
F-Secure Anti-Virus for Microsoft Exchange

Administrator's Guide

"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.

Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.

Copyright 1993-2006 F-Secure Corporation. All rights reserved. Portions Copyright 1991-2006 Kaspersky Lab.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright 2000-2006 The Apache Software Foundation. All rights reserved.

This product includes PHP, freely available from http://www.php.net/. Copyright 1999-2006 The PHP Group. All rights reserved.

This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright 2000-2002 Justin Mason and others, unless specified otherwise in that particular file. All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the Artistic License.

This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2374260 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233

12000040-6J16

Contents

About This Guide
    How This Guide Is Organized
    Conventions Used in F-Secure Guides
        Symbols

Chapter 1 Introduction
    1.1 Overview
    1.2 How F-Secure Anti-Virus for Microsoft Exchange Works
    1.3 Key Features
    1.4 F-Secure Anti-Virus Mail Server and Gateway Products

Chapter 2 Deployment
    2.1 Installation Modes
    2.2 Network Requirements
    2.3 Deployment Scenarios
        2.3.1 Minimum Installation
        2.3.2 Medium to Large Installation
        2.3.3 Performance-Critical Installation
        2.3.4 Microsoft Exchange Cluster Environment

Chapter 3 Installation
    3.1 System Requirements
        3.1.1 Minimum System Requirements
        3.1.2 Which SQL Server to Use for the Quarantine Database?
        3.1.3 Web Browser Software Requirements
    3.2 Improving Reliability and Performance
    3.3 Centrally Administered or Stand-alone Installation?
    3.4 Installation Overview
    3.5 Installing F-Secure Anti-Virus for Microsoft Exchange
    3.6 After the Installation
        3.6.1 Importing Product MIB files to F-Secure Policy Manager Console
        3.6.2 Configuring the Product
    3.7 Upgrading the Previous Version
    3.8 Upgrading the Evaluation Version
    3.9 Uninstalling F-Secure Anti-Virus for Microsoft Exchange

Chapter 4 Using F-Secure Anti-Virus for Microsoft Exchange
    4.1 Overview
    4.2 Administering F-Secure Anti-Virus for Microsoft Exchange
    4.3 Using F-Secure Anti-Virus for Microsoft Exchange Web Console
        4.3.1 Logging in for the First Time
    4.4 Home Page
    4.5 Checking the Product Status
    4.6 Configuring the F-Secure Anti-Virus for Microsoft Exchange Web Console
    4.7 Using F-Secure Policy Manager Console
    4.8 Modifying Settings and Viewing Statistics
        4.8.1 Centrally Administered Mode
        4.8.2 Stand-alone Mode
    4.9 Manually Processing Mailboxes and Public Folders
        4.9.1 Centrally Administered Mode
        4.9.2 Stand-alone Mode
        4.9.3 Creating Scanning Operations
    4.10 Configuring Alert Forwarding
        4.10.1 Centrally Administered Mode
        4.10.2 Stand-Alone Mode
    4.11 Alert Forwarding
    4.12 Viewing Alerts

Chapter 5 Centrally Managed Administration
    5.1 Overview
    5.2 F-Secure Anti-Virus for Microsoft Exchange Settings
        5.2.1 Real-Time Processing
        5.2.2 Manual Processing
        5.2.3 Scheduled Processing
        5.2.4 Content Scanner Servers
        5.2.5 Quarantine
        5.2.6 Reporting
        5.2.7 Advanced
    5.3 F-Secure Anti-Virus for Microsoft Exchange Statistics
        5.3.1 Common
        5.3.2 Real-Time Processing
        5.3.3 Manual Processing
        5.3.4 Quarantine
    5.4 F-Secure Content Scanner Server Settings
        5.4.1 Interface
        5.4.2 Virus Scanning
        5.4.3 Virus Statistics
        5.4.4 Database Updates
        5.4.5 Spam Filtering
        5.4.6 Threat Detection Engine
        5.4.7 Proxy Configuration
        5.4.8 Advanced
    5.5 F-Secure Content Scanner Server Statistics
        5.5.1 Server
        5.5.2 Scan Engines
        5.5.3 Common
        5.5.4 Spam Control
        5.5.5 Virus Statistics
    5.6 F-Secure Automatic Update Agent Settings
    5.7 F-Secure Management Agent Settings

Chapter 6 Administration with Web Console
    6.1 Overview
    6.2 F-Secure Anti-Virus for Microsoft Exchange Settings
        6.2.1 Summary
        6.2.2 Virus Scanning
        6.2.3 Stripping Attachments
        6.2.4 Content Filtering
        6.2.5 Manual Scanning
        6.2.6 Quarantine
        6.2.7 Advanced
        6.2.8 Internal Domains
    6.3 F-Secure Content Scanner Server Settings
        6.3.1 Summary
        6.3.2 Database Updates
        6.3.3 Scan Engines
        6.3.4 Proxy Configuration
        6.3.5 Archive Scanning
        6.3.6 Advanced
        6.3.7 Interface
    6.4 F-Secure Automatic Update Agent Settings
        6.4.1 Summary
        6.4.2 Automatic Updates
        6.4.3 HTTP Settings
        6.4.4 PM Proxies
    6.5 F-Secure Management Agent Settings

Chapter 7 Quarantine Management
    7.1 Introduction
    7.2 Configuring Quarantine Options
    7.3 Searching the Quarantined Content
    7.4 Query Results Page
    7.5 Viewing Details of a Quarantined Message
    7.6 Reprocessing the Quarantined Content
    7.7 Releasing the Quarantined Content
    7.8 Removing the Quarantined Content
    7.9 Deleting Old Quarantined Content Automatically
    7.10 Quarantine Logging
    7.11 Quarantine Statistics
    7.12 Moving the Quarantine Storage

Chapter 8 Administering F-Secure Spam Control
    8.1 Overview
    8.2 Spam Control Settings in Centrally Managed Environments
    8.3 Spam Control Settings in Web Console
    8.4 Realtime Blackhole List Configuration
        8.4.1 Enabling Realtime Blackhole Lists
        8.4.2 Optimizing F-Secure Spam Control Performance

Chapter 9 Updating Virus and Spam Definition Databases
    9.1 Overview
    9.2 Automatic Updates with F-Secure Automatic Update Agent
    9.3 Configuring Automatic Updates
    9.4 Manual Updates
        9.4.1 Using FSUPDATE
        9.4.2 Updating the Virus Definition Database Remotely Using LATEST.ZIP

Appendix A Deploying the Product on a Cluster
    A.1 System and Network Recommendations
    A.2 Installation Overview
    A.3 Creating Quarantine Storage
        A.3.1 Quarantine Storage in Active-Passive Cluster
        A.3.2 Quarantine Storage in Active-Active Cluster
    A.4 Installing the Product
        A.4.1 Installing on Active-Passive Cluster
        A.4.2 Installing on Active-Active Cluster
    A.5 Administering the Cluster Installation with F-Secure Policy Manager
    A.6 Using the Quarantine in the Cluster Installation
    A.7 Troubleshooting

Appendix B Variables in Warning Messages
    List of Variables
    Outbreak Management Alert Variables

Appendix C Services and Processes

Chapter D Troubleshooting
    D.1 Overview
    D.2 Starting and Stopping
    D.3 Viewing the Log File
    D.4 Common Problems and Solutions
        D.4.1 Installing Service Packs
        D.4.2 Securing the Quarantine
        D.4.3 Administration Issues
    D.5 Frequently Asked Questions
    D.6 F-Secure Automatic Update Agent Troubleshooting

Technical Support
    F-Secure Online Support Resources
    Web Club
    Virus Descriptions on the Web

ABOUT THIS GUIDE


How This Guide Is Organized


F-Secure Anti-Virus for Microsoft Exchange Administrator's Guide is divided into the following chapters:

Chapter 1. Introduction. General information about F-Secure Anti-Virus for Microsoft Exchange and other F-Secure Anti-Virus Mail Server and Gateway products.

Chapter 2. Deployment. Instructions and examples on how to set up your network environment before you can install F-Secure Anti-Virus for Microsoft Exchange.

Chapter 3. Installation. Instructions on how to install and set up F-Secure Anti-Virus for Microsoft Exchange.

Chapter 4. Using F-Secure Anti-Virus for Microsoft Exchange. Instructions on how to use and administer F-Secure Anti-Virus for Microsoft Exchange.

Chapter 9. Updating Virus and Spam Definition Databases. Instructions on how to update your virus definition database.

Chapter 5. Centrally Managed Administration. Instructions on how to remotely administer F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server when they have been installed in centralized administration mode.

Chapter 6. Administration with Web Console. Instructions on how to administer F-Secure Anti-Virus for Microsoft Exchange with the Web Console.

Chapter 8. Administering F-Secure Spam Control. General information about and instructions on how to configure F-Secure Spam Control.

Appendix A. Deploying the Product on a Cluster. Describes how the product can be deployed and used in a cluster environment.

Appendix B. Variables in Warning Messages. Lists variables that can be included in virus warning messages.

Appendix C. Services and Processes. Describes services, devices and processes of F-Secure Anti-Virus for Microsoft Exchange.

Chapter D. Troubleshooting. Solutions to some common problems.

Technical Support. Contains the contact information for assistance.

About F-Secure Corporation. Describes the company background and products.

See the F-Secure Policy Manager Administrator's Guide for detailed information about installing and using the F-Secure Policy Manager components:

- F-Secure Policy Manager Console, the tool for remote administration of F-Secure Anti-Virus for Microsoft Exchange.
- F-Secure Policy Manager Server, which enables communication between F-Secure Policy Manager Console and the managed systems.

Conventions Used in F-Secure Guides


This section describes the symbols, fonts, and terminology used in this manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.

IMPORTANT: An exclamation mark provides important information that you need to consider.

REFERENCE - A book refers you to related information on the topic available in another document.

NOTE - A note provides additional information that you should consider.

TIP - A tip provides information that can help you perform a task more quickly or easily.

An arrow indicates a one-step procedure.

Fonts

Arial bold (blue) is used to refer to menu names and commands, to buttons and other items in a dialog box.

Arial Italics (blue) is used to refer to other chapters in the manual, book titles, and titles of other manuals.

Arial Italics (black) is used for file and folder names, for figure and table captions, and for directory tree names.

Courier New is used for messages on your computer screen.

Courier New bold is used for information that you must type.

SMALL CAPS (BLACK) is used for a key or key combination on your keyboard.

Arial underlined (blue) is used for user interface links.

Arial italics is used for window and dialog box names.

PDF Document
This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe Acrobat Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.

For More Information


Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts. In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com.

CHAPTER 1 Introduction

1.1 Overview
Malicious code, such as computer viruses, is one of the main threats for companies today. In the past, malicious code spread mainly via disks and the most common viruses were the ones that infected disk boot sectors. When users began to use office applications with macro capabilities, such as Microsoft Office, to write documents and distribute them via mail and groupware servers, macro viruses started spreading rapidly.

After the millennium, the most common spreading mechanism has been e-mail. Today about 90% of viruses arrive via e-mail. E-mail provides a very fast and efficient way for viruses to spread themselves without any user intervention, and that is why e-mail worm outbreaks, like Sober, Netsky and Bagle, have caused a lot of damage around the world.

F-Secure Anti-Virus Mail Server and Gateway products are designed to protect your company's mail and groupware servers and to shield the company network from any malicious code that travels in HTTP or SMTP traffic. In addition, they protect your company network against spam. The protection can be implemented on the gateway level to screen all incoming and outgoing e-mail (SMTP), web surfing (HTTP and FTP-over-HTTP) and file transfer (FTP) traffic. Furthermore, it can be implemented on the mail server level so that it protects not only inbound and outbound traffic but also internal mail traffic and public sources, such as Public Folders on Microsoft Exchange servers.

Providing the protection already on the gateway level has plenty of advantages. The protection is easy and fast to set up and install, compared to rolling out antivirus protection on hundreds or thousands of workstations. The protection is also invisible to the end users, which ensures that the system cannot be bypassed and makes it easy to maintain. Of course, protecting the gateway level alone is not enough to provide a complete antivirus solution; file server and workstation level protection is also needed.
Why clean 1000 workstations when you can clean one attachment at the gateway level?

1.2 How F-Secure Anti-Virus for Microsoft Exchange Works


F-Secure Anti-Virus for Microsoft Exchange is designed to detect and disinfect viruses and other malicious code from e-mail transmissions through Microsoft Exchange 2000/2003 Server. Scanning is done in real time as the mail passes through Microsoft Exchange Server. On-demand scanning of user mailboxes and Public Folders is also available.

Scanning Attachments and Message Bodies

F-Secure Anti-Virus for Microsoft Exchange scans attachments and message bodies for malicious code. It can also be instructed to remove particular attachments according to the file name or the file extension. In addition, it can filter out messages containing keywords that have been defined as disallowed. If the intercepted mail contains malicious code, F-Secure Anti-Virus for Microsoft Exchange can be configured to disinfect or drop the content. Any malicious code found during the scan process can be placed in the Quarantine, where it can be further examined. Stripped attachments can also be placed in the Quarantine for further examination.

Flexible and Scalable Anti-Virus Protection

F-Secure Anti-Virus for Microsoft Exchange is installed on Microsoft Exchange 2000/2003 Server and it intercepts mail traveling through mailboxes and Public folders. Intercepted attachments and documents are sent to F-Secure Content Scanner Server, which returns disinfected files back to F-Secure Anti-Virus for Microsoft Exchange. The two-component product architecture ensures that the anti-virus protection does not increase the load on the protected system and that the infected data is never stored on the production network. It also enables you to implement a server pool, so you can share the traffic load between multiple F-Secure Content Scanner Servers and have backup servers if the traffic to primary servers stops for some reason.

Alerting

F-Secure Anti-Virus for Microsoft Exchange has extensive alerting functions, which means that the system administrator can specify a recipient inside the company network to be notified about the infection found in the data content. Of course, the network administrator can also be notified about the infection.

Powerful and Always Up-to-date

F-Secure Anti-Virus for Microsoft Exchange uses the award-winning F-Secure Anti-Virus scanner to ensure the highest possible detection rate and disinfection capability. The daily F-Secure Anti-Virus signature database updates provide F-Secure Anti-Virus for Microsoft Exchange an always up-to-date protection capability. F-Secure Anti-Virus scanner consistently ranks at the top when compared to competing products. Our team of dedicated virus researchers is on call 24 hours a day responding to new and emerging threats. In fact, F-Secure is one of the only companies to release tested virus definition updates on a daily basis, to make sure our customers are receiving the highest quality service and protection.

Virus and Spam Outbreak Detection

Massive spam and virus outbreaks consist of millions of messages which share at least one identifiable pattern that can be used to distinguish the outbreak. Any message that contains one or more of these patterns can be assumed to be a part of the same spam or virus outbreak. F-Secure Anti-Virus for Microsoft Exchange can identify these patterns from the message envelope, headers and body, in any language, message format and encoding type. It can detect spam messages and new viruses during the first minutes of the outbreak.

Stand-alone and Centralized Administration Modes

F-Secure Anti-Virus for Microsoft Exchange can be installed either in stand-alone or centrally administered mode. Depending on how it has been installed, F-Secure Anti-Virus for Microsoft Exchange is managed either with the Web Console or F-Secure Policy Manager.

Scalability and Reliability

F-Secure Policy Manager provides a scalable way to manage the security of multiple applications on multiple operating systems, from one central location. F-Secure Policy Manager is comprised of two components, F-Secure Policy Manager Console and F-Secure Policy Manager Server, which are used to administer applications. They are seamlessly integrated with the F-Secure Management Agents that handle all management functions on local hosts.

Easy to Administer

If F-Secure Anti-Virus for Microsoft Exchange is installed in stand-alone mode it can be managed with the web-based user interface. With Web Console, you can configure F-Secure Anti-Virus for Microsoft Exchange settings, set up scheduled scans or run manual processes any time you want. If F-Secure Anti-Virus for Microsoft Exchange has been installed in centrally administered configuration, it is managed with F-Secure Policy Manager. With its graphical user interface, F-Secure Policy Manager Console provides a centralized view of the domains and hosts in your network and lets you configure the security policies for all F-Secure components. F-Secure Policy Manager receives status information from F-Secure Anti-Virus for Microsoft Exchange. F-Secure Policy Manager Server is the server side component that handles communication between F-Secure Anti-Virus for Microsoft Exchange and F-Secure Policy Manager Console. It exchanges security policies, software updates, status information, statistics, alerts, and other information between F-Secure Policy Manager Console and all managed systems.

Figure 1-1 (1) E-mail arrives from the Internet to F-Secure Anti-Virus for Microsoft Exchange, which (2) filters malicious content from mails and attachments, and (3) delivers cleaned files forward.

1.3 Key Features
F-Secure Anti-Virus for Microsoft Exchange provides the following features and capabilities.

Superior Protection

- Superior detection rate with multiple scanning engines.
- Automatic malicious code detection and disinfection.
- Heuristic scanning also detects unknown Windows and macro viruses.
- Recursive scanning of ARJ, BZ2, CAB, GZ, JAR, LZH, MSI, RAR, TAR, TGZ, Z and ZIP archive files.
- Automatic daily virus definition database updates.
- Suspicious and unsafe attachments can be stripped away from e-mails.
- Password protected archives can be treated as unsafe.
- Intelligent file type recognition.
- Message filtering based on keywords in message subjects and text.
- Utilizes the low-level Anti-Virus API (AV API 2.0) for Microsoft Exchange 2000 Server, and AV API 2.5 for Microsoft Exchange 2003 Server.

Virus Outbreak Detection

- The virus outbreak detection is an additional active layer of protection that automatically detects virus outbreaks and quarantines suspicious messages.
- Virus outbreaks are transparently detected and infected messages are quarantined before the outbreak becomes widespread.
- The product can notify the administrator about virus outbreaks.
- Quarantined unsafe messages can be reprocessed automatically.

Transparency and Scalability

- Viruses are intercepted before they can enter the network and spread out on workstations and servers.
- Real-time scanning of internal, inbound and outbound mail messages and Public Folder notes.
- Automatic protection of new mailboxes and Public Folders.
- Total transparency to end-users. Users cannot bypass the system, which means that messages and documents cannot be exchanged without scanning.
- Support for Windows 2000 Advanced Server or Windows Server 2003 clusters. Both Active-Passive and Active-Active clusters are supported.

Management

- Controlling and monitoring the behavior of the products remotely.
- Starting predefined operations remotely.
- Monitoring statistics provided by the products remotely with F-Secure Policy Manager or F-Secure Anti-Virus for Microsoft Exchange Web Console.
- Possibility to configure and manage stand-alone installations with the convenient F-Secure Anti-Virus for Microsoft Exchange Web Console.
- Contains new quarantine management features: you can manage and search quarantined content with the F-Secure Anti-Virus for Microsoft Exchange Web Console.

Protection against Spam

- Possible spam messages are transparently detected before they become widespread.
- Efficient spam detection based on different analyses on the e-mail content.
- Multiple filtering mechanisms guarantee the high accuracy of spam detection.
- Spam detection works in every language and message format.

1.4 F-Secure Anti-Virus Mail Server and Gateway Products


The F-Secure Anti-Virus product line consists of workstation, file server, mail server, gateway and mobile products.

F-Secure Internet Gatekeeper is a high performance, totally automated web (HTTP and FTP-over-HTTP) and e-mail (SMTP) virus scanning solution for the gateway level. F-Secure Internet Gatekeeper works independently of firewall and e-mail server solutions, and does not affect their performance.

F-Secure Anti-Virus for Microsoft Exchange protects your Microsoft Exchange users from malicious code contained within files they receive in mail messages and documents they open from shared databases. Malicious code is also stopped in outbound messages and in notes being posted on Public Folders. The product operates transparently and scans files in the Exchange Server Information Store in real-time. Manual and scheduled scanning of user mailboxes and Public Folders is also supported.

F-Secure Anti-Virus for MIMEsweeper provides a powerful anti-virus scanning solution that tightly integrates with Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web products. F-Secure provides top-class anti-virus software with fast and simple integration to Clearswift MAILsweeper and WEBsweeper, giving the corporation the powerful combination of complete content security.

F-Secure Internet Gatekeeper for Linux provides a high-performance solution at the Internet gateway level, stopping viruses and other malicious code before they spread to end users' desktops or corporate servers. The product scans SMTP, HTTP, FTP and POP3 traffic for viruses, worms and trojans, and blocks and filters out specified file types. ActiveX and Java code can also be scanned or blocked. The product receives updates automatically from F-Secure, keeping the virus protection always up to date. A powerful and easy-to-use management console simplifies the installation and configuration of the product.

F-Secure Messaging Security Gateway delivers the industry's most complete and effective security for e-mail. It combines a robust enterprise-class messaging platform with perimeter security, antispam, antivirus, secure messaging and outbound content security capabilities in an easy-to-deploy, hardened appliance.

CHAPTER 2 Deployment

- Installation Modes
- Network Requirements
- Deployment Scenarios

2.1 Installation Modes
F-Secure Anti-Virus for Microsoft Exchange can be installed either in stand-alone or centrally administered mode. In stand-alone installation, F-Secure Anti-Virus for Microsoft Exchange is managed with Web Console. In centrally administered mode, it is managed centrally with F-Secure Policy Manager components: F-Secure Policy Manager Server and F-Secure Policy Manager Console. To administer F-Secure Anti-Virus for Microsoft Exchange in the centrally administered mode, you have to install the following components:

- F-Secure Policy Manager Server (on a dedicated machine)
- F-Secure Policy Manager Console (on the administrator's machine)

2.2 Network Requirements
This network configuration is valid for all scenarios described in this chapter. Make sure that the following network traffic can travel:

| Service | Process | Inbound ports | Outbound ports |
|---|---|---|---|
| F-Secure Content Scanner Server | %ProgramFiles%\F-Secure\Content Scanner Server\fsavsd.exe | 18971 (TCP) + 1024-65536 (TCP), only with F-Secure Anti-Virus for Internet Mail on a separate host | DNS (53, UDP/TCP), HTTP (80) or other known port used for HTTP proxy |
| F-Secure Anti-Virus for Microsoft Exchange Web Console | %ProgramFiles%\F-Secure\Web User Interface\bin\fswebuid.exe | 25023 | DNS (53, UDP and TCP), 1433 (TCP), only with the dedicated SQL server |
| F-Secure Automatic Update Agent | F-Secure Automatic Update.exe | 371 (UDP), only if BackWeb Polite Protocol is used | DNS (53, UDP and TCP), HTTP (80) |
| FSNRB | %ProgramFiles%\F-Secure\Common\fnrb32.exe | - | DNS (53, UDP/TCP), HTTP (80) |
| FSMA (AMEH) | %ProgramFiles%\F-Secure\Common\fameh32.exe | - | DNS (53, UDP/TCP), SMTP (25) |
| F-Secure Quarantine Manager | %ProgramFiles%\F-Secure\Quarantine Manager\fqm.exe | - | DNS (53, UDP/TCP), 1433 (TCP), only with the dedicated SQL server |
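The inbound column of the table above can be checked against what a host is actually listening on. The following is an added example, not part of the guide and not F-Secure code: it parses `netstat -ano` output and flags listeners that deviate from the table. It assumes a minimum installation (all components on the Exchange host) and TCP for port 25023; the sample netstat text and PID map are constructed.

```python
"""Audit listening sockets against the Network Requirements table.

Added example, not F-Secure code. Assumes a minimum installation (all
components on the Exchange host); all sample data below is constructed.
"""
import re

# Inbound listeners from the table: (proto, port) -> (image, condition).
EXPECTED_INBOUND = {
    ("TCP", 18971): ("fsavsd.exe", "always"),
    # The table gives no protocol for 25023; TCP is an assumption here.
    ("TCP", 25023): ("fswebuid.exe", "always"),
    # Only expected when BackWeb Polite Protocol is in use.
    ("UDP", 371): ("F-Secure Automatic Update.exe", "backweb"),
}
# Images whose inbound column is "-": they should not listen at all.
NO_INBOUND = {"fnrb32.exe", "fameh32.exe", "fqm.exe"}
KNOWN_IMAGES = NO_INBOUND | {img.lower() for img, _ in EXPECTED_INBOUND.values()}

# One row of `netstat -ano`; TCP rows are kept only in LISTENING state.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")


def parse_listeners(netstat_text, pid_images):
    """Return {(proto, port, image)} for every listening or bound socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:  # headers and ESTABLISHED/TIME_WAIT rows do not match
            proto, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            found.add((proto, port, pid_images.get(pid, "pid:%d" % pid)))
    return found


def audit(listeners, backweb=False, internet_mail_remote=False):
    """Compare listeners with the table; return a list of findings."""
    findings = []
    owners = {(proto, port): image for proto, port, image in listeners}
    # 1. Every expected listener must exist and belong to the right image.
    for key, (image, cond) in sorted(EXPECTED_INBOUND.items()):
        if cond == "backweb" and not backweb:
            continue
        owner = owners.get(key)
        if owner is None:
            findings.append(("MISSING", key, image))
        elif owner.lower() != image.lower():
            findings.append(("WRONG_OWNER", key, owner))
    # 2. Processes named in the table must not listen anywhere else.
    for proto, port, image in sorted(listeners):
        name = image.lower()
        if name not in KNOWN_IMAGES:
            continue  # not a process named in the table
        allowed = {k for k, (img, cond) in EXPECTED_INBOUND.items()
                   if img.lower() == name and (cond == "always" or backweb)}
        # The table also allows fsavsd.exe 1024-65536 (TCP) when F-Secure
        # Anti-Virus for Internet Mail runs on a separate host; the bound is
        # kept as printed, although port numbers end at 65535.
        dynamic = (name == "fsavsd.exe" and internet_mail_remote
                   and proto == "TCP" and 1024 <= port <= 65536)
        if (proto, port) not in allowed and not dynamic:
            findings.append(("UNEXPECTED", (proto, port), image))
    return findings


# Constructed sample: netstat -ano output and a PID-to-image map (tasklist).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:4711           0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:18971          0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:25023          0.0.0.0:0              LISTENING       3300
  TCP    10.0.0.5:25            10.0.0.9:3312          ESTABLISHED     1180
  UDP    0.0.0.0:371            *:*                                    1500
"""
SAMPLE_PIDS = {1180: "inetinfo.exe", 2044: "fsavsd.exe", 2312: "fqm.exe",
               3300: "other.exe", 1500: "F-Secure Automatic Update.exe"}

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS)):
        print(finding)
```

In the medium to large and performance-critical scenarios, F-Secure Content Scanner Server runs on a dedicated machine, so a MISSING finding for port 18971 on the Exchange host is expected there.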

2.3 Deployment Scenarios
Depending on the number of protected systems and the amount of data traffic, you might consider various scenarios of deploying F-Secure Anti-Virus for Microsoft Exchange. There are various ways to deploy F-Secure Anti-Virus for Microsoft Exchange that are suitable to different environments.

- If the mail traffic is not very heavy, see "Minimum Installation", 25.
- If the mail traffic is rather heavy, see "Medium to Large Installation", 27.
- For very large, performance-critical installations, see "Performance-Critical Installation", 28.
- For Microsoft Exchange Cluster Environments, see "Microsoft Exchange Cluster Environment", 30.

2.3.1 Minimum Installation

If the mail traffic is not very heavy, you can install F-Secure Content Scanner Server on the same machine that runs Microsoft Exchange Server. In this case, both F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange will reside on the Microsoft Exchange Server. You can administer F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server by using the F-Secure Anti-Virus for Microsoft Exchange Web Console.

Figure 2-1 F-Secure Anti-Virus for Microsoft Exchange minimum installation

Alternatively, you can choose to install F-Secure Policy Manager to enable centralized administration of F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange.

2.3.2 Medium to Large Installation


If the mail traffic is rather heavy, F-Secure Content Scanner Server should be installed on a dedicated machine. This minimizes the extra load on the Microsoft Exchange Server. You should install F-Secure Anti-Virus for Microsoft Exchange in centralized administration mode on each Microsoft Exchange Server.

Figure 2-2 F-Secure Anti-Virus for Microsoft Exchange, medium to large installation

2.3.3 Performance-Critical Installation
In very large, performance-critical installations you should use multiple F-Secure Content Scanner Server installations. Each F-Secure Content Scanner Server should be installed on a dedicated machine. F-Secure Anti-Virus for Microsoft Exchange can share the virus scanning load between multiple F-Secure Content Scanner Servers.

Figure 2-3 F-Secure Anti-Virus for Microsoft Exchange with multiple F-Secure Content Scanner Servers

F-Secure Anti-Virus for Microsoft Exchange should be installed in centralized administration mode on each Microsoft Exchange Server.

Figure 2-4 F-Secure Anti-Virus for Microsoft Exchange installed on each Microsoft Exchange Server

2.3.4 Microsoft Exchange Cluster Environment


F-Secure Anti-Virus for Microsoft Exchange can be installed on a Windows 2000 Advanced Server or Windows Server 2003 Enterprise Edition cluster. The product supports standard two-node Active-Passive and Active-Active clusters. Microsoft Exchange needs to be properly configured and running in the cluster before installing F-Secure Anti-Virus for Microsoft Exchange. F-Secure Anti-Virus for Microsoft Exchange needs to be installed separately on both cluster nodes.

When installing in Microsoft Exchange cluster environment, the product must be installed in centrally managed mode, so that you can configure and manage the product with F-Secure Policy Manager. Changing the product settings with F-Secure Anti-Virus for Microsoft Exchange Web Console is not supported in cluster environments, but it can be used for some quarantine management functions.

The settings on both cluster nodes must be identical. To ensure this, place the servers as their own domain in the F-Secure Policy Manager Console and configure all the settings on the domain level, not on the host level.

It is recommended to install a local F-Secure Content Scanner Server on both cluster nodes. However, if a remote F-Secure Content Scanner Server is used, the dedicated IP address of each cluster node must be visible to the remote F-Secure Content Scanner Server.

When installing the product, the setup program detects Microsoft Exchange Cluster automatically. The setup program also creates a cluster resource for the product automatically. The cluster resource makes it possible to use the product in the cluster, by giving the control of the resource to the cluster service. This and other resources together guarantee that the product works properly in the cluster in every situation. You can check the state of the resource in Microsoft Cluster Administrator console, under the same branch where the Exchange resources reside. For detailed instructions, see "Deploying the Product on a Cluster", 349.


A Note about Installing on Active-Passive Cluster


The product can be installed either on an active or a passive cluster node. When installing on a passive node (which does not have active Microsoft Exchange services), the setup program may display a notification about missing Microsoft Exchange components, but the installation can be continued.

CHAPTER 3 Installation

- System Requirements
- Improving Reliability and Performance
- Installation Overview
- Installing F-Secure Anti-Virus for Microsoft Exchange
- After the Installation
- Upgrading the Previous Version
- Upgrading the Evaluation Version
- Uninstalling F-Secure Anti-Virus for Microsoft Exchange

3.1 System Requirements
F-Secure Anti-Virus for Microsoft Exchange is installed on the computer running Microsoft Exchange Server and requires the following hardware and software.

3.1.1 Minimum System Requirements


F-Secure Anti-Virus for Microsoft Exchange has to be installed to the same machine that runs Microsoft Exchange Server.

You need to log in with administrator-level privileges to install F-Secure Anti-Virus for Microsoft Exchange.

In order to install the product successfully on a non-English version of the operating system, your default system locale should be the same as the language of the operating system. You can set the locale in Control Panel > Regional Options > General > Your locale (location).

Operating system:

- Windows 2000 Server Family:
  - Microsoft Windows 2000 Server with Service Pack 3 or later
  - Microsoft Windows 2000 Advanced Server with Service Pack 3 or later
- Windows 2003 Server Family:
  - Microsoft Windows Server 2003, Standard Edition with latest service pack
  - Microsoft Windows Server 2003, Enterprise Edition with latest service pack

Microsoft Exchange Server:

- Microsoft Exchange 2000 Server Family:
  - Microsoft Exchange 2000 Server with Service Pack 3 or later
- Microsoft Exchange 2003 Server Family:
  - Microsoft Exchange 2003 Server with latest service pack
  - Microsoft Exchange 2003 Enterprise Server with latest service pack

Processor: Intel Pentium 800 MHz or equivalent.

Memory: 512 MB

Disk space to install: 70 MB.

Disk space for processing: 500 MB or more. The required disk space depends on the number of mailboxes, amount of data traffic and the size of the Information Store.

SQL server (for quarantine database):

- Microsoft SQL Server 2000 (Enterprise, Standard or Workgroup edition) with Service Pack 4
- Microsoft SQL Server 2005
- Microsoft SQL Server 2000 Desktop Engine (MSDE) with Service Pack 4

For more information, see "Which SQL Server to Use for the Quarantine Database?", 35. When centralized quarantine management is used, the SQL server must be reachable from the network and file sharing must be enabled.

F-Secure Policy Manager version: F-Secure Policy Manager 6.0 or newer. F-Secure Policy Manager is required only in centrally managed environments.

For Microsoft Windows Server 2003 Service Pack 1 related support information, see http://support.f-secure.com/enu/corporate/w2003sp1/

The release notes document contains the latest information about the product and might have changes to system requirements and the installation procedure. It is highly recommended to read the release notes before you proceed with the installation.

3.1.2 Which SQL Server to Use for the Quarantine Database?


As a minimum requirement, the Quarantine database should have the capacity to store information about all inbound and outbound mail to and from your organization that would normally be sent during 2-3 days. Take into account the following SQL server specific considerations when deciding which SQL server to use:


Microsoft SQL Server Desktop Engine and SQL Server 2005 Express Edition

- When using Microsoft SQL Server Desktop Engine (MSDE), the Quarantine database size is limited to 2 GB.
- MSDE includes a concurrent workload governor that limits the scalability of MSDE. For more information, see http://msdn.microsoft.com/library/?url=/library/en-us/architec/8_ar_sa2_0ciq.asp?frame=true.
- It is not recommended to use MSDE or SQL Server 2005 Express Edition if you are planning to use centralized quarantine management with multiple F-Secure Anti-Virus for Microsoft Exchange installations.
- MSDE is delivered together with F-Secure Anti-Virus for Microsoft Exchange, and you can install it during the F-Secure Internet Anti-Virus for Microsoft Exchange Setup. For more information, see "Installation Overview", 39.

Microsoft SQL Server 2000/2005

- If your organization sends a large amount of e-mails, it is recommended to use Microsoft SQL Server 2000/2005.
- It is recommended to use Microsoft SQL Server 2000/2005 if you are planning to use centralized quarantine management with multiple F-Secure Anti-Virus for Microsoft Exchange installations. For more information, see "Performance-Critical Installation", 28.
- Note that the product does not support Windows Authentication when connecting to Microsoft SQL Server 2000/2005. The Microsoft SQL Server 2000/2005 that the product will use for the Quarantine database should be configured to use Mixed Mode authentication.

If you plan to use Microsoft SQL Server 2005, you must purchase it and obtain your own license before you start to deploy F-Secure Anti-Virus for Microsoft Exchange. To purchase Microsoft SQL Server 2005, contact your Microsoft reseller.

3.1.3 Web Browser Software Requirements


In order to administer the product with F-Secure Anti-Virus for Microsoft Exchange Web Console, one of the following web browsers is required:

- Microsoft Internet Explorer 6.0 or later
- Netscape Communicator 8.1 or later
- Mozilla Firefox 1.5 or later
- Opera 9.00 or later
- Konqueror 3.5 or later

Any other web browser supporting HTTP 1.0, SSL, JavaScript and cookies may be used as well. Microsoft Internet Explorer 5.5 or earlier cannot be used to administer the product.

3.2 Improving Reliability and Performance


You can improve the system reliability and overall performance by upgrading the following components.

Processor

If the system load is high, a fast processor on the Microsoft Exchange Server speeds up the e-mail message processing. As Microsoft Exchange Server handles a large amount of data, a fast processor alone is not enough to guarantee a fast operation of F-Secure Anti-Virus for Microsoft Exchange.

Memory

Memory consumption is directly proportional to the size of processed mails - scanning a single mail may use memory in amounts up to three times the size of the mail concerned. If the average size of mail messages is big, or Microsoft Exchange Server has to process large messages regularly, increasing the amount of physical memory increases the overall performance. If large messages are processed only now and then, it might be enough to increase the size of the virtual memory. In this case, large messages will slow the system down.

Hard Drive

Hard drive size is an important reliability factor. Hard drive performance is crucial for Microsoft Exchange Server to perform well. For best performance, a RAID system is recommended; for servers with only moderate load, SCSI hard disks are adequate. If your server has an IDE hard disk, DMA access support is recommended.

Operating System

It is highly recommended to have the latest service packs for the operating system being used. These fixes make the platform more stable and thus increase the reliability of the system.

3.3 Centrally Administered or Stand-alone Installation?


F-Secure Anti-Virus for Microsoft Exchange can be managed either with F-Secure Anti-Virus for Microsoft Exchange Web Console or F-Secure Policy Manager Console. You can select the management method when you install the product. If you already use F-Secure Policy Manager to administer other F-Secure products, it is recommended to install F-Secure Anti-Virus for Microsoft Exchange in centralized administration mode. The quarantined mails are managed using the F-Secure Anti-Virus for Microsoft Exchange Web Console in both centrally administered and stand-alone installations. In centrally managed environments all other features are managed with F-Secure Policy Manager. When installing in Microsoft Exchange cluster environment, the product must be installed in centrally managed mode, so that you can configure and manage the product with F-Secure Policy Manager.

3.4 Installation Overview
Before you start to install F-Secure Anti-Virus for Microsoft Exchange, uninstall any potentially conflicting products, such as anti-virus, file encryption, and disk encryption software that employ low-level device drivers. Close all Windows applications before starting the installation.

F-Secure Anti-Virus for Microsoft Exchange can be installed to the same computer that runs F-Secure Anti-Virus for Servers 5.50. You should uninstall any potentially conflicting products, such as other anti-virus, file encryption, and disk encryption software, which employ low-level device drivers, before you install F-Secure Anti-Virus for Microsoft Exchange. If you want to run F-Secure Anti-Virus for Servers 5.50 on the same computer where you install F-Secure Anti-Virus for Microsoft Exchange, make sure that F-Secure Anti-Virus for Servers 5.50 is installed before you install F-Secure Anti-Virus for Microsoft Exchange.

To administer F-Secure Anti-Virus for Microsoft Exchange in centralized administration mode, you need to install F-Secure Policy Manager Console and F-Secure Policy Manager Server. Detailed information on F-Secure Policy Manager Console and F-Secure Policy Manager Server is provided in the F-Secure Policy Manager Administrator's Guide.

Follow these steps to set up F-Secure Anti-Virus for Microsoft Exchange:

Centralized Administration mode:

1. Run F-Secure Policy Manager setup to set up F-Secure Policy Manager Server. See F-Secure Policy Manager Administrator's Guide for instructions.
2. Install F-Secure Anti-Virus for Microsoft Exchange. For more information, see "Installing F-Secure Anti-Virus for Microsoft Exchange", 41.
3. Import the product MIB files to F-Secure Policy Manager, if they cannot be uploaded there during the installation. For more information, see "Importing Product MIB files to F-Secure Policy Manager Console", 60.
4. Check that F-Secure Automatic Update Agent can retrieve the latest virus definition databases. For more information, see "Updating Virus and Spam Definition Databases", 345.

Stand-alone mode:

1. Install F-Secure Anti-Virus for Microsoft Exchange. For more information, see "Installing F-Secure Anti-Virus for Microsoft Exchange", 41.
2. Check that F-Secure Automatic Update Agent can retrieve the latest virus definition databases. For more information, see "Updating Virus and Spam Definition Databases", 345.

After the installation is complete, check and configure settings for F-Secure Content Scanner Server, F-Secure Anti-Virus for Microsoft Exchange and F-Secure Management Agent.

3.5 Installing F-Secure Anti-Virus for Microsoft Exchange


Follow these instructions to install F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange.

Step 1.

1. Insert the F-Secure CD in your CD-ROM drive.
2. Select F-Secure Anti-Virus for Microsoft Exchange from the Install Software menu.

Step 2.

Read the information in the Welcome screen.


Click Next to continue.

Step 3.

Read the licence agreement.

If you accept the agreement, check the I accept the agreement checkbox and click Next to continue.

Step 4.

Enter the product keycode.

Click Next to continue.


Step 5.

Choose the components to install.

If you want to install F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange on the Microsoft Exchange Server computer, select all components. Click Next to continue.

When you install F-Secure Spam Control, or F-Secure Content Scanner Server in stand-alone mode, F-Secure Automatic Update Agent is automatically installed to provide virus definition database updates. For more information, see "Automatic Updates with F-Secure Automatic Update Agent", 346.

Step 6.

Choose the destination folder for the installation.

Click Next to continue.


Step 7.

Choose the administration method.

If you install F-Secure Anti-Virus for Microsoft Exchange in stand-alone mode, you cannot configure settings and receive alerts and status information in F-Secure Policy Manager Console. Click Next to continue. If you selected the stand-alone installation, continue to "Step 10.", 49.

If you select the stand-alone mode, use the F-Secure Anti-Virus for Microsoft Exchange Web Console to change product settings and statistics. For more information, see "Administration with Web Console", 219.

Step 8.

Enter the path to the public management key file admin.pub that was created during F-Secure Policy Manager Console setup.

You can transfer the public key in various ways (use a shared folder on the file server, a floppy disk, or send the key as an attachment in an e-mail message). Click Next to continue.


Step 9.

Enter the IP address or URL of the F-Secure Policy Manager Server you installed earlier.

Click Next to continue.

If the product MIB files cannot be uploaded to F-Secure Policy Manager during installation, you can import them manually. For more information, see "Importing Product MIB files to F-Secure Policy Manager Console", 60.

Step 10.

Enter an SMTP address that will be used by F-Secure Anti-Virus for Microsoft Exchange to send warning and informational messages to end-users.

The SMTP address should be a valid, existing address that is allowed to send messages. Click Next to continue.


Step 11.

Select the user account that F-Secure Outbreak Manager should use.

Select either the local system account or enter the name and password for the user account that F-Secure Outbreak Manager should use. The account is used to run the outbreak handler scripts or programs. If you do need to see the outbreak handler script running on the desktop select Allow to interact with desktop. By default, the script or program runs in the background. For more information, see "Outbreak Management", 158. Click Next to continue.

If you want to use the default \SYSTEM account, do not enter any password. Make sure that the account has all the necessary privileges to run the outbreak handler script.

Step 12.

Specify the Quarantine management method.

If you want to manage quarantines locally, select Local quarantine management. Select Centralized quarantine management if you install the product on multiple instances. For more information, see "Microsoft Exchange Cluster Environment", 30. Click Next to continue.

Step 13.

Specify the location of the Quarantine database.

If you want to install the Quarantine database on the same server as the product installation, select (a) Install and use Microsoft SQL Server Desktop Engine. If you are using Microsoft SQL Server or Microsoft SQL Server Desktop Engine already, select (b) Use the existing installation of Microsoft SQL Server or MSDE. Click Next to continue.

a. Specify the installation directory for Microsoft SQL Server Desktop Engine and data files.

Enter the username and password for the server administrator account. Click Next to continue.

b. Specify the computer name of the SQL Server where you want to create the Quarantine database.

Enter the username and password to log on to the server. Click Next to continue.

If the server has a database with the same name, you can either use the existing database, remove the existing database and create a new one or keep the existing database and create a new one with a new name.

Step 14.

Select whether you want to install the product with F-Secure World Map Support.

The product can collect and send statistics about viruses and other malware to the F-Secure World Map service. If you agree to send statistics to F-Secure World Map, select Yes and click Next to continue.

Step 15.

If you selected the centralized administration mode, the installation program connects to specified F-Secure Policy Manager Server automatically to install F-Secure Anti-Virus for Microsoft Exchange MIB files. If the installation program cannot connect to F-Secure Policy Manager Server, the following dialog opens.

Make sure that the computer where you are installing F-Secure Anti-Virus for Microsoft Exchange is allowed to connect to the administration port on F-Secure Policy Manager Server, or, if you use a proxy, make sure that the connection is allowed from the proxy to the server. Check that no firewall blocks the connection. If you want to skip installing MIB files, click Cancel. You can install MIB files later either manually or by running the Setup again.

Step 16.

The list of components that will be installed is displayed.

Click Start to install listed components.


Step 17.

The installation status of the components is displayed.

Click Next to continue.


Step 18.

The installation is completed.

Click Finish to close the Setup wizard.

Step 19.

If you are installing F-Secure Spam Control, the setup prompts you to select whether to restart the Microsoft Exchange Information Store service automatically to complete the installation. Click Yes to restart the Information Store service automatically.

3.6 After the Installation


This section describes what you have to do after the installation. These steps include:

- Importing product MIBs to F-Secure Policy Manager (if that is required), and
- Initial configuration of the product.

3.6.1 Importing Product MIB files to F-Secure Policy Manager Console


If you are using the product in centrally managed mode, there are cases when the F-Secure Anti-Virus for Microsoft Exchange MIB JAR file cannot be uploaded to F-Secure Policy Manager Server during the installation. In these cases you will have to import the MIB files to F-Secure Policy Manager. You will have to import the MIB files if:

- F-Secure Anti-Virus for Microsoft Exchange is located in a different network segment than F-Secure Policy Manager, and there is a firewall between them blocking access to Policy Manager's administrative port (8080).
- F-Secure Policy Manager Server has been configured so that administrative connections from anywhere else than the localhost are blocked.

The recommended way is to import the MIBs via F-Secure Policy Manager Console Tools menu. You can do it as follows:

1. Open the Tools menu and select the Installation packages... option.
2. Click Import....
3. When the Import Installation Packages dialog opens, browse to locate the fsavmse660.mib.jar file located under the Jars subdirectory in the setup package. Then click Open.
4. After importing the new MIB files, restart F-Secure Policy Manager Console.

3.6.2

Configuring the Product


After the installation, F-Secure Anti-Virus for Microsoft Exchange is functional, but it is using mostly default values. It is highly recommended to go through all the settings of all installed components. You should also retrieve the latest virus definition database updates.

Configure F-Secure Anti-Virus for Microsoft Exchange.
If F-Secure Anti-Virus for Microsoft Exchange has been installed in the centralized administration mode, use F-Secure Policy Manager Console to configure the settings for F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange and distribute the policy. For more information, see Centrally Managed Administration, 127.
If F-Secure Anti-Virus for Microsoft Exchange has been installed in stand-alone mode, use the F-Secure Anti-Virus for Microsoft Exchange Web Console to configure the settings of F-Secure Anti-Virus for Microsoft Exchange. For more information, see Administration with Web Console, 219.

Specify the domains which should be considered to be internal domains. For more information, see Internal Domains, 161.

Retrieve virus definition database updates. For more information, see Updating Virus and Spam Definition Databases, 345.

3.7

Upgrading the Previous Version


If you have a previous version of F-Secure Anti-Virus for Microsoft Exchange installed on your computer, you can upgrade it easily. You do not need to remove your previous version; F-Secure Setup uninstalls it automatically.

During upgrade the setup will stop and restart Microsoft Exchange Information Store, IIS Admin Service and all services that depend on them:

Microsoft Exchange Information Store
World Wide Web Publishing Service
Simple Mail Transport Protocol (SMTP)
Microsoft Exchange Routing Engine
Microsoft Exchange POP3
Network News Transport Protocol (NNTP)
Microsoft Exchange MTA Stacks
Microsoft Exchange Information Store
Microsoft Exchange IMAP4
IIS Admin Service

Follow these instructions to upgrade F-Secure Anti-Virus for Microsoft Exchange:

1. Run the Setup program. For more information, see Installing F-Secure Anti-Virus for Microsoft Exchange, 41.

2. Depending on the installed F-Secure products, F-Secure Setup will suggest upgrading one or more components.

Select the components you want to upgrade.

3. The setup needs to stop and restart Microsoft Exchange Server related services during the upgrade.

Click OK to continue.

4. After the Setup finishes, restart the computer if the Setup program prompts you to do so.

5. Configure F-Secure Anti-Virus for Microsoft Exchange. For more information, see Centrally Managed Administration, 127. If you installed F-Secure Anti-Virus for Microsoft Exchange in stand-alone mode, see Administration with Web Console, 219.

6. Make sure that F-Secure Automatic Update Agent can retrieve the latest virus definition databases. For more information, see Updating Virus and Spam Definition Databases, 345.

3.8

Upgrading the Evaluation Version


If you want to use F-Secure Anti-Virus for Microsoft Exchange after your evaluation period expires, you need a new keycode. Contact your software vendor or renew your license online. After you have received the new keycode, you can either reinstall F-Secure Anti-Virus for Microsoft Exchange with your new keycode (see Installing F-Secure Anti-Virus for Microsoft Exchange, 41) or register the new keycode from F-Secure Settings and Statistics.

To register the new keycode from F-Secure Settings and Statistics:

1. Open F-Secure Settings and Statistics by double-clicking the F-Secure icon in the Windows system tray and select F-Secure Anti-Virus for Microsoft Exchange to open the evaluation screen.
2. Click Register Keycode... and enter the new keycode you have received.

If you do not want to continue to use F-Secure Anti-Virus for Microsoft Exchange after your evaluation license expires, you should uninstall the software.

3.9

Uninstalling F-Secure Anti-Virus for Microsoft Exchange


To uninstall F-Secure Anti-Virus for Microsoft Exchange, select Add/Remove Programs from the Windows Control Panel. To uninstall F-Secure Anti-Virus for Microsoft Exchange completely, uninstall the components in the following order:

1. F-Secure Anti-Virus for Microsoft Exchange
2. F-Secure SNMP Support (if it was installed)
3. F-Secure Spam Control
4. F-Secure Content Scanner Server
5. F-Secure Automatic Update Agent

IMPORTANT: If there is another F-Secure Anti-Virus product installed on the same computer, check whether it uses F-Secure Automatic Update Agent or F-Secure Policy Manager for getting virus definition database updates. If the other product gets the updates from F-Secure Policy Manager, you can uninstall F-Secure Automatic Update Agent.

USING F-SECURE ANTI-VIRUS FOR MICROSOFT EXCHANGE


Overview
Administering F-Secure Anti-Virus for Microsoft Exchange
Using F-Secure Anti-Virus for Microsoft Exchange Web Console
Home Page
Checking the Product Status
Configuring the F-Secure Anti-Virus for Microsoft Exchange Web Console
Using F-Secure Policy Manager Console
Modifying Settings and Viewing Statistics
Manually Processing Mailboxes and Public Folders
Configuring Alert Forwarding
Viewing Alerts

CHAPTER 4 Using F-Secure Anti-Virus for Microsoft Exchange


4.1

Overview
F-Secure Anti-Virus for Microsoft Exchange can be used either in the stand-alone mode, or in the centrally administered mode, based on your selections during the installation and the initial setup.

4.2

Administering F-Secure Anti-Virus for Microsoft Exchange


In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Servers with F-Secure Policy Manager. You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, check its current status and to connect to F-Secure Web Club for support, but you cannot change any settings with it. In the stand-alone mode, you use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, modify its settings, edit scheduled tasks and start manual processing. To open the F-Secure Anti-Virus for Microsoft Exchange Web Console, start it from F-Secure Settings and Statistics or select F-Secure Anti-Virus for Microsoft Exchange from the Windows Start menu > Programs > F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for Microsoft Exchange Web Console. You can open F-Secure Settings and Statistics by double-clicking the F-Secure icon in the Windows system tray.


4.3

Using F-Secure Anti-Virus for Microsoft Exchange Web Console


In centrally managed installations of F-Secure Anti-Virus for Microsoft Exchange, the F-Secure Anti-Virus for Microsoft Exchange Web Console can be used for monitoring the system status and statistics. It can also be used for viewing the settings currently in use and executing some operations. However, in centrally managed installations it cannot be used for configuring the system or scanning settings; use F-Secure Policy Manager for this instead.

4.3.1

Logging in for the First Time


F-Secure Anti-Virus for Microsoft Exchange Web Console does not support Microsoft Internet Explorer 5.5 or older.

Microsoft Internet Explorer 6.0 users: The address of the F-Secure Anti-Virus for Microsoft Exchange Web Console, https://127.0.0.1:25023/, should be added to the Trusted sites in Internet Explorer 6.0 Security Options. This ensures that the F-Secure Anti-Virus for Microsoft Exchange Web Console works properly in all environments.

Before you log in to the F-Secure Anti-Virus for Microsoft Exchange Web Console for the first time, check that JavaScript and cookies are enabled in the browser you use.

When you log in for the first time, your browser will display a Security Alert dialog window about the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console. You can create a security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console before logging in, and then install the certificate during the login process. If your company has an established process for creating and storing certificates, you can follow that process to create and store the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console.

Step 1.

Create the security certificate


1. Browse to the F-Secure Anti-Virus for Microsoft Exchange Web Console installation directory, for example: C:\Program Files\F-Secure\Web User Interface\bin\

2. Locate the certificate creation utility, makecert.bat, and double-click it to run the utility.

3. The utility creates a certificate that will be issued to all local IP addresses, and restarts the F-Secure Anti-Virus for Microsoft Exchange Web Console service to take the certificate into use. Wait until the utility completes and the window closes. Now you can proceed to logging in.

Step 2.

Log in and install the security certificate


1. Select Programs > F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for Microsoft Exchange Web Console, or enter the address of the F-Secure Anti-Virus for Microsoft Exchange and the port number in your web browser. Note that the protocol used is https. For example: https://127.0.0.1:25023

2. The Security Alert about the F-Secure Anti-Virus for Microsoft Exchange Web Console certificate is displayed. If you install the certificate now, you will not see the Security Alert window again. Click View Certificate to view the certificate information and to install the certificate.

3. The Certificate window opens. Click Install Certificate to proceed to the Certificate Import Wizard.

4. Follow the instructions in the Certificate Import Wizard. When the wizard has completed, you are prompted to add the new certificate in the Certificate Root Store. Click Yes.

5. If the Security Alert window is still displayed, click Yes to proceed.

6. When the login page opens, enter the user name and the password. Note that you must have administrator rights to the host. Then click Log In.

Figure 4-1 F-Secure Anti-Virus for Microsoft Exchange Web Console Login page

7. You will be forwarded to the home page, which displays a summary of the system status.


Figure 4-2 F-Secure Anti-Virus for Microsoft Exchange Home page

4.4

Home Page

4.5

Checking the Product Status


You can check the overall product status on the Home page. The Home page displays an overview of each component status and most important statistics of the installed F-Secure Anti-Virus for Microsoft Exchange components. From the Home page you can also open the product logs and proceed to configure the product components. This section describes the statistics and operations available on the Home page.


F-Secure Anti-Virus for Microsoft Exchange


The Home page displays the status of F-Secure Anti-Virus for Microsoft Exchange as well as a summary of the F-Secure Anti-Virus for Microsoft Exchange statistics.

Status indicator - Displays the status of F-Secure Anti-Virus for Microsoft Exchange.
Processed messages - Displays the total number of messages that have been processed.
Infected messages - Displays the number of infected messages found since the last reset of statistics.
Stripped attachments - Displays the number of attachments that have been stripped.

Click Configure to configure F-Secure Anti-Virus for Microsoft Exchange. For more information, see Overview, 220.

F-Secure Content Scanner Server


The Home page displays the status of F-Secure Content Scanner Server as well as a summary of the F-Secure Content Scanner Server statistics.

Status indicator - Displays the status of F-Secure Content Scanner Server.
Last time virus definition databases updated - Displays the last date and time when the virus definition databases were updated.
Database update version - Displays the version of the virus definition database update. The version is shown in YYYY-MM-DD_NN format, where YYYY-MM-DD is the release date of the update and NN is the number of the update for that day.
Scanned files - Displays the number of files the server has scanned for viruses.
Last time infection found - Displays the last infection detected by the server.

Click Configure to configure F-Secure Content Scanner Server. For more information, see F-Secure Content Scanner Server Settings, 278.
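
As an added example (not part of the product or of the original guide), the Python below parses the YYYY-MM-DD_NN database update version described above and flags servers whose definitions are malformed, older than a chosen age, or behind the newest version seen. The host names, version strings, the two-digit reading of NN and the 3-day threshold are assumptions constructed for the example.

```python
"""Audit virus definition versions given in YYYY-MM-DD_NN form."""
import re
from datetime import date

# NN is read as exactly two digits, as the format string suggests (assumption).
VERSION_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})_(\d{2})")


def parse_db_version(version):
    """Return (release_date, update_number); raise ValueError if malformed."""
    match = VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"not in YYYY-MM-DD_NN format: {version!r}")
    year, month, day, number = (int(part) for part in match.groups())
    # date() raises ValueError for impossible dates such as month 13.
    return date(year, month, day), number


def is_newer(candidate, reference):
    """True if candidate was released later, or later on the same day."""
    return parse_db_version(candidate) > parse_db_version(reference)


def audit(reported, today, max_age_days=3):
    """Map each host to 'invalid', 'stale', 'behind' or 'current'."""
    parsed, findings = {}, {}
    for host, version in reported.items():
        try:
            parsed[host] = parse_db_version(version)
        except ValueError:
            findings[host] = "invalid"
    newest = max(parsed.values(), default=None)
    for host, (released, number) in parsed.items():
        if (today - released).days > max_age_days:
            findings[host] = "stale"      # older than the allowed age
        elif (released, number) < newest:
            findings[host] = "behind"     # recent, but another host has newer
        else:
            findings[host] = "current"
    return findings


# Constructed sample data: versions as read from each server's Home page.
TODAY = date(2006, 12, 4)
REPORTED = {
    "exch01": "2006-12-04_02",
    "exch02": "2006-12-04_01",
    "exch03": "2006-11-20_03",
    "exch04": "2006-13-01_01",   # impossible month
}

if __name__ == "__main__":
    for host, status in sorted(audit(REPORTED, TODAY).items()):
        print(f"{host}: {REPORTED[host]} -> {status}")
```
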

F-Secure Automatic Update Agent


Status indicator - Displays the status of F-Secure Automatic Update Agent.
Communication method - Displays the currently used client protocol.
Last connection to the server - Displays the last date and time when F-Secure Automatic Update Agent polled the F-Secure Automatic Update Server for new updates.

Click Configure to configure F-Secure Automatic Update Agent. For more information, see Updating Virus and Spam Definition Databases, 345.

F-Secure Management Agent


Status indicator - Displays the status of F-Secure Management Agent.
Management method - Displays if the host is standalone (configured locally) or networked (at least sometimes connected through a network or a temporary link).

Click Configure to configure the F-Secure Management Agent. For more information, see F-Secure Management Agent Settings, 308.

Toolbar Buttons
Click Show F-Secure Log to view the F-Secure log file (LogFile.log) in a new Internet browser window. Click Download to download and save the LogFile.log for later use.
Click Export Settings to open a list of all F-Secure Anti-Virus for Microsoft Exchange settings in a new Internet browser window. Select File > Save As... to save the file for later use.
Click Export Statistics to open a list of all F-Secure Anti-Virus for Microsoft Exchange statistics in a new Internet browser window. Select File > Save As... to save or print the file for later use.
Click Configure Console to configure the F-Secure Anti-Virus for Microsoft Exchange Web Console. For instructions, see Configuring the F-Secure Anti-Virus for Microsoft Exchange Web Console, 74.
Click Help to open the online help.

4.6

Configuring the F-Secure Anti-Virus for Microsoft Exchange Web Console


On the F-Secure Anti-Virus for Microsoft Exchange Web Console Configuration page you can specify settings for connections to the server. You can also open the F-Secure Anti-Virus for Microsoft Exchange Web Console access log from this page.

Limit session timeout - Specify the length of time a client can be connected to the server. When the session expires, the F-Secure Anti-Virus for Microsoft Exchange Web Console displays a warning. The default value is 60 minutes.

Click Show Access Log to view the F-Secure Anti-Virus for Microsoft Exchange Web Console access log. Note that the Web Console access log differs from standard web server access logs, as it logs only the first request per session.

Listen on address - Specify the IP address of the F-Secure Anti-Virus for Microsoft Exchange Web Console Server.
Port - Specify the port where the server listens for connections. The default port is 25023.
Accept connections from the following hosts - Specify a list of hosts which are allowed to connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.

To add a new host in the list, click Add to add a new line in the table and then enter the IP address of the host.

4.7

Using F-Secure Policy Manager Console


In the centralized administration mode, you can open F-Secure Anti-Virus for Microsoft Exchange components from the Windows Start menu > Programs > F-Secure Policy Manager Console. When the Policy Manager Console opens, go to the Advanced Mode user interface by selecting View > Advanced Mode (this step is required in F-Secure Policy Manager version 5.50 and later). Then select the Policy tab to view the F-Secure Anti-Virus for Microsoft Exchange components. F-Secure Policy Manager Console is used to create policies for F-Secure Anti-Virus for Microsoft Exchange installations that are running on selected hosts or groups of hosts. Policies are created by assigning values to variables shown on the Policy tab of the Properties pane (the middle pane) in F-Secure Policy Manager Console. To assign a value, select a variable marked by the leaf icon in the Properties pane and enter the value in the Editor pane (the right pane). After a policy is created, it must be distributed to hosts by choosing Distribute from the File menu.

After changing the settings and distributing the policy, you have to wait for F-Secure Anti-Virus for Microsoft Exchange to poll the policy. For testing purposes you may also want to change the polling intervals. To do that, select the domain in F-Secure Policy Manager Console and set the Incoming Packages Polling Interval and Outgoing Packages Update Interval variables to 30-45 seconds. The variables are located under each of the two trees in the F-Secure Management Agent / Settings / Communications branch. Note that since the default polling interval is 10 minutes, it might take up to 10 minutes for the new setting to take effect. Alternatively, you can click Poll the server now in F-Secure Management Agent.

For detailed information on installing and using F-Secure Policy Manager Console, see the F-Secure Policy Manager Administrator's Guide.

4.8

Modifying Settings and Viewing Statistics


This section describes how you can modify product settings and view product statistics in both centrally administered and stand-alone mode.

4.8.1

Centrally Administered Mode


To change F-Secure Anti-Virus for Microsoft Exchange settings in the centrally administered mode, select F-Secure Anti-Virus for Microsoft Exchange from the Properties pane. Make sure the Policy tab is selected and assign values to variables under the Settings branch. Modify settings by assigning new values to the basic leaf node variables (marked by the leaf icons) shown in the Policy tab of the Properties pane.

Initially, every variable has a default value, which is displayed in gray. Select the variable from the Properties pane and enter the new value in the Editor pane to change it. You can either type the new value or select it from a list box. If you enter an invalid value, it will be displayed in red in the Properties pane. Click Clear to revert to the default value or Undo to cancel the most recent change that has not been distributed. For detailed explanations of all variables, see F-Secure Anti-Virus for Microsoft Exchange Settings, 128.

Settings that are configured during the installation and the initial setup require that you select the Final check box from the Product View pane. These settings include Primary and Backup Content Scanner Servers and Quarantine settings.

Select the Status tab of the Properties pane to view statistics and the settings that were configured during the installation of F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange. Statistics are updated periodically and can be reset by choosing Reset Statistics on the Policy tab of the Properties pane. For more information, see F-Secure Anti-Virus for Microsoft Exchange Statistics, 186.

Changing Settings That Have Been Modified During Installation or Upgrade


If you want to change a setting that has been modified locally during installation or upgrade, you need to mark the setting as Final in the restriction editor. The settings descriptions in this manual indicate the settings for which you need to use the Final restriction. You can also check in F-Secure Policy Manager Console whether you need to use the Final restriction for a setting. Do the following:

1. Select the Policy tab and then select the setting you want to check.
2. Now select the Status tab to see if the setting has been modified locally.

If the setting is not shown in grayed font in the Status view, then the product uses the setting from the base policy and therefore the Final restriction is not needed. If the setting is shown in normal black font, then the setting has been modified locally. You must mark the setting as Final when you change it.


4.8.2

Stand-alone Mode
To change F-Secure Anti-Virus for Microsoft Exchange settings in stand-alone mode, open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the variables you want to change from the options tree. For detailed explanations of all variables, see Administration with Web Console, 219. To view statistics for real-time scanning, select Summary on the options tree. To reset all counters to zero, click Reset Statistics. To view statistics for the latest manual scan, select Manual Scanning on the options tree. The Manual Scanning property page displays the following statistics: the number of processed mailboxes, the number of processed Public Folders, the numbers of processed, infected, and suspicious messages in mailboxes and in the Public Folders. Manual scanning statistics are reset every time a new manual scan is performed.

4.9

Manually Processing Mailboxes and Public Folders


You can scan mailboxes and Public Folders for viruses and strip attachments manually at any time. You can also create scheduled scan tasks to scan mailboxes and Public Folders periodically.


4.9.1

Centrally Administered Mode


You can perform virus scans and strip attachments manually by using controls under the F-Secure Anti-Virus for Microsoft Exchange / Operations branch.

To start a manual scan, select Start under F-Secure Anti-Virus for Microsoft Exchange / Operations / Manual Scanning. Click Start in the Editor pane. Choose Distribute from the File menu.

To stop a manual scan, select Stop under F-Secure Anti-Virus for Microsoft Exchange / Operations / Manual Scanning. Click Stop in the Editor pane. Choose Distribute from the File menu.

To view the scanning report (the total numbers of mailboxes and Public Folders, and the numbers of processed mailboxes and Public Folders), open the Reports tab.

For information on how to configure options for manual scans, see Manual Processing, 161.

Creating Scheduled Operation


Open F-Secure Anti-Virus for Microsoft Exchange > Settings > Scheduled Processing settings branch and click Add to start the Scheduled Operation Wizard.

Step 1.

Enter the name for the new task and select how frequently you want the operation to be performed.

Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified date.
Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.

Do not use any special characters in the task name.

Click Next to continue.

Step 2.

Specify whether you want to process all messages or only those messages that have not been processed previously during the manual processing. Specify how many concurrent transactions the scanner can have with F-Secure Content Scanner Server.


Click Next to continue.


Step 3.

Choose mailboxes that should be processed during the scheduled operation.


Do not scan mailboxes - Do not process any mailboxes.
Scan all mailboxes - Process all mailboxes.
Scan only included mailboxes - Process all mailboxes specified in the list.
Scan all except excluded mailboxes - Process all except those mailboxes specified in the list.

Click Add to add a new mailbox to the list. Click Edit to edit a previously created entry. Click Remove to remove the selected folder or Remove All to remove all entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange examines all mailboxes.

Click Next to continue.


Step 4.

Choose settings for virus scanning of mailboxes during the scheduled operation, and click Next to continue.

For settings descriptions, see Virus Scanning, 132.


Step 5.

Choose settings for stripping attachments during the scheduled operation, and click Next to continue.

For settings descriptions, see Stripping Attachments, 149.


Step 6.

Select Public Folders that should be processed during the scheduled operation.

Do not scan Public Folders - Do not process any Public Folders.
Scan all Public Folders - Process all notes posted to all Public Folders.
Scan only included Public Folders - Process all notes posted to Public Folders specified in the list.
Scan all except excluded Public Folders - Process all notes posted to all Public Folders, except those specified in the list.

Click Add to add a new Public Folder to the list. Click Edit to edit a previously created entry. Click Remove to remove the selected folder or Remove All to remove all entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders. Click Next to continue.


Step 7.

Choose settings for virus scanning of Public Folders during the scheduled operation, and click Next to continue. For settings descriptions, see Virus Scanning, 132.


Step 8.

Choose settings for stripping attachments during the scheduled operation, and click Next to continue.


Step 9.

The Scheduled Operation Wizard displays a summary of the created operation. Click Finish to accept the new scheduled operation and to exit the wizard.

4.9.2

Stand-alone Mode
Specify the manual scanning settings on the Manual Scanning property pages. After you have specified the manual scanning settings, select the Manual Processing and click Start. Under Progress, you can view the progress of the manual scan - the total numbers of mailboxes and Public Folders, and the numbers of processed mailboxes and Public Folders. In the bottom of the property page, the results of the previous manual scan are shown - the numbers of processed, infected and suspicious messages in the mailboxes and in the Public Folders.


4.9.3

Creating Scanning Operations


To process mailboxes manually, you need to set up a manual processing task. For more information, see Creating Manual Scanning Operation, 89. If you want to run scanning tasks frequently, you can set up scheduled operations. For more information, see Creating Scheduled Operation, 104.

Creating Manual Scanning Operation


Start the Manual Scanning Wizard by clicking the Configure... button on the Manual Scanning page.

Step 1.

Specify Messages to Process

1. Specify whether you want to process all messages or only those messages that have not been processed previously.

2. Specify how many concurrent transactions the scanner can have with F-Secure Content Scanner Server.

3. Click Next to continue.

If F-Secure Anti-Virus for Microsoft Exchange is operating on a system that has multiple processors or you are using a high-performance computer, you can increase performance by increasing the number of concurrent transactions.

If you want to use the default settings for most of the scanning settings, click Last to proceed to the last page of the Manual Scanning wizard where you can see a summary of the scanning task settings.

Step 2.

Select Mailboxes to Process

1. Choose mailboxes that should be processed during the manual scanning operation.

Do not process mailboxes - Do not process any mailboxes.
Process all mailboxes - Process all mailboxes.
Process only these mailboxes - Process all specified mailboxes.
Process all except these mailboxes - Process all except specified mailboxes.

Click Add... to add a new mailbox to the list. Click the checkbox in the column to mark a mailbox to be removed. Click Clear to remove all currently marked entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange examines all mailboxes.

2. Click Next to continue.

Step 3.

Specify Virus Scanning Settings for Mailboxes

1. Choose settings for virus scanning of mailboxes.

Attachments to scan - Specify which message attachments are checked for viruses.
Do not scan attachments for viruses - Process messages without scanning any attachments for viruses.
Scan all attachments - Scan all message attachments regardless of filename extension.
Scan all attachments with these extensions - Scan all attachments with specified filename extensions.
Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.
You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body - Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies. Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition - Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing.
Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the rtf filename extension) and you do not accidentally block safe content that has unsafe filename extension (for example, a text file using the doc filename extension).
Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments - Specify whether infected attachments should be disinfected or dropped.
Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.
By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments - Specify whether infected attachments should be placed in the Quarantine or not. For more information, see Quarantine Management, 311.

Send warning message to mailbox owner - Specify whether to send a message to the mailbox owner when an infected attachment is found. Click Edit... to edit the informational text file that replaces the infected attachment if it is dropped.

2. Click Next to continue.

Step 4.

Specify Attachment Stripping Settings for Mailboxes

1. Choose settings for stripping attachments.

Strip attachments

Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from all messages and notes.
Strip all attachments except these allowed - Strip all except specified attachments.
Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachment

Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see Quarantine Management, 311.
Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send informational message to the mailbox owner

Specify whether an informational message should be sent to the owner of the mailbox when an attachment is stripped. Click Edit to edit the message.

Notify administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

2. Click Next to continue.
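The two cases the guide names under Enable File Type Recognition (a Word document using the rtf extension, a text file using the doc extension), run through the four Strip attachments modes with recognition off and on. This is an added Python sketch, not F-Secure's implementation; the signature table, mode names and sample message are constructed for illustration.

```python
"""Added example: extension-based vs. content-based attachment stripping."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading-byte signatures mapped to the extension the content really is.
# A small constructed table for illustration, not a complete recognizer.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 container (legacy Word)
    (b"{\\rtf", "rtf"),
    (b"MZ", "exe"),
    (b"%PDF-", "pdf"),
]

# Hypothetical names for the four "Strip attachments" choices in the wizard.
STRIP_MODES = ("none", "all", "all_except_allowed", "only_disallowed")


def parse_ext_list(text):
    """Parse a space-separated extension list as typed into the text box."""
    return {e.lower().lstrip(".") for e in text.split()}


def real_type(data):
    """Return the extension implied by the content, or None if unknown."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    if not data:
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Plain text: decodable and free of control characters other than whitespace.
    if all(ch >= " " or ch in "\t\r\n" for ch in text):
        return "txt"
    return None


def effective_ext(filename, data, recognition):
    """Extension the policy is evaluated against."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if recognition:
        return real_type(data) or claimed  # fall back when content is unknown
    return claimed


def should_strip(mode, ext, allowed=frozenset(), disallowed=frozenset()):
    """Apply one of the four stripping modes to a single extension."""
    if mode not in STRIP_MODES:
        raise ValueError(f"unknown strip mode: {mode}")
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "all_except_allowed":
        return ext not in allowed
    return ext in disallowed


def evaluate(raw_message, mode, allowed="", disallowed="", recognition=False):
    """Return {filename: 'strip' | 'keep'} for every attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    allow, deny = parse_ext_list(allowed), parse_ext_list(disallowed)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = effective_ext(name, data, recognition)
        verdicts[name] = "strip" if should_strip(mode, ext, allow, deny) else "keep"
    return verdicts


def build_sample():
    """Constructed message mirroring the guide's two examples."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "owner@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    samples = {
        # Word (OLE2) content named .rtf
        "report.rtf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
        # Plain text named .doc
        "notes.doc": b"Meeting notes, plain text only.\r\n",
        "invoice.pdf": b"%PDF-1.4\n% constructed stub\n",
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    for flag in (False, True):
        print("recognition =", flag,
              evaluate(raw, "only_disallowed", disallowed="doc exe", recognition=flag))
```

With recognition off, the disallowed list "doc exe" lets the mislabelled Word file through and strips the harmless text file; with recognition on, both verdicts flip.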


Step 5.

Select Public Folders to Process

1. Select Public Folders that should be processed.


Do not process public folders - Do not process any Public Folders.
Process all public folders - Process all notes posted to all Public Folders.
Process only included public folders - Process all notes posted to the listed Public Folders.
Process all except excluded public folders - Process all notes posted to all Public Folders, except the listed ones.

The notes and attachments to be processed in the selected folders are defined with the Attachments to Scan and Scan Mail Message Body settings.

Click Add to add a new Public Folder to the list. Click Clear to remove the selected folder or Clear All to remove all entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

2. Click Next to continue.


Step 6.

Specify Virus Scanning Settings for Public Folders

1. Choose settings for virus scanning of Public Folders.

Attachments to scan

Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Do not scan any attachments.
Scan all attachments - Scan all message attachments.
Scan all attachments with these extensions - Scan all attachments with specified filename extensions.
Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body

Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies. Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing. Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the rtf filename extension) and you do not accidentally block safe content that has unsafe filename extension (for example, a text file using the doc filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments

Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments

Specify whether infected attachments should be placed in the Quarantine or not. For more information, see Quarantine Management, 311.

Send warning message to the originator

Specify whether to send a warning message to the originator of the public folder message, which contained an infected attachment. Click Edit to edit the message.

2. Click Next to continue.


Step 7.

Specify Attachment Stripping Settings for Public Folders

1. Choose settings for stripping attachments.

Strip attachments

Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from all messages and notes.
Strip all attachments except these allowed - Strip all except specified attachments.
Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachments

Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see Quarantine Management, 311.
Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send the informational message to the originator

Specify whether an informational message should be sent to the originator of the message when an attachment is stripped. Click Edit to edit the message.

Notify administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

2. Click Next to continue.


Step 8.

Finish

The Manual Scanning Wizard displays a summary of the created operation. Click Finish to accept the new manual scanning operation and to exit the wizard.

Creating Scheduled Operation


Start the Scheduled Operation Wizard by clicking Add Task... in the Scheduled Processing window.


Step 1.

Specify Scanning Task Name and Schedule

1. Enter the name for the new task and select how frequently you want the operation to be performed.

Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified date.
Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.

2. Enter the start time of the task in hh:mm format.

3. Enter the start date of the task in mm/dd/yyyy format.

Do not use any special characters in the task name.

4. Click Next to continue.


Step 2.

Specify Messages to Process

1. Specify whether you want to process all messages or only those messages that have not been processed previously during the scheduled processing.

2. Specify how many concurrent transactions the scanner can have with F-Secure Content Scanner Server.

3. Click Next to continue.


Step 3.

Select Mailboxes to Process

1. Choose mailboxes that should be processed during the scheduled operation.


Do not process mailboxes - Do not process any mailboxes.
Process all mailboxes - Process all mailboxes.
Process only these mailboxes - Process all specified mailboxes.
Process all except these mailboxes - Process all except specified mailboxes.

Click Add... to add a new mailbox to the list. Click the checkbox in the column to mark a mailbox to be removed. Click Clear to remove all currently marked entries from the list.

By default, F-Secure Anti-Virus for Microsoft Exchange examines all mailboxes.

2. Click Next to continue.


Step 4.

Specify Virus Scanning Settings for Mailboxes

1. Choose settings for virus scanning of mailboxes during the scheduled operation.

Attachments to scan

Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Process messages without scanning any attachments for viruses.
Scan all attachments - Scan all message attachments regardless of filename extension.
Scan all attachments with these extensions - Scan all attachments with specified filename extensions.
Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body

Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies. Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing. Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the rtf filename extension) and you do not accidentally block safe content that has unsafe filename extension (for example, a text file using the doc filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments

Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments

Specify whether infected attachments should be placed in the Quarantine or not. For more information, see Quarantine Management, 311.

Send warning message to mailbox owner

Specify whether to send a message to the mailbox owner when an infected attachment is found. Click Edit... to edit the informational text file that replaces the infected attachment if it is dropped.

2. Click Next to continue.


Step 5.

Specify Attachment Stripping Settings for Mailboxes

1. Choose settings for stripping attachments during the scheduled operation.

Strip attachments

Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from all messages and notes.
Strip all attachments except these allowed - Strip all except specified attachments.
Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachment

Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see Quarantine Management, 311.
Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send the informational message to the mailbox owner

Specify whether an informational message should be sent to the owner of the mailbox when an attachment is stripped. Click Edit to edit the message.

Notify administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

2. Click Next to continue.

Step 6.

Select Public Folders to Process

1. Select Public Folders that should be processed during the scheduled operation.

Do not process public folders - Do not process any Public Folders.
Process all public folders - Process all notes posted to all Public Folders.
Process only included public folders - Process all notes posted to the listed Public Folders.
Process all except excluded public folders - Process all notes posted to all Public Folders, except the listed ones.

The notes and attachments to be processed in the selected folders are defined with the Attachments to Scan and Scan Mail Message Body settings.

Click Add to add a new Public Folder to the list. Click Clear to remove the selected folder or Clear All to remove all entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

2. Click Next to continue.


Step 7.

Specify Virus Scanning Settings for Public Folders

1. Choose settings for virus scanning of Public Folders during the scheduled operation.

Attachments to scan

Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Do not scan any attachments.
Scan all attachments - Scan all message attachments.
Scan all attachments with these extensions - Scan all attachments with specified filename extensions.
Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body

Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies. Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing. Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the rtf filename extension) and you do not accidentally block safe content that has unsafe filename extension (for example, a text file using the doc filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments

Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments

Specify whether infected attachments should be placed in the Quarantine or not. For more information, see Quarantine Management, 311.

Send warning message to the originator

Specify whether to send a warning message to the originator of the public folder message, which contained an infected attachment. Click Edit to edit the message.

2. Click Next to continue.


Step 8.

Specify Attachment Stripping Settings for Public Folders

1. Choose settings for stripping attachments during the scheduled operation.

Strip attachments

Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from all messages and notes.
Strip all attachments except these allowed - Strip all except specified attachments.
Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachment

Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see Quarantine Management, 311.
Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send the informational message to the originator

Specify whether an informational message should be sent to the originator of the message when an attachment is stripped. Click Edit to edit the message.

Notify administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

2. Click Next to continue.


Step 9.

Finish

The Scheduled Operation Wizard displays a summary of the created operation. Click Finish to accept the new scheduled operation and to exit the wizard.

4.10 Configuring Alert Forwarding


Alerts are sent if security has been compromised or when a program needs to report specific events, such as modules starting or stopping, low disk space, and so on. Alerts are also sent when a program or operation has encountered a problem.

4.10.1 Centrally Administered Mode


You can configure where F-Secure Anti-Virus for Microsoft Exchange sends alerts by editing the Alert Forwarding table, which is located under F-Secure Management Agent / Settings / Alerting / Alert Forwarding.

You can specify where an alert is sent according to its severity level. You can send the alert to any of the following:

F-Secure Policy Manager Console
Windows Event Viewer
E-mail
SNMP

All events are sent to the log file in addition to other locations you choose.

Figure 4-3 The Alert Forwarding table in F-Secure Policy Manager

You should configure settings in the F-Secure Management Agent / Settings / Alerting / Alerting Agents branch accordingly. If you choose to forward alerts to e-mail, you will need to specify the recipient's e-mail address. This is done as follows:

1. Click Add to add a new row in the E-mail Address table.
2. Type the e-mail address on the new row.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.

If you choose to send alerts as e-mails to administrators using the SMTP protocol, you will need to specify the e-mail address of the recipient as shown below. This dialog opens once you have selected the e-mail checkbox in the Alert Forwarding table.


Figure 4-4 The Addresses dialog for specifying alert recipients

By default, information-level and warning-level alerts are not sent to F-Secure Policy Manager console and are not displayed for the user, either. These lower priority alerts and notifications can be very useful for troubleshooting, but enabling their alerting will substantially increase the number of transmitted alerts. If you have a large domain structure, specifying very strict alert-forwarding rules may flood F-Secure Policy Manager console with alerts. In addition, you can configure the alert target by setting the policy variables under target-specific branches. For example, F-Secure Management Agent / Settings / Alerting / F-Secure Policy Manager Console / Retry Send Interval specifies how often a host will attempt to send alerts to F-Secure Policy Manager console if previous attempts have failed. Since F-Secure Anti-Virus for Microsoft Exchange is a fundamental part of the network, more alerts will probably be forwarded from it to F-Secure Policy Manager than from other hosts.

4.10.2 Stand-Alone Mode


4.11

Alert Forwarding
You can configure alert forwarding by editing the Alert Forwarding table in the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can access it from the Home page by clicking the Configure... button in the F-Secure Management Agent section. When the F-Secure Management Agent Configuration page opens, click the Alert Forwarding... button to open the F-Secure Management Agent Configuration > Alert Forwarding page.

Figure 4-5 F-Secure Management Agent Configuration > Alert Forwarding page

You can specify where an alert is sent according to its severity level. You can send an alert to any of the following:

F-Secure Policy Manager Console
Windows Event Viewer
E-mail
SNMP

To forward alerts to an e-mail address, specify the e-mail address of the recipient. Follow these instructions:

1. Click Add to add a new row in the E-mail Address table.
2. Type the e-mail address on the new row.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.

Informational and warning-level alerts are not sent to F-Secure Policy Manager Console by default. If you want to use centralized administration mode, it is recommended to have all alerts sent to F-Secure Policy Manager Console.

4.12 Viewing Alerts

When F-Secure Anti-Virus for Microsoft Exchange has encountered a problem, it sends an alert to the administrator. Alerts are also sent if security has been compromised or a program wants to notify about some specific events - the product has found a virus, there is not enough disk space to do some operation, and so on. Alerts are displayed on the Alerts tab of the Properties pane. When an alert is received, Alert in the F-Secure Policy Manager Console toolbar will light up. To view the alerts, click Alert. The Alerts tab in the Properties pane will open. Every received alert is displayed in the following format:

Ack - Click Ack to acknowledge the alert. If all alerts are acknowledged, Ack is grayed out.

Severity - The severity of the alert. Each severity level has its own icon:

Info - Normal operating information from the host
Warning - Warning from the host
Error - Recoverable error on the host
Fatal error - Unrecoverable error on the host
Security alert - Virus or other security hazard detected

Date/Time - Date and time of the alert.

Description - Description of the problem.

Host/User - Name of the host and user where the alert originated.

Product - The F-Secure product that sent the alert.

When an alert is selected from the list, the Editor pane displays more specific information about the alert. F-Secure Anti-Virus for Microsoft Exchange reports fatal errors, virus alerts, and other events as configured in the Alert Forwarding table under F-Secure Management Agent / Settings / Alerting branch.

CENTRALLY MANAGED ADMINISTRATION


Overview
F-Secure Anti-Virus for Microsoft Exchange Settings
F-Secure Anti-Virus for Microsoft Exchange Statistics
F-Secure Content Scanner Server Settings
F-Secure Content Scanner Server Statistics
F-Secure Automatic Update Agent Settings
F-Secure Management Agent Settings

CHAPTER 5 Centrally Managed Administration

5.1 Overview

If F-Secure Anti-Virus for Microsoft Exchange is installed in the centrally administered mode, F-Secure Anti-Virus for Microsoft Exchange is managed centrally with F-Secure Policy Manager. In the centralized administration mode, you can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to check the current status of F-Secure Anti-Virus for Microsoft Exchange and to connect to F-Secure Web Club for support, but you cannot change any settings with it.

5.2 F-Secure Anti-Virus for Microsoft Exchange Settings


In the centralized administration mode, you can change settings and start operations using F-Secure Policy Manager Console. For more information, see Using F-Secure Policy Manager Console, 75.

Figure 5-1 F-Secure Anti-Virus for Microsoft Exchange setting categories

Settings

Language

Defines the language used in reports, alerting and warning messages, and in the Quarantine information. Currently the only supported language is English.

Real-Time Processing

Change real-time virus scanning, content blocking and outbreak management settings. F-Secure Anti-Virus for Microsoft Exchange uses these settings while it is processing mailboxes and Public Folders in real-time. For more information, see Real-Time Processing, 130. If you have F-Secure Spam Control installed, the Spam Control settings are displayed under this branch. For settings descriptions, see Spam Control Settings in Centrally Managed Environments, 333.

Manual Processing

Change manual processing settings. F-Secure Anti-Virus for Microsoft Exchange uses these settings when you manually process mailboxes and Public Folders. For more information, see Manual Processing, 161. For more information on how to start the manual processing, see Manually Processing Mailboxes and Public Folders, 78.

Scheduled Processing

Change scheduled processing settings. F-Secure Anti-Virus for Microsoft Exchange can process mailboxes and Public Folders at scheduled times. For more information, see Scheduled Processing, 176.

Content Scanner Servers

Change settings F-Secure Anti-Virus for Microsoft Exchange uses to connect to F-Secure Content Scanner Servers. For more information, see Content Scanner Servers, 177.

Quarantine

Change Quarantine settings. All infected and blocked messages and notes can be moved to the Quarantine. For more information, see Quarantine, 180.

Reporting

Change the address of the notification sender. For more information, see Reporting, 184.

Advanced

Change mailbox and Public Folder polling intervals. For more information, see Advanced, 184.

Operations

Reset Statistics
Manual Scanning

Use operations to reset F-Secure Anti-Virus for Microsoft Exchange statistics or manually scan mailboxes and Public Folders for viruses. For more information, see Manually Processing Mailboxes and Public Folders, 78.

5.2.1 Real-Time Processing
You can change real-time virus scanning and content blocking settings and make changes to the outbreak management settings from the F-Secure Anti-Virus for Microsoft Exchange / Settings / Real-Time Processing branch. You can also define domains that belong to the internal network of the company.

Figure 5-2 Real-Time Processing settings

Virus Scanning

Change settings used when scanning messages and attachments for viruses in real-time. For more information, see Virus Scanning, 132.

Content Blocking

Change settings used when stripping attachments in real-time. For more information, see Content Blocking, 147.

Spam Control

Change settings used when incoming messages are scanned for spam. For more information, see Spam Control Settings in Centrally Managed Environments, 333. The Spam Control settings branch is displayed only if you have F-Secure Spam Control installed.

Outbreak Management

Change virus outbreak notification settings. For more information, see Outbreak Management, 158.

Internal Domains

Define internal domains of the company network. For more information, see Internal Domains, 161.

Virus Scanning
F-Secure Anti-Virus can examine message bodies and attachments, intercept them and send them to F-Secure Content Scanner Server, which scans them for malicious code.

Figure 5-3 Real-Time Processing / Virus Scanning settings

Examine Attachments

Specify which message attachments are checked for viruses.
All Attachments - Scan all message attachments in e-mail messages and public folder notes for malicious code.
All Attachments with Included Extensions - Scan all attachments with extensions specified in the Included Extensions setting.
All Attachments except Excluded Extensions - Scan all attachments, except for those with extensions specified in the Excluded Extensions setting.
Do not Scan - Do not scan any attachments in e-mail messages and public folder notes.
By default, F-Secure Anti-Virus for Microsoft Exchange examines all files with included extensions.

Included Extensions

Specify extensions of attachments to be scanned if the Examine Attachments setting is set to All Files with Included Extensions.

Excluded Extensions

Specify extensions of files that are not scanned if the Examine Attachments setting is set to All Attachments except Excluded Extensions.

You can modify Included Extensions and Excluded Extensions lists as needed. Separate each extension by a space ( ). Wildcards * and ? can be used. To specify the files that have no extension, type a dot ('.').

Action On Infected Attachments

Specify whether infected attachments should be disinfected or dropped.
Disinfect - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop - Do not disinfect or deliver infected attachments. All infected attachments are dropped.
By default, F-Secure Anti-Virus for Microsoft Exchange disinfects infected attachments.

Quarantine Infected Attachments

Specify whether infected or suspicious attachments should be quarantined.
Yes - All infected and suspicious attachments are placed to the Quarantine. For more information, see Quarantine, 180.
No - Infected and suspicious attachments are not quarantined.
By default, F-Secure Anti-Virus for Microsoft Exchange places all infected attachments to the Quarantine.

Virus Informational File Text

If the infected attachment is dropped, F-Secure Anti-Virus for Microsoft Exchange replaces it with the Virus Informational File. Specify the text of the replacement file. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

Scan Message Body

Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans the message body. Although scanning message bodies can slow down the performance, it is recommended as some viruses can be carried inside message bodies.

Scan OLE Objects

Specify whether linked and embedded OLE objects in messages should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans OLE objects.

Intelligent File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing. Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the rtf filename extension) and you do not accidentally block safe content that has unsafe filename extension (for example, a text file using the doc filename extension). Intelligent File Type Recognition can degrade the system performance.
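The difference between judging an attachment by its name and by its content can be reproduced with a few leading-byte signatures. The following Python sketch is an added example, not F-Secure code: the signature table, the blocked-type set and the function names are assumptions chosen to mirror the two cases named above (a Word document carrying the rtf extension, a text file carrying the doc extension).

```python
import os

# Leading bytes ("magic numbers") of a few common formats and the
# extensions that normally carry them. Deliberately small (assumption):
# a real scanner knows far more formats and looks past the header.
SIGNATURES = [
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msi"}),
    ("rtf",  b"{\\rtf",                            {"rtf"}),
    ("pe",   b"MZ",                                {"exe", "dll", "scr"}),
    ("zip",  b"PK\x03\x04",                        {"zip", "jar"}),
    ("pdf",  b"%PDF-",                             {"pdf"}),
]
TEXT_EXTENSIONS = {"txt", "log", "csv"}

# Constructed sample attachments (not real files).
SAMPLE_WORD_AS_RTF = ("report.rtf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
SAMPLE_TEXT_AS_DOC = ("notes.doc", b"Meeting notes\r\nAgenda: budget\r\n")


def declared_extension(filename):
    """Lower-cased last extension, or '' when the name has none."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def type_for_extension(ext):
    """File type that the extension claims."""
    for label, _magic, extensions in SIGNATURES:
        if ext in extensions:
            return label
    return "text" if ext in TEXT_EXTENSIONS else "unknown"


def sniff_type(data):
    """File type according to the content itself."""
    for label, magic, _extensions in SIGNATURES:
        if data.startswith(magic):
            return label
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def decide(filename, data, blocked_types, use_recognition):
    """Return (verdict, type used for the verdict).

    Without recognition only the extension is trusted. With recognition
    the detected content type wins whenever the content is recognised.
    """
    by_name = type_for_extension(declared_extension(filename))
    if not use_recognition:
        effective = by_name
    else:
        by_content = sniff_type(data)
        effective = by_content if by_content != "unknown" else by_name
    return ("block" if effective in blocked_types else "allow"), effective


if __name__ == "__main__":
    blocked = {"ole2", "pe"}  # hypothetical policy: no Office binaries, no executables
    for name, data in (SAMPLE_WORD_AS_RTF, SAMPLE_TEXT_AS_DOC):
        for recognition in (False, True):
            print(name, "recognition=%s" % recognition,
                  decide(name, data, blocked, recognition))
```

With recognition off, the disguised Word document passes and the harmless text file is blocked; with recognition on, both verdicts flip.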


Inbound Mail

Figure 5-4 Real-Time Processing / Virus Scanning / Inbound Mail settings


Trusted Mailboxes

Define users' mailboxes that should be excluded from real-time virus scanning. To add mailboxes to the table, click Add in the Editor pane of F-Secure Policy Manager Console. A new table row appears. Double-click the Mailbox cell and enter the name of the trusted mailbox.

It is not safe to use trusted mailboxes. You should not send or copy messages from trusted mailboxes to other mailboxes. Keep all trusted mailboxes on a separate message store, as messages are always scanned when they are sent to another store.

Stop the Whole Message if Infection Found

Specify whether F-Secure Anti-Virus for Microsoft Exchange should stop inbound messages that contain malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange does not stop these messages.
Yes - Inbound messages with infected attachment(s) will be stopped completely.
No - Infected attachments will be automatically disinfected or dropped from inbound messages.
In both cases, a warning message will be sent to the sender if Send Warning Message to Sender is set to Yes.

Add Warning Message

Specify whether a virus warning message should be added to the mail message which had infected content and which goes to the original message recipient. If you want to add the warning message, the original message is embedded in the virus warning message without the infected attachment. By default, F-Secure Anti-Virus for Microsoft Exchange adds the virus warning message.

Warning Subject

Specify the subject of the virus warning message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Warning Message

Specify the text of the warning message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

Send Warning Message To Sender

Specify whether a virus warning message should be sent to the sender of the mail message which had infected content. If you want to add the warning message, the original message is attached to the virus warning message without the infected attachment. By default, F-Secure Anti-Virus for Microsoft Exchange does not send the virus warning message to the sender.

Warning Subject For Sender

Specify the subject of the virus warning message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Warning Message For Sender

Specify the text of the warning message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

The virus warning message will be sent to the sender of the infected message only if the sender belongs to an internal domain that has been defined in the Internal Domains settings. F-Secure Anti-Virus for Microsoft Exchange does not send the warning message outside the company domain. For more information, see Internal Domains, 161.

Proactive Virus Threat Detection

Specify whether proactive virus threat detection is enabled or disabled. Proactive virus threat detection can identify new and unknown e-mail malware, including viruses and worms. When proactive virus threat detection is enabled, the product analyzes inbound e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe. Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected. When proactive virus threat detection is disabled, inbound mails are only scanned by antivirus engines.


Outbound

Figure 5-5 Real-Time Processing / Virus Scanning / Outbound Mail settings


Stop The Whole Message If Infection Found

Specify whether all outgoing messages that have infected content should be stopped or not. Yes - Stop all outbound messages with infected content completely. No - Disinfect or drop the infected attachment before sending the outbound message. In both cases a warning message is sent to the sender if the Send Warning Message to Sender setting is set to Yes. By default, F-Secure Anti-Virus for Microsoft Exchange stops the whole message.

A note about MAPI clients: If you set F-Secure Anti-Virus for Microsoft Exchange to disinfect infected files and to stop the whole message if an infection is found, messages that are sent from MAPI clients are not stopped if they can be disinfected. Messages are scanned and disinfected when they are in the Outbox. When a message leaves the Outbox folder, it does not contain malicious code anymore, so it is not stopped.


Send Warning Message To Sender

Specify whether a virus warning message should be sent to the sender of the mail message which had infected content. If you want to add the warning message, the original message is embedded in the virus warning message. The warning is sent only if the sender of the message with the infected attachment is an internal user. No warnings will be sent outside the organization.

Warning Subject

Specify the subject of the virus warning message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Warning Message

Specify the text of the warning message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

If the sender sends an infected message to internal and external recipients, the sender can receive two warning messages about the same infection.

Add Disclaimer

Specify whether you want to add a disclaimer to all outgoing messages. By default, F-Secure Anti-Virus for Microsoft Exchange adds a disclaimer.

Disclaimer

Specify the disclaimer text.

Proactive Virus Threat Detection

Specify whether proactive virus threat detection is enabled or disabled. Proactive virus threat detection can identify new and unknown e-mail malware, including viruses and worms. When proactive virus threat detection is enabled, the product analyzes inbound e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe. Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected. When proactive virus threat detection is disabled, inbound mails are only scanned by antivirus engines.

Public Folders
The Real-Time Processing / Public Folders settings include real-time scanning for viruses and real-time stripping of attachments. Real-time scanning of Public Folders checks all notes posted to Public Folders for malicious code. Real-time scanning for viruses removes infected attachments from Public Folder notes.


Figure 5-6 Real-Time Processing / Virus Scanning / Public Folders settings


Examine Public Folders

Specify Public Folders that should be processed in real-time.
Process All Public Folders - Process all notes posted to all Public Folders.
Process Only Included Folders - Process all notes posted to the Public Folders specified in the Included Folders setting.
Process All except Excluded Folders - Process all notes posted to all Public Folders, except those specified in the Excluded Folders setting.
Do not Process Public Folders - Do not process any Public Folders.
By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

Included Folders

Specify Public Folders to be scanned for viruses if the Examine Public Folders setting is set to Process Only Included Folders.

Excluded Folders

Specify Public Folders to be excluded from scanning if the Examine Public Folders setting is set to Process All except Excluded Folders.

To add Public Folders to Included Folders and Excluded Folders table, click Add in the Editor pane of F-Secure Policy Manager Console. Double-click the Folder Name cell in the new table row and enter the name and path of the Public Folder. Double-click the Include Subfolders cell and select Yes if you want to include or exclude all subfolders of the folder you entered. The folder name should start from the name of the Public folder tree. You can use wildcards in folder names.

All infected messages which are sent to public folders with Outlook WebAccess are disinfected or dropped regardless of the Examine Public Folders setting.

Send Warning Message To Originator

Specify whether a virus warning message should be sent to the original writer of the note which had infected content that was not disinfected. By default, F-Secure Anti-Virus for Microsoft Exchange sends the virus warning message to the originator. The warning will be sent only if the originator of the note with the infected attachment belongs to an internal domain. This means that no warnings will be sent outside the company.

Warning Subject

Specify the subject of the virus warning message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Warning Message

Specify the text of the warning message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

Content Blocking
F-Secure Anti-Virus for Microsoft Exchange can strip unwanted attachments and filter content from inbound and outbound messages during the on-access scanning of mailboxes.

Figure 5-7 Content Blocking settings categories

On-Access

Specify the settings used during the on-access scanning of messages.

Inbound Mail

Inbound mail includes all e-mail messages coming into the Microsoft Exchange Information Store from external sources such as an SMTP server. It also includes all internal mail that someone inside the organization sends to another mailbox which is inside the organization. For more information, see Internal Domains, 161. Inbound Mail settings consist of the following settings:
Trusted Mailboxes - Define users' mailboxes that should be excluded from real-time attachment stripping and content filtering.
It is not safe to use trusted mailboxes. You should not send or copy messages from trusted mailboxes to other mailboxes. Keep all trusted mailboxes on a separate message store, as messages are always scanned when they are sent to another store.
If you are using F-Secure Anti-Virus for Microsoft Exchange in centrally managed mode and have multiple Microsoft Exchange servers running under the same domain, only those trusted mailboxes that belong to the current server are trusted.
Stripping Attachments - Define attachments that should be stripped from inbound messages. For more information, see Stripping Attachments, 149.
Content Filtering - Define how inbound content should be filtered based on keywords. For more information, see Content Filtering, 153.

Outbound Mail

Outbound mail includes all e-mail messages which leave the Microsoft Exchange Information Store and go out via SMTP. Outbound Mail settings consist of the following settings:
Stripping Attachments - Define attachments that should be stripped from outbound messages. For more information, see Stripping Attachments, 149.
Content Filtering - Define how outbound content should be filtered based on keywords. For more information, see Content Filtering, 153.

Stripping Attachments
F-Secure Anti-Virus for Microsoft Exchange can be configured to remove attachments in real-time from inbound and outbound messages and during the on-access scanning by their file name or the file extension even without scanning them for malicious code. F-Secure Anti-Virus for Microsoft Exchange can strip attachments from mailboxes and Public Folders when you run the manual scan. For more information, see Manual Processing, 161. For more information on how to run the manual scan, see Manually Processing Mailboxes and Public Folders, 78.

Figure 5-8 The Stripping Attachments settings in On-Access, Inbound Mail and Outbound Mail branches

Strip Attachments

Specify which attachments should be stripped from messages and Public Folder notes.
Disabled - Do not strip any attachments.
All Files - Strip all attachments from all messages and notes.
All Disallowed Attachments - Strip all attachments specified in the Disallowed Attachments setting.
All Attachments Except Allowed - Strip all attachments except those specified in the Allowed Attachments setting.
By default, F-Secure Anti-Virus for Microsoft Exchange strips all disallowed attachments.

Allowed Attachments

Specify attachments that should not be stripped if the Strip Attachments setting is set to All Attachments Except Allowed.

Disallowed Attachments

Specify attachments that should be stripped if the Strip Attachments setting is set to All Disallowed Attachments.

You can modify Allowed Attachments and Disallowed Attachments lists as needed. Separate each extension by a comma (,). Wildcards * and ? can be used. To specify the files that have no extension, type a dot ('.').

Intelligent File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, the Intelligent File Type Recognition is disabled during the real-time processing and enabled during the manual processing.

Action on Stripped Attachments

Specify whether stripped attachments should be quarantined or dropped. Quarantine - All stripped attachments are placed in the Quarantine. For more information, see Quarantine, 180. Drop - All stripped attachments are deleted automatically. By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Add Informational Message

Specify whether an informational message should be added to the mail message which originally had the stripped attachment. During the on-access scanning, the informational message can be sent to the mailbox owner or to the originator of an infected message or an infected Public Folder note. By default, F-Secure Anti-Virus for Microsoft Exchange does not add the informational message.

Informational Subject

Specify the subject of the informational message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Informational Message

Specify the text of the informational message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

The informational message cannot be added to outbound messages.

Notify Administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment. No Alerts - Do not send any notification to the administrator. Informational - Send an informational alert to the administrator. Warning - Send a warning alert to the administrator. Security - Send a security alert to the administrator. By default, F-Secure Anti-Virus for Microsoft Exchange sends an informational alert to the administrator. For more information, see Configuring Alert Forwarding, 121.

Send Informational Message To Sender

Specify whether an informational message should be sent to the sender of the mail message which had the stripped attachment. By default, F-Secure Anti-Virus for Microsoft Exchange does not send the informational message to the sender.

Informational Subject For Sender

Specify the subject of the informational message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Informational Message For Sender

Specify the text of the informational message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

The informational message will be sent to the sender of the stripped attachment only if the sender belongs to the internal domain. F-Secure Anti-Virus for Microsoft Exchange does not send the informational message outside the company domain. For more information, see Internal Domains, 161.

If a message contains some stripped and some disinfected content, the message is considered to be infected. In these cases, the only message that is sent is the virus warning message, and no informational message about the stripped attachment is sent.
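The extension lists used by Examine Attachments (space-separated) and Strip Attachments (comma-separated) can be dry-run against a set of attachment names before a policy is distributed, to see what a given list leaves unscanned or unstripped. The following Python sketch is an added example, not F-Secure code; matching on the last extension only, case-insensitive comparison, and a dot being the only pattern that matches extensionless files are assumptions about the matching rules.

```python
import os
import re


def parse_list(text):
    """Split an extension list on spaces and/or commas, lower-cased."""
    return [p.lower() for p in re.split(r"[,\s]+", text.strip()) if p]


def extension_of(filename):
    """Last extension, lower-cased; '.' stands for 'no extension'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(name)[1]
    return ext[1:].lower() if len(ext) > 1 else "."


def wildcard_regex(pattern):
    """Translate the two documented wildcards, * and ?, into a regex."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern)
    return re.compile("".join(parts))


def matches(ext, patterns):
    if ext == ".":  # extensionless file: only the '.' entry selects it (assumption)
        return "." in patterns
    return any(p != "." and wildcard_regex(p).fullmatch(ext) is not None
               for p in patterns)


def should_scan(filename, mode, included="", excluded=""):
    """Evaluate the Examine Attachments setting for one attachment name."""
    ext = extension_of(filename)
    if mode == "All Attachments":
        return True
    if mode == "All Attachments with Included Extensions":
        return matches(ext, parse_list(included))
    if mode == "All Attachments except Excluded Extensions":
        return not matches(ext, parse_list(excluded))
    if mode == "Do not Scan":
        return False
    raise ValueError("unknown Examine Attachments mode: %r" % mode)


def should_strip(filename, mode, allowed="", disallowed=""):
    """Evaluate the Strip Attachments setting for one attachment name."""
    ext = extension_of(filename)
    if mode == "Disabled":
        return False
    if mode == "All Files":
        return True
    if mode == "All Disallowed Attachments":
        return matches(ext, parse_list(disallowed))
    if mode == "All Attachments Except Allowed":
        return not matches(ext, parse_list(allowed))
    raise ValueError("unknown Strip Attachments mode: %r" % mode)


def unscanned(filenames, mode, included="", excluded=""):
    """Names that the given scanning configuration would skip."""
    return [f for f in filenames if not should_scan(f, mode, included, excluded)]


# Constructed attachment names for a dry run.
SAMPLE_NAMES = ["invoice.pdf.exe", "README", "macro.DOCM",
                "photo.jpg", "setup.vbs", "archive.tar.gz"]

if __name__ == "__main__":
    print(unscanned(SAMPLE_NAMES, "All Attachments with Included Extensions",
                    included="exe com vb? do* ."))
```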

Content Filtering
F-Secure Anti-Virus for Microsoft Exchange can be configured to filter messages in real-time from inbound and outbound mail traffic based on a list of keywords that have been defined as denied. You can specify a separate list of keywords for message subjects and message text.


Figure 5-9 Real-Time Processing / Content Blocking / Inbound Mail / Content Filtering settings


Filter content

Specify whether keyword-based content filtering should be enabled or disabled. By default keyword-based content filtering is disabled.

Disallowed Keywords in Message Subject

Specify disallowed keywords in message subject. When Content Filtering is enabled, messages that have these keywords in their subjects are filtered out. The action to take on these messages depends on the Action on Disallowed Content setting (see below).

Disallowed Keywords in Message Text

Specify disallowed keywords in message bodies. When Content Filtering is enabled, messages that have these keywords in the body text are filtered out.

Action on Disallowed Content

Specify whether filtered messages should be quarantined or dropped.
Quarantine - All filtered messages are placed in the Quarantine. For more information, see Quarantine, 180.
Drop - All filtered messages are deleted automatically.

Send Informational Message to Recipient

Specify whether an informational message should be sent to the recipient of the disallowed content that was filtered. (This setting exists in the Inbound Mail branch only.) By default, F-Secure Anti-Virus for Microsoft Exchange does not send the informational message. The informational message will be sent only if the recipient of the message with the disallowed content is an internal user. This means that no informational messages will be sent outside the company.

Informational Subject for Recipient

Specify the subject of the informational message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369. (This setting exists in the Inbound Mail branch only.)

Informational Message for Recipient

Specify the text of the informational message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369. (This setting exists in the Inbound Mail branch only.)

Notify Administrator

Specify whether an alert should be sent to the administrator when F-Secure Anti-Virus for Microsoft Exchange filters a message, and what type of an alert it should be. No Alerts - Do not send any notification to the administrator. Informational - Send an informational alert to the administrator. Warning - Send a warning alert to the administrator. Security - Send a security alert to the administrator. By default, F-Secure Anti-Virus for Microsoft Exchange sends an informational alert to the administrator. For more information, see Configuring Alert Forwarding, 121. F-Secure Management Agent alert forwarding table controls where alerts with certain severity level will be sent.

Send Informational Message to Sender

Specify whether an informational message should be sent to the sender of the disallowed content which was dropped or quarantined. (This setting exists in the Outbound Mail branch only.) By default, F-Secure Anti-Virus for Microsoft Exchange does not send the informational message to the sender.

Informational Subject for Sender

Specify the subject of the informational message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369. (This setting exists in the Outbound Mail branch only.)

Informational Message for Sender

Specify the text of the informational message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369. (This setting exists in the Outbound Mail branch only.)

The informational message will be sent to the sender of the disallowed content only if the sender belongs to the internal domain. F-Secure Anti-Virus for Microsoft Exchange does not send the informational message outside the company domain. For more information, see Internal Domains, 161.

Outbreak Management
F-Secure Anti-Virus for Microsoft Exchange can alert administrators when the number of infections detected within a specified time frame exceeds a specified value.


Figure 5-10 Real-Time Processing / Outbreak Management settings

Notify When Number Of Infections Detected Exceeds

Specify the number of infected objects that should be found within the time period specified in the Notify When Number Of Infections Detected Within setting, which should be considered as a virus outbreak. Use the value zero (0) to disable the outbreak notification. By default, the outbreak notification is disabled (0).

Notify When Number Of Infections Detected Within

Specifies the outbreak notification time frame. By default, the time frame is 30 minutes.


Send Security Alert

Specify whether a security alert should be sent to the administrator when a virus outbreak is detected. For more information, see Configuring Alert Forwarding, 121. By default, F-Secure Anti-Virus for Microsoft Exchange sends the security alert.

Send Outbreak Notification

Specify whether outbreak notification e-mail should be sent to the notification addresses specified in the Notification Addresses setting when a virus outbreak is detected. By default, F-Secure Anti-Virus for Microsoft Exchange does not send the outbreak notification.

Notification Addresses

Specify the e-mail addresses of the recipients who should receive the outbreak notification e-mail. Separate each address with a comma (,) or space ( ).

Notification Subject

Specify the subject of the outbreak notification e-mail message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Notification Message

Specify the text of the outbreak notification e-mail message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

Run Outbreak Handler Script

Specify whether an outbreak handler script should be run when a virus outbreak is detected.

Outbreak Handler Script

Specify the pathname and filename of an external program or script that should be run when a virus outbreak is detected. Use quotation marks if the path or the filename contains spaces, for example "C:\Program Files\Example\Outbreak Detected.exe". You can use the following environment variables in the script:
$INTERVAL-MINUTES - The outbreak detection interval in minutes.
$INFECTIONS-LIMIT - The number of infections that must be found within the specified detection interval to trigger the outbreak alert.
$INFECTIONS-FOUND - The actual number of infections found within detection interval.
If you want to run a batch file, use the format cmd batch.bat.
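Choosing values for the two Notify When Number Of Infections Detected settings is easier with a replay of past detection times against candidate thresholds. The following Python sketch is an added example, not F-Secure code; the sliding-window counting, the rule that an alert fires once and re-arms only after the count falls back to the limit, and the sample timestamps are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta


def outbreak_alerts(detections, limit, window_minutes=30):
    """Return the detection times at which an outbreak alert would fire.

    limit          - alert when MORE than this many infections fall inside
                     the window; 0 disables the notification (page default)
    window_minutes - length of the detection time frame (page default 30)
    """
    if limit <= 0:
        return []
    if window_minutes <= 0:
        raise ValueError("window_minutes must be positive")
    window = timedelta(minutes=window_minutes)
    recent = deque()      # detections still inside the time frame
    alerts = []
    in_outbreak = False   # suppress repeat alerts for one ongoing outbreak
    for ts in sorted(detections):
        recent.append(ts)
        while recent and ts - recent[0] >= window:
            recent.popleft()
        if len(recent) > limit:
            if not in_outbreak:
                alerts.append(ts)
                in_outbreak = True
        else:
            in_outbreak = False
    return alerts


def compare_settings(detections, candidates):
    """Map each (limit, window_minutes) candidate to its alert count."""
    return {c: len(outbreak_alerts(detections, c[0], c[1])) for c in candidates}


# Constructed history: one detection every two hours (background noise)
# plus a burst of 12 detections, one per minute, starting at 09:00.
BASE = datetime(2006, 1, 16, 0, 0)
SAMPLE_DETECTIONS = (
    [BASE + timedelta(hours=2 * i) for i in range(12)]
    + [BASE + timedelta(hours=9, minutes=m) for m in range(12)]
)

if __name__ == "__main__":
    for (limit, minutes), count in compare_settings(
            SAMPLE_DETECTIONS, [(0, 30), (5, 30), (12, 30), (1, 180)]).items():
        print("limit=%d window=%dmin -> %d alert(s)" % (limit, minutes, count))
```

In this history a limit of 5 within 30 minutes isolates the burst, a limit of 12 misses it because the count must exceed the limit, and a limit of 1 within 180 minutes is tripped by background detections alone.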

Internal Domains
Specify the domains which should be considered to be internal domains. All messages which are going to internal domains are considered to be inbound messages. Separate each domain name with a space. You can use the * wildcard, for example, *example.com.

5.2.2 Manual Processing
Variables located under F-Secure Anti-Virus for Microsoft Exchange / Settings / Manual Processing / Common configure the options that are common for manual scans of mailboxes and Public Folders. For information on how to manually process mailboxes and Public Folders, see Manually Processing Mailboxes and Public Folders, 78.


Figure 5-11 Manual Processing settings categories

Common

Specify whether you want to process all messages every time you manually process mailboxes and Public Folders, or just the messages that have not been processed yet. For more information, see Common, 163.

Mailboxes

Specify manual mailbox processing settings. For more information, see Mailboxes, 165.

Public Folders

Specify manual Public Folder processing settings. For more information, see Public Folders, 171.

Common

Figure 5-12 Manual Processing / Common settings

Incremental Scanning

Specify whether you want to process all messages or only those messages that have not been processed previously. All Messages - Process all messages every time you run a manual scan. Only Recent Messages - Process only recent messages, which have not been processed previously. By default, F-Secure Anti-Virus for Microsoft Exchange processes only recent messages. You can process all messages for example after the F-Secure Anti-Virus for Microsoft Exchange virus definition database has been updated. For more information, see Updating Virus and Spam Definition Databases on page 70.


Number of Concurrent Transactions

Specify how many concurrent transactions the scanner can have with F-Secure Content Scanner Server. By default, F-Secure Anti-Virus for Microsoft Exchange uses two concurrent transactions with F-Secure Content Scanner Server. You can increase the performance on a multiprocessor system by increasing the number of concurrent transactions.


Mailboxes

Figure 5-13 Manual Processing / Mailboxes settings

Examine Mailboxes

Specify which mailboxes should be processed during the manual scanning.
Process Only Included Mailboxes - Process all mailboxes specified in the Included Mailboxes setting.
Process All Except Excluded Mailboxes - Process all mailboxes, except those specified in the Excluded Mailboxes setting.
Process All Mailboxes - Process all mailboxes.
Don't Process Mailboxes - Do not process any mailboxes.
By default, F-Secure Anti-Virus for Microsoft Exchange examines all mailboxes.

Included Mailboxes

Specify mailboxes that should be scanned if the Examine Mailboxes setting is set to Process Only Included Mailboxes.

Excluded Mailboxes

Specify mailboxes that should not be scanned if the Examine Mailboxes setting is set to Process All Except Excluded Mailboxes.

To add a new mailbox to the Included and Excluded Mailboxes lists, click Add in the Editor pane of F-Secure Policy Manager Console. Then, double-click the Mailbox cell and enter the name of the mailbox to be included. Check the Inbox, Outbox, Sent Items and Deleted Items check boxes to include or exclude them from the scan. The Others check box contains all other folders of the selected mailbox. You can change whether folders should be included or excluded from the scan by double-clicking the cell and selecting either Yes or No.

Attachments To Scan

Specify which attachments should be scanned for viruses.
All Attachments with Included Extensions - Scan all attachments with extensions specified under the Included Extensions setting.
All Attachments Except Excluded Extensions - Scan all attachments, except the ones with extensions specified under the Excluded Extensions setting.
All Attachments - Scan all attachments.
None - Do not scan attachments.
By default, F-Secure Anti-Virus for Microsoft Exchange scans all files.

Included Extensions

Specify extensions of attachments to be scanned if the Attachments To Scan setting is set to All Attachments with Included Extensions.

Excluded Extensions

Specify extensions of files that are not scanned if the Attachments To Scan setting is set to All Attachments Except Excluded Extensions.

You can modify the default set of Included and Excluded Extensions as needed. Separate each extension by a space ( ). Wildcards * and ? can be used. To specify the files that have no extension, type a dot ('.').

Intelligent File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, the Intelligent File Type Recognition is enabled during the manual processing.

Action On Infected Attachments

Specify whether infected attachments should be disinfected or dropped.
Disinfect - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop - Do not disinfect or deliver infected attachments. All infected attachments are dropped.
By default, F-Secure Anti-Virus for Microsoft Exchange disinfects infected attachments.

Send Warning Message To Mailbox Owner

Specify whether a virus warning message should be sent to the mailbox owner of the mail message which had infected content. If you want to add the warning message, the original message is embedded in the virus warning message. By default, F-Secure Anti-Virus for Microsoft Exchange sends the warning message to the mailbox owner.

Warning Subject

Specify the subject of the virus warning message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Warning Message

Specify the text of the warning message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

Quarantine Infected Attachments

Specify whether infected attachments should be placed in the Quarantine or not.
Yes - All infected and dropped attachments are placed in the Quarantine. For more information, see Quarantine, 180.
No - All infected and dropped files are deleted automatically.
By default, F-Secure Anti-Virus for Microsoft Exchange places infected attachments in the Quarantine.

Scan Message Body

Specify whether the body of the e-mail message should be scanned for malicious code. As some viruses can be carried inside a message body, it is recommended to scan message bodies. Scanning message bodies can slow down the performance. By default, F-Secure Anti-Virus for Microsoft Exchange scans the message body.


Stripping Attachments
F-Secure Anti-Virus for Microsoft Exchange can be configured to remove attachments according to the file name or the file extension, without even scanning them for malicious code. Using the variables under the Manual Scanning / Mailboxes / Stripping Attachments branch you can configure the options for stripping attachments during manual processing of the mailboxes.

Figure 5-14 Manual Processing / Mailboxes / Stripping Attachments settings

For more information, see Stripping Attachments, 149.


Public Folders
Use the variables under Manual Scanning / Public Folders to configure options for manual processing of Public Folders.

Figure 5-15 Manual Processing / Public Folders settings

Examine Public Folders

Specify Public Folders that should be scanned for viruses.
Process Only Included Folders - Process all notes posted to the Public Folders specified in the Included Folders setting.
Process All Except Excluded Folders - Process all notes posted to all Public Folders, except those specified in the Excluded Folders setting.
Process All Public Folders - Process all notes posted to all Public Folders.
Don't Process Public Folders - Do not process any Public Folders for viruses.
The notes and attachments to be processed in the selected folders are defined with the Attachments to Scan and Scan Message Body settings.
By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

Included Folders

Specify Public Folders to be scanned for viruses if the Examine Public Folders setting is set to Scan Only Included Folders.

Excluded Folders

Specify Public Folders to be excluded from scanning if the Examine Public Folders setting is set to Scan All Except Excluded Folders.

To add Public Folders to Included and Excluded Folders tables, click Add in the Editor pane of F-Secure Policy Manager Console. Double-click the Folder Name cell and enter the name and path of the Public Folder. Double-click the Include Subfolders cell and select Yes if you want to include or exclude all subfolders of the folder you entered. You can use \* to specify folders that have not been specified otherwise.

Attachments To Scan

Specify which attachments will be checked for malicious code during the manual processing of Public folders.
All Attachments - All attachments will be checked for malicious code during the manual processing.
All Attachments with Included Extensions - Only attachments with extensions specified in the Included Extensions setting will be scanned.
All Attachments except Excluded Extensions - All attachments will be scanned, except files with the extensions specified in the Excluded Extensions setting.
None - Attachments will not be checked for malicious code.
By default, F-Secure Anti-Virus for Microsoft Exchange scans all attachments.

Included Extensions

Specify attachments that should be scanned if the Attachments To Scan setting is set to All Attachments with Included Extensions.

Excluded Extensions

Specify extensions of files that are not scanned if the Attachments To Scan setting is set to All Attachments except Excluded Extensions.

You can modify the default Included and Excluded Extensions lists as needed. Separate each extension by a space ( ). Wildcards * and ? can be used. To specify the files that have no extension, type a dot ('.').

Intelligent File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, the Intelligent File Type Recognition is enabled during the manual processing.
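
The following added example (not F-Secure's code) models how the Attachments To Scan modes, the Included and Excluded Extensions lists and Intelligent File Type Recognition interact for both Mailboxes and Public Folders, and shows why an extension list alone misses a renamed executable. The signature table, the sample bytes, the function names and the rule that a recognized type replaces the declared extension (with * also matching the '.' entry) are assumptions made for the illustration.

```python
import os
import re

# Option names of the Attachments To Scan setting, as listed in the guide.
ALL = "All Attachments"
INCLUDED = "All Attachments with Included Extensions"
EXCEPT_EXCLUDED = "All Attachments Except Excluded Extensions"
NONE = "None"

# Constructed signature table (assumption): leading bytes -> real file type.
SIGNATURES = [
    (b"MZ", "exe"),                                # DOS/PE executable
    (b"PK\x03\x04", "zip"),                        # ZIP local file header
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound document
]

# Constructed sample: executable header sent under a harmless-looking name.
DISGUISED = b"MZ\x90\x00" + b"\x00" * 60


def declared_extension(filename):
    """Extension taken from the name, lower-cased; '.' means no extension."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext or "."


def recognized_type(data):
    """Type derived from the content, or None if no signature matches."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return None


def in_list(ext, ext_list):
    """Match against a space-separated list that may use * and ? wildcards."""
    for pattern in ext_list.lower().split():
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in pattern
        )
        if re.fullmatch(regex, ext, re.DOTALL):
            return True
    return False


def should_scan(filename, data, mode, included="", excluded="", recognize=True):
    """Decide whether an attachment is sent to the virus scanner."""
    if mode == ALL:
        return True
    if mode == NONE:
        return False
    # With recognition on, the real type (if known) replaces the declared one.
    real = recognized_type(data) if recognize else None
    ext = real or declared_extension(filename)
    if mode == INCLUDED:
        return in_list(ext, included)
    if mode == EXCEPT_EXCLUDED:
        return not in_list(ext, excluded)
    raise ValueError(f"unknown Attachments To Scan mode: {mode!r}")


if __name__ == "__main__":
    for recognize in (False, True):
        scanned = should_scan("invoice.txt", DISGUISED, INCLUDED,
                              included="exe com dll", recognize=recognize)
        print(f"recognition={recognize}: invoice.txt scanned={scanned}")
```

With recognition disabled, the renamed executable is skipped by both an included list of executable extensions and an excluded list of "safe" extensions; the default All Attachments mode avoids the problem entirely.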

Action On Infected Attachments

Specify whether infected attachments should be disinfected or dropped.
Disinfect - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop - Do not disinfect or deliver infected attachments. All infected attachments are dropped.
By default, F-Secure Anti-Virus for Microsoft Exchange disinfects infected files.

Send Warning Message To Originator

Specify whether a virus warning message should be sent to the original writer of the note which had infected content. By default, F-Secure Anti-Virus for Microsoft Exchange does not send the warning message to the originator.


Warning Subject

Specify the subject of the virus warning message. For more information about the variables you can use in the subject line, see Variables in Warning Messages, 369.

Warning Message

Specify the text of the warning message. For more information about the variables you can use in the text, see Variables in Warning Messages, 369.

Quarantine Infected Attachments

Specify whether infected attachments should be placed in the Quarantine or not.
Yes - All infected and dropped attachments are placed in the Quarantine. For more information, see Quarantine, 180.
No - All infected and dropped files are deleted automatically.
By default, F-Secure Anti-Virus for Microsoft Exchange places infected attachments in the Quarantine.

Scan Message Body

Specify whether the body of the message should be scanned for malicious code. As some viruses can be carried inside a message body, it is recommended to scan message bodies. Scanning message bodies can slow down the performance. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies.

Stripping Attachments
For more information, see Stripping Attachments, 149.


5.2.3

Scheduled Processing
Displays all scheduled tasks and the date and time when the next scheduled task occurs. Deactivate scheduled tasks in the list by clearing the checkbox in front of the task. Activate a task again by checking the checkbox. Click Add to start the Scheduled Operation Wizard. To duplicate a task, select it from the list and click Copy. To edit a previously created task, click Edit. To remove the selected task from the list, click Clear Row. Click Clear Table to remove all tasks from the list. Force Row enforces the current scheduled task to be active in all subdomains and hosts. Force Table enforces all current scheduled tasks to be active in all subdomains and hosts. For more information, see Policy Manager 5 Administrators Guide. For information on how to create scheduled operations, see Creating Scheduled Operation, 79.


5.2.4

Content Scanner Servers

Figure 5-16 Content Scanner Server settings

Primary Servers

Specify all F-Secure Content Scanner Servers where F-Secure Anti-Virus for Microsoft Exchange should send files to be processed. If you list more than one F-Secure Content Scanner Server, F-Secure Anti-Virus for Microsoft Exchange uses load sharing between them. IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.


Backup Servers

Specify F-Secure Content Scanner Servers that act as backup servers for primary servers. If F-Secure Anti-Virus for Microsoft Exchange cannot contact primary F-Secure Content Scanner Servers, it interacts with backup servers. IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.

Local Interaction Mode

This setting controls how F-Secure Anti-Virus Agent interacts with a Content Scanner Server running on the same host.
Enabled - Data are transferred via local temporary files and/or shared memory, which provides the best performance possible.
Disabled - Data are transferred via data stream sockets.
Usually, you do not need to change this setting. It is recommended to use the local interaction mode to obtain the optimum performance.

Max Size of Data Processed in Memory

Specifies the maximum size (in kilobytes) of data to be transferred to the server via shared memory in the local interaction mode. When the amount of data exceeds that, a local temporary file will be used for data transfer. If the option is set to zero (0), all data transfers via shared memory are disabled. The setting is ignored if the local interaction mode is disabled.


Working Directory

Specify the name and location of the working directory, where temporary files are placed. IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product. During the installation, F-Secure Anti-Virus for Microsoft Exchange automatically adjusts the access rights so that only the operating system and the local administrator can access files in the Working directory. If you change this setting after the installation, make sure that the new folder has secure access permissions.

Connection Timeout

Specify how long (in seconds) F-Secure Anti-Virus for Microsoft Exchange should wait for a response from F-Secure Content Scanner Server before it stops attempting to send or receive data. By default, the connection timeout is 900 seconds (15 minutes).


5.2.5

Quarantine

Figure 5-17 Quarantine settings


Quarantine Storage

Specify the path to the Quarantine storage where all quarantined mails and attachments are placed. If you change the Quarantine Storage setting, select the Final checkbox in the Restriction Editor to override initial settings. During the installation, F-Secure Anti-Virus for Microsoft Exchange adjusts the access rights to the Quarantine Storage so that only the product, operating system and the local administrator can access it. If you change the Quarantine Storage setting, make sure that the new location has secure access permissions.

Retain Items in Quarantine

Specify how long quarantined e-mails are stored in the Quarantine before they are deleted automatically. The setting defines the default retention period for all Quarantine categories. To change the retention period for different categories, configure Quarantine Cleanup Exceptions settings.

Delete Old Items Every

Specify how often old items are deleted from the Quarantine. The setting defines the default cleanup interval for all Quarantine categories. To change the cleanup interval for different categories, configure Quarantine Cleanup Exceptions settings.

Quarantine Cleanup Exceptions

Specify separate Quarantine retention periods and cleanup intervals for each Quarantine category.


Quarantine Size Threshold

Specify the minimum amount of free disk space (in megabytes) required on the disk where the Quarantine storage resides. If the specified value is reached, the product sends a warning alert. If the threshold is specified as zero (0), the amount of free disk space is not checked.

Quarantined Items Threshold

Specify the critical number of items in the Quarantine. When the Quarantine holds the critical number of items, the product sends an alert to the administrator. If the threshold is specified as zero (0), the number of items is not checked.

Notify When Quarantine Threshold is Reached

Specify the level of the alert that is sent to administrator when threshold levels are reached.

Quarantine Worms

Specify if the product should quarantine mails infected with mass mail worms or viruses such as Netsky or Bagle.

Quarantine Problematic Mails

Specify if mails that contain malformed or broken attachments should be quarantined for later analysis or recovery.

Released Quarantine Message Subject

Specify the subject of the message released from the Quarantine.

Released Quarantine Message Body

Specify the body of the message released from the Quarantine. The Released Quarantine Message is generated only for items which have been removed from the Microsoft Exchange store and it is sent automatically when the administrator releases the message to the intended recipient.

Automatically Process Unsafe Messages

Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine. Set the value to Disabled to process unsafe messages manually.

Max Attempts to Process Unsafe Messages

Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine. Use the Final Action on Unsafe Messages setting to specify the action that takes place if the message is retained in the Quarantine after the maximum attempts.

Final Action on Unsafe Messages

Specify the action to unsafe messages after the maximum number of reprocesses have been attempted.
Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.

Quarantine Log Directory

Specify the path to the directory where Quarantine logfiles are placed.

Rotate Quarantine Logs Every

Specify how often the product rotates Quarantine logfiles. At the end of each rotation time a new log is created.

Keep Rotated Quarantine Logs

Specify how many rotated log files should be kept.

5.2.6

Reporting

Figure 5-18 Reporting settings

Notification sender address

Specify the address used by F-Secure Anti-Virus Agent for Microsoft Exchange for sending warning and informational messages to the end-users (for example, recipients, senders and mailbox owners).

5.2.7

Advanced

Figure 5-19 Advanced settings


New Mailbox Polling Interval

Specify how often (in seconds) F-Secure Anti-Virus for Microsoft Exchange should check for newly established mailboxes. You can disable the new mailbox polling by using the value 0 (zero). By default, F-Secure Anti-Virus for Microsoft Exchange polls new mailboxes every 1 hour.

New Folder Polling Interval

Specify how often (in seconds) F-Secure Anti-Virus for Microsoft Exchange should check for newly established Public Folders. You can disable the new mailbox polling by using the value 0 (zero). By default, F-Secure Anti-Virus for Microsoft Exchange polls new folders every 1 hour.

Max Levels of Nested Messages

Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited. Note: It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.


Action on Mails with Exceeding Nesting Levels

Specify the action to take on inbound e-mail messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop - E-mail messages with exceeding nesting levels are not delivered to the recipient(s). The nested messages are quarantined if the Quarantine Problematic Mails setting under F-Secure Anti-Virus for Microsoft Exchange / Settings / Real-Time Processing / Quarantine is set to Yes.
Pass Through - Nested e-mail messages will be scanned up to the level specified in the Max Levels of Nested Messages setting and then delivered to the recipient(s).
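
The following added example (not F-Secure's code) models the Max Levels of Nested Messages limit together with the Drop and Pass Through actions, using Python's standard email package on a constructed message with five levels of attached messages. The function names, the Verdict record and the counting rule (outer message is level 0, each attached message adds one) are assumptions made for the illustration; the traversal is iterative so that deep nesting cannot exhaust the call stack.

```python
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage

# Action names as listed in the guide.
DROP = "Drop"
PASS_THROUGH = "Pass Through"


@dataclass
class Verdict:
    deepest_scanned: int   # deepest nesting level that was scanned
    exceeded: bool         # a message beyond the limit was found
    delivered: bool
    quarantined: bool


def build_nested(depth):
    """Constructed sample: a message carrying `depth` levels of attached messages."""
    msg = EmailMessage()
    msg["Subject"] = f"level {depth}"
    msg.set_content(f"body at level {depth}\n")
    for level in range(depth - 1, -1, -1):
        outer = EmailMessage()
        outer["Subject"] = f"level {level}"
        outer.set_content(f"body at level {level}\n")
        outer.add_attachment(msg)          # stored as a message/rfc822 part
        msg = outer
    return msg.as_bytes()


def attached_messages(message):
    """Yield the messages attached directly to `message`."""
    pending = [message]
    while pending:
        part = pending.pop()
        if part.get_content_type() == "message/rfc822":
            yield part.get_payload(0)
        elif part.is_multipart():
            pending.extend(part.get_payload())


def process(raw, max_levels, action, quarantine_problematic=True):
    """Scan nested messages up to max_levels (0 = unlimited), then apply the action."""
    if action not in (DROP, PASS_THROUGH):
        raise ValueError(f"unknown action: {action!r}")
    root = message_from_bytes(raw, policy=policy.default)
    queue = [(root, 0)]
    deepest, exceeded = 0, False
    while queue:
        message, level = queue.pop()
        deepest = max(deepest, level)      # this message is scanned
        for inner in attached_messages(message):
            if max_levels and level + 1 > max_levels:
                exceeded = True            # do not descend past the limit
                continue
            queue.append((inner, level + 1))
    if exceeded and action == DROP:
        return Verdict(deepest, True, delivered=False,
                       quarantined=quarantine_problematic)
    # Within the limit, or Pass Through: deliver after scanning what was allowed.
    return Verdict(deepest, exceeded, delivered=True, quarantined=False)


if __name__ == "__main__":
    sample = build_nested(5)
    for limit, action in ((3, DROP), (3, PASS_THROUGH), (0, DROP)):
        print(limit, action, process(sample, limit, action))
```

Note that Pass Through delivers levels 4 and 5 of the sample without scanning them, which is the trade-off the setting makes against the unlimited (0) value.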

5.3

F-Secure Anti-Virus for Microsoft Exchange Statistics


To view statistics, open the Status tab from the Properties pane and open the Statistics subtree. It displays statistics for the host for each F-Secure Anti-Virus for Microsoft Exchange installation. If a policy domain is selected, the Status view displays the number of hosts in the domain and which hosts are disconnected from F-Secure Policy Manager.

Resetting Statistics
You can reset statistics by using controls under the F-Secure Anti-Virus for Microsoft Exchange / Operations branch.

To reset real-time scanning statistics, use the variables under F-Secure Anti-Virus for Microsoft Exchange / Operations / Reset Statistics. Select Reset and click Start in the Editor pane. The Status above the button will display "Operation still in progress" until the program reports that statistics have been reset.

5.3.1

Common

Figure 5-20 Common statistics

Version

Displays the F-Secure Anti-Virus for Microsoft Exchange version number.

Previous Reset of Statistics

Displays the last date and time when the statistics were reset.

MIB Version

Displays the MIB version number.

Installation Directory

Displays the complete path where F-Secure Anti-Virus for Microsoft Exchange is installed.

Build

Displays the F-Secure Anti-Virus for Microsoft Exchange build number.

Common

Displays the product name and lists all installed hotfixes.

Status

Displays whether F-Secure Anti-Virus for Microsoft Exchange is running (started), stopped, or whether the current status of the agent is unknown.

Real-Time Processing

Displays the number of mailboxes and Public Folders that are protected in real-time. For more information, see Real-Time Processing, 188.

Manual Processing

Displays the statistics of the last manual scan and attachment stripping. For more information, see Manual Processing, 191.

5.3.2

Real-Time Processing
Real-time processing statistics displays the number of mailboxes and Public Folders that are protected in real-time.

Figure 5-21 Real-Time Processing statistics


Protected Mailboxes

Displays the number of currently protected mailboxes.

Protected Public Folders

Displays the number of currently protected Public Folders.

Total Number of Infections Found

Displays the number of viruses F-Secure Anti-Virus for Microsoft Exchange has detected.

Number of Infections Found Within Outbreak Interval

Displays the number of viruses F-Secure Anti-Virus for Microsoft Exchange has detected within the last outbreak interval. For more information, see Outbreak Management, 158.

Inbound Mail

Displays the real-time inbound mail processing statistics. See the following section for more information.

Outbound Mail

Displays the real-time outbound mail processing statistics. See the following section for more information.

Public Folders

Displays the real-time Public Folder processing statistics. See the following section for more information.

Last Infection Found

Displays the name of the last virus that was found.

Last Time Infection Found

Displays the time when the last virus was found.

Inbound, Outbound Mail and Public Folders


Inbound, Outbound Mail and Public Folders Statistics display the statistics of processed, infected, and suspicious mail messages.

Inbound Mail includes e-mail messages coming into Microsoft Exchange Information Store from external sources such as SMTP connector, and internal mail flowing inside the organization.
Outbound Mail includes e-mail messages leaving Exchange Information Store and going out via SMTP, NNTP or IMAP4.
Public Folders statistics display statistics for processed Public Folder notes.

Figure 5-22 Inbound Mail, Outbound Mail and Public Folders statistics

Processed Messages

Displays the total number of processed messages.

Infected Messages

Displays the total number of messages that have been infected with malicious code.

Suspicious Messages

Displays the number of messages that have not been scanned reliably. The message is considered to be suspicious if it is encrypted or it has been compressed with an unknown algorithm, or there was a scanning problem when the message was being scanned.

Stripped Attachments

Displays the number of attachments that have been stripped from messages.

Filtered Messages

Displays the total number of inbound messages that contained disallowed keywords.

Last Infection Found

Displays the name of the last virus found.

Last Time Infection Found

Displays the date and time when the last infection was found.

Number of Spam Messages

Displays the total number of inbound messages found to be spam. (This setting exists under the Inbound Mail branch only.)

Size of Spam Messages

Displays the total size (in kilobytes) of the inbound mail messages considered spam. (This setting exists under the Inbound Mail branch only.)

5.3.3

Manual Processing
Manual processing statistics displays the statistics of the last manual scan and attachment stripping.

Figure 5-23 Manual Processing statistics


Total Amount of Mailboxes

Displays the total number of mailboxes in the Exchange Store that F-Secure Anti-Virus for Microsoft Exchange processes during the manual processing.

Scanned Mailboxes

Displays the number of mailboxes that have been scanned.

Total Amount of Public Folders

Displays the total number of Public Folders in the Exchange Store that F-Secure Anti-Virus for Microsoft Exchange processes during the manual processing.

Scanned Public Folders

Displays the number of Public Folders that have been scanned.

Estimated Time Left

Displays the estimated time left to finish the manual processing.

Elapsed Time

Displays the time that has elapsed since the manual processing was started.

Mailboxes

Displays the manual mailbox processing statistics. See the following section for more information.

Public Folders

Displays the manual Public Folders processing statistics. See the following section for more information.

Manual Processing of Mailboxes and Public Folders

Figure 5-24 Manual Processing / Mailboxes and Manual Processing / Public Folders statistics

Previous Scanning

Displays the date and time of the previous processing.

Processed Messages

Displays the total number of processed messages.

Infected Messages

Displays the total number of messages that have been infected with malicious code.

Suspicious Messages

Displays the number of messages that have not been scanned reliably. The message is considered to be suspicious if it is encrypted or it has been compressed with an unknown algorithm, or there was a scanning problem when the message was being scanned.

Stripped Attachments

Displays the number of attachments that have been stripped from messages.

Last Infection Found

Displays the name of the last virus found.

Last Time Infection Found

Displays the date and time when the last infection was found.

Currently Processed Mailbox

Displays the name of the mailbox that was the last one to be processed during manual scan. (This setting exists under the Mailboxes branch only.)

Currently Processed Public Folder

Displays the name of the public folder that was the last one to be processed during manual scan. (This setting exists under the Public Folders branch only.)

5.3.4

Quarantine
Quarantine statistics displays the details of the items in Quarantine and statistics by Quarantine categories.

Total Number of Quarantined Items

Displays the total number of items in the Quarantine. E-mail messages and infected, suspicious and disallowed attachments are stored as separate items in the Quarantine storage. For example, if a message has 3 attachments and only one attachment is infected, 2 items will be created in the Quarantine storage, and both items have the same Quarantine ID in the Quarantine database.

Total Size of Quarantine Storage

Displays the total size (in megabytes) of the Quarantine storage.

Statistics by Category

Displays the number and total size of quarantined messages by category.

5.4

F-Secure Content Scanner Server Settings


Use the variables under the F-Secure Content Scanner Server / Settings branch to define the settings for content providers and to change the general content scanning options.

Figure 5-25 F-Secure Content Scanner Server Settings categories

Interface

Specify how the server will interact with clients.

Virus Scanning

Specify the scanning engines to be used when F-Secure Content Scanner Server scans files for viruses, and the files that should be scanned. For more information, see Virus Scanning, 198.

Virus Statistics

Specify the settings for the list of Most Active Viruses. For more information, see Virus Statistics, 201.

Database Updates

Specify how you want to keep the virus definition databases up-to-date. For more information, see Database Updates, 203.

Spam Filtering

Specify the number of Spam Scanner instances to be created and used for spam analysis. For more information, see Spam Filtering, 204.

Threat Detection Engine

Configure the virus outbreak and spam threat detection. For more information, see Threat Detection Engine, 206.

Proxy Configuration

Specify proxy server parameters that Content Scanner Server uses when it connects to the threat detection center. For more information, see Proxy Configuration, 207.

Advanced

Specify the location and the minimum size of the Working directory. For more information, see Advanced, 208.

5.4.1

Interface
Specify how the server will interact with clients.

Figure 5-26 Interface settings

IP Address

Specifies the service listen address in case of multiple network interface cards or multiple IP addresses. If you do not assign an IP address (0.0.0.0), the server responds to all IP addresses assigned to the host.

TCP Port

Specifies the TCP port that the server listens for incoming requests. The default port number is 18971. If you change this port number, you must modify the connection settings of the client accordingly, so that the client sends requests to the same port.

Accept Connections

Specifies a comma-separated list of IP addresses the server accepts incoming requests from. If the list is empty, the server accepts connections from any host.

Max Connections

Specifies the maximum number of simultaneous connections the server can accept. Value zero (0) means no limit. Specifies the maximum number of simultaneous connections the server can accept from a particular host. Value zero (0) means no limit. Specifies how long the server should wait before it timeouts on sending data to the client.

Max Connections Per Host

Send Content Timeout

Receive Content Timeout Specifies how long the server should wait before it timeouts when receiving data from the client. Keep Alive Timeout Specifies the length of time before the server closes an inactive/idle connection. This ensures that all connections are closed if the protocol fails to close a connection.

5.4.2 Virus Scanning
Select the scanning engines to be used and the files that should be excluded from the Scan Engines table.

Figure 5-27 Virus Scanning settings

Scan Engines
Scan engines can be enabled or disabled. If you want to disable the scanning just for certain files, enter the appropriate file extensions in the Excluded extensions field and separate each extension with a space. The Excluded extensions field supports * and ? wildcards.

Scan Inside Archives
Specify whether files inside compressed archive files should be scanned for viruses, if they are not excluded from scanning. Scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.

Max Levels in Nested Archives
If Scan Inside Archives is enabled, F-Secure Content Scanner Server can scan files inside archives that may exist inside of other archives. Furthermore, these nested archives can contain other archives. Specify the number of levels F-Secure Content Scanner Server goes through before the action selected in Suspect Max Nested Archives takes place. The default setting is 3. Increasing the value increases the load on the system and thus decreases the overall system performance. This means that the system becomes more vulnerable to denial of service attacks.

Suspect Max Nested Archives
If the number of nested archives exceeds the value specified in Max Levels in Nested Archives, the file is stopped if Treat as Unsafe is selected. If Treat as Safe is selected, the archive file is sent to the user.

Suspect Password Protected Archives
Compressed archive files can be protected with passwords. These archives can be opened only with a valid password, so F-Secure Content Scanner Server cannot scan their content. Password protected archives can be stopped by selecting Treat as Unsafe. If Treat as Safe is selected, password protected archives are delivered to the recipient.

Acceptable Unpacked Size Threshold
Specify the acceptable unpacked size (in kilobytes) for archive files. If the unpacked size of an archive file exceeds this threshold, the server will consider the archive suspicious and the corresponding action will be taken.

Scan Extensions Inside Archives
Enter all the extensions you want to scan inside archives.

Extensions Allowed in Password Protected Archives
Define a space-separated list of the file extensions allowed in password protected archives. Wildcards (*, ?) can be used. Example: "DO? *ML".

Max Scan Timeout
Specify the maximum time that one scanning task can last. The Max Scan Timeout is 10 minutes by default.
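The archive settings above interact: nesting depth, password protection and unpacked size are each checked before any member reaches the scan engines. The following Python example is an added illustration, not F-Secure code. The policy field names, the level-counting rule (outer archive = level 1), the 1024 KB threshold, blocking when the threshold is exceeded and exempting allowed extensions from the password action are assumptions; the sample archives are constructed inline.

```python
import fnmatch
import io
import zipfile
from dataclasses import dataclass


@dataclass
class ArchivePolicy:
    # Field names mirror the settings on this page; they are not product identifiers.
    max_nested_levels: int = 3             # Max Levels in Nested Archives (page default)
    deep_nesting_unsafe: bool = True       # Suspect Max Nested Archives = Treat as Unsafe
    password_unsafe: bool = True           # Suspect Password Protected Archives = Treat as Unsafe
    max_unpacked_kb: int = 1024            # Acceptable Unpacked Size Threshold (assumed value)
    allowed_in_protected: str = "DO? *ML"  # example list given on the page


def ext_allowed(name: str, patterns: str) -> bool:
    """Match a member's extension against a space-separated wildcard list."""
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    return any(fnmatch.fnmatchcase(ext, p.upper()) for p in patterns.split())


def evaluate(data: bytes, policy: ArchivePolicy, level: int = 1, budget=None):
    """Return (verdict, reason); verdict is 'scan', 'block' or 'pass'."""
    if budget is None:
        budget = [policy.max_unpacked_kb * 1024]  # bytes left, shared by all levels
    if level > policy.max_nested_levels:
        verdict = "block" if policy.deep_nesting_unsafe else "pass"
        return verdict, f"nesting deeper than {policy.max_nested_levels} levels"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted, cannot be scanned
                if ext_allowed(info.filename, policy.allowed_in_protected):
                    continue  # assumed: an allowed extension is exempt from the suspect action
                verdict = "block" if policy.password_unsafe else "pass"
                return verdict, f"password protected member {info.filename}"
            with zf.open(info) as fh:
                content = fh.read(budget[0] + 1)  # never inflate past the budget
            if len(content) > budget[0]:
                return "block", "unpacked size above threshold"  # assumed action
            budget[0] -= len(content)
            if zipfile.is_zipfile(io.BytesIO(content)):
                verdict, reason = evaluate(content, policy, level + 1, budget)
                if verdict != "scan":
                    return verdict, reason
    return "scan", "within limits"


# --- constructed sample archives -------------------------------------------
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(depth: int) -> bytes:
    """Build an archive nested `depth` levels deep around a small text file."""
    data = make_zip({"note.txt": b"hello"})
    for _ in range(depth - 1):
        data = make_zip({"inner.zip": data})
    return data


def mark_encrypted(data: bytes) -> bytes:
    """Set the 'encrypted' flag in the central directory of a one-member sample."""
    pos = data.rfind(b"PK\x01\x02")  # central directory file header
    patched = bytearray(data)
    patched[pos + 8] |= 0x01         # general purpose bit flag, bit 0
    return bytes(patched)


if __name__ == "__main__":
    policy = ArchivePolicy()
    samples = {
        "3 levels": nest(3),
        "4 levels": nest(4),
        "2 MB of zeros": make_zip({"big.bin": b"\0" * (2 * 1024 * 1024)}),
        "protected .exe": mark_encrypted(make_zip({"tool.exe": b"x"})),
        "protected .doc": mark_encrypted(make_zip({"invoice.doc": b"x"})),
    }
    for label, blob in samples.items():
        print(label, "->", evaluate(blob, policy))
```

The size check reads decompressed bytes against a shared budget instead of trusting the sizes declared in the archive headers, so a highly compressed member is stopped before it is fully inflated.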

5.4.3 Virus Statistics
Select the number of most active viruses and the number of days to be displayed on the Top 10 virus list.

Figure 5-28 Virus Statistics settings

Time Period
Specify the time period for the most active viruses list. The product shows statistics about most active viruses detected during the specified time period. The possible value range is from 1 hour to 90 days.

Viruses to Show
Specify the number of most active viruses to be displayed for the time period specified in the 'Time Period' setting. The possible values are Top 5, Top 10 and Top 30.

Send Statistics to F-Secure World Map
The product can collect and send statistics about viruses and other malware to the F-Secure World Map service. When the F-Secure World Map support is enabled, the product sends encrypted e-mail reports periodically to the service. These reports list only the name and the amount of found malware and they do not contain any sensitive information such as IP or e-mail addresses or user names. You can also forward unencrypted reports to a configurable e-mail address and use the same statistics for your own internal purposes.

Mail Server Address
Specify the IP address of the mail transfer agent where you want to send the unencrypted report.

Mail Server Port
Specify the port of the mail transfer agent.

E-mail Addresses for Unencrypted Reports
Specify e-mail addresses where the unencrypted report is sent.

5.4.4 Database Updates

Figure 5-29 Database Updates settings

Verify Integrity of Downloaded Databases
Specify whether the product should verify that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them into use.

Notify When Databases Become Old
Specify whether F-Secure Content Scanner Server should notify the administrator if virus definition databases have not been updated recently.

Notify When Databases Older Than
Specify how old (in days) virus definition databases can be before F-Secure Content Scanner Server sends the notification to the administrator.

5.4.5 Spam Filtering

Figure 5-30 Spam Filtering settings

The number of spam scanner instances can be configured in F-Secure Content Scanner Server / Settings / Spam Filtering.

Number of spam scanner instances
Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages will undergo spam analysis simultaneously. The default value is 3. You might need to modify this setting if you enable Realtime Blackhole Lists (DNSBL/RBL) for spam filtering. For more information, see Enabling Realtime Blackhole Lists, 238 and Optimizing F-Secure Spam Control Performance, 240. The server must be restarted after this setting has been changed.

IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.

5.4.6 Threat Detection Engine

Figure 5-31 Threat Detection Engine settings

The virus outbreak and spam threat detection can be configured in F-Secure Content Scanner Server / Settings / Threat Detection Engine.

VOD Cache Size
Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.

Class Cache Size
Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.

Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.

Action on Connection Failure
Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.
Pass through - The message is passed through without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.

Trusted Networks
Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies. Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use * wildcard to match any number and - to define a range of numbers (172.16.*.1, 172.16.4.10-110).
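The Trusted Networks notations listed above can be checked mechanically before a policy is distributed. The following Python example is an added illustration, not the product's parser: it accepts the four notations shown, tests an address against a list of entries, and reports entries that cover more addresses than a review limit so that overly broad trust stands out. The function names, the sample entries and the 65536-address limit are assumptions.

```python
import ipaddress


def parse_entry(entry: str):
    """Parse one Trusted Networks entry; return (predicate(ip), address count)."""
    entry = entry.strip()
    if "/" in entry:
        # Handles both 10.1.0.0/255.255.0.0 and 10.1.0.0/16.
        net = ipaddress.IPv4Network(entry, strict=False)
        return (lambda ip: ip in net), net.num_addresses
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {entry!r}")
    ranges = []
    for part in octets:
        if part == "*":            # wildcard: any number
            lo, hi = 0, 255
        elif "-" in part:          # range of numbers, e.g. 10-110
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {entry!r}")
        ranges.append((lo, hi))
    count = 1
    for lo, hi in ranges:
        count *= hi - lo + 1
    matches = lambda ip: all(lo <= o <= hi for o, (lo, hi) in zip(ip.packed, ranges))
    return matches, count


def is_trusted(address: str, entries) -> bool:
    """True if the IPv4 address matches any entry in the list."""
    ip = ipaddress.IPv4Address(address)
    return any(parse_entry(e)[0](ip) for e in entries)


def audit(entries, max_addresses: int = 65536):
    """Return the entries that cover more than max_addresses (assumed review limit)."""
    return [e for e in entries if parse_entry(e)[1] > max_addresses]


# Constructed sample list using the notations from the page.
SAMPLE_ENTRIES = ["10.1.0.0/255.255.0.0", "192.168.5.0/24", "172.16.*.1", "172.16.4.10-110"]

if __name__ == "__main__":
    for addr in ("10.1.200.7", "172.16.99.1", "172.16.4.111", "192.168.6.1"):
        print(addr, "trusted" if is_trusted(addr, SAMPLE_ENTRIES) else "not trusted")
    print("too broad:", audit(SAMPLE_ENTRIES + ["10.0.0.0/8", "*.*.*.*"]))
```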

5.4.7 Proxy Configuration

Figure 5-32 Proxy configuration

Specify proxy server parameters that Content Scanner Server uses when it connects to the threat detection center.

Use Proxy Server
Specify whether F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center.

Proxy Server Address
Specify the address of the proxy server.

Proxy Server Port
Specify the port number of the proxy server.

5.4.8 Advanced

Figure 5-33 Advanced settings

Working Directory
Specify where temporary files are stored. The Working directory should be on a local hard disk for the best performance. Make sure that there is enough free disk space for temporary files.
IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.
During the setup, access rights are adjusted so that only the operating system and the local administrator can access files in the Working directory. If you make changes to Working Directory settings, make sure that the new directory has the same rights.

Working Directory Clean Interval
Specify the time after which the inactive temporary files in the Working directory are deleted. The default clean interval is 15 minutes.

Free Space Threshold
Specify when F-Secure Content Scanner Server should send a low disk space alert to the administrator. The default setting is 100 megabytes.

Max Number of Concurrent Transactions
Specifies the maximum number of transactions the server processes simultaneously.

5.5 F-Secure Content Scanner Server Statistics

Figure 5-34 F-Secure Content Scanner Server Statistics

The Statistics branch in the F-Secure Content Scanner Server tree displays the version of F-Secure Content Scanner Server that is currently installed on the selected host, the MIB version and the location of F-Secure Content Scanner Server installation directory.

5.5.1 Server
The Server branch contains the following information:

Version
The version of the F-Secure Content Scanner Server daemon.

Status
The status of F-Secure Content Scanner Server, whether it has been started and it is running or it is stopped.

Start Time
The date and time when the server was started.

Previous Reset of Statistics
The date and time of the last reset of statistics.

Number of Active Processors
The number of currently active processors.

Number of Scanned Files
The number of files that have been scanned.

Last Database Update
The last date and time when virus definition database was updated.

Last Infection Found
The name of the last infection that was encountered.

Last Time Infection Found
The date and time when the last infection was found.

5.5.2 Scan Engines
The Scan Engines table displays the scan engine statistics and information.

Name
The name of the scan engine.

Version
The version number of the scan engine.

Status
The status of the scan engine, whether it has been loaded and enabled, is loaded but disabled, has not been loaded at all, or is malfunctioning.

Last Database Update
The last date and time when virus definition database was taken into use for this scan engine.

Database Date
The date the virus signature database for this scan engine was created.

Last Infection Found
Displays the last infection found by this scan engine.

Last Time Infection Found
Displays the date and time of the last infection found by this scan engine.

Processed Files
Displays the number of files processed by this scan engine.

Infected Files
Displays the number of infected files found by this scan engine.

Disinfected Files
Displays the number of files successfully disinfected by this scan engine.

5.5.3 Common
The Common statistics branch displays the list of installed product hotfixes.

5.5.4 Spam Control
The Spam Control branch displays the following information:

Spam Scanner Version
Displays the version and build number of the Spam Scanner.

Status
Displays the status of the Spam Scanner.

Previous Reset of Statistics
Displays when the Spam Scanner statistics were reset last time.

Database Version
Displays the version of the database currently used by the Spam Scanner.

Last Database Update
Displays the date and time when the Spam Scanner database was last updated.

Number of Processed Messages
Displays the total number of e-mail messages that have been analyzed for spam.

Total Spam Statistics
These statistics show how many mail messages have been identified with each spam confidence level rating.

5.5.5 Virus Statistics
The Virus Statistics branch displays the following information:

Figure 5-35 F-Secure Content Scanner Server Statistics / Virus Statistics

Last Updated
Displays the date and time when the virus statistics were updated last time.

Most Active Viruses
Displays the list of most active viruses.

5.6 F-Secure Automatic Update Agent Settings

Figure 5-36 F-Secure Automatic Update Agent Communications settings

To edit F-Secure Automatic Update Agent Settings, go to F-Secure Automatic Update Agent > Settings > Communications.

Automatic updates
Enable and disable the automatic virus definition updates. By default, automatic updates are enabled.

Internet connection checking
Specify whether the product should check for a usable Internet connection before trying to connect to the Update Server.

HTTP settings
Configure HTTP proxy settings. If you use HTTP proxy, all connections to the Update Server or F-Secure Policy Manager Proxy go through the proxy. If the HTTP proxy cannot be reached, the product connects directly to the Update Server.

Use download schedule
Specify whether you want to limit automatic updates to certain time periods.

Download schedule
Specify time periods when the product may connect to the Update Server. If the table is empty, the product can connect to the Update Server any time.

PM Proxies
Policy Manager Proxy can be used to reduce the load on the server by caching Policy Manager content in the proxy. You can set Policy Manager Proxies in priority order. Updates are downloaded from the primary sources first; secondary update sources can be used as a backup. The product connects to the Update Server through any configured Policy Manager Proxies. If the product cannot connect to Policy Manager Proxy, it connects directly to the Update Server.

Intermediate Server failover time
Define the failover time to connect to specified update servers. If the product cannot connect to update servers during the specified time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.

Intermediate Server polling interval
Define how often the product checks the virus definition database update sources for new updates.

Allow fetching updates from F-Secure Update Server
Enable the product to download virus definition updates from F-Secure Update Server when it cannot connect to specified update servers.

5.7 F-Secure Management Agent Settings


If the F-Secure Anti-Virus for Microsoft Exchange is working in centrally administered mode, you have to make sure F-Secure Anti-Virus for Microsoft Exchange sends and receives data from F-Secure Policy Manager Server. To do this, change communications settings from F-Secure Management Agent. For detailed information on F-Secure Management Agent, see the F-Secure Policy Manager Administrator's Guide.


Communications

Host Configuration Mode
Shows whether the host is stand-alone or centrally administered.

Active Protocol
Sets the active protocol.

Protocols
A subdirectory containing the settings for the File Sharing and the HTTP protocol. These settings should be carefully checked before distribution. Errors can result in problems with communicating with the hosts.

Slow Connection Definition
This setting can be used to disallow F-Secure Management Agent from downloading large remote installation packages over slow network connections. F-Secure Management Agent measures the speed of the network link to F-Secure Policy Manager Server and stops the download if the minimum speed specified by this setting is not met.

HTTP

Management Server Address
URL of the F-Secure Policy Manager Server. The URL should not have a slash at the end. For example: http://fsms.example.com.

Incoming Packages Polling Interval
Defines how often the host tries to fetch incoming packages (such as Base Policy files or new virus signature databases) from the F-Secure Policy Manager Server.

Outgoing Packages Update Interval
Defines how often the host tries to transmit to the administrator information that is periodically updated (such as statistics).

Spool Time Limit
The maximum time the host will store the information it is unable to transmit.

ADMINISTRATION WITH WEB CONSOLE


Overview
F-Secure Anti-Virus for Microsoft Exchange Settings
F-Secure Content Scanner Server Settings
F-Secure Automatic Update Agent Settings
F-Secure Management Agent Settings

CHAPTER 6 Administration with Web Console

6.1 Overview
This section describes how to use Web Console to administer F-Secure Anti-Virus for Microsoft Exchange. If F-Secure Anti-Virus for Microsoft Exchange is installed in the stand-alone mode, it can be administered with F-Secure Anti-Virus for Microsoft Exchange Web Console. The Web Console is installed with F-Secure Anti-Virus for Microsoft Exchange. To open the Web Console, double-click the F-Secure Settings and Statistics icon in the Windows system tray and double-click F-Secure Anti-Virus for Microsoft Exchange, or select it from the Start menu > Programs > F-Secure Anti-Virus for Microsoft Exchange.

6.2 F-Secure Anti-Virus for Microsoft Exchange Settings


You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, modify its settings, edit scheduled tasks and start manual processing.

6.2.1 Summary
The Summary page displays the current status of the product and a summary of the most important product statistics.

Figure 6-1 Summary page

Status

Status
The current status of F-Secure Anti-Virus for Microsoft Exchange. F-Secure Anti-Virus for Microsoft Exchange is Started when it is Running and Stopped when it has been stopped or disabled.

Version
The version and the build number of installed F-Secure Anti-Virus for Microsoft Exchange.

Protected mailboxes
Displays the number of currently protected mailboxes.

Protected public folders
Displays the number of currently protected Public Folders.

Infections found
Displays the number of infections found.

Infections found within outbreak interval
Displays the number of infections that have been found within the currently defined outbreak interval.

Last time infection found
Displays the date and time when the last infection was found.

Last infection found
Displays the name of the last infection that was found.

Click Start to start the product and Stop to stop it. Click Reset Statistics to reset the statistics displayed on this page.

6.2.2 Virus Scanning
Virus Scanning settings are used to specify how inbound and outbound messages and Public Folder notes that are sent to F-Secure Content Scanner Server are to be checked for malicious code.

Figure 6-2 Virus Scanning / Statistics page

Statistics

Infections found
Displays the total number of infections found.

Infections found within outbreak interval
Displays the number of infections that have been found during the currently defined outbreak interval.

Last time infection found
Displays the date and time when the last infection was found.

Last infection found
Displays the name of the last infection that was found.

Processed
Displays the number of processed message bodies and attachments.

Infected
Displays the number of attachments that have been infected with malicious code.

Suspicious
Displays the number of stripped messages and messages that have not been scanned reliably. The message is considered to be suspicious if it is encrypted or it has been compressed with an unknown algorithm, or there was a scanning problem when the message was being scanned.

Common
Edit the Virus Scanning / Common settings to specify which messages should be scanned for malicious code. Note that you may have to scroll the page to view all the settings.

Figure 6-3 Virus Scanning / Common settings

Scan mail and public folders for viruses

Scan mail and public folders for viruses
Specify which message attachments are checked for viruses.
Do not scan - Do not scan any attachments.
Scan all - Scan all message attachments.
Scan all attachments with these extensions - Scan all attachments with specified filename extensions.
Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.
You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body
Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies. Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Scan OLE objects
Specify whether linked and embedded OLE objects in messages should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans OLE objects.

Enable File Type Recognition
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing. Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the rtf filename extension) and you do not accidentally block safe content that has an unsafe filename extension (for example, a text file using the doc filename extension). Intelligent File Type Recognition can degrade the system performance.

Max level of nested messages
Set the maximum number of levels of messages inside messages that F-Secure Anti-Virus for Microsoft Exchange should scan. If the number of levels exceeds the specified limit, F-Secure Anti-Virus for Microsoft Exchange performs the action specified in the Action on messages with exceeding nesting levels setting.

Action

Action on infected attachments
Specify whether infected attachments should be disinfected or dropped.
Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.
By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Action on messages with exceeding nesting levels
Specify the action to take on e-mail messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop - E-mail messages with exceeding nesting levels are not delivered to the recipient(s). The nested messages are quarantined if the Quarantine Problematic Mails setting on the General / Quarantine page is set to Yes.
Pass Through - Nested e-mail messages will be scanned up to the level specified in the Max Levels of Nested Messages setting and then delivered to the recipient(s).

Quarantine infected attachments
Specify whether infected attachments should be placed in the Quarantine or not. For more information, see Quarantine, 260.

Virus informational text
Edit the informational text file that replaces the infected attachment if it is dropped.

Reporting

Notification sender address
Define the SMTP address to use when sending notifications to end-users. The SMTP address should be a valid, existing address that is allowed to send messages.

Inbound Mail
Edit Virus Scanning / Inbound Mail settings to define whether the whole message should be stopped if an infection is found and to specify the trusted mailboxes and the warning messages for infected, inbound mails. These settings are specific to the mails that are destined to the internal domains defined under the General / Internal Domains branch. For more information, see Internal Domains, 276.

Figure 6-4 Real-Time Scanning / Inbound Mail settings

Processing options

Stop the whole message if infection found
Specify whether F-Secure Anti-Virus for Microsoft Exchange should stop inbound messages that contain malicious code. When this setting is enabled, inbound messages with infected attachment(s) will be stopped completely. When this setting is disabled, infected attachments will be disinfected automatically or dropped from inbound messages. In both cases, a warning message will be sent to the sender if the Send Warning Message to Sender setting is enabled.
When this setting is enabled, all messages are scanned when they enter the system. The clean messages will be delivered to the mailbox server, where they will be scanned again. On the other hand, enabling this setting reduces internal network traffic, because infected messages are stopped before they enter the system.

Trusted mailboxes

Trusted mailboxes
Define user mailboxes that should be excluded from real-time virus scanning. The trusted mailbox feature works only for messages that are sent directly to an address defined as a trusted mailbox. If the message has multiple recipients, and some of them are defined on the Trusted mailboxes list but some are not, the message will be scanned.

Editing Trusted Mailboxes List


Click Specify to open a dialog box where you can add new trusted mailboxes, or remove trusted mailboxes from the list.

To add a new mailbox to the list, click Add. Select mailboxes from the list and click OK.
To delete an address from the list, click on column to select mailboxes that you want to delete. Click Clear to delete the currently marked mailboxes from the trusted mailboxes list.

It is not safe to use trusted mailboxes. You should not send or copy messages from trusted mailboxes to other mailboxes. Keep all trusted mailboxes on a separate message store, as messages are always scanned when they are sent to another store.

Notification message options

Add warning message
Specify whether a virus warning message should be added to the mail message which had infected content and which goes to the original message recipient. If you want to add the warning message, the original message is embedded in the virus warning message without the infected attachment. Click Edit to edit the warning message that is added to the mail message. By default, F-Secure Anti-Virus for Microsoft Exchange does not add the virus warning message.

Send warning message to sender
Specify whether a virus warning message should be sent to the sender of the mail message which had infected content. If you want to add the warning message, the original message is embedded in the virus warning message without the infected attachment. Click Edit to edit the warning message that is sent to the sender of the mail message which had infected content. By default, F-Secure Anti-Virus for Microsoft Exchange does not send the virus warning message to the sender.
The virus warning message will be sent to the sender of the infected message only if the sender belongs to the internal domain. F-Secure Anti-Virus for Microsoft Exchange does not send the warning message outside the company domain.

Outbound Mail
Edit Virus Scanning / Outbound Mail real-time processing settings to define what should be done to infected outbound messages and set warning messages to infected, outbound mails.

Figure 6-5 Virus Scanning / Outbound Mail settings

Processing options

Stop the whole message if infection found
Specify whether all outgoing messages that have infected content should be stopped or not. Check the checkbox to stop all outbound messages with infected content completely. The original message will be attached to the warning and bounced back to the sender with disinfected content. Clear the checkbox to disinfect or drop the infected attachment before sending the outbound message. By default, F-Secure Anti-Virus for Microsoft Exchange stops the whole message.
If you set F-Secure Anti-Virus for Microsoft Exchange to disinfect infected files and stop the whole message if an infection is found, messages sent from a MAPI client are not stopped if they can be disinfected. Messages are scanned and disinfected when they are in the Outbox. When a message leaves the Outbox folder, it does not contain malicious code anymore, so it is not stopped.

Notifications

Send warning message to sender
Specify whether a virus warning message should be sent to the sender of the mail message which had infected content. If you want to add the warning message, the original message is embedded in the virus warning message. Click Edit to edit the warning message.
If the sender sends an infected message to internal and external recipients, the sender can receive two warning messages about the same infection.

Add disclaimer to all outgoing messages
Specify whether you want to add a disclaimer to all outgoing messages. Click Edit to edit the disclaimer text. By default, F-Secure Anti-Virus for Microsoft Exchange adds a disclaimer.

Public Folders
Edit Public Folders real-time processing settings to define which Public Folders should be scanned for malicious code and to set warning messages to infected Public Folder notes.

Figure 6-6 Virus Scanning / Public Folders settings

Examine public folders

Examine public folders

Specify public folders that should be scanned for viruses.

Do not scan public folders - Do not process any Public Folders.
Scan all public folders - Process all notes posted to all Public Folders.
Scan only included public folders - Process all notes posted to the listed Public Folders.
Scan all except excluded public folders - Process all notes posted to all Public Folders, except to the ones in the list.

By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

Editing Public Folders


Click Specify to open a dialog box where you can add new Public Folders, or remove Public Folders from the list.

To add a new Public Folder to the list, click Add. Select Public Folders from the list and click OK. To select all subfolders of the Public Folder in the list, check the checkbox in column. To delete a Public Folder from the list, click on column to select Public Folders that you want to delete. Click Clear to delete the currently marked Public Folders from the list.

All infected messages which are sent to public folders with Outlook WebAccess are disinfected or dropped regardless of the Examine Public Folders setting.

Notifications

Send warning message to originator

Specify whether a virus warning message should be sent to the original writer of the note which had infected content that could not be disinfected. Click Edit to edit the warning message. By default, F-Secure Anti-Virus for Microsoft Exchange sends the virus warning message to the originator.

Outbreak Detection
F-Secure Anti-Virus for Microsoft Exchange can alert administrators when the number of infections detected within a specified time frame exceeds a specified value.

Figure 6-7 Virus Scanning / Outbreak Detection settings

Condition

Notify when number of infections detected exceed

Specify the number of infected objects that should be found within a specified time period, for it to be considered as a virus outbreak. Use the value zero (0) to disable the outbreak notification. By default, the outbreak notification is disabled (0).

Action

Send security alert to the administrator

Specify whether a security alert should be sent to the administrator when a virus outbreak is detected.

Send outbreak notification message

Specify whether outbreak notification e-mail should be sent to the notification addresses specified in the Notification Addresses setting when a virus outbreak is detected. By default, F-Secure Anti-Virus for Microsoft Exchange does not send the outbreak notification. Click Edit to edit the outbreak notification message.

Run outbreak handler script

Specify an external program that should be run when a virus outbreak is detected. The external program is run using the user account defined during the installation.
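
The outbreak condition described in this section, written as a sliding-window counter. This is an added illustration, not code from the product: the 10-minute window, the one-alert-per-outbreak behaviour and the constructed detection times are assumptions; only the "exceeds" comparison and the rule that zero (0) disables the notification come from the guide.

```python
from collections import deque
from datetime import datetime, timedelta


class OutbreakDetector:
    """Raise an alert when detections inside the time window exceed the threshold."""

    def __init__(self, threshold, window):
        self.threshold = threshold      # 0 disables outbreak notification
        self.window = window            # timedelta, the "specified time frame"
        self.events = deque()           # detection times still inside the window
        self.in_outbreak = False        # assumption: alert once per outbreak

    def record_infection(self, when):
        """Register one detection; return True if it starts a new outbreak."""
        if self.threshold == 0:
            return False
        self.events.append(when)
        # Drop detections that have aged out of the window.
        cutoff = when - self.window
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()
        exceeded = len(self.events) > self.threshold
        fire = exceeded and not self.in_outbreak
        self.in_outbreak = exceeded
        return fire


def replay(detections, threshold, window):
    """Feed detection times in order and return the times at which an alert fires."""
    detector = OutbreakDetector(threshold, window)
    return [when for when in detections if detector.record_infection(when)]


def at(hhmm):
    """Helper for the constructed sample below (the date is arbitrary)."""
    return datetime.strptime("2006-01-16 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: a burst of five detections, a quiet period, then a second burst.
SAMPLE = [at(t) for t in ("09:00", "09:02", "09:04", "09:05", "09:06",
                          "09:30", "09:31", "09:32", "09:33")]

if __name__ == "__main__":
    for alert in replay(SAMPLE, threshold=3, window=timedelta(minutes=10)):
        print("outbreak alert at", alert.strftime("%H:%M"))
```

With a threshold of 3, the fourth detection inside the window triggers the alert; the fifth does not repeat it, and the second burst raises a new one after the window has emptied.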

6.2.3 Stripping Attachments
F-Secure Anti-Virus for Microsoft Exchange can be configured to remove attachments in real-time from inbound and outbound messages by their file name or the file extension even without scanning them for malicious code. The Statistics page displays the number of attachments stripped from inbound and outbound mail and public folders.

Figure 6-8 Stripping Attachments / Statistics page

Statistics

Attachments stripped

Displays the number of stripped attachments in inbound mail, outbound mail and public folders.

On-Access
Edit On-Access stripping attachments settings to set which attachments should be stripped during the on-access scanning. Note that you have to scroll the page to view all the settings.

Figure 6-9 Content Blocking / On-Access / Stripping Attachments settings

Strip attachments

Strip attachments

Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from all messages and notes.
Strip all attachments except these allowed - Strip all except specified attachments.
Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types to the attachment lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.
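
The four stripping modes and the effect of file type recognition on a mislabelled attachment, as an added Python sketch that is not part of the product or of this guide. The mode names, the magic-byte table and the choice to test both the claimed extension and the recognized type are assumptions; the guide does not describe how Intelligent File Type Recognition identifies a file.

```python
import os

# Leading "magic" bytes for a few common formats (illustrative subset, an assumption).
MAGIC = [
    (b"MZ", "exe"),                                # Windows PE/DOS executable
    (b"PK\x03\x04", "zip"),                        # ZIP container
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound document
]


def parse_extensions(text):
    """Parse a space-separated extension list as typed into the text box."""
    return {ext.lower().lstrip(".") for ext in text.split()}


def claimed_extension(filename):
    """Extension the file name claims, lower-cased, without the dot."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def recognized_type(data):
    """Type inferred from content, or None when the header is not in the table."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def should_strip(filename, data, mode, extensions, recognize=False):
    """Decide whether one attachment is stripped under the given mode."""
    if mode == "do_not_strip":
        return False
    if mode == "strip_all":
        return True
    kinds = {claimed_extension(filename)}
    if recognize:
        real = recognized_type(data)
        if real is not None:
            kinds.add(real)   # conservative: the name and the content must both pass
    if mode == "only_disallowed":
        return bool(kinds & extensions)
    if mode == "all_except_allowed":
        return not kinds <= extensions
    raise ValueError("unknown mode: " + mode)


# Constructed sample: an executable header (not a working program) named as text.
DISGUISED = b"MZ\x90\x00" + bytes(60)
GENUINE_PDF = b"%PDF-1.4\n% constructed sample\n"

if __name__ == "__main__":
    disallowed = parse_extensions("exe scr .VBS")
    for recognize in (False, True):
        verdict = should_strip("invoice.txt", DISGUISED, "only_disallowed",
                               disallowed, recognize=recognize)
        print("recognition", "on " if recognize else "off", "-> stripped:", verdict)
```

With recognition off, the disallowed list sees only the `.txt` name and lets the attachment through; with recognition on, the same list strips it.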

Action on stripped attachment

Action on stripped attachment

Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see Quarantine, 260.
Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Add informational message

Specify whether an informational message should be added to the mail message which originally had the stripped attachment. During the on-access scanning, the informational message can be sent to the mailbox owner or to the originator of an infected message or an infected Public Folder note. Click Edit to edit the message that is added to the message which contained the stripped attachment.

By default, F-Secure Anti-Virus for Microsoft Exchange does not add the informational message.

Send the informational message to sender

Specify whether an informational message should be sent to the sender of the mail message which had the stripped attachment. Click Edit to edit the message that is sent to the sender of the mail message which contained the stripped attachment. By default, F-Secure Anti-Virus for Microsoft Exchange does not send an informational message to the sender.

Notify administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

By default, F-Secure Anti-Virus for Microsoft Exchange sends an informational alert to the administrator.

Inbound Mail
Edit Stripping Attachments / Inbound Mail settings to specify which attachments should be stripped from the inbound mail. For settings descriptions, see below. Note that you may have to scroll the page to view all the settings.

Figure 6-10 Stripping Attachments / Inbound Mail settings

Strip attachments

Strip attachments

Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from all messages and notes.
Strip all attachments with these extensions - Strip all except specified attachments.
Strip all attachments except with these extensions - Strip only specified attachments.

You can add new file types to the extension lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Enable File Type Recognition

Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, the Intelligent File Type Recognition is disabled during the real-time processing and enabled during the manual processing.

Trusted mailboxes

Trusted mailboxes

Define user mailboxes that should be excluded from real-time content filtering and attachment stripping.

The trusted mailbox feature works only for messages that are sent directly to an address defined as a trusted mailbox. If the message has multiple recipients, and some of them are defined on the Trusted mailboxes list but some are not, the message will be scanned.

Editing Trusted Mailboxes List


Click Specify to open a dialog box where you can add new trusted mailboxes, or remove trusted mailboxes from the list.

To add a new mailbox to the list, click Add. Select mailboxes from the list and click OK. To delete an address from the list, click on column to select mailboxes that you want to delete. Click Clear to delete the currently marked mailboxes from the trusted mailboxes list.

Action on stripped attachment

Action on stripped attachment

Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see Quarantine, 260.
Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Add informational message

Specify whether an informational message should be added to the mail message which originally had the stripped attachment. During on-access scanning, the informational message can be sent to the mailbox owner or to the originator of an infected message or an infected Public Folder note. Click Edit to edit the warning message that is added to the mail message. By default, F-Secure Anti-Virus for Microsoft Exchange does not add the informational message.

Send informational message to sender

Specify whether an informational message should be sent to the sender of the mail message which had the stripped attachment. Click Edit to edit the warning message that is sent to the sender of the mail message which contained the stripped attachment. By default, F-Secure Anti-Virus for Microsoft Exchange does not send an informational message to the sender.

Notify administrator

Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

By default, F-Secure Anti-Virus for Microsoft Exchange sends an informational alert to the administrator. For more information, see Alert Forwarding, 124.

The F-Secure Management Agent alert forwarding table controls where alerts with a certain severity level will be sent.

Outbound Mail
Edit Stripping Attachments / Outbound Mail attachment stripping settings to set which attachments should be stripped from the outbound mail. For settings descriptions, see Inbound Mail, 244. Note that you have to scroll the page to view all the settings.

Figure 6-11 Stripping Attachments / Outbound Mail settings

6.2.4 Content Filtering
The Content Filtering settings specify how content should be filtered based on keywords found in message subject and content. The Spam Control settings are also located under the Content Filtering branch, but they are displayed only if you have installed F-Secure Spam Control with the product.

Figure 6-12 Content Filtering / Statistics page

Statistics

Spam messages

Displays the total number of spam messages that have been found.

Size of spam messages

Displays the total size of spam messages that have been found.

Filtered inbound messages

Displays the total number of inbound messages that have been filtered.

Filtered outbound messages

Displays the total number of outbound messages that have been filtered.

Spam Control
For information on F-Secure Spam Control settings, see Spam Control Settings in Web Console, 336.

Inbound Mail
Edit Content Filtering / Inbound Mail settings to define how content should be filtered in the inbound mail based on keywords in message subjects and text. For settings descriptions, see below.

Figure 6-13 Content Filtering / Inbound Mail settings

Processing options

Enable content filtering

Specify whether the content of inbound messages is filtered based on the subjects and texts of the messages as defined on this tab.

List of disallowed keywords in message subject

Lists the keywords that are not allowed in message subject and that are used as filtering criteria.

List of disallowed keywords in message text

Lists the keywords that are not allowed in message text and that are used as filtering criteria.

Click Edit to open a dialog box where you can add new disallowed keywords, or remove keywords from the list. Select the checkbox in the column to mark the entries that you want to remove. Click Clear to remove the selected entries from the list.

Editing Keyword Lists


Click Edit to open a dialog box where you can add new disallowed keywords, or remove keywords from the list.

To add a new keyword to the list, click Add. To add multiple entries at once, click Import. To delete a keyword from the list, click on column to select keywords that you want to delete. Click Clear to delete the currently marked keywords from the list.

Trusted mailboxes

Trusted mailboxes

Define user mailboxes that should be excluded from real-time content filtering and attachment stripping.

The trusted mailbox feature works only for messages that are sent directly to an address defined as a trusted mailbox. If the message has multiple recipients, and some of them are defined on the Trusted mailboxes list but some are not, the message content will be filtered and attachments stripped.

Editing Trusted Mailboxes List


Click Specify to open a dialog box where you can add new trusted mailboxes, or remove trusted mailboxes from the list.

To add a new mailbox to the list, click Add. Select mailboxes from the list and click OK. To delete an address from the list, click on column to select mailboxes that you want to delete. Click Clear to delete the currently marked mailboxes from the trusted mailboxes list.

Action on message with disallowed content

Action

Specify the action to take on a message with disallowed content.

Quarantine message - The filtered message is placed in the Quarantine.
Drop message - The filtered message will be deleted automatically.

Send informational message to recipient

Specify whether a warning message will be sent to the recipient of the disallowed content that has been filtered. The warning message will be sent only if the recipient of the message with the disallowed content is a user belonging to an internal domain (for more information, see Internal Domains, 276). This means that no informational messages will be sent outside the company. Click Edit to edit the warning message text.

Notify administrator

Specify whether an alert will be sent to the administrator when an attachment is stripped from a message and what type of an alert it should be.

Do not notify - Do not send any notification to the administrator.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.

The F-Secure Management Agent alert forwarding table controls where alerts with a certain severity level will be sent.

Outbound Mail
Edit Outbound Mail content blocking settings to set which attachments should be stripped from the outbound mail and how messages should be blocked based on keywords found in the message subjects and text. For settings descriptions, see Inbound Mail, 251.

Figure 6-14 Content Filtering / Outbound Mail settings

6.2.5 Manual Scanning
You can process mailboxes and public folders manually as needed.

Figure 6-15 Manual Processing page

Processing Mailboxes Manually


The Status field displays the current status of the manual process.

To start processing mailboxes manually, click Start.
Click Stop to terminate the currently running manual scan.
Click Configure... to set up a new manual processing task. For more information, see Creating Manual Scanning Operation, 89.
Click Show Report to view the report of the last manual processing task.

Progress

Estimated time

Displays the estimated time that is left of the manual processing.

Elapsed time

Displays the time that has elapsed since the manual processing was started.

Processed number mailboxes

Displays the number of mailboxes that have been processed out of the total number of mailboxes.

Last processed mailbox

Displays the mailbox that is currently being processed.

Processed number public folders

Displays the number of public folders that have been processed out of the total number of public folders.

Last processed public folder

Displays the public folder that is currently being processed.

Messages in Mailboxes

Displays the number of processed, infected and suspicious messages in mailboxes.

Messages in Public Folders

Displays the number of processed, infected and suspicious messages in Public Folders.

Scheduled Scan Tasks

Figure 6-16 Scheduled Processing page

Editing Scheduled Tasks


The Scheduled tasks table displays all scheduled tasks and the date and time when the next scheduled task occurs.

Clear the checkbox in front of the task to deactivate a scheduled task. Check the checkbox to activate it again.

The column reports completed scheduled scanning tasks. When the scheduled scanning task is complete, you can view the report by clicking the Report... link displayed in this column. Click the Edit... link displayed in column to edit a scanning task.

Click Show Latest Report to display a report of performed scheduled tasks. Click Add Task... to start the Scheduled Operation Wizard. For more information, see Creating Scheduled Operation, 104. To delete scheduled tasks from the list, click on column to select scheduled tasks that you want to delete. Click Clear to delete the currently marked scheduled tasks from the list.

6.2.6 Quarantine
Quarantine in F-Secure Anti-Virus for Microsoft Exchange is handled through a SQL database. The product is able to quarantine e-mails and attachments which contain malicious or otherwise unwanted content, such as spam messages. The Quarantine management is divided into two different parts:

Quarantine-related configuration, and
the management of the quarantined content, for example searching for and deleting quarantined content.

In stand-alone installations, quarantine-related settings are configured and the quarantined files managed through the Web Console. The Quarantine Query page in Web Console is used for searching the quarantined content. When the product places content in the Quarantine, it saves the content as separate files into the Quarantine Storage (a directory specified in the Quarantine settings) and inserts an entry into the Quarantine Database with information about the quarantined content. For more information, see Quarantine Management, 248.

Quarantine Thresholds

Figure 6-17 Quarantine thresholds settings

Quarantine thresholds

Quarantined items threshold

Specify the critical number of items in the Quarantine storage. If the specified value is reached or exceeded, the product sends an alert. If zero (0) is specified, the number of items in the Quarantine storage is not checked. The default value is 100000 items.

E-mail messages and infected, suspicious and disallowed attachments are stored and counted as separate items in the Quarantine storage. For example, if a message has three attachments and only one of them has been found infected, two items will be created in the Quarantine storage. These items still have the same Quarantine ID in the Quarantine database.

Quarantine size threshold

Specify the critical size (in megabytes) of the quarantine folder. If the specified value is reached, the product sends an alert. The default value is 200. If zero (0) is specified, the size of the Quarantine is not checked. The allowed value range is from 0 to 10240.

Notify when quarantine threshold is reached

Specify how the administrator should be notified when the Quarantine Size Threshold and/or Quarantined Items Threshold are reached. No alert is sent if both thresholds are set to zero (0). The options available are:

Send informational alert
Send warning alert
Send error alert
Send security alert

Quarantine Reprocess, Retention and Cleanup

When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients. For more information, see Reprocessing the Quarantined Content, 323.

Figure 6-18 Quarantine cleanup settings

Reprocess unsafe messages

Automatically reprocess unsafe messages

Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine. Set the value to Disabled to process unsafe messages manually.

Max attempts to process unsafe messages

Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine. Use the Final Action on Unsafe Messages setting to specify the action that takes place if the message is retained in the Quarantine after the maximum attempts.

Final action on unsafe messages

Specify the action to take on unsafe messages after the maximum number of reprocessing attempts.

Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.

Quarantine retention and cleanup

Retain items in quarantine

Specify how long quarantined items should be retained in the Quarantine before they are deleted. Use the Quarantine Cleanup Exceptions table to change the retention period for a particular Quarantine category.

Delete old items every

Specify how often the storage should be cleaned of old quarantined items. Use the Quarantine Cleanup Exceptions table to change the cleanup interval for a particular Quarantine category.

Exceptions

Specify separate quarantine retention period and cleanup interval for each Quarantine category. If retention period and cleanup interval for a category are not defined in this table, then the default ones (specified above) are used.

Active - Enable or disable the selected entry in the table.
Quarantine category - Select a category the retention period or cleanup interval of which you want to modify. The categories are:

Infected
Disallowed
Suspicious
Spam
Scan failure
Unsafe

Retention period - Specify an exception to the default retention period for the selected Quarantine category.
Cleanup interval - Specify an exception to the default cleanup interval for the selected Quarantine category.

Quarantine Logging

Figure 6-19 Quarantine logging settings

Logging

Quarantine log directory

Specify the path for Quarantine log files.

Rotate quarantine logs

Specify how often the product rotates Quarantine log files. At the end of each rotation time a new log file is created.

Keep rotated quarantine logs

Specify how many rotated log files should be stored in the Quarantine.

Quarantine Options
Quarantine Options

Quarantine worms

Specify whether the product should quarantine files infected with mass worms or mail viruses such as Sobig or Bagle.

Quarantine problematic messages

Specify if messages that contain malformed or broken attachments should be quarantined for later analysis or recovery. This setting works together with the Security Options/Action on Malformed Mails setting in the inbound and outbound mail settings.

Quarantine Database

Figure 6-20 Quarantine database settings

You can specify the database where information about quarantined e-mails is stored and from which it is retrieved.

Quarantine database

SQL server name

The name of the SQL server where the database is located.

Database name

The name of the Quarantine database. The default name is FSMSE_Quarantine.

User name

The user name the product uses when accessing the database.

Password

The password the product uses when accessing the database.

Quarantine Storage
Quarantine storage

Specify the location of the Quarantine Storage where quarantined e-mails and attachments are placed.

WARNING: During the setup, access rights are adjusted so that only the operating system, the product itself and the local administrator can access files in the Quarantine. If you make changes to the Quarantine storage settings, make sure that the new directory has the same rights.

IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.

Make sure that F-Secure Anti-Virus for Microsoft Exchange service has write access to this directory. Adjust the access rights to the directory so that only the F-Secure Anti-Virus for Microsoft Exchange service and the local administrator can access files in the Quarantine.

6.2.7 Advanced
Advanced settings control mail delivery and scanning timeout settings and polling intervals for new mailboxes and Public Folders. IMPORTANT: These settings control the Virus Scanning interface of Microsoft Exchange Server and modifying them may seriously affect system performance. Use them with caution.

Figure 6-21 Advanced settings

Mail Delivery Settings

Mail opening timeout

Specify the number of seconds to try to open a message.

Max mail sending retries

Specify the number of times to try to send a message if sending it fails.

Mail sending timeout

Specify the number of seconds to wait to try sending a message.

Scanning Interface Parameters

Number of scanning threads

Specify the maximum number of scans to be run simultaneously. When the upper limit of simultaneous scanning threads is reached, messages are queued until a thread is finished.

Advanced

New mailbox polling interval

Specify how often F-Secure Anti-Virus for Microsoft Exchange should check for newly established mailboxes. You can disable the new mailbox polling by using the value 0 (zero). By default, F-Secure Anti-Virus for Microsoft Exchange polls new mailboxes every 60 minutes.

New Public Folder polling interval

Specify how often F-Secure Anti-Virus for Microsoft Exchange should check for newly established Public Folders. You can disable the new mailbox polling by using the value 0 (zero). By default, F-Secure Anti-Virus for Microsoft Exchange polls new folders every 60 minutes.

Message scan timeout

Specify the maximum time to wait (in seconds) to scan a message.

Scanning Servers
Edit the Servers settings to configure the connection between F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. Note that you may have to scroll the page to view all the settings.

Figure 6-22 Advanced / Scanning Servers settings

Scanning servers

Primary Content Scanner Servers

Specify all F-Secure Content Scanner Servers where F-Secure Anti-Virus for Microsoft Exchange should send files to be processed. If you list more than one F-Secure Content Scanner Server, F-Secure Anti-Virus for Microsoft Exchange uses load sharing between them.

Backup Content Scanner Servers

Specify F-Secure Content Scanner Servers that act as backup servers for primary servers. If F-Secure Anti-Virus for Microsoft Exchange cannot contact primary F-Secure Content Scanner Servers, it interacts with backup servers.

Editing F-Secure Content Scanner Server Addresses


To add new F-Secure Content Scanner Server IP addresses or host names to the list, click Add. To delete an address from the list, click on column to select addresses that you want to delete. Click Clear to delete the currently marked addresses permanently.

Connection timeout

Enter the time interval (in seconds) that specifies how long F-Secure Anti-Virus for Microsoft Exchange should wait for a response from F-Secure Content Scanner Server before stopping attempts to send or receive data.

Restore connection interval

Enter the time interval (in seconds) that specifies how long F-Secure Anti-Virus for Microsoft Exchange will wait before attempting a new connection with the primary F-Secure Content Scanner Servers, in case the previous connection attempt failed or a connection with the server was lost.

Use local interaction mode

Specify whether the product should interact with F-Secure Content Scanner Server in the local interaction mode. When F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server are installed on the same host and the local interaction mode is enabled, data are transferred via local temporary files and/or shared memory. This provides the best possible performance. If local interaction mode is disabled, data is transferred via data stream sockets. It is recommended to use the local interaction mode to obtain the optimum performance.

Maximum shared memory data size

Specify the maximum size of data to be transferred between the Anti-Virus Agent and the F-Secure Content Scanner Server via shared memory. By default, the maximum size is 1024 kilobytes. When the amount of data exceeds the maximum size, a local temporary file will be used for data transfer. If the option is set to zero (0), all data transfers via shared memory are disabled. This setting is ignored if local interaction mode is disabled.

Working directory

Specify the name and location of the Working directory, where temporary files are placed. During the installation, F-Secure Anti-Virus for Microsoft Exchange automatically adjusts the access rights so that only the operating system and the local administrator can access files in the Working directory. If you change this setting after the installation, make sure that the new folder has secure access permissions.

6.2.8 Internal Domains
Specify the domains which should be considered to be internal domains. All messages which are going to internal domains are considered to be inbound messages. Separate each domain name with a space. You can use the * wildcard, for example, *example.com.

Figure 6-23 Internal Domains settings

You can define how the mails destined for the internal domains are processed by configuring the Virus Scanning / Inbound Mail, Stripping Attachments / Inbound Mail and Content Filtering / Inbound Mail settings.

Editing Internal Domain Addresses


To add a new domain name to the list, click Add. You can use the * wildcard, for example, *example.com.
To import a list of domain addresses from a CSV file, click Import....
To delete a domain name from the list, click on column to select addresses that you want to delete. Click Clear to delete the currently marked addresses permanently.

6.3 F-Secure Content Scanner Server Settings


F-Secure Content Scanner Server can be administered with the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can check the system status, check statistics and modify the settings of F-Secure Content Scanner Server on the computer where the product is installed and running. Note that if the product is installed in the centralized administration mode, you cannot change any settings from the F-Secure Anti-Virus for Microsoft Exchange Web Console and should use F-Secure Policy Manager Console instead.

6.3.1 Summary
You can see the current status of the F-Secure Content Scanner Server, and virus and spam scanner statistics under the Summary branch.

Status
You can see the statistics of all virus scans on the Status page of F-Secure Content Scanner Server. The statistics display the number of scanned files, the last database update, the last virus found and the last time a virus was found.


Figure 6-24 Summary page

Status

Status
Displays whether F-Secure Content Scanner Server is currently running or not.

Version
Displays the current version number and build of F-Secure Content Scanner Server.

Start time
Displays the start date and time of F-Secure Content Scanner Server.

Scanned files
Displays how many files have been scanned since the last reset.

Last database update
Displays the last date and time when virus definition databases were updated.

Database Update Version
Displays the version of the virus definition database update. The version is shown in YYYY-MM-DD_NN format, where YYYY-MM-DD is the release date of the update and NN is the number of the update for that day.

Last infection found
Displays the name of the last virus that was found.

Last time infection found
Displays the date and time the last virus was found.

Click Start to start F-Secure Content Scanner Server and Stop to stop F-Secure Content Scanner Server. Click Reset Statistics to reset the statistics in this window.

Virus Statistics
You can see the list of most active viruses on the Summary > Virus Statistics page in F-Secure Anti-Virus for Microsoft Exchange Web Console.


Figure 6-25 Summary / Virus Statistics settings

Most active viruses

Most active viruses table
This table displays a list of the 5, 10 or 30 most often found viruses during the specified time period. It also displays the number of times each virus has been found and the percentage that each virus represents of the total number of viruses encountered. Click Configure to specify the statistics you want to view.
Time period - Specify the number of days from which the virus information is displayed.
Viruses to show - Specify the number of most active viruses to show in the Virus Statistics table. The options available are Top 5, Top 10 and Top 30.

F-Secure World Map
The product can collect and send statistics about viruses and other malware to the F-Secure World Map service. When the F-Secure World Map support is enabled, the product sends encrypted e-mail reports periodically to the service. These reports list only the name and the amount of found malware and they do not contain any sensitive information such as IP or e-mail addresses or user names. You can also forward unencrypted reports to a configurable e-mail address and use the same statistics for your own internal purposes.

MTA IP address
Specify the IP address of mail transfer agent where you want to send the unencrypted report.

MTA port
Specify the port of the mail transfer agent.

Recipients
Specify e-mail addresses where the unencrypted report is sent.

Spam Scanner Statistics


This page is displayed only if you have installed F-Secure Spam Control. On the Spam Control page you can see the status of F-Secure Spam Control, spam definition databases and the spam scanning statistics.


Figure 6-26 Summary / Spam Scanner Statistics page

Spam Control statistics

Version
Shows the version and build number of the F-Secure Spam Scanner.

Status
Shows the status of the F-Secure Spam Scanner. The possible statuses are:
Unknown or not installed - This status might be displayed right after installation when the product statistics are not yet updated, or if the F-Secure Spam Scanner is not installed.
Not loaded - This status is displayed when the F-Secure Content Scanner Server failed to load the scan engine for some reason. You should check the logfile.log for the reason for the failure. It might be, for example, that one or more database files are missing or corrupted.
Loaded but disabled - This status is displayed when the engine is loaded but disabled by the administrator. It means that the disabled scan engine will not be used for scanning. A scan engine should be disabled for troubleshooting purposes only.
Loaded and enabled - This status is normally shown for the scan engine. It means that the engine has been loaded and will be used for scanning.

Database version
Shows the version of the database currently used by the F-Secure Spam Scanner.

Last database update
Shows the date and time when the F-Secure Spam Scanner database was last updated.

Number of processed files
Shows the total number of files that have been analyzed for spam.

Total spam statistics table:

Confidence level rating
Shows the confidence levels used in the spam scanning. The scale used is from 1 to 9.

Number of messages
Shows the number of messages that have received a certain spam confidence level when scanned by F-Secure Spam Scanner.

Click Reset Statistics to reset the statistics in this window.

6.3.2 Database Updates
F-Secure Content Scanner Server can notify the administrator if it detects that virus and/or spam definition databases are outdated. You can change the notification and other database updates settings on the Updates page. For more information about virus definition database updates, see Updating Virus and Spam Definition Databases, 345.


Figure 6-27 Database Updates settings

Database updates

Verify integrity of downloaded databases
Specify whether the product verifies that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them into use.

Notify when databases become old
Specify what kind of an alert F-Secure Content Scanner Server should send to the administrator when virus definition databases are not up-to-date.
Send informational alert - Send an informational alert to the administrator.
Send warning alert - Send a warning alert to the administrator.
Send security alert - Send a security alert to the administrator.
Do not notify - Do not send any notification to the administrator.

Notify when databases older than
Specify when virus definition databases are outdated. If databases are older than the specified amount of days, F-Secure Content Scanner Server sends an alert to the administrator.

6.3.3 Scan Engines
F-Secure Content Scanner Server uses multiple top quality scanning engines to ensure the highest possible detection rate and disinfection capability. You can view an overview of the engine statuses and updates on the Scan Engines page.


Figure 6-28 Virus Scanning page

Scan engines

Scan Engine
Displays the name of the scan engine.

Version
Displays the version number of the scan engine.

Database Date
Displays the date of the currently used virus definition database.

Last Updated
Displays the last date when the virus definition database was updated.


Properties
You can view the detailed statistics and statuses of the scan engines on the Scan Engines > Properties page. Note that you have to scroll the page to view all the settings.

Figure 6-29 Scan Engines > Properties page

Scan engine

Number of processed files
Displays the number of files the selected scan engine has scanned.

Number of files found infected
Displays the number of infected files the selected scan engine has found.

Number of disinfected files
Displays the number of infected files the selected scan engine has successfully disinfected.

Database date
Displays the date of the currently used virus definition database for the selected scan engine.

Last database update
Displays the last date when the virus definition database was updated.

Last infection found
Displays the name of the latest infection that was found with the selected scan engine.

Last time infection found
Displays the date and time of the last infection.

Engine excluded extensions
Specify a space-separated list of file extensions excluded from scanning by the engine. You can also use wildcards: ? matches exactly one character, * matches any number of characters, including zero (0) characters. For example: PP?, PDF, X*.

Click Reset Statistics to reset the statistics for a scan engine. Select the scan engine and click Enable to turn it on or Disable to turn it off.

Threat Detection
You can configure the virus outbreak and spam threat detection on the Scan Engines > Threat Detection page.


Figure 6-30 Scan Engines > Threat Detection page

Cache

VOD cache size
Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.

Class cache size
Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.

Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.

Advanced

Action on connection failure
Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.
Pass through - The message is passed through without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.

Trusted networks
Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies. Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use * wildcard to match any number and - to define a range of numbers (172.16.*.1, 172.16.4.10-110).
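The three Trusted networks notations described above can be checked before they are entered. The following is an added example, not code from the product or this guide: it parses each notation, tests whether a relay address is covered, and reports how many addresses each entry trusts. The `TrustedEntry` class, the helper names and the 65536-address review threshold are assumptions made for illustration.

```python
import ipaddress


def _octet_bounds(field):
    """Map one dotted-quad field ('16', '*', '10-110') to inclusive (low, high)."""
    if field == "*":
        return 0, 255
    low, dash, high = field.partition("-")
    if not dash:
        high = low
    if not (low.isdigit() and high.isdigit()):
        raise ValueError(f"bad octet field: {field!r}")
    low, high = int(low), int(high)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet out of range: {field!r}")
    return low, high


class TrustedEntry:
    """One entry written in any of the three notations (hypothetical helper)."""

    def __init__(self, text):
        self.text = text.strip()
        self.network = None
        self.bounds = None
        if "/" in self.text:
            # ipaddress parses both 10.1.0.0/16 and 10.1.0.0/255.255.0.0.
            self.network = ipaddress.IPv4Network(self.text, strict=False)
        else:
            fields = self.text.split(".")
            if len(fields) != 4:
                raise ValueError(f"expected four octet fields: {self.text!r}")
            self.bounds = [_octet_bounds(f) for f in fields]

    def covers(self, address):
        """True if the IPv4 address falls inside this entry."""
        addr = ipaddress.IPv4Address(address)
        if self.network is not None:
            return addr in self.network
        return all(lo <= octet <= hi
                   for octet, (lo, hi) in zip(addr.packed, self.bounds))

    def size(self):
        """Number of IPv4 addresses this entry trusts."""
        if self.network is not None:
            return self.network.num_addresses
        total = 1
        for lo, hi in self.bounds:
            total *= hi - lo + 1
        return total


def is_trusted(address, entries):
    """True if any entry covers the address."""
    return any(TrustedEntry(e).covers(address) for e in entries)


def oversized(entries, max_addresses=65536):
    """Entries that trust more than max_addresses hosts (threshold is an assumption)."""
    sizes = [(e, TrustedEntry(e).size()) for e in entries]
    return [(e, n) for e, n in sizes if n > max_addresses]


# The guide's own example entries plus one constructed, deliberately broad entry.
SAMPLE = ["10.1.0.0/255.255.0.0", "10.1.0.0/16", "172.16.*.1",
          "172.16.4.10-110", "192.*.*.*"]

if __name__ == "__main__":
    for host in ("10.1.200.7", "172.16.4.111", "192.0.2.25"):
        print(host, is_trusted(host, SAMPLE))
    print(oversized(SAMPLE))
```

An entry that trusts a very large range is worth a second look, because messages relayed through any host in it are treated as coming from a trusted relay.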

6.3.4 Proxy Configuration
You can specify proxy server parameters that Content Scanner Server uses when it connects to the threat detection center on the Proxy Configuration page.


Figure 6-31 Proxy Configuration page

Proxy Configuration

Use proxy server
Specify whether F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center.

Proxy server address
Specify the address of the proxy server.

Proxy server port
Specify the port number of the proxy server.

Authentication method
Specify the authentication method to use to authenticate to the proxy server.
NoAuth - The proxy server does not require authentication.
Basic - The proxy uses the basic authentication scheme.
NTLM - The proxy uses NTLM authentication scheme.

User name
Specify the user name for the proxy server authentication.

Password
Specify the password for the proxy server authentication.

Domain
Specify the domain name for the proxy server authentication.

6.3.5 Archive Scanning
F-Secure Content Scanner Server can scan files inside archives. You can change the archive scanning and other advanced settings in the Virus Scanning / Archive Scanning page.

Figure 6-32 Archive Scanning settings page


Virus scanning

Scan inside archives
Select whether F-Secure Content Scanner Server should scan files inside the archives for possible infections.

Max levels in nested archives
Set the number of levels of archives inside archives that F-Secure Content Scanner Server should scan. Note that nested archives can be used in denial-of-service attacks, so it is not recommended to set the maximum value very high.

Suspect max nested archives
Specify whether F-Secure Content Scanner Server should treat archives with more nested levels than you have set above as safe or unsafe.
Treat as safe - Archives are scanned to the specified level and allowed through if no infections are found.
Treat as unsafe - Archives with exceeding nested levels are always quarantined.

Suspect password protected archives
Password protected archives cannot be scanned. Select whether to treat them as safe or unsafe. As password protected archives cannot be inspected without knowing the password, the user who receives the password protected archive should have up-to-date virus protection on the workstation if they are treated as safe.
Treat as safe - Password protected archives are allowed to go through.
Treat as unsafe - Password protected archives are quarantined.

Acceptable unpacked size threshold
Specify the acceptable unpacked size (in kilobytes) for archive files. If the unpacked size of an archive file exceeds this threshold, the server will consider the archive suspicious and corresponding action will be taken.

Scan these extensions in archive files
Specify files that are scanned inside archives. Click Modify to edit the list of extensions you want to scan inside archives.

Extensions allowed in password protected archives
Specify a space-separated list of the file extensions allowed in password protected archives. Wildcards (*, ?) can be used. Example: "DO? *ML".
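The nesting-level and unpacked-size limits above can be illustrated with a small checker for ZIP files. This is an added example, not the product's scanning code: `check_archive`, its verdict strings, the cumulative way the size budget is counted and the rule that the outer archive is level 0 are assumptions, and the sample archives are constructed in memory.

```python
import io
import zipfile

CHUNK = 64 * 1024


class Suspicious(Exception):
    """An archive broke one of the configured limits."""


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _read_bounded(zf, info, budget):
    """Decompress one member, aborting once more than `budget` bytes come out.

    The size recorded in the ZIP header is supplied by the sender, so the limit
    is enforced on the bytes actually produced rather than on info.file_size.
    """
    out = bytearray()
    with zf.open(info) as member:
        while True:
            chunk = member.read(CHUNK)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > budget:
                raise Suspicious("unpacked size exceeds threshold")


def _walk(data, prefix, level, max_levels, state):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: encrypted
                raise Suspicious("password protected member: " + path)
            payload = _read_bounded(zf, info, state["budget"])
            state["budget"] -= len(payload)  # budget is shared by all levels
            if zipfile.is_zipfile(io.BytesIO(payload)):
                if level + 1 > max_levels:
                    raise Suspicious("nested deeper than %d level(s)" % max_levels)
                _walk(payload, path + "/", level + 1, max_levels, state)
            else:
                state["files"].append(path)


def check_archive(data, max_levels, max_unpacked_kb):
    """Return ("scan", [member paths]) or ("suspicious", reason)."""
    state = {"budget": max_unpacked_kb * 1024, "files": []}
    try:
        _walk(data, "", 0, max_levels, state)
    except Suspicious as reason:
        return "suspicious", str(reason)
    return "scan", sorted(state["files"])


# Constructed samples: an archive nested two levels deep, and 2 MB of zeros
# that compresses to a few kilobytes.
INNER = make_zip({"note.txt": b"hello"})
MID = make_zip({"inner.zip": INNER})
OUTER = make_zip({"mid.zip": MID, "readme.txt": b"top level"})
BOMB = make_zip({"zeros.bin": b"\0" * (2 * 1024 * 1024)})

if __name__ == "__main__":
    print(check_archive(OUTER, max_levels=2, max_unpacked_kb=1024))
    print(check_archive(OUTER, max_levels=1, max_unpacked_kb=1024))
    print(len(BOMB), check_archive(BOMB, max_levels=2, max_unpacked_kb=1024))
```

Both limits stop the work early: the walker never descends past the configured level and never holds more decompressed data than the threshold allows.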

6.3.6 Advanced
You can change the Working Directory settings from the Advanced page. The Working directory specifies where temporary files are stored.

Figure 6-33 Advanced settings

Advanced

Working directory
Specify the working directory. Enter the complete path in the field or click Browse to browse to the path you want to set as the new working directory.

Working directory clean interval
Specify how often the working directory is cleaned of all files that may be left there. By default, files are cleaned every 30 minutes.

Free space threshold
Set the free space threshold of the working directory. F-Secure Content Scanner Server sends an alert to the administrator when the drive has less than the specified amount of space left.

Max number of concurrent transactions
Specify how many files F-Secure Content Scanner Server should process simultaneously.

Max scan timeout
Specify how long a scan task can be carried out before it is automatically cancelled.

Number of spam scanner instances
Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages will undergo spam analysis simultaneously. The default value is 3. You might need to modify this setting if you enable Realtime Blackhole Lists (DNSBL/RBL) for spam filtering. The server must be restarted after this setting has been changed.
IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.

6.3.7 Interface
You can specify how F-Secure Content Scanner Server should interact with F-Secure Anti-Virus Agent for Microsoft Exchange.

Figure 6-34 Interface settings

Service connections

IP address
Specify the IP address that F-Secure Content Scanner Server listens to. If you do not assign any IP address (0.0.0.0), F-Secure Content Scanner Server responds to all connections.

TCP port
Specify the port number that F-Secure Content Scanner Server listens for incoming connections. By default, the port number is 18971.

Accept connections
Specify the hosts that are allowed to connect to F-Secure Content Scanner Server. If you do not specify any clients, F-Secure Content Scanner Server accepts connections from all clients.

Limit max connections to
Specify the maximum number of simultaneous connections that F-Secure Content Scanner Server accepts. If you do not want to limit the number of connections, set the value to 0.

Limit max connections per host to
Specify the maximum number of simultaneous connections per client that F-Secure Content Scanner Server accepts. If you do not want to limit the number of connections per client, set the value to 0.

Send content timeout
Specify how long F-Secure Content Scanner Server tries to send data to a client before it stops sending it.

Receive content timeout
Specify how long F-Secure Content Scanner Server waits to receive data from a client before it stops listening.

Keep alive timeout
Specify how long F-Secure Content Scanner Server keeps an inactive connection open.

6.4 F-Secure Automatic Update Agent Settings


With F-Secure Automatic Update Agent, virus and spam definition database updates are retrieved automatically when they are published. When a new virus is found, F-Secure provides a new virus definition database update.

6.4.1 Summary

Status
Displays the current status of F-Secure Automatic Update Agent.

Version
Displays the version number of F-Secure Automatic Update Agent.

Channel name
Displays the channel from where the updates are downloaded.

Channel address
Displays the address of the Automatic Updates Server.

Latest installed update
Displays the version and name of the latest installed update.

Last check time
Displays the date and time when the last update check was done.

Last check result
Displays the result of the last update check.

Next check time
Displays the date and time for the next update check.

Last successful check time
Displays the date and time when the last successful update check was done.

Current HTTP proxy
Displays the address of the HTTP proxy that is currently used.

Current Policy Manager proxy
Displays the address of the F-Secure Policy Manager proxy that is currently used.

Downloads

Available Packages
Title
Displays the title of the downloaded package.

Download time
Displays the download date and time.

Size
Displays the size of the downloaded package.

Installed Packages

Title
Displays the title of the downloaded package.

Installation time
Displays the date and time when the update was installed.

Result
Displays the installation status.

6.4.2 Automatic Updates

You can configure the Download options on the Downloads page.

Updates
Enable automatic updates
Select whether automatic updates are enabled or disabled.

Download Schedule

Use download schedule
Select whether download schedule should be used. When download schedule is used, the client will check for new updates only during the periods defined in the download schedule table.

Days
Define the days when downloads are to be done.

From
The starting time for the downloads. The format used is HH:MM (24 hour format).

To
The ending time for the downloads. The format used is HH:MM (24 hour format).

6.4.3 HTTP Settings

Internet connection checking
Use Detect connection, unless you experience problems with that setting. The options available are:
Assume always connected - Assume that the computer is always connected to the Internet.
Detect connections - Detect when the computer is connected to the Internet.
Detect traffic - Assume that there is an Internet connection when the product detects any traffic.

Use HTTP proxy
Select whether HTTP proxy should be used.
No - HTTP proxy is not used.
From browser settings - Use the same HTTP proxy settings as the web browser.
User defined - Define the HTTP proxy.

User defined proxy
Define the HTTP proxy address.

6.4.4 PM Proxies

Active
Enable or disable the F-Secure Policy Manager Proxy.

Address
Specify the address of F-Secure Policy Manager Proxy.

Server failover time
Define (in hours) the failover time to connect to specified update servers.

Server polling interval
Define (in minutes) how often the product checks F-Secure Policy Manager Proxies for new updates.

Allow fetching updates from F-Secure Update Server
Enable the product to download virus definition updates from F-Secure Update Server when it cannot connect to specified update servers.

6.5 F-Secure Management Agent Settings


F-Secure Management Agent enforces the security policies set by the administrator. It handles all management functions on the local workstations, provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure.

You can access F-Secure Management Agent settings from F-Secure Anti-Virus for Microsoft Exchange Web Console Home page by clicking the Configure... button in the F-Secure Management Agent section. Note that you may have to scroll the page to view all the settings.


Figure 6-35 F-Secure Management Agent Configuration page

Status
The Status section displays detailed information on the host, for example the DNS and WINS names and the IP address. In addition, it displays the date and time when the policy file that is currently in use was issued and the date and time when the host connected to the server last time.

Communication method

F-Secure Policy Manager Server
If you use F-Secure Policy Manager Server, specify the URL of F-Secure Policy Manager Server. Do not add a slash at the end of the URL. For example: http://fsms.example.com.

Network communication directory
If you use the network communication directory, specify the path to the Communication directory hierarchy. This must be specified as a UNC path (for example, \\server\commdir). Do not use mapped drive letters (for example, S:\commdir).
User account - The user account that is used for accessing the shared directory.
Password - The password of the account that is used for accessing the shared directory.

Stand-alone
Select Stand-alone if you use F-Secure Anti-Virus for Exchange Web Console to administer the product.

Advanced

Maximum size of F-Secure log file
Specify the maximum size for F-Secure log file. The default value is 5000 KB.

QUARANTINE MANAGEMENT
Introduction
Configuring Quarantine Options
Searching the Quarantined Content
Query Results Page
Viewing Details of a Quarantined Message
Reprocessing the Quarantined Content
Releasing the Quarantined Content
Removing the Quarantined Content
Deleting Old Quarantined Content Automatically
Quarantine Logging
Quarantine Statistics
Moving the Quarantine Storage

CHAPTER 7 Quarantine Management

7.1 Introduction
You can manage and search quarantined mails with the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can search for quarantined content by using different search criteria, including the quarantine ID, recipient and sender address, the time period during which the message was quarantined, and so on. You can reprocess and delete messages, and specify storage and automatic deletion times based on the reason for quarantining the message.

If you have multiple F-Secure Anti-Virus for Microsoft Exchange installations, you can manage the quarantined content on all of them from one single F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information, see Performance-Critical Installation, 28 and Microsoft Exchange Cluster Environment, 30.

The quarantine consists of:

Quarantine database
Quarantine storage

Quarantine Database
The quarantine database contains information about the quarantined messages. If there are several F-Secure Anti-Virus for Microsoft Exchange installations in the network, they can either have their own quarantine databases, or they can use a common quarantine database. An SQL database server is required for the quarantine database. For more information on the SQL database servers that can be used for deploying the quarantine database, see F-Secure Internet Gatekeeper Administrators Guide. The following SQL databases can be used for storing information about the quarantined content:

Microsoft SQL Server 2000 Desktop Engine (MSDE)
Microsoft SQL Server 2000
Microsoft SQL Server 2005

MSDE is delivered together with the product. If you want to use another database (Microsoft SQL Server 2000), you must buy it and get your own license before you start to deploy F-Secure Anti-Virus for Microsoft Exchange. For more information on the SQL servers recommended for different environments, see Which SQL Server to Use for the Quarantine Database?, 35.

Quarantine Storage
The quarantine storage where the quarantined messages are stored is located on the server where F-Secure Anti-Virus for Microsoft Exchange is installed. If there are several F-Secure Anti-Virus for Microsoft Exchange installations in the network, they all have their own storages. The storages are accessible from a single F-Secure Anti-Virus for Microsoft Exchange Web Console.

Quarantine Reasons
The quarantine storage can store:

Messages and attachments that are infected and cannot be automatically disinfected. (Infected)
Suspicious content, for example password-protected archives, nested archives and malformed messages. (Suspicious)
Messages and attachments that have been blocked by their filename or filename extension. (Disallowed)
Messages that are considered spam. (Spam)
Files that could not be scanned, for example severely corrupted files. (Scan failure)
Messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a spam or virus outbreak. (Unsafe)

7.2 Configuring Quarantine Options


In stand-alone installations, all the quarantine settings can be configured on the Quarantine page in F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information on the settings, see Quarantine, 260.

In centrally managed installations, the quarantine settings are configured with F-Secure Policy Manager in the F-Secure Anti-Virus for Microsoft Exchange / Settings / Quarantine branch. For more information, see Quarantine, 180.

The actual quarantine management is done through F-Secure Anti-Virus for Microsoft Exchange Web Console.

7.3 Searching the Quarantined Content


You can search the quarantined content on the F-Secure Anti-Virus for Microsoft Exchange > Quarantine page in the Web Console.


Figure 7-1 Quarantine query options

You can use the following search criteria:

Quarantine ID
Enter the quarantine ID of a quarantined message. The quarantine ID is displayed in the notification sent to the user about the quarantined message.

Object type
Select the type of the quarantined content.
Attachment - Search for quarantined attachments. You can also specify the Name of the attachment and the Location of the mailbox or public folder where the quarantined attachment was found.
Mail - Search for quarantined mails. You can also specify the Message ID and the Sender host of the quarantined mail.
Mails and attachments - Search for both quarantined mails and attachments.

Reason
Select the quarantining reason from the drop-down menu. For more information, see Quarantine Reasons, 313.

Reason details
Specify details about the scanning or processing results that caused the message to be quarantined. For example:
The message is classified as spam - the field displays the spam confidence level rating and a list of spam tests that triggered the spam level.
The message is infected - the field displays the name of the infection found.

Sender
Enter the e-mail sender address. You can only search for one address at a time, but you can widen the search by using the wildcards.

Recipients
Enter the e-mail recipient address.

Subject
Enter the message subject to be used as search criteria.

Show only
You can use this option to view the current status of messages that you have set to be reprocessed, released or deleted. Because processing a large number of e-mails may take time, you can use this option to monitor how the operation is progressing. The options available are:
Unprocessed e-mails - Displays only e-mails that the administrator has not set to be released, reprocessed or deleted.
E-mails to be released - Displays only e-mails that are currently set to be released, but have not been released yet.
E-mails to be reprocessed - Displays only e-mails that are currently set to be reprocessed, but have not been reprocessed yet.
E-mails to be reprocessed and released - Displays e-mails that are currently set to be reprocessed or released, but have not been reprocessed or released yet.

Search period
Select the time period when the data has been quarantined. Select Exact start and end dates to specify the date and time (year, month, day, hour, minute) when the data has been quarantined.

Sort Results
Specify how the search results are sorted by selecting one of the options in the Sort Results by: drop-down menu: based on Date, Sender, Recipients, Subject or Reason.

Display
Select how many items you want to view per page.

Click Query to start the search. The Quarantine Query Results page is displayed once the query is completed. If you want to clear all the fields on the Query page, click Reset.


Using Wildcards
You can use the following SQL wildcards in the quarantine queries:

Wildcard - Explanation
% - Any string of zero or more characters.
_ (underscore) - Any single character.
[] - Any single character within the specified range ([a-f]) or set ([abcdef]).
[^] - Any single character not within the specified range ([^a-f]) or set ([^abcdef]).

If you want to search for '%', '_' and '[' as regular symbols in one of the fields, you must enclose them in square brackets: '[%]', '[_]', '[[]'
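The wildcard rules above decide which quarantined messages a query selects before a Release All or Delete All is applied, so it helps to see what a pattern matches. The following is an added example, not part of the product or this guide: `escape_literal` brackets the three special characters as described above, and `like_match` emulates the four wildcards on constructed sample values. Case-insensitive matching is an assumption, since that depends on the SQL server's collation.

```python
import re


def escape_literal(text):
    """Bracket %, _ and [ so they are searched for as regular symbols."""
    return re.sub(r"[%_\[]", lambda m: "[" + m.group(0) + "]", text)


def like_to_regex(pattern):
    """Translate a pattern using %, _, [] and [^] into a compiled regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            out.append(".*")          # any string of zero or more characters
        elif ch == "_":
            out.append(".")           # any single character
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated [ in pattern: %r" % pattern)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError("empty set in pattern: %r" % pattern)
            # Keep '-' so ranges such as a-f still work; escape regex specials.
            body = re.sub(r"[\\\]\[^]", lambda m: "\\" + m.group(0), body)
            out.append("[" + ("^" if negate else "") + body + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    # Assumption: case-insensitive comparison, as with a case-insensitive collation.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def like_match(pattern, value):
    """True if the whole value matches the wildcard pattern."""
    return like_to_regex(pattern).fullmatch(value) is not None


# Constructed sample sender addresses and subjects.
SENDERS = ["alice@example.com", "bob@example.com", "zed@example.com",
           "alice@example.com.invalid"]

if __name__ == "__main__":
    for pattern in ("%@example.com", "[a-f]%@example.com", "[^a-f]%@example.com"):
        print(pattern, [s for s in SENDERS if like_match(pattern, s)])
    subject = "50%_off"
    print(escape_literal(subject), like_match(escape_literal(subject), subject))
    print(like_match(subject, "50 percent off"))  # unescaped pattern matches more
```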

7.4 Query Results Page

Figure 7-2 Quarantine Query Results Page

The Quarantine Query Results page displays a list of mails and attachments that were found in the query. To view detailed information about quarantined content, click the Quarantine ID (QID) number link in the QID column. For more information, see Viewing Details of a Quarantined Message, 321.

The Query Results page displays status icons of the content that was found in the search. The icons indicate the following e-mail statuses:

Quarantined e-mail. The administrator has not specified any actions to be taken on this e-mail.
Quarantined e-mail with attachments. The administrator has not specified any actions to be taken on this e-mail.
Quarantined e-mail that the administrator has set to be released. The release operation has not been completed yet.
Quarantined e-mail that the administrator has set to be reprocessed. The reprocessing operation has not been completed yet.
Quarantined e-mail that the administrator has set to be deleted. The deletion operation has not been completed yet.
Quarantined e-mail set to be released, which failed.
Quarantined e-mail set to be reprocessed, which failed.


Quarantined Mail Operations


You can select an operation to perform on the messages that were found in the query:

Click Reprocess to scan the currently selected e-mail again, or click Reprocess All to scan all e-mail messages that were found. For more information, see Reprocessing the Quarantined Content, 323.

Click Release to deliver the currently selected e-mail without further processing, or click Release All to deliver all e-mail messages that were found. For more information, see Releasing the Quarantined Content, 324.

WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.

Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see Removing the Quarantined Content, 326.

Quarantined Attachment Operations


You can select an operation to perform on the attachments that were found in the query:

Click Send to deliver the currently selected attachment without further processing, or click Send All to deliver all attachments that were found. For more information, see Releasing the Quarantined Content, 324.

WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.

Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see Removing the Quarantined Content, 326.

7.5 Viewing Details of a Quarantined Message


To view the details of a quarantined message, do the following:

1. On the Query Search Results page, click the Quarantine ID (QID) number link in the QID column.
2. The Quarantined Content Details page opens.

Figure 7-3 Quarantined Content Details page

The Quarantined Content Details page displays the following information about the quarantined mails:

QID - Quarantine ID.
Submit date - The date and time when the item was placed in the quarantine.
Processing server - The F-Secure Anti-Virus for Microsoft Exchange server that processed the message.
Sender - The address of the message sender.
Recipients - The addresses of all the message recipients.
Sender host - The address of the sender mail server or client.
Subject - The message subject.
Message size - The size of the quarantined message.
Quarantine reason - The reason why the content was quarantined.

Click the Show... link to access the content of the quarantined message. Click Download to download the quarantined message to your computer to check it.

WARNING: In many countries, it is illegal to read other people's messages.

The Quarantined Content Details page displays the following information about the quarantined attachments:

QID - Quarantine ID.
Submit date - The date and time when the item was placed in the quarantine.
Sender - The address of the attachment sender.
Recipients - The addresses of all the attachment recipients.
Location - The location of the mailbox or public folder where the quarantined attachment was found.
Subject - The message subject.
Attachment name - The name of the attachment.
Attachment size - The size of the attachment file.
Quarantine reason - The reason why the content was quarantined.

Click Download to download the quarantined attachment to your computer to check it.

WARNING: In many countries, it is illegal to read other people's messages.

7.6 Reprocessing the Quarantined Content


When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients. For example, if some content was placed in the quarantine because of an error situation, you can use the time period when the error occurred as search criteria, and then reprocess the content. This is done as follows:

1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the Quarantine page.
2. Select the start and end dates and times of the quarantining period from the Start time: and End Time: drop-down menus.
3. If you want to specify how the search results are sorted, select the sorting criteria and order from the Sort results by: and order: drop-down menus.
4. Select the number of items to be displayed on a results page from the Display: drop-down menu.
5. Click the Query button.
6. When the query is finished, the query results page is displayed. Click the Reprocess All button to reprocess the displayed quarantined content.
7. The e-mails that have been reprocessed and found clean are delivered to the intended recipients. They are also automatically deleted from the quarantine. The progress of the reprocessing operation is displayed in the Web Console.

7.7 Releasing the Quarantined Content


When quarantined content is released, it is sent to the intended recipients without any further processing. You might need to do this, for example, to deliver a password-protected archive from the quarantine to the recipient. In the example below the quarantined message is searched for by using the Quarantine ID as the search criteria. The Quarantine ID is included in the notification message delivered to the user.

WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.

If you need to release a quarantined message, it is done as follows:

1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the Quarantine page.
2. Enter the Quarantine ID of the message in the Quarantine ID field.
3. Click Query.
4. When the query is finished, the query results page is displayed. Click the Release button to release the displayed quarantined content. The Release Quarantined Content dialog opens.
5. Specify whether you want to release the content to the original recipient or specify an address where the content is to be forwarded. It may not be legal to forward the e-mail to anybody other than the original recipient.
6. Specify what happens to the quarantined content after it has been released by selecting one of the Action after release options:
   Leave in the quarantine
   Delete from quarantine
7. Click Release. The content is now delivered to the recipient.

7.8 Removing the Quarantined Content


Quarantined messages are removed from the quarantine based on the currently configured quarantine retention and cleanup settings. For an example on how to configure those settings, see Deleting Old Quarantined Content Automatically, 326.

If you want to remove a large number of quarantined messages at once, for example all the messages that have been categorized as spam, do the following:

1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the Quarantine page in the Web Console.
2. Select the quarantining reason, Spam, from the Reason: drop-down menu.
3. Click Query.
4. When the query is finished, the query results page displays all quarantined messages that have been classified as spam. Click the Delete All button to delete all the displayed quarantined content.
5. You are prompted to confirm the deletion. Click OK. The content is now removed from the quarantine.

7.9 Deleting Old Quarantined Content Automatically


Quarantined content is deleted automatically based on the Quarantine Retention and Cleanup settings on the Quarantine > Options page. By default, all types of quarantined content are stored in quarantine for one month, and the quarantine clean-up task is executed once an hour. You can specify exceptions to the default retention and clean-up times in the Exceptions table. These exceptions are based on the quarantine category.

If you want, for example, to have infected messages deleted sooner, you can specify an exception rule for them as follows:

1. Go to the Quarantine > Options page.
2. Click the Add button below the Exceptions table. A new row is added in the table.
3. Select the category for which you want to specify the exception, for example Infected, from the Quarantine Category drop-down menu.
4. Specify a retention period that is shorter than the default value, for example 1 day, in the Retention Period column.
5. Specify a cleanup interval that is shorter than the default value, for example 30 minutes, in the Cleanup Interval column.
6. Enable the exception you just created by selecting the Enabled check box.
7. Click Apply.

7.10 Quarantine Logging
To view the Quarantine Log, open the F-Secure Anti-Virus for Microsoft Exchange tab in the Web Console, and go to the Quarantine page. Then click the Show Log File button.

7.11 Quarantine Statistics
The Quarantine statistics page displays the number of quarantined items in each quarantine category, and the total size of the quarantine.

Figure 7-4 Quarantine > Statistics page

E-mail messages and infected, suspicious and disallowed attachments are stored and counted as separate items in the quarantine storage. For example, if a message has three attachments and only one of them has been found infected, two items will be created in the quarantine storage. These items still have the same quarantine ID in the quarantine database.

7.12 Moving the Quarantine Storage


When you want to change the Quarantine storage location either using the F-Secure Policy Manager Console or F-Secure Anti-Virus for Microsoft Exchange Web Console, note that the product does not create the new directory automatically. Before you change the Quarantine storage directory, make sure that the directory exists and that it has proper security permissions.

You can use the xcopy command to create and change the Quarantine storage directory by copying the existing directory with the current ownership and ACL information. In the following example, the Quarantine storage is moved from C:\Program Files\F-Secure\Quarantine Manager\quarantine to D:\Quarantine:

1. Stop F-Secure Quarantine Manager service to prevent any quarantine operations while you move the location of the Quarantine storage. Run the following command from the command prompt:

   net stop "F-Secure Quarantine Manager"

2. Run the following command from the command prompt to copy the current content to the new location:

   xcopy "C:\Program Files\F-Secure\Quarantine Manager\quarantine" D:\Quarantine\ /O /X /E

   Note the use of backslashes in the source and destination directory paths.

3. Change the path for FSMSEQS$ shared folder. If the product is installed in the local quarantine management mode, you can skip this step. To change the FSMSEQS$ path, follow these steps:
   a. Open Windows Control Panel > Administrative Tools > Computer Management.
   b. Open System Tools > Shared Folders > Shares and find FSMSEQS$ there.
   c. Right-click FSMSEQS$ and select Stop Sharing. Confirm that you want to stop sharing FSMSEQS$.
   d. Right-click FSMSEQS$ again and select New Share.
   e. Follow Share a Folder Wizard instructions to create FSMSEQS$ shared folder.
      i. Specify the new directory (in this example, D:\Quarantine) as the folder path, FSMSEQS$ as the share name and F-Secure Quarantine Storage as the description.
      ii. On the Permissions page, select Administrators have full access; other users have read-only access. Note that the Quarantine storage has file/directory security permissions set only for the SYSTEM and Administrators group.
   f. Click Finish.

4. Change the location of the Quarantine storage from the F-Secure Policy Manager Console (F-Secure Anti-Virus for Exchange/Settings/Quarantine/Quarantine Storage) or F-Secure Anti-Virus for Microsoft Exchange Web Console (Anti-Virus for Microsoft Exchange > Quarantine > Options > Quarantine Storage).

5. Make sure that the product has received new settings.

6. Restart F-Secure Quarantine Manager service. Run the following command from the command prompt:

   net start "F-Secure Quarantine Manager"

For more information about the xcopy command and options, refer to MS Windows Help and Support.

ADMINISTERING F-SECURE SPAM CONTROL


Overview ... 332
Spam Control Settings in Centrally Managed Environments ... 333
Spam Control Settings in Web Console ... 336
Realtime Blackhole List Configuration ... 341


CHAPTER 8 Administering F-Secure Spam Control

8.1 Overview
When F-Secure Spam Control is enabled, incoming messages that are considered spam are marked automatically by adding an X-header with the spam flag or predefined text in the message header. The end users can then create filtering rules that direct the messages marked with the spam flag header into a junk mail folder.

F-Secure Spam Control databases can be updated with F-Secure Automatic Update Agent. In order to update the databases, F-Secure Automatic Update Agent must be installed on the same computer as F-Secure Spam Control. Database updates are digitally signed for maximum security, and you can use only these updates for updating the F-Secure Spam Control spam definition databases. F-Secure Spam Control databases are needed for the heuristic spam scanning only.

In Microsoft Exchange 2003 environment, the Microsoft Exchange server can move messages to the Junk mail folder based on the spam confidence level value. This feature is available immediately after the product has been installed, if the end user has activated this functionality. For more information about how to configure this functionality at the end user's computer, see the Microsoft Outlook 2003 or Microsoft Outlook Web Access online help.

8.2 Spam Control Settings in Centrally Managed Environments


Change the settings in F-Secure Anti-Virus for Microsoft Exchange / Settings / Real-time Processing / Spam Control to configure how F-Secure Anti-Virus for Microsoft Exchange scans incoming mail for spam. These settings are used only if F-Secure Spam Control is installed with the product. Otherwise they will be ignored.

Figure 8-1 Spam Control settings in a centrally managed environment

Spam filtering

Specify whether inbound mails should be scanned for spam. Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering from the settings. For information on configuring Realtime Blackhole Lists, see Realtime Blackhole List Configuration, 341.

Heuristic Spam Analysis

Specify whether heuristic spam analysis is used to filter inbound mails for spam.


When the heuristic spam analysis is enabled, all messages that the threat detection engine does not classify as spam are further analyzed for spam. When the heuristic spam analysis is disabled, only the threat detection engine scans inbound mails for spam. Heuristic spam analysis slows down the performance but improves the spam detection rate.

Spam filtering level

Specify the spam filtering level. Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam. Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam. For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam may pass undetected, but a smaller number of regular mails will be falsely identified as spam. The allowed values are from 1 to 9.

Action on Spam Message

Specify the action to take with a message considered spam.
Pass through - The product allows the message to pass through.
Quarantine - The product places the message into the quarantine folder.
Drop - The message is deleted.


Add X-Header with Spam flag

Specifies if the spam flag will be added to the mail as an X-Spam-Flag header in the following format:
X-Spam-Flag: <flag>
where <flag> is either "YES" or "NO".
YES - the mail is considered spam.
NO - the mail is not considered spam.
Example:
X-Spam-Flag: YES

Add X-Header with summary

Specify if the summary of triggered hits will be added to the mail as X-Spam-Status header in the following format:
X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
where
<flag> is Yes or No,
<scr> is the spam confidence rating returned by the spam scanner,
<sfl> is the current spam filtering level,
<tests> is the comma-separated list of tests run against the mail.
Example:
X-Spam-Status: Yes, hits=8 required=5 tests=DATE_IN_FUTURE_03_06,DATE_SPAMWARE_Y2K,FORGED_MUA_THEBAT_BOUN,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME


Modify spam message subject

Specify if the product modifies the subject of mail messages considered spam.

Add this text to spam message subject

Specifies the text that will be added in the beginning of the subject of an e-mail considered spam.

Max message size

Specify the maximum size of mail messages to be scanned for spam. If the size of a mail message exceeds the specified maximum size, spam filtering for this mail will be omitted.

Since all spam messages are relatively small in size, it is recommended to use the default value.

8.3 Spam Control Settings in Web Console


You can configure the spam control settings on the Spam Control page of the F-Secure Anti-Virus for Microsoft Exchange Web Console. These settings are used only if F-Secure Spam Control is installed with the product; otherwise they are ignored.


Figure 8-2 Spam Control settings in a locally managed environment

Check messages for spam

Specify whether inbound mails should be scanned for spam. Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering from the settings. For information on configuring Realtime Blackhole Lists, see Realtime Blackhole List Configuration, 341.

Enable heuristic spam analysis

Specify whether heuristic spam analysis is used to filter inbound mails for spam. When the heuristic spam analysis is enabled, all messages that the threat detection engine does not classify as spam are further analyzed for spam.


When the heuristic spam analysis is disabled, only the threat detection engine scans inbound mails for spam. Heuristic spam analysis slows down the performance but improves the spam detection rate.

Spam filtering level

Specify the spam filtering level. Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam. Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam. For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam will pass undetected, but a smaller number of regular mails will be falsely identified as spam. The allowed values are from 1 to 9.

The spam levels are determined by calculating points for each e-mail. The spam scanning involves a large number of different rules, which give each e-mail different points depending on the mail content and header information. These points are then calculated to a number between 1 and 9, which defines the likelihood of the message being spam.

Action on spam message

Specify the action to take with a message considered spam.
Let message pass through - The product allows the message to pass through.
Quarantine message - The product places the message into the quarantine folder.


Drop message - The message is deleted.

Add X-Header with Spam flag

Specifies if the spam flag will be added to the mail as an X-Spam-Flag header in the following format:
X-Spam-Flag: <flag>
where <flag> is either "YES" or "NO".
YES - the mail is considered spam.
NO - the mail is not considered spam.
Example:
X-Spam-Flag: YES

Add X-Header with summary

Specify if the summary of triggered hits will be added to the mail as X-Spam-Status header in the following format:
X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
where
<flag> is Yes or No,
<scr> is the spam confidence rating returned by the spam scanner,
<sfl> is the current spam filtering level,
<tests> is the comma-separated list of tests run against the mail.
Example:
X-Spam-Status: Yes, hits=8 required=5 tests=DATE_IN_FUTURE_03_06,DATE_SPAMWARE_Y2K,FORGED_MUA_THEBAT_BOUN,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME

Add this text to spam message subject

Specify the text that will be added in the beginning of the subject of an e-mail considered spam.

Maximum message size to process for spam

Specify the maximum size of mail messages to be scanned for spam. If the size of a mail message exceeds the specified maximum size, spam filtering for this mail will be omitted. Since all spam messages are relatively small in size, it is recommended to use the default value.
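The X-Spam-Flag and X-Spam-Status formats described above can be read back from delivered or quarantined messages to see how a different spam filtering level would behave on real traffic. The following is an added example, not code from the guide or the product; the sample messages are constructed, the function names are illustrative, and the level sweep assumes a message is flagged when hits is at least the filtering level, which agrees with the guide's examples but is not stated in it.

```python
import re
from email import message_from_string


def parse_spam_status(value):
    """Parse '<flag>, hits=<scr> required=<sfl> tests=<tests>' into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value).strip()   # undo header folding
    flag_part, _, rest = unfolded.partition(",")
    head, _, tests_part = rest.partition("tests=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    if "hits" not in fields or "required" not in fields:
        raise ValueError("not an X-Spam-Status value in the documented format")
    return {
        "spam": flag_part.strip().upper() == "YES",
        "hits": float(fields.pop("hits")),
        "required": int(fields.pop("required")),
        "tests": [t.strip() for t in tests_part.split(",") if t.strip()],
        "extra": fields,              # any other key=value pairs, kept as strings
    }


def read_verdict(raw_message):
    """Return the parsed verdict of one message, or None if it was not scanned."""
    msg = message_from_string(raw_message)
    status_value = msg.get("X-Spam-Status")
    if status_value is None:
        return None
    status = parse_spam_status(status_value)
    flag = msg.get("X-Spam-Flag")
    status["flag_header"] = flag.strip().upper() if flag else None
    # The two headers should agree whenever both are present.
    status["consistent"] = flag is None or (status["flag_header"] == "YES") == status["spam"]
    return status


def level_sweep(statuses, levels=range(1, 10)):
    """Count how many messages would be flagged at each filtering level 1..9.

    Assumption: flagged means hits >= level (not stated in the guide).
    """
    return {lvl: sum(1 for s in statuses if s["hits"] >= lvl) for lvl in levels}


# Constructed sample messages; the header values follow the documented format.
SAMPLES = [
    "From: a@example.com\nSubject: offer\nX-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, hits=8 required=5 tests=DATE_IN_FUTURE_03_06,\n"
    " DATE_SPAMWARE_Y2K,FORGED_MUA_THEBAT_BOUN,\n"
    " MISSING_MIMEOLE,MISSING_OUTLOOK_NAME\n\nbody\n",
    "From: b@example.com\nSubject: minutes\nX-Spam-Flag: NO\n"
    "X-Spam-Status: No, hits=2 required=5 tests=MISSING_MIMEOLE\n\nbody\n",
    "From: c@example.com\nSubject: hi\n"
    "X-Spam-Status: YES, database-version=2005-04-06_1 hits=9 required=5 "
    "tests=RCVD_IN_DSBL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL\n\nbody\n",
]

if __name__ == "__main__":
    verdicts = [read_verdict(m) for m in SAMPLES]
    for v in verdicts:
        print(v["spam"], v["hits"], v["required"], v["tests"], v["consistent"])
    print(level_sweep(verdicts))
```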

8.4 Realtime Blackhole List Configuration


This section describes how to enable and disable Realtime Blackhole Lists, how to optimize F-Secure Spam Control performance, and how to specify blocked and safe recipients and senders by using black- and whitelisting.

8.4.1 Enabling Realtime Blackhole Lists


The product supports DNS Blackhole List (DNSBL), also known as Realtime Blackhole List (RBL), functionality in spam filtering. The functionality is disabled by default.

To enable DNSBL/RBL:

1. Make sure you have a working DNS server configured in Windows Server networking. The primary DNS server should be configured to allow recursive DNS queries. DNS protocol is used to make the DNSBL/RBL queries.
2. Make sure you do not have a firewall preventing DNS access from the host where F-Secure Spam Control is running.
3. Test the DNS functionality by running the nslookup command at Microsoft Windows command prompt on the host running F-Secure Spam Control. An example:

   C:\>nslookup 2.0.0.127.sbl-xbl.spamhaus.org.
   Server: <your primary DNS server's name should appear here>
   Address: <your primary DNS server's IP address should appear here>

   Non-authoritative answer:
   Name: 2.0.0.127.sbl-xbl.spamhaus.org
   Addresses: 127.0.0.2, 127.0.0.4, 127.0.0.6

4. If the test is successful, continue with these instructions. If the test is not successful, you should double-check your DNS and firewall configuration.


5. Find the sample configuration file fssc_example.cfg in F-Secure Spam Control installation directory: <F-Secure Installation Directory>\Spam Control\fssc_example.cfg
6. Copy the file to the same directory with the name fssc.cfg
7. Open fssc.cfg in a text editor (like Windows Notepad).
8. The configuration file has instructions inside. For typical use, you can leave the settings as they are. However, it is recommended to configure at least the trusted_networks setting to identify the public IP address(es) of your network. For more information, see the instructions in fssc_example.cfg.
9. When the configuration file is ready, restart F-Secure Content Scanner Server through F-Secure Anti-Virus for Microsoft Exchange Web Console.

To verify that DNSBL/RBL is working correctly:

1. If DNSBL/RBL is operating correctly, you should see headers of this kind in messages classified as spam:

   X-Spam-Status: YES, database-version=2005-04-06_1 hits=9 required=5 tests=RCVD_IN_DSBL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL

   Tests like RCVD_IN_DSBL, RCVD_IN_NJABL, RCVD_IN_SORBS, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_XBL indicate that DNSBL/RBL was successfully used to classify the mail.

2. If DNS functionality is not operating correctly, you may see a significant decrease in the product throughput. In that case, disable the DNSBL/RBL functionality by changing the dns_available setting in fssc.cfg to:

   dns_available no

   and restarting F-Secure Content Scanner Server through F-Secure Anti-Virus for Microsoft Exchange Web Console.

You can force F-Secure Spam Control to use a specific DNS server (not necessarily configured in Microsoft Windows networking) by adding a new system environment variable as described in the instructions below. However, this should be needed only in troubleshooting situations. Normally it is best to use the Windows networking settings.

To force F-Secure Spam Control to use a specific DNS server, do the following:

1. Right-click the My Computer icon and select Properties.
2. Select Advanced and click the Environment Variables.. button.
3. In the System variables panel click New...
4. In the New System Variable dialog specify the new variable as follows:
   Variable Name: RES_NAMESERVERS
   Variable Value: <the IP address of the desired DNS server>
5. Click OK.
6. Restart the computer to take the new system environment variable into use.
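The nslookup test in the enabling procedure above queries the address 127.0.0.2 with its octets reversed in front of the list's zone; 127.0.0.2 is the conventional DNSBL test entry (RFC 5782), and the same RFC requires that 127.0.0.1 is never listed. The following added example (not part of the guide or the product) builds such query names, interprets the answers, runs both checks as a self-test, and picks the DNSBL tests out of an X-Spam-Status value. The function names, the RCVD_IN_ prefix rule and the in-memory resolver data are assumptions made for illustration, so the example runs without network access.

```python
import ipaddress
import socket

TEST_ZONE = "sbl-xbl.spamhaus.org"      # zone used in the guide's nslookup example
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)    # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."


def system_resolver(name):
    """Resolve through the OS resolver; an empty list means no answer.

    This API cannot tell 'name does not exist' from 'DNS is unreachable',
    which is why self_test() below queries a name that must always exist.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def classify(answers):
    """Interpret the A records returned for a DNSBL query."""
    if not answers:
        return "not listed"
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"                 # DNSBLs answer with 127.0.0.x codes
    return "unexpected answer"          # e.g. a resolver that rewrites failed lookups


def check_ip(ip, zone, resolver=system_resolver):
    return classify(resolver(dnsbl_query_name(ip, zone)))


def self_test(zone, resolver=system_resolver):
    """127.0.0.2 must be listed and 127.0.0.1 must not be."""
    positive = check_ip("127.0.0.2", zone, resolver)
    negative = check_ip("127.0.0.1", zone, resolver)
    if positive == "listed" and negative == "not listed":
        return "ok"
    if positive == "not listed":
        return "no-answer"              # check DNS server and firewall settings
    return "unreliable"                 # answers cannot be trusted for filtering


def dnsbl_tests(status_value):
    """Return the tests in an X-Spam-Status value that come from DNSBL lookups.

    Assumption: DNSBL tests are the ones whose names start with RCVD_IN_,
    as in the test names the guide lists.
    """
    _, _, tests = status_value.partition("tests=")
    return [t.strip() for t in tests.split(",") if t.strip().startswith("RCVD_IN_")]


# Constructed resolver data mirroring the nslookup output shown in the guide.
FAKE_ZONE_DATA = {
    "2.0.0.127.sbl-xbl.spamhaus.org.": ["127.0.0.2", "127.0.0.4", "127.0.0.6"],
}


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    print(dnsbl_query_name("127.0.0.2", TEST_ZONE))
    print(self_test(TEST_ZONE, fake_resolver))
```

To run the self-test against the configured DNS server instead of the constructed data, call self_test(TEST_ZONE) without the resolver argument.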

8.4.2 Optimizing F-Secure Spam Control Performance


Due to the nature of DNSBL/RBL, processing time for each mail increases when DNS queries are made. If needed, the performance can be improved by increasing the number of mails being processed concurrently by F-Secure Spam Control. By default, the product processes a maximum of three e-mails at the same time, because there can be three Spam Scanner engine instances running simultaneously.

The number of Spam Scanner instances can be controlled by using a command-line switch for F-Secure Content Scanner Server. To change the value, type:

   fsavsd.exe --spam-scanner-instances=x

where x is the value you want to take into use. For example, to change the value to 5, so that a maximum of five mails can be processed at the same time:

   C:\Program Files\F-Secure\Content Scanner Server> fsavsd.exe --spam-scanner-instances=5
   F-Secure Content Scanner Server Daemon, 6.42.162
   Copyright (c) 1998-2005 F-Secure Corporation
   'spam-scanner-instances' (oid=1.3.6.1.4.1.2213.18.1.35.500) has been set to 5.
   To take the new setting into use, restart F-Secure Content Scanner Server.

IMPORTANT: Each additional instance of the Spam Scanner takes approximately 25Mb of memory (process fsavsd.exe). Typically you should not need more than 5 instances.

UPDATING VIRUS AND SPAM DEFINITION DATABASES


Overview ... 346
Automatic Updates with F-Secure Automatic Update Agent ... 346
Configuring Automatic Updates ... 347
Manual Updates ... 347


CHAPTER 9 Updating Virus and Spam Definition Databases

9.1 Overview
It is of the utmost importance that virus definition databases are kept up-to-date. F-Secure Anti-Virus for Microsoft Exchange takes care of this task automatically. This section describes how the automatic updates work, how you can configure them and how you can update the virus definitions manually. Information about the latest virus database update can be found at: http://www.F-Secure.com/download-purchase/updates.shtml

9.2 Automatic Updates with F-Secure Automatic Update Agent


With F-Secure Automatic Update Agent, virus and spam definition database updates are retrieved automatically when they are published. When a new virus is found, F-Secure provides a new virus definition database update. F-Secure Automatic Update Agent uses HTTP protocol to fetch this update. Virus and spam definition updates are digitally signed for maximum security. In order to update the spam definition databases F-Secure Automatic Update Agent must be installed on the same computer as F-Secure Spam Control.

You may install and use F-Secure Automatic Update Agent in conjunction with licensed F-Secure's antivirus and security products. F-Secure Automatic Update Agent shall be used only for receiving updates and related information on F-Secure's antivirus and security products. F-Secure Automatic Update Agent may not be used for any other purpose or service.

9.3 Configuring Automatic Updates


F-Secure Automatic Update Agent user interface provides information about downloaded virus and spam definition updates. To access the F-Secure Automatic Update Agent user interface, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and select the F-Secure Automatic Update Agent tab. For more information, see F-Secure Automatic Update Agent Settings, 301. In centrally managed installations, you can use the F-Secure Anti-Virus for Microsoft Exchange Web Console for monitoring the F-Secure Automatic Update Agent settings. To change these settings, use F-Secure Policy Manager Console. For more information, see F-Secure Automatic Update Agent Settings, 214.

9.4 Manual Updates
If you do not want to use F-Secure Automatic Update Agent to automatically update your virus definition database, you can do it manually with a program called FSUPDATE or by downloading the LATEST.ZIP file.

9.4.1 Using FSUPDATE
FSUPDATE is a program that automatically updates the virus definition database. FSUPDATE can be downloaded from:

http://www.f-secure.com/download-purchase/updates.shtml
Run FSUPDATE.exe on the computer where you installed F-Secure Content Scanner Server. The update process takes approximately one minute.

9.4.2 Updating the Virus Definition Database Remotely Using LATEST.ZIP


You can update the virus definition database remotely by using F-Secure Policy Manager and downloading the LATEST.ZIP archive as follows:

1. Download the LATEST.ZIP archive from: http://www.f-secure.com/download-purchase/updates.shtml
2. Run F-Secure Policy Manager console.
3. Open the Tools menu and select Update Virus Definitions on the Server....
4. Browse to the location where you saved the LATEST.ZIP file and click Open.

APPENDIX: Deploying the Product on a Cluster

System and Network Recommendations ... 350
Installation Overview ... 352
Creating Quarantine Storage ... 353
Installing the Product ... 361
Administering the Cluster Installation with F-Secure Policy Manager ... 365
Using the Quarantine in the Cluster Installation ... 368
Troubleshooting ... 368

349

350

A.1 System and Network Recommendations

F-Secure Policy Manager
When F-Secure Anti-Virus for Microsoft Exchange is installed on a cluster, you have to use F-Secure Policy Manager to administer it. F-Secure Policy Manager must be installed on a separate server; it cannot be installed on the cluster. It is recommended to use F-Secure Policy Manager version 6.01 or later.

Microsoft SQL Server
Microsoft SQL Server is required for the quarantine database. Microsoft SQL Server must be installed on a separate computer. It is recommended to use Microsoft SQL Server 2000 or 2005 (Standard or Enterprise Edition). Microsoft SQL Server 2005 Express Edition can be used, but is not recommended if your organization sends and receives a large number of e-mail messages. Microsoft SQL Server 2000 Desktop Edition (MSDE) cannot be used with the product installed on a cluster.

Server for the quarantine storage
If you plan to deploy the product on an active-active cluster, the quarantine storage requires a dedicated server. The server must belong to the same domain as the Microsoft Exchange Servers. If you plan to install the product on an active-passive cluster, you can have the quarantine storage on the cluster or on a dedicated server. The quarantine storage can be created on the same server running Microsoft SQL Server or F-Secure Policy Manager Server as long as it belongs to the same domain as your Microsoft Exchange Servers and it has sufficient disk space.

Sample Active-Passive Cluster Deployment


The following diagram displays how the product can be deployed and used on the active-passive cluster environment.

APPENDIX A Deploying the Product on a Cluster


Sample Active-Active Cluster Deployment


The following diagram displays how the product can be deployed and used on the active-active cluster environment.


A.2 Installation Overview

Follow these steps to deploy and use F-Secure Anti-Virus for Microsoft Exchange on a cluster.

1. Install F-Secure Policy Manager on a dedicated server. If you already have F-Secure Policy Manager installed in the network, you can use it to administer F-Secure Anti-Virus for Microsoft Exchange. For more information, see F-Secure Policy Manager Administrators Guide.
2. Install Microsoft SQL Server 2000 or 2005 on a dedicated server. Microsoft SQL Server must be installed with the mixed authentication mode (Windows Authentication and SQL Server Authentication). After the installation, make sure that Named Pipes and TCP/IP protocols are enabled in SQL Server network configuration.
3. Create the quarantine storage for quarantined e-mail messages and attachments. If you plan to install the product on an active-passive cluster, see Quarantine Storage in Active-Passive Cluster, 353. If you plan to install the product on an active-active cluster, see Quarantine Storage in Active-Active Cluster, 358.
4. Install the product on each node. If you plan to install the product on an active-passive cluster, see Installing on Active-Passive Cluster, 361. If you plan to install the product on an active-active cluster, see Installing on Active-Passive Cluster, 361.
   IMPORTANT: Install the product completely on one node before you install it on another node.
5. Create a policy domain for the cluster in F-Secure Policy Manager and import cluster nodes there. For more information, see Administering the Cluster Installation with F-Secure Policy Manager, 365.
6. Log on to each node and configure the F-Secure Anti-Virus for Microsoft Exchange Web Console to accept connections from authorized hosts.


A.3 Creating Quarantine Storage

Follow the instructions in this section to create the Quarantine Storage.

A.3.1 Quarantine Storage in Active-Passive Cluster

1. Log on to the active node of the cluster with the domain administrator account.
2. Create a directory for the quarantine storage on the physical disk shared by the cluster nodes. You can create it on the same disk with Microsoft Exchange Server storage and log files. For example, create Quarantine directory on disk D:.
3. Go to Windows Start menu > All Programs > Administrative Tools and select Cluster Administrator.
4. Under Groups, right-click Exchange Virtual Server and select New > Resource.

   Enter the following information:

   Name: F-Secure Quarantine Storage
   Resource Type: File Share
   Group: make sure that your Exchange Virtual Server is selected.

   Click Next.
5. Possible Owners dialog opens.
6. Verify that all nodes that are running Exchange Server are listed under Possible owners and click Next.
7. Dependencies dialog opens.

   In Available resources, select the Exchange Server Network Name and the disk with the quarantine storage directory and click Add to add them to Resource dependencies. Click Next.
8. File Share Parameters dialog opens.

   Type FSAVMSEQS$ as Share name. (Note: the dollar ($) character at the end of the share name makes the share hidden when you view network resources of the cluster with Windows Explorer.) Enter the directory name you created in step 2 as Path (for example, D:\Quarantine). In the Comment box, type F-Secure Quarantine Storage. Make sure that User limit is set to Maximum allowed.

   Click Permissions.
9. Permissions dialog opens.

   Add Administrator, Exchange Domain Servers and SYSTEM to the Group or user names. Remove Everyone account. Grant Change and Read permissions for Exchange Domain Servers and SYSTEM, and Full Control, Change and Read permissions for Administrator account. Click OK.
10. In File Share Parameters dialog, click Advanced.

    Make sure that Normal share is selected in Advanced File Share Properties. Click OK.
11. In File Share Parameters dialog, click Finish to create F-Secure Quarantine Storage resource.
12. Right-click the F-Secure Quarantine Storage resource and click Bring Online.

A.3.2 Quarantine Storage in Active-Active Cluster

For an active-active cluster installation, the quarantine storage must be set on a dedicated computer. This computer should be a member of the same domain as your Exchange Servers.

1. Log on to the server where you plan to create the quarantine storage (for example, APPSERVER) with a domain administrator account.
2. Create a directory (for example, C:\Quarantine) for the quarantine storage on the local hard disk.
3. Right-click the directory in the Windows Explorer and select Sharing and Security.
4. The Sharing tab opens.

   Type FSAVMSEQS$ as Share name and make sure that User limit is set to Maximum Allowed. Click Permissions.
5. Permissions dialog opens.

   Add Administrator, Exchange Domain Servers and SYSTEM to the Group or user names. Remove Everyone account. Grant Change and Read permissions for Exchange Domain Servers and SYSTEM, and Full Control, Change and Read permissions for Administrator account. Click OK.
6. In the directory properties dialog, go to the Security tab.

   Remove all existing groups and users and add Administrator, Exchange Domain Servers and SYSTEM to the Group or user names. Grant all except Full Control permissions for Exchange Domain Servers and SYSTEM. Grant all permissions for Administrator. Click OK.
7. To verify that the quarantine storage is accessible, log on as the domain administrator to any node in the cluster and try to open \\<Server>\FSAVMSEQS$\ with Windows Explorer, where <Server> is the name of the server where you created the quarantine storage share.


A.4 Installing the Product

Follow the instructions in this section to install the product on a cluster installation.

A.4.1 Installing on Active-Passive Cluster

This section describes how to install the product on an active-passive cluster.

1. Log on to the active node of the cluster using a domain administrator account.
2. Run F-Secure Anti-Virus for Microsoft Exchange setup wizard. Install the product in the centralized management mode. Specify the IP address of F-Secure Policy Manager Server and admin.pub that you created during the F-Secure Policy Manager installation. For more information, see Installation, 32.
3. The setup wizard asks for the location of the quarantine directory.

   Specify the UNC path to the Quarantine Storage share that you created before the installation as the Quarantine Directory. For example, \\<EVSName>\FSAVMSEQS$, where <EVSName> is the network name of your Exchange Virtual Server.
4. The setup program asks to specify the SQL Server to use for the quarantine database.

   Select the server running Microsoft SQL Server.
5. Complete the installation on the active node.
6. Log on to the passive node of the cluster using a domain administrator account. Repeat steps 2-4.
7. After you specify the SQL Server to use, the setup wizard asks you to specify the quarantine database.

   Select Use the existing database.
8. Complete the installation on the passive node.

A.4.2 Installing on Active-Active Cluster

This section describes how to install the product on an active-active cluster.

1. Log on to the first node of the cluster using a domain administrator account.
2. Run F-Secure Anti-Virus for Microsoft Exchange setup wizard. Install the product in the centralized management mode. Specify the IP address of F-Secure Policy Manager Server and admin.pub that you created during the F-Secure Policy Manager installation. For more information, see Installation, 32.
3. The setup wizard asks for the location of the quarantine directory.

   Specify the UNC path to the Quarantine Storage share that you created before the installation as the Quarantine Directory. For example, \\<Server>\FSAVMSEQS$, where <Server> is the name of the server where you created the quarantine storage share.
4. The setup program asks to specify the SQL Server to use for the quarantine database.

   Select the server running Microsoft SQL Server.
5. Complete the installation on the first active node.
6. Log on to the second node of the cluster using a domain administrator account and repeat steps 2-4.
7. After you specify the SQL Server to use, the setup wizard asks you to specify the quarantine database.

   Select Use the existing database.
8. Complete the installation on the second node.

A.5 Administering the Cluster Installation with F-Secure Policy Manager

To administer the product installed on a cluster, create a new subdomain under your organization or network domain. Import all cluster nodes to this subdomain.

To change product configuration on all cluster nodes, follow these instructions:

1. Select the cluster subdomain in the Policy Domains tree.
2. Change required settings.
3. Distribute the policy.
4. All nodes receive new settings next time they poll the F-Secure Policy Manager Server.

If you need to change settings on a particular node, follow these instructions:

1. Select the corresponding host in the Policy Domains.
2. Change required settings.
3. Distribute the policy.
4. The host receives new settings next time it polls the F-Secure Policy Manager Server.

A.6 Using the Quarantine in the Cluster Installation

Configure the F-Secure Anti-Virus for Microsoft Exchange Web Console to accept connections from authorized hosts. By default, the Web Console accepts connections from the local host only.

You can manage all quarantined items by connecting to any node of the cluster. You can release, reprocess or download quarantined messages and attachments when at least one node of the cluster is online. Use the IP address of the Exchange Virtual Server(s) when you connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.

A.7 Troubleshooting

If the product fails to quarantine a file or reports that the quarantine storage is not accessible, make sure that directory sharing and security permissions are set as follows: change, write and read operations are allowed for SYSTEM and Exchange Domain Servers, and full control is allowed for Administrator.

To change the location of the quarantine storage from F-Secure Policy Manager Console, use the Final flag to override the setting set during product installation on the host.

APPENDIX B: Variables in Warning Messages

List of Variables
Outbreak Management Alert Variables

List of Variables

The following table lists the variables that can be included in the warning and informational messages sent by the product if an infection is found or content is blocked. If both stripping and scanning are allowed and the Agent found both types of disallowed content (infected and to be stripped) in an e-mail message, a warning message will be sent to the end-user instead of an informational one, if it is required.

These variables will be dynamically replaced by their actual names. If an actual name is not present, the corresponding variable will be replaced with [Unknown].

Variable: Description

$ANTI-VIRUS-SERVER: The DNS/WINS name or IP address of F-Secure Anti-Virus for Microsoft Exchange.
$CSS-NAME: The DNS/WINS name or IP address of F-Secure Content Scanner Server.
$NAME-OF-SENDER: The e-mail address where the original content comes from.
$NAME-OF-RECIPIENT: The e-mail addresses where the original content is sent.
$SUBJECT: The original e-mail message subject.
$REPORT-BEGIN: Marks the beginning of the scan report. This variable does not appear in the warning message.
$REPORT-END: Marks the end of the scan report. This variable does not appear in the warning message.

When using Microsoft Outlook Web Access and Microsoft Internet Explorer, the $NAME-OF-RECIPIENT variable may contain an incorrect value when posting messages to protected public folders.

The following table lists variables that can be included in the scan report, in other words the variables that can be used in the warning message between $REPORT-BEGIN and $REPORT-END.

Variable: Description

$AFFECTED-FILENAME: The name of the original file or attachment.
$AFFECTED-FILESIZE: The size of the original file or attachment.
$THREAT: The name of the threat that was found in the content. For example, it can contain the name of the found infection, etc.
$TAKEN-ACTION: The action that was taken to remove the threat. These include the following: dropped, disinfected, etc.
$QUARANTINE-ID: The identification number of the quarantined attachment or file.

Outbreak Management Alert Variables

$INTERVAL-TIME: Detection interval in minutes.
$INTERVAL-MINUTES: Detection interval in minutes.
$INFECTIONS-LIMIT: Outbreak limit of infections within detection interval.
$INFECTIONS-FOUND: Actual number of infections found within the detection interval.
APPENDIX C: Services and Processes

F-Secure Anti-Virus for Microsoft Exchange
F-Secure Content Scanner Server
F-Secure Anti-Virus for Microsoft Exchange Web Console
F-Secure Management Agent (FSMA)
F-Secure Automatic Updates Agent

The following tables list the services and processes that are running on the system after the installation.

F-Secure Anti-Virus for Microsoft Exchange

Service: F-Secure Anti-Virus for Microsoft Exchange
Process: fshkmngr.exe
Description: The F-Secure Hook Manager is a central component of F-Secure Anti-Virus for Microsoft Exchange and it is used to get the whole system up and running.

Process: fswbsthk.exe
Description: The F-Secure Web Storage Hook processes mail in mailboxes and public folders, as well as composes and sends warning and notification messages to end users.

Process: fsstrods.exe
Description: The F-Secure Web Storage On-Demand Scanner performs manual and scheduled operations under mailboxes and public folders.

Service: F-Secure Outbreak Manager
Process: fsobmngr.exe
Description: The Outbreak Manager reacts on a virus outbreak by sending an alert, a notification e-mail message and running a specified program or a script.

F-Secure Content Scanner Server

Service: F-Secure Content Scanner Server Daemon
Process: fsavsd.exe
Description: The back-end component that provides anti-virus scanning and spam filtering services for Simple Content Inspection Protocol (SCIP) compliant clients. F-Secure Management Agent starts and controls the service automatically.

Process: fsdbuh.exe
Description: The Database Update Handler process verifies and checks the integrity of virus definition and spam control database updates.

F-Secure Anti-Virus for Microsoft Exchange Web Console

Service: F-Secure Web UI Daemon
Process: fswebuid.exe
Description: HTTP server that hosts F-Secure Anti-Virus for Microsoft Exchange Web Console. Supports HTTP/1.0, HTTP/1.1 and HTTPS. F-Secure Management Agent starts and controls the service automatically.

F-Secure Management Agent (FSMA)

Service: F-Secure Management Agent
Process: fsma32.exe
Description: F-Secure Management Agent is an FSMA service responsible for starting other services and monitoring them. The service handles the communication with F-Secure Policy Manager via the network shared directory or HTTP interface.

Service: F-Secure Network Request Broker
Process: fnrb32.exe
Description: F-Secure Management Agent starts and controls the service automatically.

Process: fsmb32.exe
Description: F-Secure Message Broker provides the inter-process communication interface for integrated services and applications.

Process: fch32.exe
Description: F-Secure Configuration Handler that works with F-Secure Policy Manager driver and enables other components to read base policy settings and to update incremental policy settings and statistics.

Process: fameh32.exe
Description: Alert and Management Extensions Handler is used to send alerts and reports to F-Secure Policy Manager Console, LogFile.log, Windows event log and SMTP server.

Process: fih32.exe
Description: F-Secure Installation Handler enables the remote installation and updating of integrated F-Secure products.

Process: fsm32.exe
Description: The F-Secure Settings and Statistics User Interface. The process is not running unless the user is logged in to the system.

F-Secure Automatic Updates Agent

Service: F-Secure Automatic Updates Agent
Process: servic~1.exe
Description: The service starts and controls the F-Secure Automatic Update Agent client process.

Process: f-secu~1.exe
Description: F-Secure Automatic Update.exe. This is the client process that polls and automatically downloads virus and spam definition database updates from F-Secure. It also handles F-Secure Automatic Updates Agent settings and provides the local user interface for a logged-on user.

Process: FSBWSYS.exe
Description: The Automatic Update Agent process provides automatic updates of virus definition databases for F-Secure Content Scanner Server. The process receives virus definition database updates from F-Secure Automatic Updates Agent Server via the HTTP or UDP-based protocol.

TROUBLESHOOTING
Overview
Starting and Stopping
Viewing the Log File
Common Problems and Solutions
Frequently Asked Questions
F-Secure Automatic Update Agent Troubleshooting

CHAPTER D Troubleshooting

D.1 Overview

If you have a problem that is not covered in here, see Technical Support, 397.

D.2 Starting and Stopping

If you ever need to start or stop F-Secure Anti-Virus for Microsoft Exchange, you can do it in the following ways:

Open the Services applet from the Administrative tools folder in the Windows Control Panel and select F-Secure Anti-Virus for Microsoft Exchange. To stop F-Secure Anti-Virus for Microsoft Exchange, click Stop. To start the service, click Start.

Open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the F-Secure Anti-Virus for Microsoft Exchange tab. Select the Summary page and click Start to activate F-Secure Anti-Virus for Microsoft Exchange. Click Stop to stop it.

From the command line: enter NET STOP FSAVAG4MSE at the command line to stop the service, and NET START FSAVAG4MSE to start the service.

D.3 Viewing the Log File

F-Secure Anti-Virus for Microsoft Exchange uses the log file Logfile.log that is maintained by F-Secure Management Agent and contains all alerts generated by F-Secure components installed on the host. Logfile.log can be found on all hosts running F-Secure Management Agent. You can view the Logfile.log with any text editor, for example Windows Notepad. Open the logfile.log from F-Secure Settings and Statistics / F-Secure Management Agent properties / Show log file, or from the Home page of F-Secure Anti-Virus for Microsoft Exchange Web Console by clicking Show F-Secure Log.

F-Secure Management Agent uses Logfile.log (in F-Secure / Common directory) for logging of all the alerts on the host. Logfile.log contains all the alerts generated by the host, regardless of the severity. Logfile.log file size can be configured in F-Secure Management Agent / Settings / Alerting / Alert Agents / Logfile / Maximum File Size.

D.4 Common Problems and Solutions

If you think that you have some problem with F-Secure Anti-Virus for Microsoft Exchange, check that both F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server are up and running.

Checking F-Secure Anti-Virus for Microsoft Exchange

1. Make sure that F-Secure Anti-Virus for Microsoft Exchange service and all its processes have started. Open Services in the Windows Control Panel and check that the F-Secure Anti-Virus for Microsoft Exchange service has started. Open the Windows Task Manager and check that the following processes are running:

   fshkmngr.exe
   fswbsthk.exe
   fsobmngr.exe
   fsma32.exe
   fnrb32.exe
   fsmb32.exe
   fameh32.exe
   fch32.exe
   fsm32.exe

2. To make sure that F-Secure Content Scanner Server accepts connections, start a telnet session to the F-Secure Content Scanner Server machine to the port 18971. If you have specified a different SCIP port, use that port instead.

   If you get the cursor blinking in the upper left corner, it means that the connection has been established and F-Secure Content Scanner Server can accept incoming connections. If you get "Connection to the host lost" or other error message or if the cursor does not go to the upper left corner, it means that the connection attempt was unsuccessful.

   If your connection attempt was unsuccessful, (1) make sure that F-Secure Content Scanner Server is up and running, and (2) check the physical connection between F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. The connection must be direct (without firewalls or scanners in between) and at least 100 Mbps fast. If the computer running F-Secure Anti-Virus for Microsoft Exchange has two or more network interfaces (including dial-up modem connection), make sure that all files forwarded to F-Secure Content Scanner Server use the right network interface. Edit the routing table if needed.

Checking F-Secure Content Scanner Server

Problem:
When the F-Secure Anti-Virus for Microsoft Exchange tries to send an attachment to F-Secure Content Scanner Server, the attachment is not scanned and the e-mail does not reach the recipient.

Solution:
The problem is that F-Secure Anti-Virus for Microsoft Exchange is unable to contact F-Secure Content Scanner Server(s). There are several possible causes for this:

1. Incorrect keycode might have been used when installing F-Secure Content Scanner Server. When installing F-Secure Content Scanner Server you should use the keycode for F-Secure Anti-Virus for Microsoft Exchange, and not the keycode for F-Secure Content Scanner Server. If you have entered a wrong keycode, the installation did not install all the components required for F-Secure Anti-Virus for Microsoft Exchange.

2. A service or process may not be running on F-Secure Content Scanner Server. Make sure that all processes and services of F-Secure Content Scanner Server have started. Check the Services in Windows Control Panel. The following services should be started:

   F-Secure Content Scanner Server
   F-Secure Management Agent
   F-Secure Network Request Broker

   Check the Task Manager. The following processes should be running:

   fsmb32.exe
   fsavsd.exe
   fsdbuh.exe
   fnrb32.exe
   fsma32.exe
   fih32.exe
   fch32.exe
   fameh32.exe

If any of these processes are not started, uninstall and reinstall the F-Secure Anti-Virus Content Scanner Server.
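The two checks above (the process lists for F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server, and the telnet test against the SCIP port) can be scripted for routine monitoring. The following is an added example, not part of the product or of the original guide. It assumes that process information is taken from `tasklist /FO CSV /NH`, the function names are hypothetical, and the sample listing is constructed.

```python
import csv
import io
import socket

# Process lists exactly as given in the two "Checking ..." sections of the guide.
AGENT_PROCESSES = ("fshkmngr.exe", "fswbsthk.exe", "fsobmngr.exe", "fsma32.exe",
                   "fnrb32.exe", "fsmb32.exe", "fameh32.exe", "fch32.exe", "fsm32.exe")
SCANNER_PROCESSES = ("fsmb32.exe", "fsavsd.exe", "fsdbuh.exe", "fnrb32.exe",
                     "fsma32.exe", "fih32.exe", "fch32.exe", "fameh32.exe")

# Appendix C: fsm32.exe is the Settings and Statistics user interface and is
# not running unless a user is logged in, so its absence is reported separately.
SESSION_ONLY = {"fsm32.exe"}

DEFAULT_SCIP_PORT = 18971  # default SCIP port named in the guide

# Constructed sample of `tasklist /FO CSV /NH` output (not captured from a host).
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","24 K"
"fshkmngr.exe","1820","Services","0","9,812 K"
"fsobmngr.exe","1904","Services","0","4,120 K"
"fsma32.exe","1332","Services","0","3,548 K"
"FNRB32.EXE","1376","Services","0","2,904 K"
"fsmb32.exe","1400","Services","0","2,216 K"
"fameh32.exe","1452","Services","0","2,780 K"
"fch32.exe","1488","Services","0","3,012 K"
'''


def running_images(tasklist_csv):
    """Return the set of lower-cased image names found in tasklist CSV output."""
    names = set()
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if row and row[0].strip():
            names.add(row[0].strip().lower())
    return names


def missing_processes(tasklist_csv, expected):
    """Return the expected image names that are absent, sorted, case-insensitive."""
    running = running_images(tasklist_csv)
    return sorted(p for p in expected if p.lower() not in running)


def scip_port_open(host, port=DEFAULT_SCIP_PORT, timeout=3.0):
    """Scripted form of the telnet test: True if a TCP connection is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def health_report(tasklist_csv, expected, host, port=DEFAULT_SCIP_PORT, timeout=3.0):
    """Combine the process check and the SCIP connectivity check."""
    missing = missing_processes(tasklist_csv, expected)
    return {
        "missing": [p for p in missing if p not in SESSION_ONLY],
        "missing_session_only": [p for p in missing if p in SESSION_ONLY],
        "scip_reachable": scip_port_open(host, port, timeout),
    }


if __name__ == "__main__":
    # On a real host, replace SAMPLE_TASKLIST with the output of
    # `tasklist /FO CSV /NH` and "127.0.0.1" with the Content Scanner Server.
    print(health_report(SAMPLE_TASKLIST, AGENT_PROCESSES, "127.0.0.1"))
```

A successful connect only shows that the port accepts connections, as the telnet test does; it does not prove that scanning works.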

Checking F-Secure Anti-Virus for Microsoft Exchange Web Console

Problem:
I cannot open or access F-Secure Anti-Virus for Microsoft Exchange Web Console.

Solution:
1. Make sure that F-Secure Web Console daemon has started and is running. Check the Services in Windows Control Panel. The following service should be started:

   F-Secure Web Console Daemon

   Check the Task Manager. The following process should be running:

   fswebuid.exe

2. If you try to connect to the F-Secure Anti-Virus for Microsoft Exchange Web Console from a remote host, make sure that the connection is not blocked by a firewall or proxy server.

D.4.1 Installing Service Packs


If you wish to install a Microsoft Exchange Server Service Pack and F-Secure Anti-Virus for Microsoft Exchange is already installed, stop F-Secure Anti-Virus for Microsoft Exchange before installing the Service Pack and restart it after the Service Pack installation.

D.4.2 Securing the Quarantine

Problem:
I have installed F-Secure Anti-Virus for Microsoft Exchange and I'm worried about security of the local Quarantine storage where stripped attachments are quarantined. What do you recommend?

Solution:
F-Secure Anti-Virus for Microsoft Exchange creates and adjusts access rights to the local Quarantine storage during the installation. Keep in mind the following when setting up the local Quarantine storage:

Do not place the Quarantine storage on a FAT drive. FAT file system does not support access rights on directories and files for different users. If you place the Quarantine storage on a FAT drive, everyone who has access to that drive will be able to get access to the quarantined content.

Create and adjust access rights to the Quarantine storage manually if you use one on a network drive.

Create and adjust access rights to the Quarantine storage manually when you change its path from F-Secure Policy Manager Console or F-Secure Anti-Virus for Microsoft Exchange Web Console.
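When the access rights are set manually, as recommended here and in step 6 of A.3.2 and in A.7, the result can be audited by comparing the directory ACL with the permissions the guide names. The following is an added example, not F-Secure code. It assumes a Windows version that ships `icacls` and parses its listing format; the function names, the CONTOSO domain and both sample listings are constructed for illustration.

```python
import re

# Inheritance markers that icacls prints next to the rights; not rights themselves.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Account name as used in the guide -> icacls right it must hold.
# F = Full Control; M = Modify, i.e. "all except Full Control".
REQUIRED = {"administrator": "F", "exchange domain servers": "M", "system": "M"}

# One access entry, e.g.  NT AUTHORITY\SYSTEM:(OI)(CI)(M)
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample: `icacls C:\Quarantine` on a directory set up as in A.3.2.
COMPLIANT = r"""C:\Quarantine CONTOSO\Administrator:(OI)(CI)(F)
              CONTOSO\Exchange Domain Servers:(OI)(CI)(M)
              NT AUTHORITY\SYSTEM:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: Everyone left in place, rights too wide and too narrow.
WEAK = r"""C:\Quarantine Everyone:(OI)(CI)(RX)
              CONTOSO\Administrator:(OI)(CI)(F)
              CONTOSO\Exchange Domain Servers:(OI)(CI)(RX)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Return {account name, lower-cased and without domain: set of rights}."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first entry shares a line with the path
        match = ACE_RE.match(line)
        if not match:
            continue  # blank line or the "Successfully processed" summary
        account = match.group("who").rsplit("\\", 1)[-1].lower()
        rights = aces.setdefault(account, set())
        for group in re.findall(r"\(([^)]*)\)", match.group("groups")):
            rights.update(t for t in group.split(",") if t not in INHERIT_FLAGS)
    return aces


def audit_quarantine_acl(output, path, filesystem="NTFS"):
    """Return a list of findings; an empty list means the ACL matches the guide."""
    if filesystem.upper().startswith("FAT"):
        # D.4.2: FAT has no per-user access rights, so there is nothing to audit.
        return ["quarantine storage is on a FAT drive: access rights are not supported"]
    aces = parse_icacls(output, path)
    findings = [f"unexpected principal: {a}" for a in sorted(aces) if a not in REQUIRED]
    for account, need in REQUIRED.items():
        rights = aces.get(account)
        if rights is None:
            findings.append(f"missing principal: {account}")
        elif need == "M" and "F" in rights:
            findings.append(f"{account} has Full Control; the guide grants all except Full Control")
        elif need not in rights:
            findings.append(f"{account} lacks {need}")
    return findings


if __name__ == "__main__":
    for name, listing in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, audit_quarantine_acl(listing, r"C:\Quarantine") or "OK")
```

The audit covers the directory (Security tab) permissions only; the share permissions set in the Permissions dialog are a separate ACL and must be checked as well.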

D.4.3 Administration Issues


Some settings are initially configured during the installation of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. They can be viewed on the Status tab of F-Secure Policy Manager Console. When changing such settings in F-Secure Policy Manager Console for the first time, you must enforce the change by selecting the Final check box. This applies to the Primary and Backup Content Scanner Servers, Port, and Quarantine storage settings of F-Secure Anti-Virus for Microsoft Exchange and to the Working directory and Quarantine storage settings of F-Secure Content Scanner Server.


D.5

Frequently Asked Questions


Performance
Q. Why does the time to open a message in mailboxes and Public Folders increase after installation of F-Secure Anti-Virus for Microsoft Exchange? A. F-Secure Anti-Virus for Microsoft Exchange scans each message for viruses, hence the delay with opening the message. A message scanned once is marked as scanned and will be opened quickly next time. Of course, if a message has been changed, it will be scanned for viruses again. Q. Microsoft Outlook displays an error message stating something like Cannot open message or Cannot open message in preview pane. What should be done? A. Check that F-Secure Content Scanner Server is up and running. If a mail cannot be scanned, access to it is not allowed. Q. Why does e-mail stay in the Outbox for a while after being sent? A. F-Secure Anti-Virus for Microsoft Exchange scans each message for viruses, hence the delay with sending the message. Q. F-Secure Anti-Virus for Microsoft Exchange complains about connection timeout to F-Secure Content Scanner Server. What should be done? A. Make sure that F-Secure Content Scanner Server is running, that it has been installed with the correct keycode for F-Secure Anti-Virus for Microsoft Exchange, and that the connection to F-Secure Content Scanner Server is direct and at least 100 Mbps fast. If the computer running F-Secure Anti-Virus for Microsoft Exchange has multiple network interfaces (including dial-up connections), make sure that all files forwarded to F-Secure Content Scanner Server(s) use the right network interface.

CHAPTER D Troubleshooting Q. Every time when the server shuts down I get error reports that F-Secure SMTP and Real-Time Scanners cannot connect to the server. What is the problem? A. When you shut down the computer with F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange components, F-Secure Content Scanner Server may shut down before F-Secure Anti-Virus for Microsoft Exchange components, which may cause them to report that they have lost the connection to F-Secure Content Scanner Server.

387

Settings
Q. Is it possible to strip attachments with size greater than or equal to a given value? A. No, this is not possible at the moment. Use the Exchange Manager to limit the size of attached files. Q. Are the newly created mailboxes and Public Folders automatically covered by F-Secure Anti-Virus? A. Yes. The default polling interval for newly created mailboxes and Public Folders is 1 hour. For more information, see Advanced, 184. For more information on how to set the polling interval in stand-alone mode, see Advanced, 270.

CHAPTER D Troubleshooting Q. I am trying to change Primary and Backup Content Scanner Servers settings through F-Secure Policy Manager Console, but the changes did not affect F-Secure Anti-Virus for Microsoft Exchange. Why? A. Primary and Backup Content Scanner Servers settings are initially configured during the installation of F-Secure Anti-Virus for Microsoft Exchange and can thus be viewed on the Status tab of F-Secure Policy Manager Console. To override the settings made by the setup program, select the Final check box when changing this setting in F-Secure Policy Manager Console for the first time. This also applies to the Port and Quarantine storage settings of F-Secure Anti-Virus for Microsoft Exchange and to the Working directory and Quarantine storage settings of F-Secure Content Scanner Server. Q. A message has an attachment with a file extension that should be stripped. Why the attachment was not stripped? A. F-Secure Anti-Virus for Microsoft Exchange does not strip attachments with a size of 0 Kb, as they cannot contain any malicious code. Q. I have a Public Folder that is excluded from the virus scan, but some messages are scanned and disinfected before they arrive to the excluded Public Folder. Why? A. If you send a message from a MAPI client, the message goes to the Outbox folder before it is sent to the Public Folder. The message is scanned when it is in the Outbox folder according to the processing settings for this mailbox. When the message arrives in the Public Folder, it is scanned according to the Public Folder processing settings. Thus, messages sent with SMTP are not scanned in excluded Public Folders.


Q. A message is not scanned if it comes from a trusted mailbox. Why?
A. If an infected attachment arrives in a mailbox, it passes the virus scanner but it is not disinfected or stopped. The real-time scanner scans messages in the message store only once, so when the infected message is sent from the trusted mailbox to another mailbox inside the same message store, the real-time scanner does not scan it again. If you use trusted mailboxes, store those messages in a different message store. When a message moves between message stores, it is scanned and infected attachments can be disinfected. You can also run the manual scan periodically to remove infected attachments.

Q. When I release an e-mail from the Quarantine, sometimes two warning messages are sent to the recipient. Why?
A. When you release an e-mail that has an infected attachment from the Quarantine and the user uses POP3 to retrieve mail from the server, the user may receive two warning messages while the infected attachment remains in the Quarantine.


Local Protection with F-Secure Anti-Virus for Windows Servers


Q. Can all files on a Microsoft Exchange computer be scanned for viruses, or are some files and folders excluded from scanning automatically?
A. The working and quarantine directories of F-Secure Anti-Virus for Microsoft Exchange are added to the OAS excluded list during the installation. Microsoft Knowledgebase article #245822, "Recommendations for troubleshooting an Exchange computer with antivirus software installed", describes what files and folders should never be scanned with file-based antivirus software: http://support.microsoft.com/default.aspx?scid=kb;en-us;245822.


Quarantined and Disinfected Files


Q. When examining a raw message that has been disinfected, there seems to be some data that should be stripped. Is the message still infected?
A. Disinfected messages do not contain any malicious code. The Microsoft Exchange server keeps the original message header in the message, so MIME-part headers may appear in the raw message data.

Q. A message has an Attachment_Information.txt file as an embedded OLE object. What is this file and why do I get a warning message when I try to open the file?
A. The original message had an infection which F-Secure Anti-Virus for Microsoft Exchange removed and replaced with the Attachment_Information.txt file. As embedded OLE objects have to be replaced with text attachments to avoid corrupting OLE objects, the Attachment_Information.txt is an embedded OLE object that causes the warning message. The VirusInfo text file contains information about the infection that has been removed. The Attachment_Information.txt file may appear also in Public Folder messages for the same reason.

Q. During the installation, I get a notification that an application is requesting access to a protected system. What causes this?
A. You are using Windows 2000 Certificate Service and this behavior is normal with it.

Q. What happens to e-mails saved in the Drafts folder during the real-time scanning?
A. Messages saved temporarily into the Drafts folder are considered to be inbound and they are scanned and stripped accordingly.

Q. Why can users not attach some attachments to e-mail messages when using Microsoft Outlook Web Access and Microsoft Internet Explorer?
A. When using Microsoft Outlook Web Access and Microsoft Internet Explorer, you cannot send a message that has an attachment that cannot be disinfected or an attachment that is set to be stripped. When users try to attach the attachment, they receive an error message and the sending will fail.


D.6 F-Secure Automatic Update Agent Troubleshooting


The F-Secure Automatic Update Agent log file may be useful for solving problems where virus and/or spam definition databases do not update properly. Open the F-Secure Automatic Update Agent from F-Secure Settings and Statistics and click Show log file to view a detailed log of actions of the F-Secure Automatic Update Agent.

Q. How can I verify that updating the virus and spam definition databases really works?
A. First, open the F-Secure Automatic Update Agent window from F-Secure Settings and Statistics and select the Received Packages tab. If a virus definitions database update has been downloaded, you should see something like F-Secure Anti-Virus Update 2004-06-09 under Title.

Check the Last Result column. If the update has been successfully placed into the destination directory, the Latest Result displays Installed. If the Latest Result is Not installed, the update has been downloaded but the F-Secure Automatic Update Agent could not copy it into the destination directory. The F-Secure Automatic Update Agent tries to copy it there again at one-minute intervals. Click Package Properties to see the error message.

If the Last Result value is Installed, check the date and time in the First Installed column at the bottom of the Received Packages page. Then, open Windows Explorer and select the F-Secure Anti-Virus folder, select Details from the View menu, and click the Modified column title above the file list to display the files sorted by date and time. The F-Secure Anti-Virus folder should have files (with filename extensions .def, .avc, .set or .dat) which have the same date and time as the First Installed column.
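The timestamp comparison described above can be scripted for routine monitoring. The following PowerShell function is an added example, not part of the F-Secure product or this guide; the function name, the status values, the tolerance and the temporary sample folder are assumptions.

```powershell
# Added example: automates the Windows Explorer timestamp comparison.
# Function, parameter and status names are illustrative, not an F-Secure API.
function Test-DefinitionInstall {
    param(
        [Parameter(Mandatory = $true)] [string]   $DatabaseDir,    # the F-Secure Anti-Virus folder
        [Parameter(Mandatory = $true)] [datetime] $FirstInstalled, # from the Received Packages tab
        [int] $ToleranceMinutes = 2                                # assumption: allowed timestamp skew
    )
    $extensions = '.def', '.avc', '.set', '.dat'   # extensions named in the guide
    $result = [pscustomobject]@{ Status = ''; Newest = $null; Matching = @() }

    # A missing directory is reported separately from a directory without definition files.
    if (-not (Test-Path -LiteralPath $DatabaseDir -PathType Container)) {
        $result.Status = 'DirectoryMissing'; return $result
    }
    $files = @(Get-ChildItem -LiteralPath $DatabaseDir -File |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() })
    if ($files.Count -eq 0) { $result.Status = 'NoDefinitionFiles'; return $result }

    # Newest definition file, and the files whose Modified time agrees with First Installed.
    $result.Newest = ($files | Sort-Object LastWriteTime -Descending |
        Select-Object -First 1).LastWriteTime
    $result.Matching = @($files | Where-Object {
        [math]::Abs(($_.LastWriteTime - $FirstInstalled).TotalMinutes) -le $ToleranceMinutes
    } | ForEach-Object { $_.Name })

    if ($result.Matching.Count -gt 0)           { $result.Status = 'Match' }
    elseif ($result.Newest -lt $FirstInstalled) { $result.Status = 'Stale' }    # files older than the package
    else                                        { $result.Status = 'Mismatch' } # files newer, none agree
    return $result
}

# Constructed sample data: a temporary folder standing in for the Anti-Virus folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("fsav-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$installed = [datetime]'2004-06-09T14:05:00'
foreach ($name in 'sample1.def', 'sample2.avc', 'readme.txt') {
    $file = New-Item -ItemType File -Path (Join-Path $dir $name)
    $file.LastWriteTime = $installed
}

# Case 1: the definition files carry the First Installed time.
Test-DefinitionInstall -DatabaseDir $dir -FirstInstalled $installed
# Case 2: the console reports a package installed a week after the files on disk.
Test-DefinitionInstall -DatabaseDir $dir -FirstInstalled $installed.AddDays(7)

Remove-Item -LiteralPath $dir -Recurse -Force
```

A Stale result corresponds to the situation covered in the later question about an update shown as Installed with no new files in the Anti-Virus directory.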


Q. The Received Packages page states that a virus definition database update is Not installed. What should I do?
A. Click on the package title and then Package Properties to view the error message.

Unable to locate anti-virus database update directory: The directory does not exist, the communication directory is corrupted, or your client is in Standard mode and the update directory is in a network drive. Open the Settings page in the F-Secure Automatic Update Agent window and click Change to select the destination directory again.

Not enough free disk space: The drive of the destination directory is full. Free some disk space.

Could not create temporary directory: Check that the current user has appropriate access rights to the destination directory. Note that if the destination is a communication directory, the same rights are also required for its subdirectories. If the destination is the Other subdirectory, the same rights are required for its parent directory.

Could not switch database update directory to a new one: Another application has a file open in the destination directory, so it cannot be deleted. This can occasionally happen if multiple hosts are retrieving the update at the same time. The client will retry at one-minute intervals, so wait and see if the result changes to Installed. If the update is still uninstalled, close all applications on the computer where the destination directory is, or reboot it. If the client is in NT application mode, see the explanation above for Could not create temporary directory.

Q. The Received Packages page states that a virus definition database update is Installed, but there are no new files in the Anti-Virus directory. Why?
A. After downloading the update and placing it into a communication directory, F-Secure Content Scanner Server does not immediately retrieve the files from there. The delay depends on the polling interval of F-Secure Management Agent; with the default interval of 10 minutes, the delay can be up to 20-30 minutes.

In a stand-alone installation, make sure F-Secure Automatic Update Agent is installed in Stand-alone mode. Open the Settings page in the F-Secure Automatic Update Agent window. The Change button should be disabled.

With centrally managed installations, check that you have enabled Poll Automatically for Virus Definitions Updates in F-Secure Policy Manager Server. Open the Settings page in the F-Secure Automatic Update Agent window and check that you have selected the correct communication directory as the destination for the updates. If you are not sure, try downloading Latest.zip from http://www.F-Secure.com/download-purchase/updates.shtml, and import it to F-Secure Policy Manager Console. If the update succeeds this way, but not with F-Secure Automatic Update Agent, and the Received Packages page states that an update is Installed, the F-Secure Automatic Update Agent is most probably configured to place the updates in a wrong directory.

Q. The Installed Packages page states that a virus definition database update has Failed after I upgraded the product. What should I do?
A. During the upgrade, F-Secure Automatic Update Agent retrieves the latest virus definition update. If the previous version of the product had the same version of the database installed already, F-Secure Automatic Update Agent does not overwrite files and marks the update as failed. The message disappears automatically during the next virus database update.


Q. I installed the F-Secure Automatic Update Agent, but it has not downloaded any virus definition updates. What's wrong?
A. Select the Received Packages tab in the F-Secure Automatic Update Agent window and check that no virus definitions update packages are listed in there.

Select the Channel Status page in the F-Secure Automatic Update Agent. If the Channel Name and Channel Address fields are empty, the client has not yet connected to F-Secure Automatic Update server. Make sure that your Internet connection is working, and if the Current Status is Ready, click Connect Now to force the client to connect to the server immediately. Downloading the virus definitions database update for the first time can take a while if you have a lot of other Internet traffic open at the same time.

If the client cannot connect to the server, make sure that your browser can access the Internet. Open your browser and connect to http://fsbwserver.f-secure.com/. If you cannot connect to the web page, check your network settings. If the connection was successful, open the Settings page. If Polite Agent is selected in the Communication section, change it to HTTP. If you change the protocol from Polite Agent to HTTP or vice versa, you have to restart the F-Secure Automatic Update Agent.

If changing to HTTP communication did not help, open the Internet options in your browser to determine if you are connected through an HTTP proxy server. A few examples:

Internet Explorer 6.0: Under the Tools menu, select Internet Options. Select the Connection tab and click LAN Settings.... Check the settings in the Proxy server section. If you have the Use a proxy server for your LAN option selected and there is an address and port defined, you are using an HTTP proxy server. If the Use a proxy server for your LAN option is not selected and you see a proxy server setting in the Address section but it is grayed out, click Advanced, remove the address and specify port 0.

Mozilla Firefox 1.0: Under the Tools menu, select Options. Select the General category, and click Connection Settings.... If the Manual proxy configuration option is selected, you can see the address and port number of the HTTP proxy server in the Connection Settings window.

If you have determined that you are connecting through an HTTP proxy server, enable the Use HTTP proxy checkbox on the Settings page of the F-Secure Automatic Update Agent window and type the proxy server address and port number that you retrieved from your browser into the field (for example, myproxy.mydomain.com:80). If you are not connected through a proxy server, ensure that the Use HTTP proxy option is not selected.

After these operations, your Automatic Update Agent client should be able to connect and receive content. If you are not able to receive content and your client is configured correctly, contact your network administrator and have them verify that your firewall is configured to accept outgoing HTTP requests and incoming responses to these requests.

Technical Support

F-Secure Online Support Resources
Web Club
Virus Descriptions on the Web


F-Secure Online Support Resources


F-Secure Technical Support is available through F-Secure support web pages, e-mail and by phone. Support requests can be submitted through a form on F-Secure support web pages directly to F-Secure support.

F-Secure support web pages for any F-Secure product can be accessed at http://support.f-secure.com/. All support issues, frequently asked questions and hotfixes can be found under the support pages.

If you have questions about F-Secure Anti-Virus for Microsoft Exchange not covered in this manual or on the F-Secure support web pages, you can contact your local F-Secure distributor or F-Secure Corporation directly.

For technical assistance, please contact your local F-Secure Business Partner. Send your e-mail to:
Anti-Virus-<country>@f-secure.com
Example: Anti-Virus-Norway@f-secure.com

If there is no authorized F-Secure Anti-Virus Business Partner in your country, you can submit a support request directly to F-Secure. There is an online "Web submit form" accessible through F-Secure support web pages under the "Contact Support" page. Fill in all the fields and describe the problem as accurately as possible. Please include the FSDiag report taken from the problematic server with the support request.

Before contacting support, please run the F-Secure Diagnostic utility FSDiag.exe on each of the hosts running F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software. You can run the F-Secure Diagnostics tool from the F-Secure Anti-Virus for Microsoft Exchange Web Console as follows:

1. Log in to the Web Console.
2. Type https://127.0.0.1:25023/fsdiag/ in the browser's address field.
3. The F-Secure Diagnostics tool starts and the dialog window displays the progress of the data collection.
4. When the tool has finished collecting the data, click Get Report to download and save the collected data.

You can also find and run the FSDiag.exe utility under the F-Secure\Common folder, if you prefer not to do it through the F-Secure Anti-Virus for Microsoft Exchange Web Console. The tool generates a file called FSDiag.tar.gz.

Please include the following information with your support request:

- Version number of F-Secure Management Agent, F-Secure Anti-Virus for Microsoft Exchange, F-Secure Policy Manager Server, and F-Secure Policy Manager Console. Include the build number if available.
- Description of how F-Secure components are configured.
- The name and the version number of the operating system on which F-Secure products and protected systems are running. For Windows, include the build number and Service Pack number.
- The version number and the configuration of your Microsoft Exchange Server. If possible, describe your network configuration and topology.
- A detailed description of the problem, including any error messages displayed by the program, and any other details that could help us replicate the problem.
- Logfile.log from the machines running F-Secure products. This file can be found under Program Files\F-Secure\Common. If you are sending the FSDiag report you do not need to send the Logfile.log separately, because it is already included in the FSDiag report.
- If the whole product or a component crashed, include the drwtsn32.log file from the Windows NT directory and the latest records from the Windows Application Log.


Web Club
The F-Secure Web Club provides assistance and updated versions of the F-Secure products. To connect to the Web Club on our Web site, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and click the Web Club link in the banner. Alternatively, right-click on the F-Secure icon in the Windows taskbar, and choose the Web Club command.

To connect to the Web Club directly from within your Web browser, go to: http://www.f-secure.com/anti-virus/webclub/corporate/

Virus Descriptions on the Web


F-Secure Corporation maintains a comprehensive collection of virus-related information on its Web site. To view the Virus Information Database, connect to: http://www.f-secure.com/virus-info/.

About F-Secure Corporation


F-Secure Corporation is the fastest growing publicly listed company in the antivirus and intrusion prevention industry with more than 50% revenue growth in 2004. Founded in 1988, F-Secure has been listed on the Helsinki Stock Exchange since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Italy, Sweden, the United Kingdom and Japan. F-Secure is supported by service partners, value added resellers and distributors in over 50 countries. F-Secure protection is also available through mobile handset manufacturers such as Nokia and as a service through major Internet Service Providers, such as Deutsche Telekom, France Telecom and Charter Communications. The latest real-time virus threat scenario news is available at the F-Secure Antivirus Research Team weblog at http://www.f-secure.com/weblog/.

Services for Individuals and Businesses


F-Secure services and software protect individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions. Our key strength is our proven speed of response to new threats. For businesses our solutions feature a centrally-managed and well-integrated suite of solutions for workstations and servers alike. Focused partners offer security as a service for companies that do not wish to build in-house security expertise. Visit our website at http://www.f-secure.com/products/ to learn more about our products and services.
