Norman engine. For a description, see the paragraph on the Norman Virus Control configuration.

Configuring the BitDefender anti virus engine

BitDefender Web site For more information about the virus patterns included in the BitDefender engine, go to the BitDefender website at: http://www.bitdefender.com

http://www.norman.no/technical_nvc.shtml

http://www.bitdefender.com


McAfee configuration Note: The Mc Afee engine is purchased separately: The engine is not included in the base product. As standard, GFI MailSecurity includes both the Norman and the Bitdefender anti virus engine. For pricing information on adding the Mcafee anti virus engine, please see the GFI website. To configure the McAfee engine: 1. Go to the Virus scanning engines > McAfee node, right click and select properties. 2. Enable virus checking for inbound/internal and/or outbound mail. The anti virus engine options are identical to the options for the Norman engine. For a description, see the paragraph on the Norman Virus Control configuration.

Configuring the McAfee anti virus engine

McAfee Web site For more information about the virus patterns included in the McAfee engine, go to the McAfee website at: http://www.mcafee.com

Kaspersky configuration Note: The Kaspersky virus engine is purchased separately: The engine is not included in the base product. As standard, GFI MailSecurity includes both the Norman and the Bitdefender anti virus engine. For pricing information on adding the Kaspersky anti virus engine, please see the GFI website. To configure the Kaspersky engine: 1. Go to the Virus scanning engines > Kaspersky node, right click and select properties. 2. Enable virus checking for inbound/internal and/or outbound mail.

http://www.mcafee.com


The anti virus engine options are identical to the options for the Norman engine. For a description, see the paragraph on the Norman Virus Control configuration.

Configuring the Kaspersky anti virus engine

Kaspersky Web site For more information about the virus patterns included in the Kaspersky engine, go to the Kaspersky website at: http://www.kaspersky.com

http://www.kaspersky.com

Manual MailSecurity for Exchange/SMTP The Email Exploit engine • 59

The Email Exploit engine

Introduction to e-mail exploits

What is an exploit? An exploit uses known vulnerabilities in applications or operating systems to compromise the security of a system, for example execute a program or command, or install a backdoor. It "exploits" a feature of a program or the operating system for its own use.

What is an e-mail exploit? An email exploit is an exploit launched via email. An email exploit is essentially an exploit that can be embedded in an email, and executed on the recipient’s machine either once the user opens or receives the email. This allows the hacker to bypass firewalls and anti-virus products.

Difference between Anti Virus software & Email exploit detection software Anti-virus software is designed to detect malicious code. It does not necessarily analyze the method being used to execute the code. The email exploit detection engine analyses emails for exploits - i.e., it scans for methods to execute a program or command on the user’s system. The email exploit engine does not check whether the program is malicious or not. Rather, it assumes a security risk if an email is using an exploit in order to run a program or command - whether or not the actual program or command is malicious. In this manner, the email exploit engine works like an intrusion detection system (IDS) for email. The email exploit engine might cause more false positives, but it is more secure than a normal anti-virus package, simply because it uses a totally different way of checking for e-mail threats. Furthermore, the email exploit engine is optimized for finding exploits in email, and can therefore be more effective at this job than a general purpose anti-virus engine.

60 • The Email Exploit engine Manual MailSecurity for Exchange/SMTP

Configuring the email exploit engine

Configuring the Email exploit engine

Disabling email exploits You can configure which exploits GFI MailSecurity should check for. For example, some exploits might not apply to your network, in which case you can disable checking for them. You can disable an exploit check by going to the exploit engine node and right clicking on the exploit in the right pane, and selecting disable. You can disable all exploits by disabling the email exploit engine. To do this right click on the email exploit engine node and select ‘disable engine’.

Email exploit engine properties

Email exploit engine properties

Manual MailSecurity for Exchange/SMTP The Email Exploit engine • 61

You can configure what GFI MailSecurity should do with an email that contains an email exploit. You can either quarantine or delete the e-mail. You can change this setting by right-clicking on the exploit engine node, and selecting properties.

Email exploit update settings

Configuring exploit updates

You can configure the Email Exploit engine to automatically download new exploits as they come available. This can be configured from the updates tab of the Email Exploit general properties dialog. To access this dialog right click on the Email Exploit Engine node, right-click and select properties. To enable checking for updates, ensure that the ‘Automatically check for updates option is ticked’. You can then choose to automatically download the updates or just be notified when new updates are available. You can specify the interval under the ‘Download/Check every:’ option.

Triggering the update manually You can trigger a manual download of the updates by clicking on the 'Download updates now' button.

Update options General update options, for example download mode and download location, can be configured from the General > General settings node in the MailSecurity configuration. For more information on general update options, please see the General Options chapter, paragraph update options.

Manual MailSecurity for Exchange/SMTP The HTML Threat Engine • 63

The HTML Threat Engine

Introduction to the HTML Threat Engine The HTML threat engine (previously called email threat engine) is designed to analyze HTML emails for potential threats and defuse them. The HTML threat engine basically analyses inbound HTML e-mail for HTML scripts. As soon as it finds an HTML script, it disables the script by replacing the script with placeholders. The effect of this is that the mail can still be sent to the recipient, and the recipient can read the e-mail as usual, including formatting and images, but the e-mail is totally harmless.

This HTML defusing is an automatic process and happens without administrator intervention. The HTML defusing process is patented by GFI Software Ltd.

Why defuse HTML scripts? The introduction of HTML mail has allowed senders to include scripts in email that can be triggered automatically upon opening mail. HTML scripts are used in a number of headline hitting viruses, such as the KAK worm. Also HTML scripts can be used in one-off attacks directed towards particular users and particular companies. So it’s recommended that you disable HTML scripts in e-mail. The HTML script defuser is an easy way to do this.

64 • The HTML Threat Engine Manual MailSecurity for Exchange/SMTP

Configuring the HTML Threat Engine

Configuring the HTML Threat engine

The email threat engine is installed and configured by default. All you need to do is enable it and select medium or high security. In medium security mode, all highly dangerous HTML scripts are defused. In High Security mode, ALL HTML scripts are defused.

Manual MailSecurity for Exchange/SMTP The Trojan & Executable Scanner • 65

The Trojan & Executable Scanner

Introduction to the Trojan & executable scanner GFI MailSecurity 8 includes an advanced Trojan and executable scanner, which is able to analyze what an executable does, and quarantine any executables (for example Trojans) which perform suspicious activities.

What Is A Trojan Horse? The Trojan Horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war. The enemy accepted this gift and they brought it into their kingdom, and during the night, Greek soldiers crept out of the horse and attacked the city. In computers a Trojan horse is a way to enter a victims computer undetected, allowing unrestricted access to the data stored on that computer to the attacker, causing great damage to the victim, just like the citizens of Troy. A Trojan can be hidden, as a program that is being run on your computer which you don’t know about, or it can be ‘wrapped’ into a legitimate program meaning that a program that you use might have hidden functions that you don’t know about.

Difference between Trojans and Viruses The difference between Trojans and Viruses is that Trojans are often ‘one-off’ executables, targeted towards a specific user to obtain specific information. Anti virus software, which is ‘signature based’ is unable to detect these types of Trojans. In deed any software that uses signatures only to detect malicious software will not be effective in detecting these threats (including specialized anti Trojan software). Signature based software can only detect known viruses and Trojans, which is why they need frequent updates. However, these types of software will never get to know about these one-off Trojans.

66 • The Trojan & Executable Scanner Manual MailSecurity for Exchange/SMTP

The Trojan executable scanner configuration

How the Trojan & executable scanner works GFI MailSecurity takes a different approach by including built-in intelligence to rate the risk-level of an executable. It decompiles the executable, and detects in real time what the executable might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. This way, potentially dangerous, unknown or one-off Trojans can be detected before they enter your network.

Configuring the Trojan & Executable scanner The Trojan & Executable scanner can be configured from the Trojan & Executable scanner node. If you select the Trojan & Executable Scanner node, the checks that the Trojan executable scanner performs are listed in the right-hand side pane. However this is just for informational purposes. The main configuration option is selecting the security level of the Trojan & Executable scanner. What this does is determine what level of risk you allow an executable to have before it is quarantined. High Security quarantines almost all executables. Low security will allow many executables through.

Configuring security level

Selecting the security level.

To configure the security level, right click on the Trojan Executable scanner node and select properties.

Manual MailSecurity for Exchange/SMTP The Trojan & Executable Scanner • 67

Now move the slider to select what risk level of executables you want to let through: • High Security: Quarantines almost all executables. If the

executable contains any signature it will get quarantined. • Medium Security: Quarantines suspicious executables. If the

executable contains 1 high risk signature or a combination of high risk and low risk signatures it will get quarantined.

• Low Security: Quarantines executables which are most probably malicious. If the executable contains at least 1 high risk signature it will get quarantined.

Skip attachment checking If an executable is quarantined because of its risk level, the administrator must approve or reject the executable. You can configure GFI MailSecurity to then bypass the attachment checking module, in order to avoid the file being quarantined again. To do this, tick the check box next to ‘Skip Attachment checking if the executable is approved’

Trojan & Executable scanner update settings

Configuring Trojan & exe scanner definition updates

You can configure the Trojan & Executable Scanner to automatically download new updates as they come available. This can be configured from the updates tab of the Trojan and Executable scanner properties dialog. To access this dialog right click on the Trojan & Executable Scanner node, right-click and select properties. To enable checking for updates, ensure that the ‘Automatically check for updates option is ticked’. You can then choose to automatically download the updates or just be notified when new updates are

68 • The Trojan & Executable Scanner Manual MailSecurity for Exchange/SMTP

available. You can specify the interval under the ‘Download/Check every:’ option.

Triggering the update manually You can trigger a manual download of the updates by clicking on the 'Download updates now' button.

Update options General update options, for example download mode and download location, can be configured from the General > General settings node in the MailSecurity configuration. For more information on general update options, please see the General Options chapter, paragraph update options.

Manual MailSecurity for Exchange/SMTP Decompression engine • 69

Decompression engine

Introduction to the decompression engine The decompression engine is used to decompress compressed files (archives). The GFI decompression engine can recognize 70+ different compression formats.

The decompression engine

Configuring the decompression engine You can specify the way that files should be decompressed in the decompression engine node. The node lists what can be configured in the right pane: 1. Check password protected archives 2. Check corrupted archives 3. Check for amount of files in archives 4. Check for recursive archives 5. Check size of uncompressed files in archives 6. Scan within archives You can enable or disable each option by either right-clicking on them and disabling/enabling via a popup menu or by double-clicking on the option to get the properties for that option.

70 • Decompression engine Manual MailSecurity for Exchange/SMTP

Check password protected archives

What to do with password protected archives

This option allows you to configure what to do with password protected archives. You can: Quarantine – This will quarantine the archive for administrator review Skip all modules - this will allow the archive to bypass all content security & anti virus checking. Be careful with this option! Automatically delete – this will automatically delete the archive. Optionally you can notify user via email when the password protected file is deleted.

Check corrupted archives This option allows you to configure what to do with corrupted archives. You can: Quarantine – This will quarantine the archive for administrator review Skip all modules - this will allow the archive to bypass all content security & anti virus checking. Be careful with this option! Automatically delete – this will automatically delete the archive. Optionally you can notify user when a corrupted file is deleted automatically.

Manual MailSecurity for Exchange/SMTP Decompression engine • 71

Check for recursive archives

What to do with recursive archives

This option allows you to configure what to do with archives that contain more then a certain number of levels of archives (archives within archives). This is also referred to as a recursive archive or a nested archive. A high number of archive levels can indicate a malicious archive: Recursive archives can be used in a DoS attack, since many content scanning & anti virus packages will crash if you send them a recursive archive with many levels of archives. You can configure the maximum level of archives, and what to do with an archive that contains more levels of archives. Then you can: Quarantine – This will quarantine the file for administrator review Automatically delete – This will automatically delete the archive. Optionally you can notify user via email when an archive is automatically deleted.

Check for amount of files in archives This option allows you to configure what to do with archives that contain more then a certain number of archives. You can configure the limit of archives an archive should contain, and what to do with archives that contain more then that limit. Then you can: Quarantine – This will quarantine the archive for administrator review Automatically delete – This will automatically delete the archives. Optionally you can notify user via email when an archive is automatically deleted.

Check size of uncompressed files in archives This option allows you to configure what to do with compressed archives which, when unpacked, are larger then a certain size. Hackers sometimes use this method in a DoS attack: By sending a file that uncompresses to a very large file, they can often crash content

72 • Decompression engine Manual MailSecurity for Exchange/SMTP

security or anti virus software. You can configure the total size of the uncompressed files, and what to do with archives that contain more then that limit. Then you can: Quarantine – This will quarantine the archive for administrator review. Automatically delete – This will automatically delete the archive. Optionally you can notify user via email when an archive is automatically deleted.

Scan within archives This option allows you to disable attachment checking of files in archives. Effectively it means that files in the archive will bypass the attachment checking module.

Manual MailSecurity for Exchange/SMTP Remote monitoring & administration • 73

Remote monitoring & administration

Installing the remote monitor/configuration GFI MailSecurity can be configured and monitored remotely. To be able to monitor and configure GFI MailSecurity remotely, you must first install the GFI MailSecurity remote admin tools.


The set-up for these tools can be found in the GFI MailSecurity subdirectory 'remote install'. To install the remote monitor: 1. Go to the machine on which you wish to install the remote configuration. 2. In Windows explorer, browse to the machine running GFI MailSecurity, and go to the remoteinstall share. Double-click 'remotetools.exe' and follow the set-up instructions. 3. You will be asked to specify the machine name where GFI MailSecurity is running. When set-up is finished, you can go to the GFI MailSecurity admin tools program group to configure or monitor the GFI MailSecurity server remotely. NOTE: If you can't access the share, set-up read and write permissions to the following directories: <GFI MailSecurity root folder>\RemoteInstall (sharename RemoteInstall) <GFI MailSecurity root folder>\Data (sharename Data) <%RootDrive%>\Program Files\Common Files\GFi Shared\GFIM\Data (sharename GFIMDat)

Check that you can actually read and write to the shares from the machine where the Remote admin tools will be installed. Note: By default only administrators have access to the remote monitor and configuration share. If you add additional users, you have to give users access to the share.

Configuring & monitoring GFI MailSecurity remotely To configure GFI MailSecurity remotely:

74 • Remote monitoring & administration Manual MailSecurity for Exchange/SMTP

1. Click Start > Programs > GFI MailSecurity admin tools and select GFI MailSecurity configuration. The GFI MailSecurity configuration will start.

2. You can now modify GFI MailSecurity settings as if you we're on the GFI MailSecurity server.

To monitor GFI MailSecurity remotely: 1. Click Start > Programs > GFI MailSecurity admin tools and select

GFI MailSecurity monitor. 2. You can now monitor GFI MailSecurity remotely.

Switching to another server to monitor or configure

Configuring a different GFI MailSecurity server If you have multiple GFI MailSecurity servers in your network, you can manage them from the same Remote configuration. To switch to another server to configure: 1. Right-click on the root node, GFI MailSecurity, and select 'Connect to another computer'

Switch to another server to configure or monitor

2. Now enter the computer name and click OK. You can now configure another server.

Monitoring a different GFI MailSecurity server 1. In the file menu, select the option 'Connect' 2. Now enter the computer name and click OK. You will now be

monitoring another server.

Manual MailSecurity for Exchange/SMTP General options • 75

General options

General options

The general node allows you to configure a number of general options, including general settings, licensing and versioning information. To configure general settings, right click on the general > general settings node, and select properties.

Configuring general settings (gateway)

76 • General options Manual MailSecurity for Exchange/SMTP

Server name: All notifications and quarantined mails are sent via the SMTP service or Exchange Server. By default the server on which GFI MailSecurity is installed is used. If you need to change this to another machine, you can do so here. The Verify button allows you to verify that GFI MailSecurity can send mail via this server.

Update options

Configuring update options

The options for updating Virus definitions, Email Exploits and Trojan and Executable scanner definitions are configured from the Updates tab in the General properties dialog. In this tab you can configure: • Whether to check for updates on the internet • Or download updates from a directory on your network. This option

is useful if you have many MailSecurity servers and you prefer to download the updates to a single central location.

If you select to check updates from the internet, you have to select 2 further options: Download mode You can select between HTTP, active FTP or passive FTP. We recommend using active FTP or HTTP. Using HTTP saves you having to configure the firewall. WE RECOMMEND USING HTTP IF YOU HAVE A FIREWALL! Preferred Update server You can select a preferred update server. Select update.gfi.com if you are located in the US/Canada and update.gfisoftware.com if you are located in Europe or other part of the world.


Note about Proxy servers: GFI MailSecurity uses Internet Explorer settings to download, so if you use a proxy server, you must setup Internet Explorer to work correctly with that proxy server. Note about Firewall & FTP: If you are behind a firewall, and have selected to use active FTP, you have to enable an FTP connection on the firewall which lets the machine where GFI MailSecurity is installed open an FTP connection (PORT 21 & 20) to host ftp.gfi.com or ftp.gfifax.de For a description how to make this set-up with Microsoft ISA server, see the chapter 'Advanced Use'. If you have a firewall, do not select passive FTP. We recommend using HTTP if you have a firewall. Note: If you don’t wish to configure your firewall to allow FTP downloads, simply select HTTP as the download mode If downloading fails: If the download of the virus update files fails, a file called autodown.txt will be created in the GFI MailSecurity/debuglogs directory. If this happens, please send these files to [email protected].

VS API Scanning modes This section applies only to the Exchange VS API mode If you have installed GFI MailSecurity in VS API mode, the general settings dialog will contain a VS API tab. Here you can configure the VS API Scanning mode: You can select the type of VS API scanning mode that you want GFI MailSecurity to use. GFI MailSecurity supports all 3 VS API scanning modes. These scanning modes are part of VS API. You can select which scanning mode GFI MailSecurity should use from the General options > VS API tab. The VS API tab is located in the general properties dialog, which can be accessed by right clicking on the general > general settings node and selecting properties. VS API provides 3 scanning modes. Two of these modes, on demand and pro active, are mutually exclusive, where as background scanning can be turned on as an option in either mode.

On demand scanning In this mode, a new message gets scanned as it gets accessed by the e-mail client. That means there will be a short delay before the user can access the message.

ftp://ftp.gfi.com

ftp://ftp.gfifax.de



GFI MailSecurity VS API scanning modes

Pro active scanning In this mode, new messages get submitted to the queue for scanning upon receipt. However if an e-mail client accesses a new message, scanning of this message will receive higher priority. This is the recommended scanning mode.

Background scanning In this mode, all EXISTING messages in the store are scanned. This setting will cause GFI MailSecurity to scan all messages in the stores. Depending on how many messages you have in the stores, Exchange & GFI MailSecurity will be very busy for a period of time after enabling this option. If you want to do this, we suggest switching it on the first time during the night, so that the bulk of the scanning work can be done during the night. For more information about scanning modes: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285667

Adding additional local domains This section applies only to the SMTP Gateway mode GFI MailSecurity needs to know what your local domains are to be able to know if a mail is inbound or outbound. During installation, GFI MailSecurity will import local domains from the IIS SMTP service. If however you wish to add or remove local domains afterwards, you can do so from the local domains tab in the general > general settings node properties:

http://support.microsoft.com/default.aspx?scid=kb


Adding a local domain

1. Right-click on the general settings node and select properties to access this dialog.

2. Now enter the local domain This feature is handy because in some cases you might want to configure local mail routing in IIS differently, for example add domains which are local for mail routing purposes but are not local for your mail server.

Changing the bindings

Changing the SMTP server that GFI MailSecurity is bound to

This section applies only to the SMTP Gateway mode


GFI MailSecurity relies on the IIS SMTP service to send and receive SMTP mail. It binds with your default SMTP virtual server. If you have multiple SMTP virtual servers installed on your machine, you can bind GFI MailSecurity to another SMTP virtual server in this dialog.

Checking number of licensed users

Checking number of licensed users

The License key dialog not only allows you to enter the License key, it allows also you to see how many licenses you must have for GFI MailSecurity. Underneath the License key edit box, GFI MailSecurity will list how many mailboxes/users it sees. You can use this information to check if you have licensed GFI MailSecurity accordingly.


Version information

Checking GFI MailSecurity version information

The node General > Version Information contains GFI MailSecurity version and build information. You can check if you have the latest version installed using the 'Check for latest version on website' button. Version information is also very useful when contacting GFI support. This will allow us to know exactly which version you have.

Manual MailSecurity for Exchange/SMTP Advanced topics • 83

Advanced topics

Determining Outbound/Inbound/Internal mail This section applies only to the Exchange VS API mode GFI MailSecurity uses a set of rules to determine whether a mail is inbound, internal or outbound. In some cases it may be important to understand the logic used. This logic is based on determining if the user is present in Active Directory or not.

When is a mail outbound? GFI MailSecurity will assume a mail is outbound if the sender is an internal user and the recipient is an external user. To determine whether a sender or recipient is external or internal, GFI MailSecurity makes an Active Directory query. If the user is present, he is assumed to be an internal user.

When is a mail inbound? GFI MailSecurity will assume a mail is inbound if the sender is an external user and the recipient is an internal user. It will use AD to determine whether the sender/recipient is external or internal.

When is a mail internal? If both the sender and the recipient appear in Active Directory then the mail is internal. Because of various reasons, we can not determine 100% if an email is internal or inbound. This is the reason why, for security reasons, you can not create separate rules for internal mail. Assuming you would set up more relaxed rules for internal mail, a security hole might appear.

What if the mail has multiple recipients, both internal and external? In this case, all rules will be applied. So if a mail contains an internal recipient that has a specific rule specified, the rule will be applied. If the mail also contains an outbound rule linked to the sender, then this rule will be applied also.

User synchronization with Exchange 5.5 If you are using GFI MailSecurity in gateway mode with Microsoft Exchange server 5.5, GFI MailSecurity installs a synchronization service that updates the GFI MailSecurity user database automatically. This eliminates the hassle of synchronizing users manually between Exchange Server 5.5 and GFI MailSecurity.

84 • Advanced topics Manual MailSecurity for Exchange/SMTP

During set-up, the Synchronization wizard prompts you for all the relevant information. However, after set-up you can change Exchange Server name/IP, synchronization interval and the Exchange sites that are synchronized. This can be done from the General > User Synchronization node. Right click on the node to bring up the User Synchronization Properties dialog. Here you can change Exchange Server machine IP & synchronization interval.

User synchronization properties

Clicking on the sites button allows you to specify which sites you want GFI MailSecurity to synchronize with.


GFI MailSecurity logging

GFI MailSecurity log files

GFI MailSecurity maintains a number of log files in the logs subdirectory. These logs allow you to track the activity of GFI MailSecurity. The logs will include information on which mails included viruses or which mails triggered content or attachment checking rules. You can open the logs with Microsoft Excel or Access to do further analysis on these logs. You can configure which logs you want GFI MailSecurity to log to. This can be done from the GFI MailSecurity > Logging node.

Configuring ISA server to allow downloading of updates If your GFI MailSecurity server is running behind a firewall, you will need to allow the machine running GFI MailSecurity to download updates from the GFI site through port 21 & port 20. If you are running Microsoft ISA server, you can find a step by step procedure in our knowledgebase. If GFI MailSecurity is NOT installed on the same machine as Microsoft ISA Server, follow the procedure described at http://kbase.gfi.com/showarticle.asp?id=KBID001346 If GFI MailSecurity is installed on the same machine as Microsoft ISA Server, follow the procedure described at: http://kbase.gfi.com/showarticle.asp?id=KBID001347

Enabling Event Logging for the Virus Scanning API This section applies only to the Exchange VS API mode This information can be found in the Microsoft Knowledgebase (Q294336).




The VS API includes inbuilt event logging that you can turn on. To set the level of detail that is logged by the virus scanning API: 1. Start Exchange System Manager. 2. In the console tree, double-click Servers, right-click the server on which you want to set the logging detail level, and then click Properties. 3. Click the Diagnostics Logging tab. 4. In Services, click MSExchangeIS\System. 5. In Categories, click Virus Scanning. Click one of the following logging levels, as appropriate: • None • Minimum • Medium • Maximum

Setting Virus Scanning API Performance Monitor Counters This section applies only to the Exchange VS API mode This information can be found in the Microsoft Knowledgebase (Q285696) In addition to event logging, the VS API also has the capability to create performance counters. The following Performance Monitor counters are available: • Messages Processed. This is a cumulative value of the total

number of top-level messages that are processed by the virus scanner.

• Messages Processed/sec. This counter represents the rate at which top-level messages are processed by the virus scanner.

• Messages Cleaned. The total number of top-level messages that are cleaned by the virus scanner.

• Messages Cleaned/sec. The rate at which top-level messages are cleaned by the virus scanner.

• Messages Quarantined. The total number of top-level messages that are put into quarantine by the virus scanner. • Messages Quarantined/sec. The rate at which top-level

messages are put into quarantine by the virus scanner. • Files Scanned. The total number of separate files that are

processed by the virus scanner. • Files Scanned/sec. The rate at which separate files are

processed by the virus scanner. • Files Cleaned. The total number of separate files that are

cleaned by the virus scanner. • Files Cleaned/sec. The rate at which separate files are cleaned

by the virus scanner. • Files Quarantined. The total number of separate files that are

put into quarantine by the virus scanner.


• Files Quarantined/sec. The rate at which separate files are put into quarantine by the virus scanner.

• Bytes Scanned. The total number of bytes in all of the files that are processed by the virus scanner.

• Queue Length. The current number of outstanding requests that are queued for virus scanning.

• Folders Scanned in Background. The total number of folders that are processed by background scanning.

• Messages Scanned in Background. The total number of messages that are processed by background scanning.

Customizing the notification templates

Configuring the notification templates

GFI MailSecurity sends out various notification messages to the sender or recipient of an e-mail that gets quarantined or modified, as well as various messages to the administrator/manager. These messages are based on a set of templates, which can be edited from the Notification templates node. The templates contain the text of the message, as well as fields that are replaced by values upon generation of the notification message. You may wish to modify these notification templates. The most obvious reason is to localize/translate them to another language. Alternatively you might feel that the templates can be modified to explain a particular rule set or policy you have better. To modify a template, simply double-click on the corresponding template in the right-hand pane. This will open up the template in Notepad and allow you to edit the notification message. Here is a list of template file names and what they do: Filename Description Quarsubj.txt Template includes the subject of a Quarantined action message

sent to manager or administrator. This subject appears on the mail sent to the person who must reject or approve a mail.

quarbody.htm (VSAPI mode only)

Message body of the Quarantined action message sent to manager or administrator. This mail is sent to the person that should approve or reject the mail.

quarbodymsec.htm (Gateway mode only)

Message body of the Quarantined action message sent to manager or administrator. This mail is sent to the person that should approve or reject the mail.

quarappsubj.txt Contains the subject sent to a sender when the mail is approved to


be sent out or when the mail is approved and the recipient receives the mail.

quarappticketbody.txt (VSAPI mode only)

Template includes the body of the "Approval ticket message", sent to sender when he is allowed to send out a particular attachment or text. (in case of outbound mail)

quarappbody.txt Template includes the message body of a mail that is sent to recipient when a mail item, sent to that recipient, is approved. The approved mail item will be attached to this mail.

notifyusersubj.txt

Notification message subject sent to recipient. This mail only gets sent if "Notify User via e-mail" is enabled in the action tab of a rule.

notifyuserbody.txt

Notification message body sent to recipient. This mail only gets sent if "Notify User via e-mail" is enabled in the action tab of a rule.

notifymanagersubj.txt

Notification message subject sent to manager or administrator. This mail only gets sent if "Notify manager via e-mail is enabled in the action tab of a rule.

notifymanagerbody.txt

Notification message body sent to manager or administrator. This mail only gets sent if "Notify manager via e-mail is enabled in the action tab of a rule.

notifyuserappsubj.txt

Template includes the subject of a mail that is sent to recipient when a mail item, sent to that recipient, has been rejected/deleted.

notifyuserappbody.txt

Template includes the message body of a mail that is sent to recipient when a mail item, sent to that recipient, has been rejected/deleted.

violatedel.txt Template includes the message body of a mail that is sent to notify a recipient that part of the mail, sent to him/her, has been deleted.

violatequar.txt Template includes the message body of a mail that is sent to notify a recipient that part of the mail, sent to him/her, has been quarantined.

Template fields The templates contain fields that are replaced by values upon generation of the notification message by GFI MailSecurity. In the below table each field is explained.

Tag Description [QMC_ID] ID of this quarantined item. [LAST_ERROR] Last error reported by the module that quarantined

this item.

[LAST_MODULE] The last module to quarantine this item [MORE_INFO] More information on the last error

[OBJECT_DATE] Date and time when item was quarantined

[OBJECT_USER_NAME] Name of user who caused this quarantine [OBJECT_USER_EMAIL] Email of user who caused this quarantine [OBJECT_MANAGER_NAME]

Name of manager of user who caused this quarantine. (Or default manager)

[OBJECT_MANAGER_EMAIL]

Email of manager of user who caused this quarantine. (Or default manager)

[ACTION] The action taken [ITEM] The name of the object

[MESSAGE_BODY] Not yet defined [TTL] Time to live (the date when this object will be deleted

from the Quarantine system

[WEB_SERVER] The IP or server name where the Web monitor is listening. Used mainly for form processing and not


display purposes.

[QUAR_PATH] The full path of the quarantine item. Will be in the format: Rule://QTYPE/QID. Used mainly for form processing and not display purposes.

[QUAR_SECURITY_GUID] The QMC_QUAR_SECURITY GUID from the QMC record for this quarantined item. Used mainly for form processing and not display purposes.

[QUAR_TTL] Time to live in floating point format. Used mainly for form processing and not display purposes.

[QUAR_SECURITY_PREFIX]

The QMC_QUAR_SECURITY PREFIX from the QMC record for this quarantined item. Used mainly for loop protection and not display purposes. It is automatically added to the end of every subject generated.

[PRODUCT_NAME] Identifies the source of this item. Current values are: DSEC for download security MSEC for mail security exchange 2000 MSEC GWAY for mail security (Gway version)

[GFISCAN_DAT_CONTENTTYPE]

The content-type of the quarantined item

[GFISCAN_DISPLAY_SENDER]

The display name of the sender

[GFISCAN_DISPLAY_TO] The display name of the recipient(s)

[GFISCAN_DISPLAY_CC] The display name of the CC'd recipient(s) [GFISCAN_SUBJECT] The subject of the quarantined item [GFISCAN_MBX] The mailbox of the quarantined item (only available in

MSEC exchange)

[GFISCAN_STOREDB] The db store of the quarantined item (only available in MSEC exchange)

[GFISCAN_FOLDER] The folder of the quarantined item (only available in MSEC exchange)

Manual MailSecurity for Exchange/SMTP Troubleshooting • 91

Troubleshooting

Introduction The troubleshooting chapter explains how you should go about resolving issues you have. The main sources of information available to users are: • The manual – most issues can be solved by reading the manual. • The GFI knowledgebase – accessible from the GFI website. • The GFI support site. • Contacting the GFI support department by email at

[email protected] • Contacting the GFI support department using our live support

service at http://support.gfi.com/livesupport.asp • Contacting our support department by telephone.

Knowledgebase GFI maintains a knowledgebase, which includes answers to most common problems. If you have a problem, please consult the knowledgebase first. The knowledgebase always has the most up-to-date listing of support questions and patches. The knowledgebase can be found on http://kbase.gfi.com

Request support via e-mail If, after using the knowledgebase and this manual, you have any problems that you cannot solve, you can contact the GFI support department. The best way to do this is via e-mail, since you can include vital information as an attachment that will enable us to solve the issues you have more quickly. The Troubleshooter, included in the program group, generates automatically a series of files needed for GFI to give you technical support. The files would include the configuration settings etc. To generate these files, start the troubleshooter and follow the instructions in the application. In addition to collecting all the information, it also asks you a number of questions. Please take your time to answer these questions accurately. Without the proper information it will not be possible to diagnose your problem. Then go to the support directory, located under the main program directory, ZIP the files, and send the generated files to [email protected].


http://support.gfi.com/livesupport.asp

http://kbase.gfi.com


92 • Troubleshooting Manual MailSecurity for Exchange/SMTP

Ensure that you have registered your product on our website first, at http://www.gfi.com/pages/regfrm.htm! We will answer your query within 24 hours or less, depending on your time zone.

Request support via webchat You may also request support via Live support (webchat). You can contact the GFI support department using our live support service at http://support.gfi.com/livesupport.asp Ensure that you have registered your product on our website first, at http://www.gfi.com/pages/regfrm.htm!

Request support via phone You can also contact GFI by phone for technical support. Please check our support website for the correct numbers to call, depending on where you are located, and for our opening times. Support website: http://support.gfi.com Ensure that you have registered your product on our website first, at http://www.gfi.com/pages/regfrm.htm!

Web Forum User to user support is available via the web forum. The forum can be found at: http://forums.gfi.com/

Build notifications We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, go to: http://support.gfi.com


http://support.gfi.com/livesupport.asp


http://support.gfi.com


http://forums.gfi.com/

http://support.gfi.com

Manual MailSecurity for Exchange/SMTP Troubleshooting • 93

Index

A

attachment checking 25, 30, 31

Attachment checking rule 25, 30

B

background scanning 3, 85 Background scanning 3, 75–

76, 85 Bitdefender 51, 54–55, 54,

55

C

Collaboration Data Objects 14

conditions 26–27 configuration 7 content checking 1–2, 4, 25–

28, 29–30, 33, 51 Content checking rule 25,

28, 30

D

DMZ - demilitarized zone 13 DownloadSecurity 8

E

Email exploit detection 2, 57 email exploits 2 Event Logging 3, 83 Exchange 2000 VS API

mode 3, 9, 30, 81

F

fault tolerance 13

I IIS 5 14, 20 ISA server 8, 75, 83

L

Licensing 78 logging 3, 83 Lotus Notes 6, 13, 14, 19 Love Letter 1–2, 25

M

macro viruses 2, 53 macros 2, 51–53 Mail essentials 8, 19 mail relay server 1, 13 MailSecurity scan engine 6 McAfee 2, 51, 55 Microsoft Exchange

Administrator 18 Microsoft Exchange server

2000 9, 14, 18 moderator 7, 35, 39–40 moderator client 7, 35, 39–40 MX record 14, 19

N

Norman 2, 51–53, 54, 55, 56 Norman Virus Control 52–53,

54–55 nslookup 19

O

On demand scanning 75

P

Password 10, 20 Performance Monitor 3, 84 perimeter network 13 POP3 19 Pro active scanning 76 public folder 35–36, 38

S

SMTP gateway 1, 4–5, 13, 43

SMTP gateway mode 3, 13, 43

SMTP Service 14–17, 74 SMTP/POP3 mail server 19

T

Troubleshooting 20, 89

V

virus 1–7, 9, 40–54, 40–54, 83–84

Virus updates 53–54

W

Windows 2000 Server 9, 14