Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.
Copyright 2003 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.
Program Manager: Tom Brandon
Editorial: Niche Associates, Inc.
Released: October 2003 v01
Table of Contents
InterScan Messaging Security Suite
Course Objectives
Prerequisites
Appendix B: Adding Entries to DNS and Excluding Files From Scanning
Adding Entries to DNS
Excluding Certain Types of Text Files from Scanning
Appendix C: Uninstalling and Reinstalling InterScan Messaging Security Suite
Appendix D: Example Logs
Appendix E: Interpreting Header Information
Appendix F: Answers to Review Questions
Knowledge
Describe the main features of InterScan Messaging Security Suite (InterScan MSS)
Explain how InterScan MSS protects your email system from viruses and other malware
Describe the main features of eManager
Explain how eManager controls the content entering your email system
Describe how the heuristic scan engine works and how Spam Prevention Service (SPS) uses it to filter spam
Skills
Install InterScan MSS
Use the Management Console to configure InterScan MSS for varying network conditions and preferences
Test the capabilities of InterScan MSS
Monitor the performance of InterScan MSS
Update the virus pattern, scan-engine, and program files of InterScan MSS
Chapters
Each chapter focuses on one aspect of using InterScan MSS to protect your network from viruses in the wild. In addition to defining important concepts and terms, each chapter outlines the various administration tasks you need to perform. For example, you will learn how to install, configure, and troubleshoot InterScan MSS. The PowerPoint slides your instructor uses to teach the course appear at the beginning of each chapter. The rest of the chapter contains detailed information that you can read or refer to after class.
Chapter Objectives
Each chapter starts with a list of objectives so you can see how the chapter fits into the overall course goal. After reading the chapter, you should be able to fulfill the chapter objectives.
Summary
Each chapter ends with a summary, listing the important information explained in the chapter. The summary mirrors the chapter objectives.
Review Questions
To help you fulfill the chapter objectives, each chapter includes review questions that test your understanding of the chapter material. After reading the chapter, you should be able to answer the questions easily and quickly. If you cannot answer a question, you should review the chapter material. The answers to the review questions are provided in Appendix F: Answers to Review Questions.
Prerequisites
This course is designed for end users and resellers who need to install and set up InterScan MSS and for those who seek Trend Micro antivirus suite certification. The following professionals benefit most from this course:
System administrators
Network engineers
Before you take this course, Trend Micro recommends that you have the following knowledge:
A general knowledge of TCP/IP
A working knowledge of Microsoft Windows 2000 and Windows 2000 Advanced Server
A working knowledge of Simple Mail Transfer Protocol (SMTP)
A working knowledge of Microsoft Internet Information Server (IIS)
A working knowledge of Microsoft Exchange and Microsoft Outlook Express
Familiarity with the physical aspects of networking (such as network interface boards, cables, jacks, hubs, routers, and so on)
Product Features
InterScan MSS is a high-performance, policy-based antivirus and content-security Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) server. InterScan MSS performs the following functions:
Protects enterprise messaging systems from Internet-borne malware
Blocks the transmission and receipt of spam and other non-business-related content
InterScan MSS can be deployed into an existing SMTP messaging environment and protects networks from virus infection through the SMTP gateway. In addition to SMTP traffic, InterScan MSS can scan Post Office Protocol 3 (POP3) messages. POP3 scanning is performed using the InterScan MSS POP3 proxy that runs on the same server as the SMTP scanning function (using a different port). InterScan MSS eManager filters messages for spam and non-business-related content such as profanity, sexually offensive content, and racially offensive content. eManager includes filters that you can configure to block any type of content from your email system. You can also configure the Spam Prevention Service (SPS) filters to block unwanted content from your network.
AMON Support
InterScan MSS 5.5 supports Application Monitoring (AMON) from Check Point Software Technologies, LTD. InterScan MSS uses AMON to report scanning statistics to Check Point System Status Viewer.
Best-Match Algorithm
The best-match algorithm is the method that InterScan MSS uses to determine which policy to apply to an email. InterScan MSS applies the policy with the route that most closely matches the addresses of the incoming email.
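The route-matching idea above, worked through as an added example (not the product's own code). The page does not define how "most closely matches" is scored, so the ranking used here (exact address beats a domain wildcard, which beats a match-anything route, earlier policy wins ties) is an assumption for illustration; the policies and addresses are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One policy's 'Who' attribute: a sender route and a recipient route.

    Each route is an exact address ('ceo@example.com'), a wildcard pattern
    ('*@example.com'), or '*' for any address.
    """
    name: str
    sender: str
    recipient: str


def _specificity(pattern: str, address: str) -> int:
    """Score how closely one route pattern matches one address.

    Assumed ranking for this example (not documented on the page):
    exact address (3) > wildcard pattern (2) > match-anything '*' (1)
    > no match (0).
    """
    pattern = pattern.lower()
    address = address.lower()
    if pattern == "*":
        return 1
    if "*" not in pattern and "?" not in pattern:
        return 3 if pattern == address else 0
    return 2 if fnmatch.fnmatchcase(address, pattern) else 0


def best_match(policies: List[Policy], sender: str, recipient: str) -> Optional[Policy]:
    """Return the policy whose route most closely matches both addresses.

    A policy qualifies only when both its sender and recipient routes match
    the email; among those, the highest combined score wins, and an earlier
    policy in the list wins a tie (assumed tie-break).
    """
    best: Optional[Policy] = None
    best_score = 0
    for policy in policies:
        s = _specificity(policy.sender, sender)
        r = _specificity(policy.recipient, recipient)
        if s == 0 or r == 0:
            continue  # route does not apply to this email at all
        if s + r > best_score:
            best, best_score = policy, s + r
    return best


# Constructed sample policies, from least to most specific.
SAMPLE_POLICIES = [
    Policy("global", "*", "*"),
    Policy("inbound-to-staff", "*", "*@example.com"),
    Policy("ceo-inbox", "*", "ceo@example.com"),
    Policy("partner-to-sales", "*@partner.example.net", "sales@example.com"),
]

if __name__ == "__main__":
    for snd, rcpt in [("x@anywhere.test", "bob@example.com"),
                      ("x@anywhere.test", "ceo@example.com"),
                      ("alice@partner.example.net", "sales@example.com")]:
        chosen = best_match(SAMPLE_POLICIES, snd, rcpt)
        print(f"{snd} -> {rcpt}: {chosen.name if chosen else 'no policy'}")
```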
Cluster Servers
InterScan MSS supports cluster servers for increased performance. When you install multiple instances of InterScan MSS on clustered servers, you can save your customized settings, which are stored in INI, DAT files, and registry entries. You can then apply these settings to each instance of InterScan MSS running on the cluster servers.
Content Management
You can use InterScan MSS to inspect email messages and attachments and stop unwanted content at the gateway. Email is an indispensable business tool, but it must be managed properly to ensure it is used productively. You can create filters that use keyword expressions to eliminate anything from violent, sexually offensive, or racially offensive content to personal communications.
Enhanced Performance
InterScan MSS includes an enhanced built-in email transfer agent (MTA), email delivery agent (MDA), and virus/content scanner to ensure that your messaging system runs efficiently. In addition, InterScan MSS has a multithreaded design that takes full advantage of multiprocessor systems.
Policy-Based Management
InterScan MSS provides policy-based management, which makes it easier to regulate content and filter for viruses. To enforce email usage guidelines, you can create multiple virus and content-filtering policies on a single InterScan MSS server. You can also set up different policies for individuals or groups, based on sender and recipient addresses. A policy consists of the following three attributes:
Who: To whose messages the policy applies
What: What message or attachment characteristics, such as addresses, keyword expressions, file types, and sizes are to be filtered
Action: The action to take with email that triggers the filters
Quarantine Manager
You can use the Quarantine Manager to manage messages in the quarantine area. The Quarantine Manager is part of the InterScan MSS Web console. You can view the messages in the quarantine area and decide what action you want to take with them. The Quarantine Manager has a query feature that you can use to retrieve information about the messages in the quarantine area, including the reason the message was quarantined.
Figure 1-1: InterScan MSS uses a round-robin method to forward email to downstream SMTP servers. (Diagram not reproduced: the Internet, the IMSS server, and the downstream SMTP servers.)
System Monitor
InterScan MSS includes a built-in agent, called the System Monitor, which monitors the status of the InterScan MSS server. The System Monitor can notify you by email or Simple Network Management Protocol (SNMP) trap when fault conditions, such as a virus, threaten to disrupt the email flow. Detailed logging helps you take a proactive approach to these issues and eliminate them before they become a problem. Event monitoring helps you identify potential trouble spots and provides notifications so that you can correct problems and keep the system running smoothly.
Some events are handled automatically. For example, if the InterScan MSS service stops, it restarts automatically to ensure email flow is not interrupted.
Table 1-1: Trend Micro products that you can use to protect the different entry points on your network. (Table layout not recoverable. Products listed: InterScan Messaging Security Suite, InterScan Web Manager, ScanMail for Microsoft Exchange, PortalProtect, PC-cillin. Entry points and platforms listed: SMTP; OpenMail on HP-UX; Windows, NetWare, Network Appliance Filers, EMC Celerra, and Linux; Microsoft SharePoint Portal Server on Windows; Windows clients and servers; file system, network shares, POP3; file system, TCP/IP, Outlook client, PDAs, and wireless devices; cleaning templates that repair damage to the device, including changes made to the registry, files, and open ports.)
Note: To help you protect your network against the latest malware threats, Trend Micro is constantly updating its products. For up-to-date information, visit http://www.trendmicro.com.
Protecting individual devices and systems is only the first layer of defense. To prevent malware from damaging your network and causing downtime, you need an integrated solution that coordinates all virus-protection products, mitigates damage caused by malware attacks, and cleans damaged systems. The Trend Micro Enterprise Protection Strategy (EPS) combines products, services, and support to protect network entry points. To rebuff a malware attack, the Enterprise Protection Strategy delivers a coordinated defense that begins when a new virus is discovered and ends when the threat is eliminated.
Relying on a broad offering of specific products and resources, the Trend Micro EPS includes these basic components (see Figure 1-1):
Trend Micro Control Manager
Outbreak Prevention Services
Virus Response Services
Damage Cleanup Services
Figure 1-1: Using Trend Micro Enterprise Protection Strategy to manage the outbreak lifecycle. (Diagram not reproduced; it shows centralized management across the stages Threat Information, Attack Prevention, and Pattern File.)
The virus pattern file provided with Virus Response Services includes threat-based scanning. This feature increases the efficiency of virus scanning by focusing the search in areas where the threat is most likely to be found.
Review Questions
1. Which feature allows you to control the level of antivirus and content management that is applied to members of your organization?
a. Domain-based message routing
b. Quarantine manager
c. Policy-based management
d. Single-server, multiple policy support
2. Which feature can you use to filter unwanted email, such as sexually or racially insensitive material?
a. Domain-based message routing
b. Content management
c. Policy-based management
d. Single-server, multiple policy support
3. Which feature notifies you when a fault condition threatens to disrupt email flow?
a. Content management
b. Enhanced server access control
c. Quarantine manager
d. System Monitor
In the DMZ
You can install InterScan MSS in a DMZ, which further protects your company's network from Internet-based attacks. A DMZ isolates traffic that is coming from the Internet, preventing this traffic from directly accessing your network. You can create a DMZ by installing two firewalls to separate your network from the Internet. The area between the two firewalls is the DMZ, which is where you would place your InterScan MSS server (see Figure 2-2).
You can also create a DMZ using just one firewall. In such a configuration, email passes through the firewall when entering the network. After InterScan MSS has scanned the email, it sends it back through the firewall and to the receiving client. (see Figure 2-3).
Figure 2-3 (diagram not reproduced; callouts): Email passes through the firewall on the way to the InterScan MSS server. After InterScan MSS completes the scanning, it routes the email back through the firewall and to the SMTP server.
If you install InterScan MSS on your email server, you must configure the InterScan MSS server exactly as your existing SMTP server is configured. Matching the configuration ensures that the email server and InterScan MSS both process all email. When you install InterScan MSS on the same computer as the email server, ensure that the SMTP and InterScan MSS ports do not conflict. InterScan MSS binds to port 25 by default, so the port on the existing SMTP server must be changed prior to installing InterScan MSS. If you are using POP3, the POP3 port numbers should also be changed because InterScan MSS tries to bind to port 110. After you reassign these ports, you can run the InterScan MSS setup program.
InterScan MSS should be the first server through which incoming email passes and the last server through which outgoing email passes.
Intel Pentium III processor 1 GHz or above
1 GB RAM
Minimum 2 GB of free hard disk space for email storage (InterScan MSS uses a store-and-forward mechanism, so a large HDD is recommended.)
Software Requirements
Windows 2000 Server/Advanced Server (recommended), Windows 2003 Server, or Windows NT 4 Server with Service Pack 6A. (The Windows 2000 installation has been tested with Service Pack 4.)
Microsoft Internet Information Server (IIS) 4.0 or above and the latest security patches to host the InterScan MSS Web console
Microsoft Internet Explorer 5.5 or above
Once you have migrated previous InterScan MSS settings, you must activate InterScan MSS. When you activate InterScan MSS, all previously created eManager filters that you migrated will be inactive. You must use the Policy Manager to reactivate them.
Note: If you choose not to migrate your old InterScan MSS settings, Trend Micro recommends that you completely uninstall InterScan MSS and perform a clean install.
If the target server has a copy of InterScan MSS 5.x, then the following files are automatically backed up during migration:
isntsmtp.ini
domaintable.ini
tmlogflag.ini
localdomain.dat
conn_restrict.dat
relay_restrict.dat
vsapi32.dll
These files are migrated to your new software installation, and backup copies are created in the \IMSS_RILOG directory on the root drive.
Note: Trend Micro recommends that you do NOT use the InterScan MSS server as your notification server. Using the InterScan MSS server as your notification server can cause message looping, and, if the InterScan MSS server stops working, you cannot receive notification messages from the System Monitor.
Administrator's email address for receiving notifications
The email domain name(s) of the server that processes messages for your network (as shown in the MX record on your DNS server)
The name of the Windows NT or Windows 2000 server where you want to install InterScan MSS
An administrator credential (user name and password) with local administrative rights or domain administrator credentials
If you have downloaded the InterScan MSS package from the Internet as a single compressed file, decompress the package to a folder. Preserve the folder structure that existed within the compressed file. Close all programs on the target server. If either the Microsoft Internet Explorer or the Microsoft Management Console (MMC) is open, installation will fail. Other MMC-related programs may interfere with the InterScan MSS installation console. Close these programs on both the target server and the computer from which you run the remote installation.
(DCOM). InterScan MSS will not function properly if this service is disabled.
You can use Secure Sockets Layer (SSL) to protect the communication between the Web console and InterScan MSS. If you choose to use SSL protection, you must generate and apply an SSL certificate to the Microsoft Internet Information Server (IIS) before installing InterScan MSS. If you do not apply the certificate prior to installation, you will have to uninstall InterScan MSS, apply the certificate, and reinstall InterScan MSS.
Note: The Remote Registry Service should be activated.
Note: The InterScan MSS installation program uses the Netlogon port (which is port 445). If you have locked down this port, you will need to open it before you run the installation program.
Figure 2-6: The Welcome screen for the InterScan MSS Web console.
The InterScan MSS installation program creates a shortcut that takes you directly to the Welcome screen of the InterScan MSS Web console. The shortcut is located in the C:\Program Files\Trend\IMSS\UI folder (see Figure 2-7). You can copy this shortcut, paste it on the desktop, and use it for easy access to the InterScan MSS Web console.
If you are using SSL communication, you must change the shortcut to point to an HTTPS URL instead of an HTTP URL. To change this setting, right click on the shortcut and select Properties. The intscan Properties menu appears (see Figure 2-8). Click the Web Document tab and make the necessary modifications to the URL.
Figure 2-7: The InterScan MSS installation program creates a shortcut to the Web console that you can copy to your desktop.
Proxy Settings
If you use a proxy server to connect to the Internet, you must configure your server and authentication settings before attempting an update. As a security precaution, the proxy password is sent only once from the InterScan MSS Web console to the InterScan MSS server. When you return to the Proxy Settings screen, the Password field appears blank. Displaying the password, even as a series of asterisks, would necessitate sending the proxy user name and password between the server and browser. To enter your Activation Code and configure your proxy server (if applicable), click Configuration | Product License from the left-hand column of the InterScan MSS management console. The Product License screen appears, showing which products are activated. Click the Activate link next to the product you want to activate, and another Product License screen appears (see Figure 2-9). Enter the requested information to activate your product.
Figure 2-10: The Enter a New Code screen used when upgrading from the InterScan MSS trial version to the full version.
Note: You cannot use another evaluation code if you are already using the evaluation version of the product. You must enter a full version activation code. To obtain a valid activation code, contact the Trend Micro sales department. Contact information is available at http://www.trendmicro.com
Benefits
Registering your product is important because it entitles you to the following benefits:
One year of program and pattern file updates
Important product information
Update Settings
To maintain the highest level of protection against the latest virus and content threats, you must update your virus-pattern file and spam database regularly. Trend Micro updates the virus-pattern file several times per week in response to newly released viruses. In addition, Trend Micro periodically updates the scanning engine, which is the component that compares a file's binary structure with the virus-pattern file, detects suspicious virus-like behavior, and cleans viruses. The heuristic spam rules are also updated periodically in order to improve the accuracy with which SPS identifies spam. Updates to the heuristic spam rules are included in virus pattern file updates.
When you install InterScan MSS, you should immediately update both the scan engine and the virus pattern file to ensure that you are using the most recent versions of both components. Outdated pattern files and scan engines cannot protect against newly developed viruses. You should normally update the components from the Trend Micro ActiveUpdate server and use the default URL for which the product is configured. However, because the source of the update files is configurable, you can specify another Internet location. For example, you may need to change the update path if a technical support engineer has directed you to install a special build of the virus pattern file or scanning engine, or if you set up your own update server locally on your intranet. You can use one of the following update methods when updating InterScan MSS components:
On-Demand Update (Update Now)
Scheduled Update
Figure 2-11: Components that should be updated are denoted with a red "Update Now!" message.
The Update Now screen shows the version of each component that you are using as well as the most up-to-date version available for each component. Newer components, when available, are denoted with a red "Update Now!" message, as shown in Figure 2-11. In this example, both the scan engine and the spam database are current, but the virus pattern file needs to be updated.
Scheduled Update
InterScan MSS can automatically download updates hourly, daily, or weekly. If your network has limited Internet bandwidth, you can configure InterScan MSS to update the virus pattern file and scan engine after business hours or at other times when network traffic is low. Trend Micro recommends that you schedule regular updates of all InterScan MSS components. To configure a scheduled update, click Configuration | Update | Scheduled Update from the left-hand column of the InterScan MSS Web console. The Scheduled Update screen appears (see Figure 2-12). Select the components that you want to update and configure an update schedule in the fields provided.
When rolling back to a previous virus pattern file, you need to ensure that an older pattern file is located in the C:\Program Files\Trend\IMSS\ISNTSmtp folder. If only the current pattern file is located in the folder, you cannot roll back the update. If an older pattern file is available, you can remove the new pattern file from the directory and then restart the InterScan MSS service (see Figure 2-13).
Note: InterScan MSS will store old virus pattern files indefinitely. You must manually delete old virus pattern files. There is no reason to keep more than one or two out-of-date virus pattern files.
Figure 2-13: Ensure that an older version of the virus pattern file is available before rolling back the update.
Lab Exercise 1: Installing InterScan MSS
Lab Exercise 2: Updating the InterScan MSS Components
Review Questions
1. Which of the following are recommended installation configurations for InterScan MSS? (Choose two.)
a. Behind the firewall
b. In front of the firewall
c. In a DMZ
d. Behind a DMZ
2. Which of the following installation instructions does Trend Micro recommend?
a. Install InterScan MSS on the existing email server.
b. Install InterScan MSS on a dedicated server.
c. Install InterScan MSS on a server with other Trend Micro products.
d. Install InterScan MSS on the largest server on your network.
3. Which of the following are reasons why it is beneficial to install InterScan MSS on the email server? (Choose two.)
a. Additional servers are not required
b. Overhead on the email server does not increase
c. Requires less network bandwidth
d. Greater efficiency
4. Which four of the following items can you update? (Choose four.)
a. Virus pattern file
b. Pattern-Matching engine
c. Spam database
d. Scan engine
e. SPS Heuristic spam rules
f. TrueScan filter
SMTP Routing
Before InterScan Messaging Security Suite (InterScan MSS) can scan messages sent to and from your network, you must configure its built-in SMTP server. InterScan MSS includes its own SMTP server. You can configure its IP address, SMTP greeting, and connection time-out settings. You can also control from which servers InterScan MSS receives messages and which servers are allowed to relay messages through it.
Note: If the server on which you installed IMSS for SMTP has multiple network interface cards, InterScan MSS will bind to all available IP addresses. If you want InterScan MSS to bind to a specific IP address, you must select a specific IP address from the pull-down menu.
Note: To apply the new settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
Connections
The InterScan MSS built-in SMTP server accepts email from other SMTP servers and passes the email on after processing is completed. You can configure how these connections are handled.
Timeout
Idle SMTP servers that stay connected to the InterScan MSS server can consume network bandwidth and other resources, placing a strain on your network. To prevent servers from connecting to the InterScan MSS server indefinitely, you can set a timeout value. For example, if you set the timeout value at 10 minutes, InterScan MSS will break its connection with servers that sit idle for more than 10 minutes.
Simultaneous Connections
Simultaneous connections can also place a heavy strain on your network. You can limit the number of servers that connect to the InterScan MSS server and reduce the amount of resources used at once. If you set the simultaneous connections limit to five, then InterScan MSS will only allow five servers to connect at the same time. Additional servers must wait for an available connection.
Reverse-Lookups
A reverse-lookup confirms the identity of the connecting host. After receiving a TCP connection request, InterScan MSS can get the source IP address of the remote computer. When a TCP connection is established, the remote computer sends a HELO (EHLO) domain-name SMTP command to InterScan MSS. InterScan MSS uses the domain-name to query the DNS server(s) in order to get the IP address of that domain. If the IP address matches the remote computer's IP address, the reverse lookup is successful.
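The HELO/EHLO reverse-lookup check above, as an added example that is not InterScan MSS code. The DNS table and addresses are constructed so it runs offline; the resolver is injectable, and treating an address literal in HELO as a failed lookup is an assumption of this example.

```python
import socket
from typing import Callable, Dict, List

# Constructed DNS table standing in for the DNS server(s) the gateway
# would query. Only these names resolve; everything else is unknown.
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "mx.example.net": ["198.51.100.5", "198.51.100.6"],
}


def fake_resolve(name: str) -> List[str]:
    """Resolver stub: return the IPv4 addresses for name, or [] if unknown."""
    return FAKE_DNS.get(name.lower(), [])


def system_resolve(name: str) -> List[str]:
    """Resolver that asks the host's real DNS (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_lookup(peer_ip: str, helo_name: str,
                   resolve: Callable[[str], List[str]] = fake_resolve) -> Dict[str, object]:
    """Apply the reverse-lookup check the chapter describes.

    peer_ip   - source address of the TCP connection as seen by the gateway
    helo_name - domain-name argument the remote MTA sent with HELO/EHLO
    resolve   - function mapping a domain name to its IPv4 addresses

    The check succeeds only when one of the addresses that helo_name
    resolves to equals the peer's IP address. The returned dict carries the
    decision and a human-readable reason for the log.
    """
    name = helo_name.strip().lower()
    if not name:
        return {"ok": False, "reason": "empty HELO/EHLO name"}
    # HELO [192.0.2.10] is an address literal, not a domain name, so there
    # is nothing to look up (assumed handling for this example).
    if name.startswith("[") and name.endswith("]"):
        return {"ok": False, "reason": "address literal instead of domain name"}
    addresses = resolve(name)
    if not addresses:
        return {"ok": False, "reason": f"{name} does not resolve"}
    if peer_ip in addresses:
        return {"ok": True, "reason": f"{name} resolves to {peer_ip}"}
    return {"ok": False,
            "reason": f"{name} resolves to {', '.join(addresses)}, not {peer_ip}"}


if __name__ == "__main__":
    # Constructed connections: two honest peers, one mismatch, one unknown name.
    for peer, helo in [("192.0.2.10", "mail.example.com"),
                       ("198.51.100.6", "MX.example.net"),
                       ("203.0.113.7", "mail.example.com"),
                       ("203.0.113.7", "nonexistent.invalid")]:
        result = reverse_lookup(peer, helo)
        print(f"{peer} HELO {helo}: {'PASS' if result['ok'] else 'FAIL'} ({result['reason']})")
```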
To configure connection settings for InterScan MSS, click Configuration | SMTP Routing | Receiver | Connections. The Connections screen appears (see Figure 3-2). Enter your desired values in the fields provided.
Connection Control
You can limit which SMTP hosts are permitted to connect to the InterScan MSS server. For example, you can block the IP address of an organization that has previously sent spam messages to you. Or, you can block an IP address if you suspect the host is an open relay used by spam senders. You can configure which servers can connect to the InterScan MSS server in one of two ways:
You explicitly state which servers cannot connect (deny access list) and allow all others.
You explicitly state which servers can connect (allow access list) and block all others.
To set connection privileges, click Configuration | SMTP Routing | Receiver | Connection Control. The Connection Control screen appears (see Figure 3-3). Click the Edit button next to the list that you want to configure and enter the information requested on the resulting screen (see Figure 3-4).
Figure 3-4: The Connection Control screen used to configure lists of servers that cannot connect to the InterScan MSS server.
session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
Relay Control
You can deny or allow other computers to relay messages through your InterScan MSS server. Unauthorized users who attempt to relay messages through SMTP servers are a common problem for email administrators. Spammers send spam through company email servers to hide their own identity and to use the company's identity. For example, a spammer might relay spam through ABC Company. When users receive the spam, the source appears to be ABC Company, rather than the spammer. In addition to stealing the company's identity, spammers use the company's bandwidth resources. InterScan MSS handles relay control in the following manner:
Restrict Relay to specific Local Domains: All hosts are allowed to relay email messages to a specific list of destinations (Allowed Relay Destinations). Normally, you enter the domain names of email hosts used by your organization.
Allow Exceptions Based on Host IP or IP Range: Only hosts that you specify (Permitted Senders of Relayed Email) are allowed to relay messages to hosts not in the Allowed Relay Destinations list. Hosts in the Permitted Senders of Relayed Email list can relay messages through the InterScan MSS server to any domain or use InterScan MSS as an open relay. Enter only email hosts that you trust to use the relay according to your company's guidelines. In most cases, you enter only your own email servers.
To permit a host to relay messages, click Configuration | SMTP Routing | Receiver | Relay Control. The Relay Control screen appears (see Figure 3-5). Type the domain of the host in the field provided and click the plus (+) button to add it to the Allowed Relay Destinations list.
Note: When configuring relay control, you can use a wildcard (*).
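The Connection Control lists and the Relay Control decision described in the two sections above, as one added example that is not InterScan MSS code. It assumes IPv4 entries written as a single address, a CIDR block, or a dashed range, and wildcard (*) domain patterns matched case-insensitively; all addresses and domains below are constructed.

```python
import fnmatch
import ipaddress
from typing import Iterable, List, Tuple

IPv4 = ipaddress.IPv4Address


def _parse_host_spec(spec: str) -> Tuple[IPv4, IPv4]:
    """Turn one entry of an IP list into an inclusive (first, last) range.

    Accepted forms (assumed for this example): "192.0.2.5",
    "192.0.2.0/24", or "192.0.2.10-192.0.2.20".
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range {spec} runs backwards")
        return lo, hi
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(spec)
    return addr, addr


def ip_in_list(ip: str, entries: Iterable[str]) -> bool:
    """True if ip falls inside any entry of the list."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in map(_parse_host_spec, entries))


def connection_permitted(peer_ip: str, mode: str, entries: List[str]) -> bool:
    """Connection Control: in 'deny' mode the list names hosts that cannot
    connect and all others may; in 'allow' mode the list names hosts that
    can connect and all others are blocked."""
    listed = ip_in_list(peer_ip, entries)
    if mode == "deny":
        return not listed
    if mode == "allow":
        return listed
    raise ValueError("mode must be 'deny' or 'allow'")


def domain_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive match supporting the wildcard (*) from the note,
    e.g. '*.example.com' or a bare '*'."""
    return fnmatch.fnmatchcase(domain.lower(), pattern.lower())


def relay_permitted(peer_ip: str, recipient: str,
                    allowed_destinations: List[str],
                    permitted_senders: List[str]) -> Tuple[bool, str]:
    """Relay Control decision for one RCPT TO address.

    Any host may relay to a domain in allowed_destinations (your local
    domains). Relaying anywhere else is allowed only when the connecting
    host is in permitted_senders, which makes the gateway an open relay
    for those hosts, so that list should hold only your own mail servers.
    """
    if "@" not in recipient:
        return False, "recipient has no domain part"
    rcpt_domain = recipient.rsplit("@", 1)[1]
    if any(domain_matches(p, rcpt_domain) for p in allowed_destinations):
        return True, f"{rcpt_domain} is an allowed relay destination"
    if ip_in_list(peer_ip, permitted_senders):
        return True, f"{peer_ip} is a permitted sender of relayed email"
    return False, f"relaying to {rcpt_domain} denied for {peer_ip}"


# Constructed configuration: local domains plus the internal mail servers.
ALLOWED_DESTINATIONS = ["example.com", "*.example.com"]
PERMITTED_SENDERS = ["10.0.0.0/8", "192.0.2.10-192.0.2.20"]

if __name__ == "__main__":
    for peer, rcpt in [("203.0.113.7", "bob@mail.example.com"),
                       ("203.0.113.7", "bob@partner.example.org"),
                       ("10.1.2.3", "bob@partner.example.org")]:
        ok, why = relay_permitted(peer, rcpt, ALLOWED_DESTINATIONS, PERMITTED_SENDERS)
        print(f"{peer} -> {rcpt}: {'accept' if ok else 'reject'} ({why})")
```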
click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
Delivery Settings
As an SMTP gateway, InterScan MSS passes email to another SMTP server or Message Transfer Agent (MTA) that resolves the final destination. You can configure the routing method (either DNS or smarthost) based on the recipient's domain name.
Domain-Based Delivery
You can use the domain-based delivery settings to specify a delivery method for email that is addressed to specific domains. For example, if your company has two separate domain names, you might want to use smarthost to route email between the two domains.
To specify the routing method, click Configuration | SMTP Routing | Delivery | Domain-Based Delivery. The Domain-Based Delivery screen appears (see Figure 3-6). The screen displays configurations for processing email destined for specified domains. To edit the settings, click the view link in the Details column. To add another domain to the list, click Add and enter the requested information in the fields provided (see Figure 3-7).
Note: If you do not enter the IP address of the DNS server here, InterScan MSS uses the DNS server that is listed in the TCP/IP configuration settings.
current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied when you restart the InterScan MSS service.
Advanced Delivery
InterScan MSS includes optional delivery settings that you can use to customize how the built-in SMTP server processes messages. You can configure how often InterScan MSS tries to deliver a message, the number of times a message can be sent from server to server, and whether you want people to know you are using InterScan MSS.
Deferrals
When InterScan MSS cannot deliver an email, it temporarily stores the email in the retry queue and tries sending it again later. To prevent InterScan MSS from continually attempting to deliver an undeliverable email, you can configure the Retry interval. The retry interval is the frequency with which InterScan MSS attempts to deliver email in the retry queue. You can also configure the Maximum retry period, or the time frame during which InterScan MSS can attempt to deliver the email. If InterScan MSS cannot deliver the email during the retry period, it deletes the email and sends a non-delivery receipt (NDR) to the sender.
[Figure 3-9 labels: Email Server A, Internet Firewall, Email Server B, Receiving Client]
Figure 3-9: A hop count prevents messages from looping indefinitely, as shown in this figure.
Configuring a masquerade domain changes the domain name listed in the Email From lines in the SMTP protocol. For example, if your company has two unique domain names and you want all messages to use the same domain name, you can configure a masquerade domain.
Note: To apply the new settings to the current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
Message Settings
You can use the InterScan MSS Message settings to set limits on the following items:
Message size
Data size per session
Number of messages per connection
Number of recipients per message
The limitations that you set are the first rules that InterScan MSS applies when it receives an email. Email is not accepted if it exceeds these limits, which provides extra protection against Denial of Service attacks.
To set message limits, click Configuration | SMTP Routing | Message. The Message screen appears (see Figure 3-11). Select the check box next to each restriction that you want to enable and type a size or quantity in the fields provided.
Note: If you do not want to set a limit, leave the item's option button unselected. Entering 0 into any of the fields on the Message screen is equivalent to not selecting the option button.
Note: To apply the new message settings, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
Retry Queue Viewer
You can view messages in the retry queue and view the first 1 KB of data in a message. InterScan MSS automatically tries to deliver messages in the retry queue. However, depending on the values you entered in the SMTP Routing settings, InterScan MSS might not try to deliver messages in the retry queue for several hours. If needed, you can force-deliver messages in the retry queue without waiting for the retry interval to elapse.
To manage your delivery queue, click Configuration | System Monitor | Retry Queue Viewer. The Retry Queue Viewer screen appears, displaying the email in the retry queue (see Figure 3-12). Select the email(s) that you want to force-deliver and click Deliver Now.
Note: For more information about a message, click the View link next to the message.
Review Questions
1. Why would you want to use a reverse-lookup?
a. To configure a deny access list
b. To prevent known spam senders from using your SMTP server as a relay
c. To enable domain-based delivery
d. To create a masquerade domain
2. What does the hop count limit?
a. The number of times an email can be forwarded
b. The number of times InterScan MSS can retry delivering an email
c. The number of times an email is scanned
d. The number of times an email can loop between the InterScan MSS and email servers
3. What is the purpose of a masquerade domain?
a. To block spam coming from specified domains
b. To block all email from specified domains
c. To change the domain name in the From: field
d. All of the above
How It Works
The InterScan MSS POP3 scanner acts as a proxy, sitting between email clients and POP3 servers (see Figure 4-1).
[Figure 4-1 labels: POP3 Server A; POP3 Client, POP3 Client, POP3 Client]
To scan POP3 traffic, configure your email clients to connect to the InterScan MSS server POP3 proxy. You can set up the following connection types:
Generic: Access different POP3 servers using the default port for POP3 traffic (typically 110).
Dedicated: Access the POP3 server using a specified port, when the POP3 server requires authentication using the Advanced Post Office Protocol (APOP) command or requires a port other than 110.
Requirements
For InterScan MSS to scan POP3 traffic, a firewall must be installed on the network and configured to block POP3 requests from all computers except the InterScan MSS server. In addition, configuration changes must be made to every email client so that messages are retrieved only through the InterScan MSS server. InterScan MSS includes the POP3 Client Tool to help users make configuration changes on the Eudora, Microsoft Outlook/Outlook Express, Netscape Messenger, and Pegasus email clients. The POP3 Client Tool is packaged as an ActiveX control so that users can run it from the following Web page: http://<InterScanMSS_server>/InterScanPOP3ClientTool.html Replace InterScanMSS_server with the name of your InterScan MSS server.
Note: The POP3 Client Tool only works using Internet Explorer on a Windows platform.
If users need to connect to a POP3 server that requires APOP or Windows NT LAN Manager (NTLM) authentication, or if you need to manually configure an email client that is not supported by the POP3 Client Tool ActiveX control, see the Manually Configuring Email Clients section in this chapter.
Settings
If you enable POP3 scanning, you can customize the following settings:
Inbound POP3 IP address: Select the IP address over which InterScan MSS will receive POP3 traffic.
Simultaneous User Connections: Specify the number of simultaneous connections that you want InterScan MSS to allow. The number of connections can affect the performance of your InterScan MSS server. The default value is five. If you installed InterScan MSS on a server with multiple CPUs, you can increase this number to take advantage of the increased processing power.
Type the message that you want InterScan MSS to send to users when email addressed to them triggers a filter. If InterScan MSS deletes an email because of content that violated the company's email policies, the message sent to the recipient might be similar to the following example: InterScan Messaging Security Suite cannot retrieve this message due to the administrator's policy.
To enable POP3 message scanning, click Configuration | POP3 | Settings. The Settings screen appears (see Figure 4-2). Select the Enable POP3 Scanning check box, enter the requested information in the fields provided, and click Save.
Note: To apply the new settings to the current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
You must run the POP3 Client Tool to reconfigure your email clients to retrieve email through the InterScan MSS POP3 proxy with the updated settings. To use the POP3 Client Tool without running the ActiveX control, unzip the tmp3proa.cab file from the C:\Program Files\Trend\IMSS\UI\xhtml\en\ folder and send the tmp3cmd.exe and pop3.ini files to your client users. The pop3.ini file is located in the C:\Program Files\Trend\IMSS\ folder.
Connections
You can specify the ports on the InterScan MSS server that will be used to retrieve POP3 traffic. The default POP3 port is 110. However, if your users need to access a POP3 server through an authenticated connection (using the APOP command or NTLM), you may also set up a dedicated connection with a customized port assignment.
Note: To apply the new settings to the current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
Note: You must run the POP3 Client Tool to reconfigure your email clients to retrieve email through the InterScan MSS POP3 proxy with the updated settings.
The POP3 Client Tool
The POP3 Client Tool modifies Eudora, Microsoft Outlook/Outlook Express, Netscape Messenger, and Pegasus email clients to enable POP3-email access through the InterScan MSS POP3 proxy. The POP3 Client Tool:
Configures any available POP3 accounts when executed
Replaces the client POP3 server address with the InterScan MSS proxy IP address
Appends the client's pre-existing POP3 server address to the account name, separating them by a # delimiter
Note: The POP3 Client Tool uses settings that you enter in the InterScan MSS Management Console. If you change these settings, you must run the POP3 Client Tool to reconfigure your email clients with the new settings.
For generic connections that support most POP3 servers, assume the following account information is provided as the current client POP3 configuration:
Incoming email (POP3) server: pop.domain.com
Account name: John_Smith
In addition, assume the inbound POP3 IP address used by InterScan MSS is 123.123.123.12. To enable POP3 email retrieval and scanning, change the client settings to the following:
Incoming email (POP3) server: 123.123.123.12
Account name: John_Smith#pop.domain.com
Note: When accessing a POP3 server that uses a port other than that specified in the InterScan MSS generic connection port setting, append an extra # separator and add the port. For example, if the POP3 server uses port 120 when InterScan MSS is set to use 110, the account name is John_Smith#pop.domain.com#120.
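The account-name convention above, as an added example (not the POP3 Client Tool's own code): it builds the account#server[#port] name a client should use and parses it back the way the proxy must before connecting upstream, falling back to the generic port (110) when none is appended. The hostname and port validation rules are this example's own assumptions.

```python
"""Account-name convention for InterScan MSS POP3 generic connections.

Added example, not the POP3 Client Tool's code. The validation rules
(hostname syntax, port range) are assumptions of this example.
"""
import re
from typing import NamedTuple, Optional

GENERIC_POP3_PORT = 110  # the InterScan MSS generic connection port setting

# Assumed hostname/IP syntax check for the server part of the account name.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


class ProxyAccount(NamedTuple):
    account: str  # account name on the real POP3 server
    server: str   # real POP3 server the proxy connects to
    port: int     # port on that server


def build_proxy_account(account: str, server: str, port: Optional[int] = None,
                        generic_port: int = GENERIC_POP3_PORT) -> str:
    """Account name to enter in the client. The port is appended only when
    the real server's port differs from the proxy's generic port."""
    if "#" in account:
        raise ValueError("account name must not contain the '#' separator")
    if not _HOSTNAME.match(server):
        raise ValueError(f"not a valid POP3 server name: {server!r}")
    name = f"{account}#{server}"
    if port is not None and port != generic_port:
        name += f"#{port}"
    return name


def parse_proxy_account(name: str,
                        generic_port: int = GENERIC_POP3_PORT) -> ProxyAccount:
    """Split the name the client sent into (account, server, port), as the
    proxy must do before opening the upstream connection. Malformed names
    are refused outright rather than partially applied."""
    parts = name.split("#")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"expected account#server[#port], got {name!r}")
    account, server = parts[0], parts[1]
    if not _HOSTNAME.match(server):
        raise ValueError(f"not a valid POP3 server name: {server!r}")
    port = generic_port
    if len(parts) == 3:
        if not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
            raise ValueError(f"invalid port: {parts[2]!r}")
        port = int(parts[2])
    return ProxyAccount(account, server, port)


def is_valid_proxy_account(name: str) -> bool:
    """True when parse_proxy_account accepts the name."""
    try:
        parse_proxy_account(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The worked example from the text: John_Smith on pop.domain.com.
    print(build_proxy_account("John_Smith", "pop.domain.com"))
    print(build_proxy_account("John_Smith", "pop.domain.com", port=120))
    print(parse_proxy_account("John_Smith#pop.domain.com#120"))
```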
Dedicated Connections
To use a dedicated connection, modify your email client in the following ways:
Change the POP3 server port in your email-client settings to the port used by InterScan MSS as the Inbound POP3 Port.
Modify the incoming email POP3 server to use the InterScan MSS proxy IP address. The account name does not change because the actual POP3 server is referenced in the dedicated-connection settings of InterScan MSS.
Include the # separator and port number only if the client requires the InterScan MSS proxy to retrieve email using a port that differs from the one specified in the POP3 Server settings.
Review Questions
1. Which of the following must be installed on your network in order for InterScan MSS to scan POP3 traffic?
a. VPN
b. RADIUS server
c. Firewall
d. Trend Micro Control Manager
2. Why might you need to set up a dedicated connection to the InterScan MSS server POP3 proxy?
a. InterScan MSS is installed on a server that has more than one network interface card.
b. Users need to authenticate to the POP3 server using the APOP command.
c. You are using the POP3 Client Tool.
d. You need to configure an email client that is not supported by the POP3 Client Tool ActiveX control.
General Settings
The InterScan MSS Web console password, notifications, and queue directories can all be configured in the General Settings.
Note: When setting the password for the first time, the Current password field will be blank.
Notification Settings
You and other network administrators can be notified by email or SNMP Trap when any of the following events occur:
A virus is detected.
A policy is updated.
The system requires attention.
Email Notifications
When configuring email notifications, you must supply the following information:
SMTP server: This setting is configured during installation. If you want InterScan MSS to use an SMTP server, you must supply the IP address of the server that InterScan MSS should use.
SMTP port: The default setting for the SMTP port is 25. If you need to use a different port number to send notification messages, you must change this setting.
Administrator email: This setting determines to whom notifications are sent. You can enter a single email address, or you can enter multiple email addresses and use a semi-colon (;) to separate each address.
From address: When InterScan MSS sends a notification to a user, the address that you enter for this setting appears in the From: field. You can make it appear as though the message is coming from the administrator and not from InterScan MSS.
Preferred charset: If you want non-English characters to appear in email notification messages, change this setting to the appropriate option from the Preferred charset drop-down menu.
Message header: The message header is a user-defined message that appears at the front of the Non Delivery Receipt. For example, you might create a message to show that InterScan MSS sent the notification.
Message footer: The message footer is another user-defined message that appears at the end of the Non Delivery Receipt.
By default, InterScan MSS will not send out more than 1,500 notifications in one hour. You can raise or lower this limit by entering a different value in the field provided. If you enter a zero, InterScan MSS can send an unlimited number of messages.
When configuring SNMP Trap notifications, you must supply the following information:
Server name (IP or FQDN): InterScan MSS uses the IP address or Fully Qualified Domain Name in this setting to determine which server to use when sending SNMP notifications.
Community: InterScan MSS uses the community name that you enter in this field to determine to whom notifications should be sent. If the community name that you enter is not listed in the SNMP management console, or it is entered incorrectly, the notifications InterScan MSS sends are not received.
To configure the settings for both email and SNMP Trap notifications, click Configuration | General | Notification Settings from the left-hand column of the InterScan MSS management console. The Notification Settings screen appears (see Figure 5-2 and Figure 5-3). Enter the requested information in the fields provided and then click Save. You only have to configure the settings for the notification method(s) that you want to use.
Figure 5-3: The SNMP Trap section of the Notification Settings screen.
Queue Locations
InterScan MSS uses several queues to process messages, store log files, and quarantine messages. If you change the location of the queue to a folder that does not exist, InterScan MSS will create a new folder in the specified location.
Log Queue
Many modules within InterScan MSS write log information for troubleshooting purposes. The logs record information such as the number of times the virus-pattern file was updated, when it was updated, how many viruses were found (if any), and which viruses were found.
The following directory path shows the default location of the queue in which these logs are stored: C:\Program Files\Trend\IMSS\ISNTSMTP\logs\
Quarantine Queue
After InterScan MSS is installed, one default quarantine area is created. However, you can define multiple quarantine directories in different locations. The following directory path shows the default location of the quarantine area created during installation: C:\Program Files\Trend\IMSS\IsntSmtp\quarantine
Badmail Folder
You can configure InterScan MSS to save undeliverable messages in the badmail folder after the retry period has elapsed. When a message is delivered to the badmail folder, a non-delivery receipt (NDR) is forwarded to the sender. The location of this folder is not configurable. The following directory path shows the default location of the badmail folder: C:\Program Files\Trend\IMSS\isntsmtp\badmail
Temporary Folder
All application-generated temporary files are stored in the temporary folder. The location of this folder is not configurable. The following directory path shows the location of the temporary folder: C:\Program Files\Trend\IMSS\isntsmtp\temp\
Delivery Pickup
The quarantine manager and the retry queue viewer include a feature called Deliver Now. Messages selected for Deliver Now are moved to the Delivery Pickup folder. The InterScan MSS service has dedicated threads that deliver messages in this folder immediately. The location of this folder is not configurable. The following directory path shows the location of the Delivery Pickup folder: C:\Program Files\Trend\IMSS\isntsmtp\pickup_deliver
Pickup Scan
When the quarantine manager selects an email to be reprocessed, it puts the email in the Pickup Scan folder. The InterScan MSS service has dedicated threads that pick up messages in this folder and put them into the scan queue. The location of this folder is not configurable. The following directory path shows the location of the Pickup Scan folder: C:\Program Files\Trend\IMSS\isntsmtp\pickup_scan
Notification Pickup
All notification messages are put in the Notification Pickup folder. InterScan MSS has dedicated threads to pick up and deliver messages in this folder to a specified SMTP notification server. You can configure this server on the Configuration | General | Notification screen, but the location of the folder is not configurable. The following directory path shows the location of the Notification Pickup folder: C:\Program Files\Trend\IMSS\isntsmtp\pickup_notify
When changing directory paths, you should remember the following guidelines:
The path must be to a local folder (such as d:\foldername) or a mapped drive.
You must save the new settings and click Apply Now, which restarts the service.
Messages in the previous processing, postpone, and retry queues are not processed automatically.
Before defining a new queue location, you should make a note of the old location. You should also use Windows Explorer to manually copy all of the old queue's contents to the new queue. To change the directory path of the Processing, Retry, or Postpone queues, click General | Directories from the left-hand column of the InterScan MSS Web console. The Directories screen appears (see Figure 5-4). Find the name of the queue that you want to modify, change the directory path accordingly, click Save, and then click Apply Now.
Security
InterScan MSS has several security settings that control the maximum size of messages and their attachments. These security settings also determine how messages are processed upon program failure.
Security Settings
All security settings run as part of the virus filter in Policy Manager. If any of these values are met or exceeded, IMSS will take the filter action specified in the "Virus scanning aborted - message may contain viruses" section of the virus filter. You can configure the following security settings to prevent email messages from consuming excessive storage space or CPU time:
Compressed file-scanning limits
Attachment and message virus-scanning limits
Multiple virus-infected message limits
eManager filter size limit
Exception handling
You can also use these security settings to block DoS attacks that result from malicious people sending large or multiple attachments.
This option controls the maximum size of an email message and its attachments.
This option controls the maximum number of attachments that an email message can have.
Being overly protective against DoS attacks might disrupt necessary information flow.
This option controls the number of times InterScan MSS tries to clean the email message.
This option controls the number of notification messages you receive per email.
Exception Handling
When InterScan MSS cannot process an email, the event is known as a processing failure. Processing failures might be caused by insufficient system memory or by invalid IP addresses or domain names. Encrypted email can cause processing failures because the Antivirus filter and the eManager filters cannot scan it. If InterScan MSS fails to process a message, you can choose one of the following default actions:
Deliver: Delivers the message normally
Delete: Deletes the message
Delete and Notify: Deletes the message and notifies the administrator
Deliver and Notify: Delivers the message and notifies the administrator
Postpone and Notify: Postpones delivery of the message until after midnight and notifies the administrator
Sends the message to the default quarantine area
Sends the message to the default quarantine area and notifies the administrator
You can create your own filter actions that you can use in addition to the default filter actions (for more information on creating filter actions, see the Creating New Filter Actions section in Chapter 6: Understanding and Creating Policies). To choose an action for email that cannot be processed, click Configuration | Security | Exception Handling from the left-hand frame of the InterScan MSS Web console. The Exception Handling screen appears (see Figure 5-6). Use the pull-down menus to select the filter action for both types of processing failures and then click Save.
Review Questions
1. What is the purpose of the badmail directory?
a. To hold messages that are undeliverable so they will not be deleted
b. To hold messages that are infected by a virus
c. To hold messages that do not have empty subject fields
d. To hold messages that cannot be scanned
2. Which of the following statements about queue directory locations is true?
a. UNC paths are supported.
b. The path must be a local directory path.
c. It is not necessary to restart InterScan MSS to apply changes to directories.
d. All of the above
3. How do you use InterScan MSS to prevent zip-of-death attacks on your network?
a. Specify the maximum allowable file size after decompression
b. Restrict the number of recursively-compressed layers
c. Reject all compressed files such as ZIP and LZH files
d. Block all large attachments
Policy Overview
A policy is a set of rules. An email policy is a set of rules that a business creates to govern email use. For example, in order to reduce the amount of offensive material circulating in the office, a business might decide that employees cannot use the company email for personal use. This rule is a policy. InterScan MSS has policies of its own that you can configure and use to enforce your company's email rules. You can use these policies to determine which file types are scanned for viruses and the action InterScan MSS takes if a virus is detected. You can also use the policies to determine how InterScan MSS filters content and what action it takes if an email contains forbidden content. For example, your company may establish the following email rules:
Users cannot exchange email that contains sexual or racial terms.
Users cannot forward chain email.
Users cannot send attachments that are larger than 4 MB.
To enforce these rules, you might create a policy that:
Blocks email containing sexual or racial content
Blocks chain email
Postpones the delivery of email with large attachments until after business hours
There are three parts to every InterScan MSS policy and sub-policy: Route, Filter, and Filter Action.
Route
A route is a set of sender and recipient email addresses to which a policy is applied. To define a route, you must decide to whom you are directing your policy. Address groups and wildcard expressions are normally used to simplify the route configuration.
Filter
To create a filter, you must know what you are trying to find. Filters are used to check email both for viruses and for prohibited content. Policies can contain more than one filter. InterScan MSS contains predefined filters that you can use to combat common virus and content threats. You can also create your own filters.
Filter Action
The filter action that you specify determines how InterScan MSS deals with email that triggers the filters. For example, if you set the filter action on your virus filter to Delete, then InterScan MSS will delete all files in which it detects a virus. The filter action determines how the email is finally processed.
clicking Apply Now in the upper-left corner of the console. Changes do not take effect until you click Apply Now.
When InterScan MSS receives an email, it evaluates the email against sub-policies and then against the global policy. If there is a filter in the global policy that matches, it takes precedence over a sub-policy filter.
Virus: compares all email and attachments against the virus-pattern file
Heuristic Spam: compares email content with common spam characteristics to detect spam
compares email content with a database of expressions commonly found in spam
Profanity: scans email for obscenities
Racial discrimination: scans email for racial slurs
Sexual discrimination: scans email for sexually offensive language
scans email for expressions found in common hoaxes that circulate through Internet email
Chain Email: scans email for chain messages that encourage users to forward the email to everyone they know
Love Bug: scans email for expressions that appear in email messages that harbor the auto-spamming ILOVEYOU virus
scans for HTML email with embedded scripts (such as JavaScript or VBScript)
By default, only the Virus filter and Heuristic Spam filter are active after installation. You can enable the other filters, and you can create additional filters in the global policy.
Note: The Heuristic Spam filter will not be active after installation if you do not enter a valid activation code. The Spam Prevention Service (SPS) must be activated separately from InterScan MSS.
Sub-policies
When you create a sub-policy, it inherits the active filters contained in the parent policy. For example, if you create a sub-policy directly under the global policy, that sub-policy inherits the active filters contained in the global policy. Filters that are inactive in the parent policy will remain inactive in the sub-policy. If you do not want the sub-policy to use a filter that is inherited from the global policy, you can disable that filter at the sub-policy level. You can also add filters to the sub-policy as needed. You can create a maximum of 10 sub-policies within a single policy. However, each sub-policy can have an unlimited number of filters. By default, the InterScan MSS installation program creates the following sub-policies, based on the domain name that you entered in the installation wizard:
In order for a sub-policy to take precedence over the global policy, you must enable the Allow filter to be overwritten by a sub-site feature before creating the sub-policy. To prevent a policy from applying to a specified sub-policy, you must make that policy available in the global policy. Once the policy is available in the global policy, it will be active in all sub-policies too. To disable the policy, change the status to Inactive in both the global policy and the sub-policies in which you want to enable it.
The incoming policy also contains some content-management filters, such as a filter that restricts message size. These filters are disabled, but you can enable and customize them. The outgoing policy contains an inactive message size filter that you can enable and customize.
POP3 Policy
The route for the POP3 policy is configured as follows in the isntsmtp.ini file:
POP3From=POP3FromLabel
POP3To=POP3ToLabel
To define the route information with the default setting, enter POP3FromLabel@* in the From field and POP3ToLabel@* in the To field.
Note: The domain must be the asterisk (*) wildcard for the To and From fields.
If you modify the route information of the POP3 policy, you must make the same modifications to the isntsmtp.ini file. If the modifications do not match, POP3 email will not be detected by the POP3 policy, and it will be subject to the global policy only. You can modify only the name part of the route (before the @) in the InterScan MSS Management Console. If these conditions are not met, the policy will not work. InterScan MSS matches all POP3 messages to the POP3 messages policy. If you delete this POP3-only policy, POP3 messages are matched to the global policy.
InterScan MSS searches the policy tree level-by-level, starting with the global policy. InterScan MSS first chooses the best match on the top level and then continues searching its child level (if any) until no route is matched or until another match is found. Once InterScan MSS finds an exact match, it stops searching the policies. If the addresses of an email match more than one route, InterScan MSS uses the weight of the routes to determine which policy to apply to the message. The route with the greatest weight is applied. If two routes have the same weight, InterScan MSS uses the route that appears first in the policy order.
First Match Method
When InterScan MSS uses the first match method, it matches the email address with the first route on the list that does not have a weight of 0. If there is a route further down on the policy list that matches better, it will not be applied. You can change the matching method from best match to first match. Open the registry editor and change the HKEY_LOCAL_MACHINE\Software\Trend Micro\ISNT5\registry\config\MatchMethod key value from 1 to 0.
Priority Rules (Best Match Method)
InterScan MSS uses the following rules to analyze routes:
1. A fully qualified address has the highest priority, and an address that consists only of wildcards has the lowest priority.
2. The number of qualified terms that an address contains increases the priority.
In addition, InterScan MSS evaluates the route as follows:
a. The domain in an email address is more significant than the name.
b. Both sender and receiver addresses are of equal importance.
c. When InterScan MSS analyzes messages, it assigns every email address a weight. InterScan MSS also adds the weights of the sender and receiver addresses and assigns the pair a weight. The overall possible priority could be anywhere between 0 and 10,000 (see Table 6-1).
Type  Name part   Domain part                    Weight
1     wildcard    wildcard (only wildcards)      0
2     qualified   wildcard                       1000
3     wildcard    partly qualified (*.domain)    2000 + #Q
4     qualified   partly qualified (*.domain)    3000 + #Q
5     wildcard    fully qualified                4000
6     qualified   fully qualified                5000
#Q: the number of qualified (non-wildcard) terms in the domain part; for example, *.co.uk has two.
Table 6-1: The six types of email addresses and their corresponding weights
A message with more than one recipient may be split and have different filters applied to it based on the different recipient addresses listed. For example, if Tyra sends the same message to Bob, Maria, Shayla, Jose, and Carl, each message might be evaluated against a different filter, depending on how you have configured your sub-policies. Consider the following examples:
1. The route (From: *@trendmicro.com, To: *@*) has precedence over (From: joy@*.com, To: *@*). When the recipient is the same, the weight of *@trendmicro.com is higher than joy@*.com because the domain is more significant than the name.
2. The incoming route (From: *@*, To: *@trendmicro.com) has the same precedence as the outgoing route (From: *@trendmicro.com, To: *@*) because the sender and receiver addresses are of equal importance.
3. The route (From: *@trendmicro.com, To: *@*.com) has precedence over (From: joy@trendmicro.com, To: joy@*). This is because the weight of the sender and receiver pair of the former route is (4000, 2001), but the latter is (5000, 1000).
4. The route (From: *@*.co.uk, To: *@*.co.uk) has precedence over (From: *@*.domain.co.uk, To: *@*). This is because the weight of the sender and receiver pair of the former route is (2002, 2002), but the latter's is (2003, 0).
To specify the order of sub-policies, select Policy Manager | Global Policy | Manage Sub Policies from the left-hand frame of the InterScan MSS Management Console. You can adjust the order of execution in the Manage Sub Policy page.
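The weighting and matching rules above, as an added example (not Trend Micro's code): it computes the Table 6-1 weight of each address pattern, ranks routes by the summed sender and receiver weights with earlier policy order breaking ties, offers the first-match variant, and checks the four worked routes from the text. Treating any name part other than a bare * as qualified is an assumption of this example.

```python
"""Best-match route weighting for InterScan MSS policies.

Added example, not Trend Micro's code: implements the weights of
Table 6-1 and the priority rules from the text. Address patterns use '*'
as the wildcard for the whole name part or for leading domain labels
(e.g. '*@*.co.uk'); any other name part is assumed to be qualified.
"""
import fnmatch
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (From pattern, To pattern)


def qualified_terms(domain: str) -> int:
    """#Q: the number of non-wildcard, dot-separated terms in the domain.
    '*.domain.co.uk' -> 3, '*.com' -> 1, '*' -> 0."""
    return sum(1 for term in domain.split(".") if term != "*")


def address_weight(pattern: str) -> int:
    """Weight of a single address pattern according to Table 6-1."""
    name, domain = pattern.split("@", 1)
    qualified_name = name != "*"
    if domain == "*":                        # domain is a bare wildcard
        return 1000 if qualified_name else 0
    if domain.startswith("*."):              # domain is partly wildcarded
        return (3000 if qualified_name else 2000) + qualified_terms(domain)
    return 5000 if qualified_name else 4000  # domain is fully qualified


def route_weight(route: Route) -> Tuple[int, int]:
    """(sender weight, receiver weight); the pair is summed for comparison,
    so sender and receiver addresses carry equal importance."""
    sender, recipient = route
    return address_weight(sender), address_weight(recipient)


def has_precedence(route_a: Route, route_b: Route) -> bool:
    """True when route_a outweighs route_b (ties are decided by policy order)."""
    return sum(route_weight(route_a)) > sum(route_weight(route_b))


def _matches(pattern: str, address: str) -> bool:
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def select_route(routes: List[Route], sender: str, recipient: str,
                 first_match: bool = False) -> Optional[int]:
    """Index of the route applied to a (sender, recipient) pair.

    Best match (MatchMethod=1, the default): the matching route with the
    greatest weight; on equal weights the earlier route in policy order wins.
    First match (MatchMethod=0): the first matching route whose weight is not 0.
    Returns None when no route applies.
    """
    best: Optional[Tuple[int, int]] = None
    for index, (frm, to) in enumerate(routes):
        if not (_matches(frm, sender) and _matches(to, recipient)):
            continue
        weight = sum(route_weight((frm, to)))
        if first_match:
            if weight != 0:
                return index
            continue
        if best is None or weight > best[0]:
            best = (weight, index)
    return None if best is None else best[1]


# Examples 1, 3 and 4 from the text: (higher-priority route, lower-priority route).
PAGE_EXAMPLES = [
    (("*@trendmicro.com", "*@*"), ("joy@*.com", "*@*")),
    (("*@trendmicro.com", "*@*.com"), ("joy@trendmicro.com", "joy@*")),
    (("*@*.co.uk", "*@*.co.uk"), ("*@*.domain.co.uk", "*@*")),
]


def check_page_examples() -> bool:
    """Examples 1, 3 and 4 must show precedence; example 2 must be a tie."""
    tie = (sum(route_weight(("*@*", "*@trendmicro.com")))
           == sum(route_weight(("*@trendmicro.com", "*@*"))))
    return tie and all(has_precedence(a, b) for a, b in PAGE_EXAMPLES)


if __name__ == "__main__":
    for a, b in PAGE_EXAMPLES:
        print(a, route_weight(a), "beats", b, route_weight(b))
    print("page examples hold:", check_page_examples())
```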
Note: In general, you should have InterScan MSS execute the most specific sub-policies first.
Figure 6-2: Using the three edit buttons available on the Global Policy screen.
Filter Type
The edit button in the Filter Type column can be used to change a filter's properties. You can select or enter specific words, phrases, and expressions for which InterScan MSS searches. You can determine whether InterScan MSS applies the filters to the email header, body, or attachment. The Filter Type edit button can also be used to specify what size the messages need to be in order to scan them. The filter will not be applied to messages that exceed the size restrictions.
Note: The configurable options for the Filter Type vary with each filter.
Warning: When you click the Filter Type Edit button for the profanity, racial discrimination, and sexual discrimination filters, the resulting screen displays the words against which InterScan MSS filters. Most people find these keywords offensive. These words are shown so that you know the content of the filter.
Note: For a sub-policy to inherit filters from a parent policy, the filter availability in the parent policy must be Available. If you do not want the filter to apply to the parent policy, you can set the filter status to Inactive.
When you create a sub-policy, if you want one of the filters in that sub-policy to override the settings in the parent policy, you must enable the override feature. For example, in an attempt to eliminate spam from your network, you activate the Heuristic Spam Filter (SPS) in the global policy. However, you know that the sales department travels a lot and might benefit from receiving special offers on airfare and hotel rates. You create a sub-policy targeted at email addressed to anyone in the sales department. This time, however, you configure the Heuristic Spam Filter to allow commercial offers about airfare and hotel rates. In order for this sub-policy to take precedence, you must set the override property in the global policy to Allow filter to be overwritten by a sub-site.
When the global policy and a sub-policy both contain an antivirus filter, the filter in the sub-policy is always the one executed. In other words, enabling Do not allow filter to be overwritten for the global policy's antivirus filter has no effect.
Filter Action
The filter action is the action that InterScan MSS takes against email that triggers policy filters. When configuring the filter action, you can create a new filter action (see the Creating New Filter Actions section in this chapter), or you can choose from the following default actions (see Figure 6-3):
Delete                  Deletes the message
Delete and Notify       Deletes the message and notifies the administrator
Deliver and Notify      Delivers the message and notifies the administrator
Postpone and Notify     Postpones delivery of the message until after midnight and notifies the administrator
Quarantine              Sends the message to the default quarantine area
Quarantine and Notify   Sends the message to the default quarantine area and notifies the administrator
You may want to quarantine messages for any of the following reasons:
- To review messages that trigger content filters and determine the severity of policy infractions
- To keep a record of oversized messages in case they contain important information that the recipient needs
- To reduce the chance of deleting important messages, in case they are mistakenly detected by the Antivirus or eManager filters
- To collect evidence, for disciplinary purposes, of an employee's misuse of your organization's messaging system
You configure filter actions for each possible filter result. For filters that use the antivirus filter, the following results are possible:
- No virus detected
- Virus(es) detected and successfully cleaned
- Virus(es) detected but some/all were not cleaned
- Mass emailing virus detected
- Virus scanning aborted: message may contain viruses
For filters that use the eManager filters, only two results are possible:
- Triggered
- Not triggered
Note: For filter actions that notify the administrator, the notification is sent to the email address that was entered during installation.
Filter Order
The order of filter execution within a sub-policy is significant. For example, if the first filter triggers a delete action, execution stops after the first filter. If a filter triggers other filter actions, processing continues. Filter actions are executed as outlined below.

The following actions are taken immediately, and the next filter is not processed:
- Quarantine

The following actions are taken after the policy has processed all the filters:
- Postpone
- Forward modified message

The following actions are taken after the corresponding filter runs:
- Notification
- Archive

The message is delivered if the user has not selected one of the following actions:
- Quarantine
- Forward original message
- Delete

The Quarantine, Forward original message, and Delete actions are given priority over the Postpone and Forward modified message actions. If your sub-policy contains an antivirus filter, Trend Micro recommends that you place the antivirus filter at the top of the Filter Order list so it will be executed first. Executing the antivirus filter first ensures that all messages are checked for virus infection. If another filter executes first, a virus-infected message could be quarantined and later delivered without being scanned for viruses.

To order the filters in a sub-policy, click Policy Manager | Global Policy from the left-hand frame of the InterScan MSS Web Console. The Global Policy screen appears. Click the Order filters link near the top of the screen. The Filter Order screen appears (see Figure 6-4). Highlight the filter that you want to move and click the up or down arrow to change its location in the list. When you finish reordering the filters, click Save.
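As an added illustration of the execution rules above (a model written for this page, not InterScan MSS code), the following Python simulates a policy's filter list. It assumes, following the priority statement and the delete example above, that Quarantine, Delete and Forward original message stop processing at the filter that triggers them, that Notification and Archive run right after their filter, and that Postpone and Forward modified message run once every filter has been processed. The filters and the message are constructed for the demonstration; the second run shows why an antivirus filter placed after a quarantining content filter never gets to scan the message.

```python
from collections import namedtuple

# Processing actions that stop the filter chain as soon as they are triggered. The text
# names Quarantine here and says a delete stops execution; treating Forward original
# message the same way follows the priority rule above and is an assumption of this model.
STOP_ACTIONS = {"Quarantine", "Delete", "Forward original message"}
# Taken once, after every filter in the policy has been processed.
END_ACTIONS = {"Postpone", "Forward modified message"}
# Taken right after the filter that triggered them; a filter may carry several.
PER_FILTER_ACTIONS = {"Notification", "Archive"}

# triggers: a callable taking the message and returning True when the filter fires.
Filter = namedtuple("Filter", "name triggers actions")


def run_policy(filters, message):
    """Process a message through the filters in list order.

    Returns (names of filters that actually ran, actions taken in order, delivered)."""
    scanned, taken, deferred = [], [], []
    for flt in filters:
        scanned.append(flt.name)
        if not flt.triggers(message):
            continue
        taken.extend(a for a in flt.actions if a in PER_FILTER_ACTIONS)
        deferred.extend(a for a in flt.actions if a in END_ACTIONS)
        stopping = [a for a in flt.actions if a in STOP_ACTIONS]
        if stopping:
            taken.extend(stopping)
            return scanned, taken, False      # next filter is not processed, no delivery
    taken.extend(deferred)                     # Postpone / Forward modified run at the end
    return scanned, taken, True


# Constructed sample policy and message (not taken from the product).
ANTIVIRUS = Filter("Antivirus", lambda m: m["infected"], ["Quarantine", "Notification"])
SUBJECT = Filter("Subject line", lambda m: "Get Rich Quick" in m["subject"],
                 ["Quarantine", "Notification"])
SIZE = Filter("Message size", lambda m: m["size_kb"] > 1024, ["Postpone", "Archive"])

SPAM_WITH_VIRUS = {"infected": True, "subject": "Get Rich Quick", "size_kb": 2048}


def antivirus_first():
    return run_policy([ANTIVIRUS, SUBJECT, SIZE], SPAM_WITH_VIRUS)


def antivirus_last():
    # The subject line filter quarantines first, so the virus is never looked for.
    return run_policy([SUBJECT, SIZE, ANTIVIRUS], SPAM_WITH_VIRUS)


if __name__ == "__main__":
    print("antivirus first:", antivirus_first())
    print("antivirus last: ", antivirus_last())
```

In the second run the message is quarantined by the subject line filter and the antivirus filter never appears in the list of filters that ran; if an administrator later releases that message from quarantine, it goes out unscanned, which is exactly the situation the ordering recommendation avoids.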
Creating a Sub-Policy
Before you create a sub-policy, you must define the following policy components:

Filter action: Decide what you want InterScan MSS to do with messages that trigger the filters. If you do not want to use one of the default filter actions, you must first create a new filter action. All filters must have a filter action.

Route: Decide to whom the sub-policy will apply. Use email addresses and domain names to specify the routes. You can use an address book to create the route, but you must create the address book before you create the sub-policy.

Type of filter: Determine the type of filter that is best suited for finding the items you want to filter. For example, if you want to filter for sexual content, you would choose the Sexual Discrimination filter.
To create a sub-policy, complete the following steps:
1. In the left-hand column of the InterScan MSS Web console, click Policy Manager | Global Policy. The Global Policy screen appears.
2. Click the Sub-policies link near the top of the Global Policy screen. The Manage Sub Policy screen appears.
3. Click the Create new sub-policy link near the top of the screen. The Create Sub Policy screen appears (see Figure 6-5). Type a name for the new sub-policy in the Name: field, and type a brief description of the policy in the Description: field.
Figure 6-6: The Create Sub Policy screen used to create the route of the sub-policy.
Note: Click the Select link if you want to add an entire address list to the sub-policy.
Spam messages sometimes have an empty From field because the sender does not want to disclose his or her identity. The behavior of the asterisk wildcard depends on whether it appears before or after the @ in an email address. Text that comes before the @ is treated as the name. Text that comes after the @ is treated as the domain. If no @ exists, the entire string is considered invalid.

To match the name part of an email address, you can use a single wildcard asterisk or the exact name. Partial matches are not allowed. The asterisk wildcard matches any name except an empty one, as illustrated below:
- *@trendmicro.com matches stanley_edwards@trendmicro.com.
- *@trendmicro.com does not match @trendmicro.com.jp.
- Stanley*@trendmicro.com or *edwards@trendmicro.com is invalid.
To match the domain part of an email address, you can use the asterisk wildcard only at the beginning of the domain. The asterisk wildcard can match one or more subdomains, as illustrated below:
- *@*.solar.com matches *@earth.solar.com.
- *@*.solar.com matches *@europe.earth.solar.com.
- *@*.solar.com does not match *@solar.com.
Partial matching of subdomains is not allowed. For example, *@trend*.com is an invalid format. Other invalid patterns are listed below:
- *@trend.*.jp: the wildcard occurs in the middle of the domain name.
- *@trend.com.*: the wildcard occurs at the end of the domain name.
- *@*.*.com: a second wildcard occurs in the middle of the domain name.
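The name and domain rules above can be checked mechanically. The following Python is an added example written for this page, not InterScan MSS code; it validates a route pattern against the rules just described and matches an address against it. It assumes that address comparison is case-insensitive and that a domain wildcard must be followed by at least one literal label (so the bare pattern *@* is rejected).

```python
def _valid_name_part(name):
    # The name part is either the single wildcard or an exact name; partial
    # wildcards such as Stanley* or *edwards are invalid.
    return name == "*" or (name != "" and "*" not in name)


def _valid_domain_part(domain):
    # The wildcard may appear only as the first label and only once: not inside a
    # label (trend*), not in the middle (trend.*.jp) and not at the end (trend.com.*).
    labels = domain.split(".")
    if labels == ["*"] or any(label == "" for label in labels):
        return False                       # bare * and empty labels are rejected (assumption)
    for index, label in enumerate(labels):
        if "*" in label and (label != "*" or index != 0):
            return False
    return True


def valid_route_pattern(pattern):
    """True when the pattern follows the route syntax; a string without @ is invalid."""
    if pattern.count("@") != 1:
        return False
    name, domain = pattern.split("@")
    return _valid_name_part(name) and _valid_domain_part(domain)


def route_matches(pattern, address):
    """True when the address is covered by the route pattern (case-insensitive)."""
    if not valid_route_pattern(pattern):
        raise ValueError("invalid route pattern: %s" % pattern)
    if address.count("@") != 1:
        return False
    name, domain = pattern.lower().split("@")
    addr_name, addr_domain = address.lower().split("@")
    # The wildcard matches any name except an empty one, so a message with an empty
    # From field is not matched by *@trendmicro.com.
    if addr_name == "" or (name != "*" and name != addr_name):
        return False
    if domain.startswith("*."):
        # One or more subdomains in front of the literal part: *@*.solar.com covers
        # earth.solar.com and europe.earth.solar.com, but not solar.com itself.
        literal = domain[1:]               # ".solar.com"
        return addr_domain.endswith(literal) and len(addr_domain) > len(literal)
    return addr_domain == domain


if __name__ == "__main__":
    for pattern in ("*@trendmicro.com", "*@*.solar.com", "Stanley*@trendmicro.com", "*@trend.*.jp"):
        print(pattern, "valid" if valid_route_pattern(pattern) else "invalid")
```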
After you create a sub-policy, it appears in the left-hand column of the InterScan MSS Web console, directly under the Global Policy branch of the directory tree. The filters that the sub-policy inherits from its parent policy, along with the status of those filters, appear in the main screen.
Address Groups
Address groups allow you to organize email addresses into groups. You can define address groups for people to whom you want to apply the same email policy. Frequently, members of the same address group belong to the same department. For example, suppose that you have identified three types of content that you want to block from being transmitted through your company's email system. You want to define three policies (which are shown in parentheses below) to detect that content:
- Sensitive company financial data (FINANCIAL)
- Job search messages (JOBSEARCH)
- VBScripts (VBSCRIPT)
Now consider the following address groups within your company:
- All executives
- All Human Resources (HR) department
- All IT development staff
When you define the route for the policies, you would use the address books as shown below:

Address group              FINANCIAL              JOBSEARCH              VBSCRIPT
All executives             not included in route  included in route      included in route
All HR department          included in route      not included in route  included in route
All IT development staff   included in route      included in route      not included in route
Executives, HR staff, and IT developers have legitimate business reasons for sending financial information, job search-related correspondence, and VBS files, respectively. Because those legitimate reasons exist, you exclude these groups from the policies. To create an address group, click Policy Manager | Address Group from the left-hand frame of the InterScan MSS Management Console. The Address Group screen appears (see Figure 6-7). Enter the requested information in the fields provided on the screen and use the prompts to complete the process.
in the right-hand column, this address group is currently being used within a route and cannot be deleted while the route exists. To delete the address group, you must deactivate the route.
InterScan MSS supports address imports from Comma Separated Value (CSV) files. The file must reside on a drive that is local to the InterScan MSS server. You can then type the directory path to the file that contains the address information. If you are using a browser to view the InterScan MSS Web console from a remote computer, you should copy the text file into a shared directory on the InterScan MSS server.
computer, either by an HTTP upload or by typing a Universal Naming Convention (UNC) path. The file must be either on a drive that is local to the InterScan MSS server, or on a mapped drive.
When you import an address group from a text file, make sure that each line contains only one email address. For the file to work correctly, each address must have its own line. An example text file is shown below:
Andy@trendmicro.com
Raymond@trendmicro.com
SomeDude@yahoo.com
Note: A policy can contain only one antivirus filter. If both a parent policy and a sub-policy contain an antivirus filter, only the one in the sub-policy is executed.

To create a sub-policy filter, click the Create new filter link near the top of the Manage Filters screen. The New Filter screen appears.
1. Enter a name for the filter you are creating, specify whether it can be overwritten by another filter in a sub-policy, and choose the type of filter that you want to use. Click Next after you finish configuring the options. The screen that appears varies depending on the filter type that you chose.
2. Configure the options on the screen and click Next. Another screen appears, confirming the settings you made (see Figure 6-8).
Figure 6-8: The New Filter Settings verification screen that appears when creating a content filter.
If you need to change some of the settings, click Back. If the settings are correct, click Next. The New Filter screen appears.
Note: If you click Next, you cannot go back and alter the settings. Any modifications to the settings must be made before continuing on from this screen. However, once you have created the filter, you can edit it.
3. Choose the filter action that InterScan MSS should take when an email triggers the filter (see Figure 6-9). Click Save. Your new filter appears in the filters list on the Manage Filters screen.
Processing Action
The processing action is the action that you configure InterScan MSS to take with an email that triggers a filter. You can quarantine, delete, or forward the message, or you can postpone and deliver. A filter can have just one processing action.
Archive
InterScan MSS can archive messages either in a local directory or in an email account. You can either archive the message in its original form, or you can archive the message with the filter changes, such as viruses cleaned from the attachment or a disclaimer appended to the message body. While a filter can have only one processing action, it can have an unlimited number of archive and notification actions.
Notification
InterScan MSS can send email or Simple Network Management Protocol (SNMP) Trap notifications when an email triggers a filter. These notifications can be sent to the original sender, recipient, administrator, or any other email address that you choose. You cannot use address groups to send notifications, but you can use Exchange distribution lists. InterScan MSS can either attach the message in its original form or send the message that was modified by the filter.
Configuring Notification Messages
When you configure notifications, you can use the following tokens to provide more information about the event that triggered the filter:

%SENDER%            Message sender
%RCPTS%             Message recipients
%SUBJECT%           Message subject
%DATE&TIME%         Date and time of incident
%EMAILID%           Email ID
%RULENAME%          Name of the policy that contained the triggered filter
%FILTERNAME%        Type of filter, such as antivirus filter, Advanced Content Filter, Message Size Filter, and so on
%TASKNAME%          Name of the filter that the user entered during filter creation
%GLOBALACTION%      Current action to be taken
%DETECTED%          What triggered the filter, which filter was triggered, and details from the filter
%QUARANTINE_PATH%   Quarantine path (if quarantine action is performed)
%QUARANTINE_NAME%   Quarantine name (if quarantine action is performed)
%QUARANTINE_AREA%   Quarantine area (if quarantine action is performed)
%ADDINFO%           Additional information from filter (currently used when the result of the antivirus filter is uncertain)
%CLSNAME%           Name of current filter action
%DEF_CHARSET%       Default character set of the notification message
For example, you might want the notification message that InterScan MSS sends to include the following information:
- Name of the filter that took action against the email
- Name of the policy that contained the filter
- Identification number of the email
- User who sent the message
- User(s) who received the message
- Subject of the message
- Time and date the incident occurred
- Current location of the message
The notification that you configure might look similar to the following example:

The %FILTERNAME% filter defined in InterScan MSS has detected the following message using its %RULENAME% rule. The message's ID is %EMAILID%. The following information describes the message that may breach your company's policy:
Message sender: %SENDER%
Message recipients: %RCPTS%
Message subject: %SUBJECT%
Incident time: %DATE&TIME%
Per the configuration of your filter's action, this message can be reviewed in the %QUARANTINE_AREA% quarantine folder.

The notification message that InterScan MSS would send in response to a virus event would look like the following example:

The Detect Script Viruses filter defined in InterScan MSS has detected the following message using its Catch LOVELETTER rule. The message's ID is 12345-12345-12345-12345. The following information describes the message that may breach your company's policy:
Message sender: Joe@yahoo.com
Message recipients: Rahul@company.com
Message subject: Check out the attached Loveletter coming from me
Incident time: 10-30-2001, 6:15 PM
Per the configuration of your filter's action, this message can be reviewed in the VirusArea1 quarantine folder.
Note: If you want a filter action to have more than one option for the Archive or Notification features, you must click New Item in the Filter Action screen to add each one separately.
To create a new filter action, click Policy Manager | Filter Action from the left-hand frame of the InterScan MSS Management Console. The Filter Action screen appears. Click the New Filter Action link. The New Filter Action screen appears (see Figure 6-10). In the Name: field, enter a name for the new filter and then click New Item. Follow the prompts to finish creating the filter action.
To delete a filter action, access the Filter Action screen again, click the option button next to the filter that you want to remove, and then click Delete.
Review Questions
1. Which of the following is not a policy component?
   a. Filter action
   b. Route
   c. Filters
   d. Sub-policy
2. Which eManager filter blocks messages that have the words "Get Rich Quick" in the subject line?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message size filter
   d. Subject line filter
3. Which eManager filter do you use to block large messages during business hours?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message-size filter
   d. Subject line filter
4. Which filter action is executed first?
   a. Deliver
   b. Forward original message
   c. Notification
   d. Forward modified message
5. In which order should you organize sub-policies?
   a. Most general policies first, most specific policies last
   b. Most specific policies first, most general policies last
   c. Incoming policies first, outgoing policies last
   d. Outgoing policies first, incoming policies last
Filters
InterScan MSS includes seven types of filters. These filters are divided into two groups: the Antivirus filter group and the eManager filter group.

The Antivirus filter group consists of only the antivirus filter. The antivirus filter uses pattern-matching technology to scan messages and their attachments for viruses. You can configure the file types the filter scans, compressed file-scanning behavior, the filter action, and notifications that InterScan MSS inserts into the email body.

The eManager filter group manages spam, message content, and email delivery. eManager filters compare message content to keyword expressions and other criteria that you configure. Messages are then processed according to the filter actions that you configure. eManager also compares email to a spam signature file to identify spam and stop it at the gateway. There are six types of eManager filters:
- Advanced Content
- Message Attachment
- General Content
- Message Size
- Disclaimer Manager
- Anti-Spam filter
In addition to the Antivirus and eManager filter groups, InterScan MSS has a heuristic spam filter called Spam Prevention Service (SPS). The heuristic scanning technology is used to detect first-time spam, or spam that the eManager signature file might not detect. When used with the eManager filter group, this heuristic spam filter provides an additional layer of protection against unwanted junk email.
The Scan all file types option is the safest setting because InterScan MSS scans every file for viruses. However, this option is also the most resource-intensive. If you have a network with limited resources, scanning all file types might put too much strain on your network.
When you use the IntelliScan option, InterScan MSS uses a Trend Micro method of determining the true type of a file. Virus writers can rename file extensions to make an executable file look like a different file type. IntelliScan performs an internal analysis of the file rather than relying on a file's extension to determine the true file type. InterScan MSS scans only the files whose true file type is known to harbor viruses. The IntelliScan option is a compromise between maximum security and maximum efficiency. It is better suited for networks with limited resources because not all files are scanned.

When you choose the Scan specified file types by extension option, you can either create your own list of file types to scan, or you can use a list of file types that Trend Micro recommends scanning. This scan option scans files based on the file extension and does not consider the true file type.
.do?
.e*
Table 7-1: Depending on how they are used, wildcards can tell InterScan MSS to scan any combination of file types.
When configuring file types to exclude from scanning, the wildcards can be used in the same way. However, if you use a standalone asterisk, only files without extensions are scanned.
You can also specify whether you want InterScan MSS to delete uncleanable files or pass them to the next filter.
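As an added example (not Trend Micro's code, and not its recommended extension list), the following Python shows the difference between the two scan options just described: an extension list using the wildcards of Table 7-1, including the standalone-asterisk exclusion rule, beside a true-type check that looks at a file's leading bytes the way IntelliScan's internal analysis does in principle. The extension list and the renamed sample file are constructed for the demonstration; the three file signatures are well-known public ones.

```python
import fnmatch
import os

# Constructed scan list (not Trend Micro's recommended list). Patterns use the wildcards
# of Table 7-1: '?' stands for exactly one character and '*' for any run of characters.
SCAN_EXTENSIONS = [".exe", ".do?", ".xl?", ".vb*", ".js", ".scr", ".zip"]


def extension_of(filename):
    return os.path.splitext(filename)[1]          # ".doc" for "report.doc", "" for "README"


def scan_by_extension(filename, scan_patterns, exclude_patterns=()):
    """Decide whether a file is scanned under 'Scan specified file types by extension'.

    A standalone '*' in the exclusion list excludes every file that has an extension,
    so only extension-less files are still scanned (the rule stated in the text)."""
    ext = extension_of(filename)
    if "*" in exclude_patterns and ext:
        return False
    if any(fnmatch.fnmatchcase(ext, p) for p in exclude_patterns if p != "*"):
        return False
    return any(fnmatch.fnmatchcase(ext, p) for p in scan_patterns)


# A few widely documented file signatures, used only to illustrate the IntelliScan idea
# that the content reveals the true type even when the extension has been renamed.
SIGNATURES = [
    (b"MZ", "executable"),                                   # DOS/Windows executable header
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),   # OLE2 container (Word/Excel 97-2003)
    (b"PK\x03\x04", "zip-archive"),                          # ZIP local file header
]
TYPES_KNOWN_TO_HARBOR_VIRUSES = {"executable", "ole-document", "zip-archive"}


def true_type(data):
    """Return the type name of the first matching signature, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def scan_by_true_type(data):
    """IntelliScan-style decision: scan only content whose true type is known to harbor viruses."""
    return true_type(data) in TYPES_KNOWN_TO_HARBOR_VIRUSES


def compare_decisions(filename, data):
    """Show how the two scan options treat the same file."""
    return {"by_extension": scan_by_extension(filename, SCAN_EXTENSIONS),
            "by_true_type": scan_by_true_type(data)}


if __name__ == "__main__":
    # Constructed sample: an executable renamed to look like a picture.
    renamed = b"MZ\x90\x00" + b"\x00" * 60
    print(compare_decisions("holiday.jpg", renamed))
```

The renamed executable is skipped by the extension list but caught by the true-type check, which is the trade-off the text describes: the extension list is cheap and predictable, IntelliScan costs an analysis of each file but is not fooled by a renamed extension.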
You can also configure InterScan MSS to attach safe stamps to email messages that are clean. The safe stamps can be sent as an attachment or entered directly into the email body. The Antivirus filter inserts only one safe stamp per email message.

You can use the following tokens to create messages that are inserted into the body of infected email messages:

%FILENAME%          Filename of the attached file (noname when the file name cannot be determined)
%VIRUSNAME%         List that shows all viruses found
%ACTION%            Either pass, clean, or remove, or else as defined by the process
%MAXENTITYCOUNT%    String that shows the maximum number of entities that can be scanned, such as 20. This value is configurable on the Security Settings page.
For example, suppose you configured the following message to insert inside an infected message:

A file that was attached to this message, %FILENAME%, was found to be infected with the %VIRUSNAME% computer virus. InterScan MSS has taken the following action against the message: %ACTION%.

If InterScan MSS detected the W97M-MARKER virus in a file called resume.doc, it would insert the following text into the body of the email message:

A file that was attached to this message, resume.doc, was found to be infected with the W97M_MARKER computer virus. InterScan MSS has taken the following action against the message: CLEAN
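Both the notification message in the Configuring Notification Messages section and the text inserted into an infected message above are built by substituting %TOKEN% placeholders. The following Python is an added example, not the product's own rendering code; it fills the two templates from the worked examples in the text and reports any token a template uses that the event does not supply. The event values are constructed from those examples.

```python
import re

# Tokens are written as %NAME%; the name consists of upper-case letters and underscores
# and, for %DATE&TIME%, an ampersand.
TOKEN = re.compile(r"%([A-Z][A-Z_&]*)%")


def render(template, values):
    """Replace every %TOKEN% that has a value. Unknown tokens are left as written, so a
    misspelled token is visible in the delivered notification instead of vanishing."""
    return TOKEN.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def unresolved_tokens(template, values):
    """Tokens used in the template that the event does not supply (a configuration check)."""
    return sorted(set(TOKEN.findall(template)) - set(values))


# The notification template shown in the text, with its placeholders.
NOTIFICATION_TEMPLATE = """The %FILTERNAME% filter defined in InterScan MSS has detected the following message using its %RULENAME% rule. The message's ID is %EMAILID%. The following information describes the message that may breach your company's policy:
Message sender: %SENDER%
Message recipients: %RCPTS%
Message subject: %SUBJECT%
Incident time: %DATE&TIME%
Per the configuration of your filter's action, this message can be reviewed in the %QUARANTINE_AREA% quarantine folder."""

# The text inserted into an infected message, as in the example above.
INFECTED_BODY_TEMPLATE = ("A file that was attached to this message, %FILENAME%, was found to be "
                          "infected with the %VIRUSNAME% computer virus. InterScan MSS has taken "
                          "the following action against the message: %ACTION%.")

# Event values constructed from the worked examples in the text.
VIRUS_EVENT = {
    "FILTERNAME": "Detect Script Viruses",
    "RULENAME": "Catch LOVELETTER",
    "EMAILID": "12345-12345-12345-12345",
    "SENDER": "Joe@yahoo.com",
    "RCPTS": "Rahul@company.com",
    "SUBJECT": "Check out the attached Loveletter coming from me",
    "DATE&TIME": "10-30-2001, 6:15 PM",
    "QUARANTINE_AREA": "VirusArea1",
}
INFECTED_ATTACHMENT = {"FILENAME": "resume.doc", "VIRUSNAME": "W97M_MARKER", "ACTION": "CLEAN"}


def notification_for(event):
    return render(NOTIFICATION_TEMPLATE, event)


def infected_body_for(event):
    return render(INFECTED_BODY_TEMPLATE, event)


if __name__ == "__main__":
    print(notification_for(VIRUS_EVENT))
    print()
    print(infected_body_for(INFECTED_ATTACHMENT))
    print("unresolved:", unresolved_tokens("Sender %SENDR% at %DATE&TIME%", VIRUS_EVENT))
```

%SENDER%, %SUBJECT% and similar values are copied from the offending message itself, so whoever reads the notification should treat them as untrusted text supplied by the sender rather than as verified facts about the event.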
To prevent these inserted messages from appearing in the recipient's email, edit the following registry key:
HKEY_LOCAL_MACHINE\Software\TrendMicro\ISNTS\Registry\Config\FilterManager\0001\0001
1. Find the key above.
2. Add a DWORD value with the following name and value, and then restart InterScan MSS:
AddAlert = 0
Figure 7-2: The Virus screen used to configure the filter action for the Antivirus filter.
From the Virus screen, you can also configure the following seven antivirus filter actions:
- Mass emailing virus detected
- Virus(es) detected but some/all were not cleaned
- Joke program attachment detected
- Virus scanning aborted: message may contain viruses
- Password protected file detected (not scanned)
- Virus(es) detected and successfully cleaned
- No virus detected
For each filter result, you can select one of the pre-defined filter actions or a filter action that you configured. The default filter actions for each of these possible results are shown in Figure 7-2.
Note: Before editing the registry, ensure that you understand how to restore it if a problem occurs. For more information, view the Restoring the Registry Help topic in Regedit.exe or the Restoring a Registry Key Help topic in Regedt32.exe.
Features
The Profanity, Racial Discrimination, and Sexual Discrimination filters are examples of an advanced content filter. The advanced content filter provides the following functionality:
- Contains a configurable severity index, which you can use to configure a filter's sensitivity to keyword matches
- Supports case sensitivity for keyword matches
- Supports complex expressions that use the eManager built-in operators
- Evaluates keyword frequency and proximity to other terms when deciding whether to trigger the filter
Writing Expressions
InterScan MSS uses the advanced content filter to search for keyword expressions that you define. For example, if you wanted to block email messages that contain the words you are a jerk, you might create the following expression:
you .NEAR. jerk
You can also specify the proximity of the words so that the filter catches the following phrases:
You are a big jerk.
You are a big fat jerk.
Expressions consist of operands and operators. Operands are words for which you want to search. Operators define the relationship between the operands in the expression. Consider the expression in the previous example. The words you and jerk are operands. The word .NEAR. is an operator.
significant to how the expression is parsed. For example, the expression High .AND. Low is parsed as two operands (High, Low) and one operator (.AND.). The expression High.AND.Low is parsed as one operand (High.AND.Low).
Operators
The eManager operators can be divided into five groups:
- Grouping operators
- Decorating operators
- Logical operators
- Limiting operators
- Relational operators
Grouping Operators
The grouping operators are used to change the order in which operators are evaluated. The operators between the grouping operators are evaluated first. For example, the following two expressions are evaluated differently because the second expression contains grouping operators:
better .AND. faster .OR. cheaper
better .AND. .(. faster .OR. cheaper .).
The first expression matches content that contains both keywords better and faster. It also matches content that contains the keyword cheaper (see Table 7-2). The second expression matches content that contains better and either faster or cheaper (see Table 7-3).
Table 7-2: Matching the first expression with email content.
- "Content analysts agree that the 2002 model is a better, faster, and more economical vehicle than its predecessors": Match
- "many young families have found that buying houses in the East Bay suburbs is cheaper than living in the peninsula communities": Match
- "broadband Internet access can be up to 50 times faster than dial-up connections, and rates are expected to": No Match

Table 7-3: Matching the second expression with email content.
- "Content analysts agree that the 2002 model is a better, faster, and more economical vehicle than its predecessors": Match
- "many young families have found that buying houses in the East Bay suburbs is cheaper and offers a better quality of life": Match
- "broadband Internet access can be up to 50 times faster than dial-up connections, and cheaper rates": No Match

Decorating Operator
The decorating operator is .WILD. When you use the .WILD. operator, content is evaluated against the operand. The asterisk (*) wildcard character is often used with the .WILD. operator, as shown in the following example:
.WILD. This * message
This expression matches content when the word message follows the word This. The word This and the word message can be separated by any number of words (see Table 7-4). The .WILD. operator can also be used in place of letters in a word, as shown in the following example:
.WILD. *ed
This expression matches any content that ends with ed (see Table 7-5).
Table 7-4: Matching expressions using the .WILD. operator.
- "This message is being sent to you because you signed up for our free email newsletter": Match
- "This is to inform you that I will be on holidays until 10/12. You can leave a message at 408-555-1212": Match
- "This is arguably the most exciting software that I have": No Match

Table 7-5: Using the .WILD. operator in place of partial words.
- "that movie has been edited for TV broadcast": Match
- "this program is followed by an infomercial": Match
- "The editor sent the manuscript for final proofreading": No Match

Logical Operators
The logical operators are used to perform logical operations on operands. You can use the following three operators when creating expressions:
.AND.
.OR.
.NOT.
The following expression contains a logical operator:
High .AND. Low
This expression matches content when both the word High and the word Low are present (see Table 7-6). Now evaluate a similar expression, this time using the logical operator .OR.:
High .OR. Low
This expression matches content when either the word High or the word Low is present. This expression also matches content when both words are present (see Table 7-7).
Table 7-6: Using the logical operator .AND. to write expressions.
- "High today in the interior is 87. Low tonight will be 53 near the coast": Match
- "His favorite movies are High Noon an Eject at Low Level and Live": Match
- "she plans to attend Central High next fall": No Match

Table 7-7: Using the logical operator .OR. to write expressions.
- "High tide will be at 9:00 PM. Low tide will be at 7:00 AM": Match
- "the box was too High for her to reach": Match
- "please turn the heater to low-I'm sweating": No Match
The .NOT. logical operator functions a little differently than the other two logical operators. Expressions that use the .AND. and .OR. operators are used to search for combinations of operands. Expressions that use the .NOT. operator are used to search for one operand and not another. For example, if you wanted to create a filter that finds email about pets, but you want to allow content about dogs, you might create the following expression (see Table 7-8):
Pets .NOT. Dog
Table 7-8: Using the logical operator .NOT. to write expressions.
- "the sign at the beach said that pets are not allowed": Match
- "I do not like visiting people who own 100 pets": Match
- "pets are an enormous pain to care for, but my dog is worth it": No Match

Limiting Operator
You can use the limiting operator .OCCUR. to create an expression that a filter can use to search for multiple occurrences of a word or phrase used in an email. If the appearances of the word or phrase exceed the Frequency setting, the email will trigger the filter. When you use this operator, you should configure the Frequency setting under Advanced Settings (see the Advanced Settings section in this chapter).
You can use the relational operator .NEAR. to create an expression that a filter can use to search for words that are close to each other. If the words appear close enough together, the email triggers the filter. When you use this operator, you should configure the Proximity setting under Advanced Settings (see the Advanced Settings section in this chapter).
InterScan MSS supports the use of regular expressions. Regular expressions are not as limited as the expressions you create using Boolean terms. When using only Boolean terms to create expressions, the search is limited to the words or phrases specified, and variants within the words themselves are not found. However, when you use regular expressions, the filter you create can catch variants of the word(s) for which you are searching. For example, evaluate the following expression that uses only Boolean terms:
sex .OR. sexual
Filters that use the expression in this example catch email that contains the words sex or sexual. However, variants of these words, such as s3x and sExual, are not caught. Now evaluate the following expression that uses a regular expression:
.REG. s[eE3]x
Filters that use the expression in this example catch the word sex, as well as any variants of the word, such as s3x and sEx.
Table 7-10 contains descriptions of the characters that you can use when creating regular expressions. Each description is accompanied by an example of how the expression is used.
.  This character matches any single character. Example: the expression r.t catches rat, rut, rot, and r t, but not root.
*  This character matches any number and combination of letters between the characters specified in the expression (0 or more). Example: the expression b.*t catches the words breast and butt, but also catches the word best.
?  This character matches 0 or 1 occurrence of the preceding character, forcing minimal matching when an expression might match several strings within a search string. Example: the expression suc?k catches the word suck and the variant suk.
+  This character matches one or more of the preceding characters. Example: the expression Ri+ch catches the word Rich and variants such as Riich, Riiich, and so on.
$  Example: the expression off$ catches the string tell him to back off, but not the string Get off my back.
[abc]  This syntax matches any one of the characters between the brackets. Example: the expression s[eE3]x catches the word sex and variants such as sEx and s3x.
[a-c]  This syntax specifies a range of characters. The characters can only be letters or numbers. Example: the expression p[0-9]rn catches p0rn, p1rn, p2rn, p3rn, and so on.
[^a-b]  This syntax matches all characters except those between the brackets. Example: the expression sh[^ou]t catches every four-letter word beginning with sh and ending with t, except shut and shot.
{n, m}  This syntax matches a specific number of instances or instances within a range of the preceding character. Example: the expression x\{3,\} catches xxx, xxxx, and xxxxx, but does not catch x or xx.
\<  This syntax matches the beginning of a word. Example: the expression \<out catches the string out to the ballpark, but does not catch strikeout.
\>  Example: the expression \>out catches strikeout, but does not catch outfield.
170
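The syntax in Table 7-10 resembles POSIX basic regular expressions: counted repetition is written \{n,m\} and the word anchors are \< and \>, where Python's re module uses {n,m} and \b. The following helper, an added example that is not code from InterScan MSS or Trend Micro, rewrites a Table 7-10 style pattern into a Python pattern and checks every example in the table against it. The mapping is an assumption drawn from the table's own examples rather than a published conversion; in particular the table treats \>out as "a word that ends in out", which is not what \> means in POSIX, so \> is rendered as a trailing \b. The false-positive side of the table (b.*t also catching best) is visible in the results, which is why such patterns are usually paired with severity ratings rather than used alone.

```python
import re

# Added example, not product code: translate Table 7-10 syntax into Python `re`
# syntax and verify the table's examples. The conversion rules are assumptions.


def to_python_regex(pattern):
    """Rewrite a Table 7-10 style pattern as a Python `re` pattern."""
    out = []
    end_of_word = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in "{}":            # \{n,m\} -> {n,m}
                out.append(nxt)
            elif nxt == "<":           # \<word -> word must start at a boundary
                out.append(r"\b")
            elif nxt == ">":           # \>word -> word must end at a boundary
                end_of_word = True
            else:                      # any other escape passes through unchanged
                out.append(ch + nxt)
            i += 2
            continue
        if ch in "{}":                 # bare braces are literals in BRE syntax
            out.append("\\" + ch)
        else:
            out.append(ch)
        i += 1
    if end_of_word:
        out.append(r"\b")
    return "".join(out)


def matches(pattern, text):
    """True when the Table 7-10 style pattern occurs anywhere in text."""
    return re.search(to_python_regex(pattern), text) is not None


# Constructed check list: (pattern, sample text, expected result) from Table 7-10.
TABLE_7_10_EXAMPLES = [
    ("r.t", "rat", True), ("r.t", "root", False),
    ("b.*t", "best", True),
    ("suc?k", "suk", True),
    ("Ri+ch", "Riiich", True),
    ("off$", "tell him to back off", True), ("off$", "Get off my back", False),
    ("s[eE3]x", "s3x", True),
    ("p[0-9]rn", "p0rn", True),
    ("sh[^ou]t", "shut", False), ("sh[^ou]t", "shot", False),
    (r"x\{3,\}", "xxxx", True), (r"x\{3,\}", "xx", False),
    (r"\<out", "out to the ballpark", True), (r"\<out", "strikeout", False),
    (r"\>out", "strikeout", True), (r"\>out", "outfield", False),
]


def check_table():
    """Return the (pattern, text) pairs whose result disagrees with Table 7-10."""
    return [(p, t) for p, t, expected in TABLE_7_10_EXAMPLES if matches(p, t) != expected]


if __name__ == "__main__":
    print("disagreements with Table 7-10:", check_table())
```

Run it directly and the list of disagreements should be empty; add your own patterns to TABLE_7_10_EXAMPLES to see what they catch before deploying them in a filter.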
Priority of Operators

When expressions are evaluated, certain operators are given priority over others (see Table 7-11).

Operator    Priority
.(.         *
.).         *
.WILD.      1
.OCCUR.     2
.NOT.       2
.NEAR.      3
.AND.       4
.OR.        5

Table 7-11: Priority of operators. Contents within .(. and .). are evaluated first (*); for the remaining operators, the lower the number, the higher the priority.
Advanced Settings
Each eManager filter has advanced settings that you can configure to complement some of the keyword expressions that you write (see Figure 7-4). InterScan MSS uses the Proximity setting to determine how far apart keywords can be when you use the relational operator (.NEAR.). The Frequency setting defines how many times a keyword can appear in an email when you use the limiting operator (.OCCUR.).
Proximity
When configuring expressions, you can create intelligent filters, that is, filters that take the proximity of keywords into consideration. For example, use the expression punch .NEAR. face to evaluate the following message from an upset colleague:

...be forewarned: if your bill collectors persist in calling me, I will come down to your office and punch your face into oblivion...

If the proximity value is set at two, the expression punch .NEAR. face causes the filter to trigger on the colleague's message. When InterScan MSS detects the first word, it assigns that word the number 1, and then it counts each word until it detects the second word (see Table 7-12).

Word    Number
punch   1
your    2
face    3

Table 7-12: Counting the words between the keywords punch and face.

After detecting the second word, InterScan MSS subtracts the number assigned to the first word from the number assigned to the second word. If the result is equal to or less than the proximity setting, the filter triggers. In the example, 3 minus 1 is 2, which is equal to the proximity setting of two.
Now use the same expression to evaluate the following message taken from a newsletter:

...The party was a tremendous success. The children had fruit punch and cookies. A clown showed up after snack time to distribute presents, and the children laughed at his painted face and colorful clothes...

The expression will not cause the filter to trigger on the newsletter because the word punch is not close enough to the word face.
Frequency Setting
When you write a keyword expression using the limiting operator, you may want your filter to trigger only when that expression appears several times. A lenient frequency setting gives your users a few chances when they use prohibited keywords; the filter is triggered when the keywords are used excessively. For example, suppose you want to catch email messages that contain more than five occurrences of the word free. You would create the following expression:

.OCCUR. free

After creating the expression, set the frequency value to five. Select Policy Manager | Global Policy from the left-hand column of the InterScan MSS Web console. Click the Edit button in the Filter Type column for the filter you want to configure, and then click the Advanced Setting link on the screen that appears (see Figure 7-5). Set the value of the Frequency: field to five.
Separating Characters
By default, the eManager filter divides message content into words when it encounters the space, tab, line feed, and carriage return characters. If you want to use other characters to divide keywords, enter them in the Separators: field.
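The interaction of the Proximity, Frequency and Separators settings is easiest to see by running the two messages quoted above through a small model of the counting rule. The following block is an added example, not code from InterScan MSS: it divides content into words on the default separators plus any extra separator characters, numbers the words as described above, and applies the .NEAR. and .OCCUR. checks. Two assumptions are made that the page does not state: comparison is case-insensitive, and .NEAR. is satisfied whichever of the two keywords comes first.

```python
import re

# Added example, not product code: model of the Proximity, Frequency and
# Separators settings. Case-insensitive, order-insensitive matching is assumed.

DEFAULT_SEPARATORS = " \t\n\r"   # the default separator characters

# The two messages quoted above, embedded as constructed sample input.
COLLEAGUE_MESSAGE = ("be forewarned: if your bill collectors persist in calling me, "
                     "I will come down to your office and punch your face into oblivion")
NEWSLETTER_MESSAGE = ("The party was a tremendous success. The children had fruit punch "
                      "and cookies. A clown showed up after snack time to distribute "
                      "presents, and the children laughed at his painted face and "
                      "colorful clothes")


def split_words(text, extra_separators=""):
    """Divide message content into words on the configured separator characters."""
    separators = re.escape(DEFAULT_SEPARATORS + extra_separators)
    return [w.lower() for w in re.split("[" + separators + "]+", text) if w]


def near(text, first, second, proximity, extra_separators=""):
    """Model of `first .NEAR. second`: the first keyword found is numbered 1,
    every following word is counted, and the filter triggers when the number
    reached at the second keyword, minus that of the first, is at most
    `proximity`."""
    words = split_words(text, extra_separators)
    first, second = first.lower(), second.lower()
    first_at = [n for n, w in enumerate(words, start=1) if w == first]
    second_at = [n for n, w in enumerate(words, start=1) if w == second]
    return any(0 < abs(b - a) <= proximity for a in first_at for b in second_at)


def occurs(text, keyword, frequency, extra_separators=""):
    """Model of `.OCCUR. keyword` with the Frequency setting. Following the
    "more than five occurrences" example above, the filter triggers only when
    the keyword appears more than `frequency` times."""
    return split_words(text, extra_separators).count(keyword.lower()) > frequency


if __name__ == "__main__":
    print("colleague :", near(COLLEAGUE_MESSAGE, "punch", "face", 2))
    print("newsletter:", near(NEWSLETTER_MESSAGE, "punch", "face", 2))
    # Without a comma separator the text below is one word and cannot match.
    print("comma-joined, no separator:", near("punch,your,face", "punch", "face", 2))
    print("comma-joined, ',' separator:", near("punch,your,face", "punch", "face", 2, ","))
```

The comma-joined case shows why the Separators: field matters: a sender who writes keywords without spaces defeats a proximity filter unless the punctuation they used is also configured as a separator.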
Figure 7-5: The eManager filters all have advanced settings that you can configure by clicking the Advanced Settings link shown here. This link is available only after the filter has been created. These settings cannot be modified while creating the filter.
surpasses a threshold, you can automatically delete the attachment before sending the message to the recipient.
Combinations of words can cause the total to exceed the threshold as well. For example, suppose you give the word jerk a severity rating of three, the word punk a severity rating of five, and you set your threshold at seven. If an email contains two instances of the word jerk, the total is six and the filter does not trigger. However, if the email contains the words jerk and punk, the filter triggers because the total value (eight) exceeds the threshold. Severity values can only be positive. If you want to ignore a keyword when it occurs in conjunction with another term, configure that behavior with the .AND., .OR., and .NOT. operators instead.
Calculating Severity
When calculating severity, the eManager filters consider each message component separately, such as the header, body, and attachment. For example, suppose you set the severity threshold at 10 and give the keywords jerk and punk a severity value of five each. A message with a subject containing jerk and an email body containing punk will not trigger the filter, even though both words matched. Because the words are found in different components, the message is permissible.
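The per-component rule has a practical consequence worth seeing in code: keywords spread across the subject and the body never add up, so a sender can stay under the threshold by splitting them. The block below is an added example, not product code; it uses the ratings from the examples above, separates words on whitespace and compares them case-insensitively (both assumptions), and reports what a pooled total would have been so the gap is visible.

```python
# Added example, not product code: severity scoring per message component.
# Ratings are those used in the examples above; whitesp﻿ace splitting and
# case-insensitive comparison are assumptions.

RATINGS = {"jerk": 3, "punk": 5}


def component_severity(text, ratings=RATINGS):
    """Add up the rating of every keyword occurrence in one component."""
    return sum(ratings.get(word.lower(), 0) for word in text.split())


def severity_triggers(components, threshold, ratings=RATINGS):
    """`components` maps a component name (subject, body, attachment) to its
    text. The filter fires only when the total of a single component exceeds
    the threshold; totals are never pooled across components."""
    return any(component_severity(text, ratings) > threshold
               for text in components.values())


def combined_total(components, ratings=RATINGS):
    """What the total would be if the components were pooled; shown only to
    make the evasion visible, this is not what the filter does."""
    return sum(component_severity(text, ratings) for text in components.values())


if __name__ == "__main__":
    split = {"subject": "jerk", "body": "you punk"}
    five_each = {"jerk": 5, "punk": 5}
    print("triggers at 10:", severity_triggers(split, 10, five_each))     # False
    print("pooled total  :", combined_total(split, five_each))            # 10
```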
You can create expressions that block messages with a sexual usage of the word buns but permit legitimate email about hamburger and hotdog buns. The following examples show how to write such an expression.

Requirement 1 (block buns unless the phrase hamburger buns is present):

buns .AND. .NOT. hamburger buns

Requirement 2 (block buns unless the phrase hotdog buns is present):

buns .AND. .NOT. hotdog buns
expressions because the .NOT. operator is evaluated before the .AND. operator.
Both requirements must hold at the same time, so you combine them with the .AND. operator. The final expression is as follows:

.(.buns .AND. .NOT. hamburger buns.). .AND. .(.buns .AND. .NOT. hotdog buns.).

Note: The .(. and .). operators keep each requirement together so that the evaluation order is explicit. Do not combine the two requirements with .OR., which has the lowest priority of operation: a message about hamburger buns fails the first requirement but satisfies the second, so an .OR. expression would still trigger on it.
Evaluation Rules

The way an expression is written is vital to its functionality. To ensure that the expression filters the correct material, remember the following guidelines when creating expressions:
- The expression must be valid.
- Contents within parentheses are evaluated first.
- Contents are evaluated from left to right.
- Contents are evaluated according to the priority of the operators.

Type 1 is an operand-only expression, that is, an expression that does not have an operator. An example is shown below:

keyword
Type 2
Note: Due to performance issues, the first token and the last token following the operator .WILD. cannot consist of a single asterisk. For example, .WILD. *, .WILD. * Birthday and .WILD. Happy * are all invalid expressions.
Type 3
<Any Type (1 to 7)> .AND. <Any Type (1 to 7)>
<Any Type (1 to 7)> .OR. <Any Type (1 to 7)>
Type 6
Note: Expressions that do not comply with one of the above seven forms are treated as invalid (see Table 7-13).

Invalid expressions:
- .OCCUR. .(. High .AND. LOW .). is invalid because .OCCUR. cannot appear before a Type 7 expression.
- .NEAR. can apply only to Type 1 and Type 2 expressions.
- The first token that follows .WILD. is the asterisk.
- The last token that follows .WILD. is all asterisks.

Valid expressions:
- .NOT. is Type 3; the expression complies with Type 3.
- The expression complies with Type 6.

Table 7-13: Examples of valid and invalid expressions.

Using Reserved Words as Operators
If you want to match a reserved keyword, or text that resembles an operator, within an operand, you have to add an escape character (\) in front of it. For example, to match the text cats .AND. dogs literally rather than as two keywords joined by an operator, write the following expression:

cats \.AND. dogs

If you want to match the escape character itself as part of the keywords cats\dogs and pets, you have to use two escape characters, as shown in the following example:

cats\dogs \\.AND. pets
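A filter expression is only as good as the evaluation order it produces, so it pays to check an expression against sample text before putting it into a policy. The block below is an added example, not code from the product: a small recursive-descent parser that applies the priorities of Table 7-11 for .(. .)., .NOT., .AND. and .OR., honours the escape rule for reserved words above, and evaluates the buns expression. Keywords are matched as case-insensitive substrings of the message text (an assumption); .WILD., .OCCUR. and .NEAR. are not modelled. For comparison, the .OR. form of the buns expression is included to show that it still triggers on a hamburger-bun message.

```python
import re

# Added example, not product code: parser and evaluator for eManager-style
# keyword expressions using the operator priorities of Table 7-11.

OPERATORS = (".(.", ".).", ".NOT.", ".AND.", ".OR.")
# An optional backslash before an operator turns it into ordinary keyword text.
OPERATOR_RE = re.compile(r"(\\?(?:\.\(\.|\.\)\.|\.NOT\.|\.AND\.|\.OR\.))")


def tokenize(expression):
    """Split an expression into ("OP", operator) and ("WORD", text) tokens."""
    tokens = []
    for piece in OPERATOR_RE.split(expression):
        if piece.startswith("\\") and piece[1:] in OPERATORS:
            tokens.append(("WORD", piece[1:]))      # escaped: literal text
        elif piece in OPERATORS:
            tokens.append(("OP", piece))
        else:
            tokens.extend(("WORD", w) for w in piece.split())
    return tokens


class Parser:
    """Recursive descent; each level handles one priority from Table 7-11."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ("END", None)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] != "END":
            raise ValueError("unexpected token %r" % (self.peek()[1],))
        return node

    def parse_or(self):                        # .OR.  priority 5 (lowest)
        node = self.parse_and()
        while self.peek() == ("OP", ".OR."):
            self.take()
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):                       # .AND. priority 4
        node = self.parse_not()
        while self.peek() == ("OP", ".AND."):
            self.take()
            node = ("AND", node, self.parse_not())
        return node

    def parse_not(self):                       # .NOT. priority 2
        if self.peek() == ("OP", ".NOT."):
            self.take()
            return ("NOT", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):                   # .(. .). evaluated first
        if self.peek() == ("OP", ".(."):
            self.take()
            node = self.parse_or()
            if self.take() != ("OP", ".)."):
                raise ValueError("missing .).")
            return node
        words = []
        while self.peek()[0] == "WORD":
            words.append(self.take()[1])
        if not words:
            raise ValueError("keyword expected before %r" % (self.peek()[1],))
        return ("PHRASE", " ".join(words))


def evaluate(node, text):
    kind = node[0]
    if kind == "PHRASE":
        return node[1].lower() in text.lower()
    if kind == "NOT":
        return not evaluate(node[1], text)
    if kind == "AND":
        return evaluate(node[1], text) and evaluate(node[2], text)
    return evaluate(node[1], text) or evaluate(node[2], text)


def filter_triggers(expression, text):
    """True when the message text satisfies the keyword expression."""
    return evaluate(Parser(tokenize(expression)).parse(), text)


# The two buns requirements combined with .AND., and the .OR. form for comparison.
BUNS_AND = ".(.buns .AND. .NOT. hamburger buns.). .AND. .(.buns .AND. .NOT. hotdog buns.)."
BUNS_OR = ".(.buns .AND. .NOT. hamburger buns.). .OR. .(.buns .AND. .NOT. hotdog buns.)."

if __name__ == "__main__":
    for text in ("nice buns", "fresh hamburger buns for sale"):
        print(repr(text), "AND:", filter_triggers(BUNS_AND, text),
              "OR:", filter_triggers(BUNS_OR, text))
```

The parser raises ValueError on malformed input (a missing .). or an operator with no operand), which mirrors the product's refusal of invalid expressions.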
Features

The message-attachment filter checks messages according to the following criteria:
- Attachment name (supports wildcards)
- Attachment type from the MIME content-type field in the message header
- Attachment file type from a binary analysis of the attachment
Table 7-14 shows how the eManager filter blocks certain MIME content-type attachments. Use this table to determine which MIME content type is blocked (right column) when you enable the corresponding item (left column) in the program's user interface.

eManager Option             MIME Content Type(s)

Image File Formats
  JPEG                      image/JPEG, image/PJPEG
  GIF                       image/GIF
  TIF/TIFF                  image/TIFF
  BMP                       image/x-ms-bmp, image/bmp

Audio File Formats
  WAV                       audio/x-WAV, audio/WAV, audio/Microsoft-WAV
  MP3                       audio/x-MPEG, audio/MPEG
  MIDI                      x-music/x-MIDI, audio/MID

Application File Formats
  PDF                       application/PDF
  ZIP                       application/ZIP, application/x-ZIP-compressed
  msword/RTF                application/msword, application/RTF, text/richtext
  mspowerpoint              application/vnd.ms-powerpoint, application/mspowerpoint
  msexcel                   application/vnd.ms-excel, application/x-msexcel, application/ms-excel

Table 7-14: MIME content types blocked by each eManager option.

Note: Email clients may list the MIME content type differently. The exact wording in the message's Content-Type field may vary slightly depending on which email client was used to send the message.
In addition, you can filter compressed files with the following extensions: ZIP, RAR, ARJ, TAR, and GZ. If you check the Others option, you can also filter the LZW, CAB, LHA, ARC, AR, PKLITE, DIET, LZH, and LZ compressed file formats.
The eManager filter does not rely on a file's extension to determine the file type. Instead, it performs an internal analysis of the file. The following list shows the file types that are most often used to spread viruses. If you want to filter for any of these file types, enter them in the Other field. Use a semicolon (;) to separate multiple entries.

Extension   File type
BAS         Microsoft Visual Basic class module
BAT         batch file
CHM         compiled HTML help file
CMD         Microsoft Windows NT command script
COM         Microsoft MS-DOS program
CPL         control panel extension
CRT         security certificate
EXE         program
HLP         help file
HTA         HTML program
INF         setup information
INS         Internet naming service
ISP         Internet communication settings
JS          JScript file
JSE         JScript Encoded Script file
LNK         shortcut
MDA         Microsoft Access add-in program
MDB         Microsoft Access program
MSC         Microsoft Common Console document
MSI         Microsoft Windows installer program
MSP         Windows installer patch
MST         Visual Test source files
PCD         photo CD image or Microsoft Visual Test compiled script
PIF         shortcut to MS-DOS program
REG         registration entries
SCR         screen saver
SCT         Windows script component
SHS         shell scrap object
URL         Internet shortcut
VB          VBScript file
VBE         VBScript encoded script file
VBS         VBScript file
WSC         Windows script component
WSF         Windows script file
WSH         Windows script host settings file
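Deciding the file type from the bytes of the attachment, rather than from its name or the Content-Type the sender declared, is the check that defeats a renamed executable. The block below is an added example, not product code: it identifies several of the formats in Table 7-14 and the compressed formats above by their standard leading bytes, maps the Content-Type aliases from Table 7-14 onto the same names, and reports both a mismatch between declared and actual type and whether the actual type is on a block list. The alias sets and signature values are the well-known ones for these formats; the format names and the shape of the result dictionary are this example's own.

```python
# Added example, not product code: identify attachment types from their bytes
# and compare with the declared MIME type. Signatures are the standard leading
# bytes of each format; the aliases follow Table 7-14 (lower-cased).

SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"II*\x00", "tiff"),
    (0, b"MM\x00*", "tiff"),
    (0, b"BM", "bmp"),
    (0, b"%PDF", "pdf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\x60\xea", "arj"),
    (257, b"ustar", "tar"),
    (0, b"MZ", "exe"),                                # DOS/Windows executable
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # Word/Excel/PowerPoint 97-2003
]

MIME_ALIASES = {
    "jpeg": {"image/jpeg", "image/pjpeg"},
    "gif": {"image/gif"},
    "tiff": {"image/tiff"},
    "bmp": {"image/x-ms-bmp", "image/bmp"},
    "wav": {"audio/x-wav", "audio/wav", "audio/microsoft-wav"},
    "pdf": {"application/pdf"},
    "zip": {"application/zip", "application/x-zip-compressed"},
    "ole": {"application/msword", "application/vnd.ms-excel", "application/x-msexcel",
            "application/ms-excel", "application/vnd.ms-powerpoint",
            "application/mspowerpoint"},
}


def sniff_type(data):
    """Identify the format from its leading bytes; 'unknown' if nothing matches."""
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":   # RIFF container with WAVE tag
        return "wav"
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def declared_type(content_type):
    """Map a Content-Type header value onto the same format names, case-insensitively,
    ignoring parameters such as name=..."""
    media = content_type.split(";", 1)[0].strip().lower()
    for kind, aliases in MIME_ALIASES.items():
        if media in aliases:
            return kind
    return "unknown"


def check_attachment(content_type, data, blocked):
    """Decide on an attachment. The actual type decides blocking; the declared
    type is only compared against it to report a mismatch."""
    actual = sniff_type(data)
    declared = declared_type(content_type)
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": declared != "unknown" and declared != actual,
        "block": actual in blocked,
    }


if __name__ == "__main__":
    # Constructed sample: an executable header declared as a JPEG image.
    print(check_attachment("image/JPEG; name=photo.jpg", b"MZ\x90\x00" + bytes(60), {"exe"}))
```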
Features

The general content filter provides the following functionality. It filters content in the following:
- Message subject field (permits multiple subjects)
- Keywords in message body
- Message size
- Attachment file name (supports wildcard)
that include the built-in operators .NOT., .OCCUR., and so on. When these terms are entered, they are treated as part of the keyword expression and not as operators.
Message subject    You can search for keywords, such as ILOVEYOU, in the subject line. This option supports the asterisk (*) wildcard within an expression, but the asterisk must be accompanied by at least one character; it cannot stand alone.
Email body         You can search for keywords in the email body. This option supports the asterisk (*) wildcard within an expression.
Message size       You can filter attachments that match the parameters you specify. For example, you can filter attachments that are larger than 2 MB.
Attachment name    You can enter the file names to detect. This option supports the asterisk (*) wildcard within an expression.
If you select multiple filtering criteria for the same general content filter, all the criteria must be found in an email in order to trigger the filter. For example, if you specify that the email must contain ILOVEYOU in the subject line, and the document attachment must have a DOC extension, then both attributes must be found in the email in order to trigger the filter. An email with ILOVEYOU in the subject line and no attachment will not trigger such a filter.
To create a general content filter, click Policy Manager | Global Policy and click the Create new filter link. The New Filter screen appears. Follow the step-by-step instructions to create a general content filter. To modify a general content filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-10):
Features

The message-size filter provides the following functionality:
- Supports message filtering based on message size (body + attachments), an attachment's size, and/or the number of attachments
- Enforces message-size restrictions during time periods selected from a weekly calendar
To create a message-size filter, click Policy Manager | Global Policy and click the Create new filter link. The New Filter screen appears. Follow the step-by-step instructions to create a message-size filter. To modify a message-size filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-11):
Features

The disclaimer manager filter provides the following functionality:
- Appends user-configurable disclaimer text at the beginning or end of messages
- Supports complex expressions using the eManager filters
- Alternatively, appends the disclaimer to all messages
If you receive a suspected spam message that the Trend Micro spam database fails to detect, forward it (including all email headers) to spam@trendmicro.com. If Trend Micro confirms that it is a spam message, it is added to the spam database.

To create a spam filter, click Policy Manager | Global Policy in the left-hand column of the InterScan MSS Web console. On the Global Policy screen that appears, click the Create new filter link and follow the instructions provided on the screens. When creating a spam filter, you must choose one of the following scanning options:

Enable for Message Subject                  Scans the email headers and compares them with the Trend Micro spam database.
Enable for Both Message Subject and Body    Scans both the email subject line and the body (higher spam detection rate, but more strain on the email processing system).
If the sender appears on the Blocked Senders list, the message is considered to be spam, regardless of the score. If text in the message triggers a Text exemption filter, the message is not considered spam.

SPS compares heuristic expressions in a message to known heuristic expressions (rules) of spam. The Inference Engine then computes the statistical probability that the message is spam.

[Figure 7-17 shows a message arriving from the Internet through the firewall to IMSS, being checked against Rule 1 through Rule 9 (each marked Match or X Match), with the results fed to the Inference Engine before the message is delivered to the client.]

Figure 7-17: The SPS filter uses heuristic scanning technology to calculate the probability that an email is spam.
Detecting first-time spam is the primary advantage to heuristic scanning. Most spam scan engines compare incoming email to a database of known spam, or spam that has been circulating for weeks, months, or even years. Because the heuristic scan engine does not rely on a database of known spam, it can detect first-time spam, or spam that no one has ever seen before.
Features

The heuristic scan engine provides the following features that you can use to control the flow of spam entering your network:
- Text exemption rules
- Approved senders and blocked senders lists
- A baseline detection rate applied to all email
- Additional sensitivity settings by category
To view and configure the heuristic scan engine features, select Policy Manager | Global Policy and click the Heuristic Spam Filter (SPS) Edit button in the Filter Type column. The Heuristics Spam Filter (SPS) screen appears (see Figure 7-13).
Figure 7-13: The SPS Baseline Detection Rate has six settings.
When you add a domain to either list, you must add it to either the modifiable or the unmodifiable section of the list. If you add the domain to the modifiable section, you can add a subset of the domain to the other list. However, if you add the domain to the unmodifiable section, you cannot add a subset of the domain to the other list. For example, if you add *@trendmicro.com to the modifiable section of the Approved Senders list, then you can add tom@trendmicro.com to the Blocked Senders list.
Using the Asterisk Wildcard

You can use the asterisk wildcard (*) to compose entries on the Approved Senders and Blocked Senders lists. The asterisk can be used in place of either the name part or the domain part of an address. For example, if you want to accept all email from Trend Micro, you might enter the following address in the window (see Figure 7-15):

*@trendmicro.com

Figure 7-15: Using the asterisk wildcard when configuring the Approved and Blocked Senders lists.
To match the name portion of an email address, you can only use a single wildcard * or the exact name. Partial matches, like the one in the following example, are not allowed: bobby*@trendmicro.com
When using wildcards for the domain part of an email address, the asterisk must appear at the beginning of the pattern. The wildcard can match one or more subdomains, and you can use multiple wildcards to match subdomains (see Table 7-15):

Wildcard Entry    Possible Matches                                       Non-Matches
*@*.solar.com     reggie@earth.solar.com, lucy@europe.earth.solar.com    *kim@solar.com
*@*.*.com         maria@earth.solar.com                                  chang@solar.com

Table 7-15: Wildcards must appear at the beginning of the domain in an email address.
Partial matching of subdomains is not allowed. You must enter wildcards from the most significant portion of the address to the least significant. For example, *@trend.*.com is an invalid format, but *@*.trend.com is valid. All addresses that you enter must contain the @ symbol; if no @ exists, the entire string is considered invalid. Valid addresses are accepted as they are entered. A dialog box appears when you enter an invalid address (see Figure 7-16).
Figure 7-16: InterScan MSS will not accept invalid email addresses.
To modify the Approved Senders or Blocked Senders list, click the appropriate Edit link under Filter Settings section of the screen (see Figure 7-11). On the screen that appears, enter the information requested.
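The wildcard rules above are precise enough to implement, and doing so shows which entries the console would reject and which addresses a given entry actually covers. The block below is an added example, not product code: a validator that applies the stated rules (exactly one @, the name part is a single * or an exact name, domain wildcards are whole leading labels each matching one or more subdomains) and a matcher built from a validated entry. Case-insensitive comparison is an assumption. Keep in mind that both lists key on the sender address, which a spammer can set to anything, so a broad approved entry such as *@yourcompany.com is an easy way for forged mail to skip the score.

```python
import re

# Added example, not product code: validation and matching of Approved/Blocked
# Senders entries under the wildcard rules described above.

LABEL_RE = r"[A-Za-z0-9-]+"


def validate_entry(entry):
    """Return (name, domain_labels) for a valid entry, else raise ValueError
    with the reason the console would give for rejecting it."""
    if entry.count("@") != 1:
        raise ValueError("entry must contain exactly one @: %r" % entry)
    name, domain = entry.split("@")
    if not name or not domain:
        raise ValueError("name and domain are both required: %r" % entry)
    if "*" in name and name != "*":
        raise ValueError("partial match of the name part is not allowed: %r" % entry)
    labels = domain.split(".")
    seen_literal = False
    for label in labels:
        if label == "*":
            if seen_literal:
                raise ValueError("wildcards must appear at the beginning of the domain: %r" % entry)
        elif not re.fullmatch(LABEL_RE, label):
            raise ValueError("bad domain label %r in %r" % (label, entry))
        else:
            seen_literal = True
    if not seen_literal:
        raise ValueError("domain needs at least one literal label: %r" % entry)
    return name, labels


def is_valid_entry(entry):
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


def entry_to_regex(entry):
    """Compile a validated entry into an anchored, case-insensitive pattern."""
    name, labels = validate_entry(entry)
    name_part = r"[^@\s]+" if name == "*" else re.escape(name)
    domain_parts = []
    for i, label in enumerate(labels):
        if label == "*":
            domain_parts.append(r"(?:%s\.)+" % LABEL_RE)   # one or more subdomains
        else:
            domain_parts.append(re.escape(label))
            if i < len(labels) - 1:
                domain_parts.append(r"\.")
    return re.compile("^%s@%s$" % (name_part, "".join(domain_parts)), re.IGNORECASE)


def sender_matches(entry, address):
    """True when the address is covered by the list entry."""
    return entry_to_regex(entry).match(address) is not None


if __name__ == "__main__":
    for candidate in ("*@*.solar.com", "*@trend.*.com", "bobby*@trendmicro.com"):
        print(candidate, "valid" if is_valid_entry(candidate) else "rejected")
    print(sender_matches("*@*.solar.com", "chang@solar.com"))   # no subdomain: False
```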
The Baseline Detection Rate has six settings:
- Most conservative
- Conservative
- Moderately conservative
- Moderately aggressive
- Aggressive
- Most aggressive

When you use a conservative setting, SPS allows some spam to enter your network. If you choose the most aggressive setting, SPS might falsely identify legitimate messages as spam. Trend Micro recommends that you select a setting in the middle and then gradually adjust the setting as needed.
If you want to adjust the level of aggression with which SPS analyzes all email, change the baseline detection rate. If you only want to adjust the level of aggression for a specific category of spam, use the additional sensitivity settings. By adjusting individual sensitivity settings, you can configure SPS to be more aggressive as it searches for some types of spam and less aggressive when it searches for other types.

For example, if your company has a legitimate use for email with commercial content, you might set the Commercial offer setting at Lowest. If your company has no tolerance for sexual and racist content, you might set the Sexual content and Racial content settings at High. When SPS analyzes email with these settings, most commercial offers are accepted as legitimate email, and anything moderately sexual or racial is blocked at the gateway.

SPS uses the baseline detection rate and the additional sensitivity settings to determine whether an email is spam. For more information on how SPS determines if an email is spam, see the Calculating the Spam Probability section in this chapter.
Filter Actions
The filter actions SPS takes on messages that are identified as spam can vary depending on the confidence assigned to the email. When SPS determines that an email is spam, it assigns one of the four confidence levels shown in Table 7-16. You can configure a different filter action for each level of confidence (see Table 7-17). For example, you might choose to delete email if SPS is Most confident that the email is sexually explicit spam. However, you might choose to quarantine email to which SPS assigns a level of Least confident.
Confidence Rating    Rough Percentage of Confidence that the Message Is Spam
Most confident       90 to 100 percent
                     80 to 89 percent
                     70 to 79 percent
Least confident      69 percent and below

Table 7-16: The confidence ratings SPS assigns to spam and the rough percentage of confidence for each rating.
Note: The percentages shown in Table 7-16 are not exact for every email. Remember, the definition of spam varies from one company to another. What one person considers spam might be another person's most important email. Trend Micro recommends that you use these percentages as guidelines, but not as absolute rules.

Action      Description
            Puts Spam in the subject line and delivers the email
            Deletes the email
            Deletes the email and notifies the administrator or user
Deliver     Sends the email to the recipient without a Spam tag in the subject line
            Delivers the email without a Spam tag in the subject line and notifies the administrator
            Postpones delivery of the email and notifies the administrator
            Quarantines the email
            Quarantines the email and notifies the administrator

Table 7-17: The default filter actions for the SPS heuristic filter.
To set actions according to specific confidence levels, click Policy Manager | Global Policy. The Global Policy screen appears. Click Edit in the Filter Action column. Click the Advanced link next to the individual category that you want to configure. Use the menu options to set a specific action for each level of confidence for that type of spam (see Figure 7-17).
Figure 7-17: Configuring SPS sexual content filter actions for various levels of confidence.
The following sections describe typical email headers and how SPS incorporates its X-headers into normal email headers.
Figure 7-18: Headers are added to the email message 1) when the message is composed, 2) when the email program forwards the email to the sender's email server, and 3) when the sender's email server forwards the email to the recipient's email server.
For example, if Joe at mydomain.com sends a message to his friend Amy at herdomain.com, the first header, generated by Joe's email program before it forwards the message to Joe's mail server, looks like the following example:

From: Joe@mydomain.com (Joe Smith)
To: Amy@herdomain.com
Date: Fri, June 20 2003 14:36:14 PST
X-Mailer: Groovymail v2.01
Subject: Lunch today?

When Joe's email server transmits the message to Amy's email server, it adds more information to the header:

Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11]) by mail.mydomain.com (8.8.5) id 004A21; Fri, Jun 20 2003 14:36:17 -0800 (PST)
From: Joe@mydomain.com (Joe Smith)
To: Amy@herdomain.com
Date: Fri, June 20 2003 14:36:14 PST
Message-Id: <Joe031897143614-00000298@mail.mydomain.com>
X-Mailer: Groovymail v2.01
Subject: Lunch today?

Amy's mail server adds more information to the header when it receives the message, then stores the message until Amy retrieves it. The final header looks like this:

Received: from mail.mydomain.com (mail.mydomain.com [124.211.3.78]) by mailhost.herdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <Amy@herdomain.com>; Fri, 20 Jun 2003 14:39:24 -0800 (PST)
Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11]) by mail.mydomain.com (8.8.5) id 004A21; Fri, June 20 2003 14:36:17 -0800 (PST)
From: Joe@mydomain.com (Joe Smith)
To: Amy@herdomain.com
Date: Fri, June 20 2003 14:36:14 PST
Message-Id: <Joe031897143614-00000298@mail.mydomain.com>
X-Mailer: Groovymail v2.01
Subject: Lunch today?

The table in Appendix E contains explanations of the information shown in the example header.
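Reading a header chain by hand is error-prone because each server prepends its Received: line, so the topmost line is the newest hop and the bottom one the oldest. The block below is an added example, not product code: it parses the final header shown above (embedded as constructed sample input, with a short body added) with Python's standard email module, lists the hops in the order the message actually travelled, and separates the hops recorded by servers you operate from the rest. Only that newest run of lines is trustworthy; anything older can be written by the sender, which is why a gateway filter such as SPS records its own X-imss headers rather than trusting what arrived. The Received: line format handled here is the common "from host (rdns [ip]) by host" form seen in the example; lines in other forms are kept raw.

```python
import email
import re

# Added example, not product code: recover the delivery path from Received:
# lines and mark which hops were recorded by servers under our control.

# The final header from the example above, plus a constructed one-line body.
SAMPLE_MESSAGE = (
    "Received: from mail.mydomain.com (mail.mydomain.com [124.211.3.78]) "
    "by mailhost.herdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869 "
    "for <Amy@herdomain.com>; Fri, 20 Jun 2003 14:39:24 -0800 (PST)\n"
    "Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11]) "
    "by mail.mydomain.com (8.8.5) id 004A21; Fri, June 20 2003 14:36:17 -0800 (PST)\n"
    "From: Joe@mydomain.com (Joe Smith)\n"
    "To: Amy@herdomain.com\n"
    "Date: Fri, June 20 2003 14:36:14 PST\n"
    "Message-Id: <Joe031897143614-00000298@mail.mydomain.com>\n"
    "X-Mailer: Groovymail v2.01\n"
    "Subject: Lunch today?\n"
    "\n"
    "Amy, are we still on for lunch?\n"
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
)


def received_hops(raw_message):
    """Parse the Received: lines into hops, oldest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom line is the oldest
        m = RECEIVED_RE.search(" ".join(value.split()))    # unfold any line wrapping
        if m:
            hops.append(m.groupdict())
        else:
            hops.append({"helo": None, "rdns": None, "ip": None, "by": None, "raw": value})
    return hops


def delivery_path(raw_message):
    """Hostnames in the order the message travelled, as one string."""
    hops = received_hops(raw_message)
    if not hops:
        return ""
    return " -> ".join([hops[0]["helo"]] + [h["by"] for h in hops])


def trusted_hops(raw_message, our_servers):
    """The newest contiguous run of hops recorded by servers we operate.
    Everything older than that run was written by systems the sender controls
    or relayed through, and can be forged."""
    trusted = []
    for hop in reversed(received_hops(raw_message)):      # newest first
        if hop["by"] in our_servers:
            trusted.append(hop)
        else:
            break
    return trusted


if __name__ == "__main__":
    print(delivery_path(SAMPLE_MESSAGE))
    for hop in trusted_hops(SAMPLE_MESSAGE, {"mailhost.herdomain.com"}):
        print("trusted hop:", hop["ip"], "->", hop["by"])
```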
Header                       Meaning
                             indicates the version of the SPS scan engine that examined a particular email message
X-imss-result                indicates which category of spam best describes the email message, the level of confidence SPS has that the email is spam, and the action taken as a result of the confidence level
X-imss-scores                indicates the numerical value assigned to the email for each filter category
X-imss-settings              indicates the SPS sensitivity levels that were used to evaluate the email
X-imss-approveListMatch      indicates that the sender of the email appears on the Approved Senders list
X-imss-blockedListMatch      indicates that the sender of the email appears on the Blocked Senders list
X-imss-sender                indicates the email address that triggered the match; added to email messages that also receive the approveListMatch or blockedListMatch header
X-imss-exclusionListMatch    indicates that the email contains keywords or combinations of keywords that appear on the exclusion list

Note: X-header tags are not unique to SPS. You may see other tags in an email header that begin with the letter X. SPS generates only the tags in the above table, all of which contain the imss marker.
Letter    Category of Spam Represented
C         Commercial spam (sale notices, coupons, special offers)
M         Make Money Fast spam (get-rich-quick material)
P         Pornographic spam (sexually explicit material)
R         Racist spam (racially insensitive material)
The X-imss-settings: line shows the baseline detection rate in effect when SPS analyzed the email (Clean: 3). In this line, the number next to each letter is the sensitivity setting for that category of spam when SPS analyzed the email. In Figure 7-19, the Commercial and Racist content filters were set at the lowest setting, while the Make Money Fast and Sexual content filters were set at the highest and second-highest settings respectively.

SPS uses the baseline score and the sensitivity setting of the filter that best matches the email to calculate whether the email is spam. Both the baseline setting and the sensitivity setting have corresponding multipliers. The multipliers are inserted into the following equation, which SPS uses to calculate the probability that an email is spam:

BM × SM = SPAM SCORE

In the equation, BM is the Baseline Multiplier and SM is the Sensitivity Multiplier (see Table 7-19 and Table 7-20).
Setting    Commercial offer    Make Money Fast    Sexual Content    Racist Content
1          1                   1                  1                 1
2          2                   2                  25                25
3          3                   3                  50                50
4          4                   4                  750               750

Table 7-19: The sensitivity multipliers for the four different sensitivity settings for the individual content filters.

Setting    Baseline Multiplier
1
2
3          .0500
4
5
6

Table 7-20: The baseline multipliers for the six different baseline settings.
For example, the X-imss-result: line in Figure 7-19 shows that SPS was very confident that the email was pornography. The baseline detection rate was set at three, so SPS used .0500 as the baseline multiplier. The sensitivity level of the Sexual content filter was also set at three, so SPS used the corresponding multiplier value of 50. The spam score, the product of these two numbers, was 2.500:

.0500 × 50 = 2.500

The spam score is the last number shown in the X-imss-settings: line. In this example, the email is spam because the spam score is greater than the baseline score displayed in the X-imss-scores: line. If the two scores had been equal, or the spam score had been less than the baseline score, the email would not have been classified as spam.
makes it unavailable to the program as a quarantine area. If you want to delete the folder, you must do so manually. All quarantined messages remain in the folder.
If a quarantine area has in use instead of a check box in the right-hand column, this quarantine area is currently being used within a filter action and cannot be deleted.
quarantined after the change. Any messages in the old quarantine directory must be deleted or manually copied to the new directory.
When managing the Quarantine area, you have three options that you can apply either to selected messages or to all the messages in the folder:

Reprocess    Reprocess messages to apply the policies configured for the message's route. Sometimes content filters mistakenly quarantine email that does not contain viruses. You can change the content filter's properties and reprocess the quarantined email. Reprocessing allows virus-free messages to pass through the content filters; infected messages are still quarantined by the updated virus-pattern file.
Deliver      Deliver the message without further processing.
Delete       Delete the message.
Review Questions
1. Which is not a good reason to exclude graphics files such as TIFF and BMP files from scanning?
   a. Graphics files are resource-intensive to scan.
   b. Graphics files are not known to carry viruses.
   c. Your messaging system frequently transfers graphics files.
   d. Graphics files, by default, always produce false positives.

2. Why is it resource-intensive to scan compressed files?
   a. Compressed files are the most common type of attachment.
   b. Compressed files often contain empty spaces that slow most scan engines.
   c. Compressed files must be decompressed before scanning.
   d. Compressed files require complicated algorithms to scan them.

3. How does InterScan MSS record one virus-infected message that is sent to three recipients in three domains?
   a. One message processed, one virus detected
   b. One message processed, three viruses detected
   c. Three messages processed, three viruses detected
   d. Three messages processed, one virus detected

4. How do you search for a phrase that contains a semicolon (;)?
   a. Enter the phrase as it is: I like dogs; I adore cats.
   b. Enter a backslash before the semicolon: I like dogs\; I adore cats.
   c. Enclose the semicolon between parentheses: I like dogs (;) I adore cats.
   d. Enclose the phrase between quotation marks: "I like dogs; I adore cats."

5. How does the SPS heuristic scan engine detect spam?
   a. Compares email to a spam database
   b. Compares characteristics of the email against predefined rules or common characteristics of spam
   c. Compares email to the search criteria that you define, based on Trend Micro recommendations
   d. Compares email to previous spam that you have saved in the SPS SpamBank
System Status
The System Status window in the InterScan MSS Web console provides real-time system-performance data (see Figure 8-1). You can check the volume of messages in the processing and retry queues, the number of messages processed since the service was started (including undeliverable messages), and the number of viruses detected.
To view the system status, select Configuration | System Monitor | System Status from the left-hand frame of the InterScan MSS Management Console. When the System Status screen appears, click Refresh to update the view.
Event Monitoring

InterScan MSS can notify you if a potential fault condition threatens to disrupt email processing or constitutes a security risk. You can be notified of the following conditions:
- Excessive messages in the delivery queue
- Results of scheduled update attempts (either successful or unsuccessful)
- Stopped scanning service
- Lack of disk space in the processing queue folder, a condition that might disrupt email processing
To configure the events for which you want to be notified, select Configuration | System Monitor | Event Monitoring from the left-hand frame of the InterScan MSS Management Console. The Event Monitoring screen will appear (see Figure 8-2).
Select the appropriate check boxes for the fault conditions about which you want to be notified and enter values in the required fields. Also select the notification methods you desire. If you wish to configure a customized notification message for different events, click the Edit message link next to the notification method(s) that you want to use.
When email cannot be delivered, the delivery queue becomes larger than usual. When you have excessive messages in the delivery queue, check your network settings and SMTP routing delivery settings to verify that all connections are working. You should also check to see if the messages have something in common, such as an IP address.
Viewing Logs
To view logs, select Configuration | Logs and choose from Virus Logs, eManager, or Program Logs. Enter the log parameters for which you want to search and click View Logs (see Figure 8-3).
Log Maintenance
You can configure the program's logging behavior, including the level of detail logged, the location of the log database, the maximum size of log files, and the amount of time that log entries are retained. When you set the level of detail logged, you control the amount of information recorded about the processing of email messages, the message transfer agent (MTA), and the email delivery agent (MDA). You can select Normal, Detailed, or Diagnostic.
Normal
When log settings are set to Normal, InterScan MSS records a minimal amount of information in the logs. This setting is optimal when the amount of available disk space is limited. The following information is included in Normal logs:
- Service starts/stops
- Program module loads/unloads
- Program update status
- Date/time the message was received
- Message ID
- Process ID
- Action InterScan MSS took with the message
Detailed
When the log settings are set to Detailed, InterScan MSS increases the amount of information recorded in the logs. This setting is optimal when you need more information about system events and the amount of disk space available is not limited. The following information is included in Detailed logs:
- All information recorded in Normal logs
- Filter results for each filter used to evaluate the message
Diagnostic
The Diagnostic setting is typically used to gather information for troubleshooting purposes. InterScan MSS records in-depth information about a system event. This setting should only be used when available disk space is unlimited. The following information is included in Diagnostic logs:
- All information recorded in Normal logs and Detailed logs
- Telnet sessions to/from
- Email MIME type
- Policy name and the message processed
- Outcome of each filter in the policy
- Action taken by each filter
- Final action taken by InterScan MSS
For examples of information displayed in each type of log, see Appendix D: Example Logs.
Note: You must restart the InterScan MSS service to apply your new log settings.
Review Questions
1. For which event can you configure the System Monitor to notify you?
   a. An undeliverable message
   b. Slow performance
   c. An attempt to bypass security
   d. The result of a scheduled-update attempt
2. When configuring the level of detail that logs will record, which three of the following options can you choose? (Choose three.)
   a. High
   b. Low
   c. Medium
   d. Diagnostic
   e. Normal
   f. Advanced
   g. Detailed
3. What happens when the total size of the log files exceeds the designated amount?
   a. InterScan MSS reserves a new block of space for log files.
   b. The oldest files are deleted.
   c. The newest files are deleted.
   d. InterScan MSS sends a notification.
Chapter 9: Troubleshooting
Chapter Objectives
After completing this chapter, you should be able to:
- Troubleshoot common problems
- Use SolutionBank to find answers to frequently asked questions
Message Looping
If a content-management filter sends an email notification with the original message attached and InterScan Messaging Security Suite (InterScan MSS) is used as the notification server, an infinite loop occurs. This problem occurs because the original message is attached to the notification email message and is tested by all filters when processed by InterScan MSS, which triggers the same filter again. Another notification is sent with the original attached, the filter is triggered again, and so on. Trend Micro recommends that you do not use the InterScan MSS server as your notification server.
If you receive an error message that says "unable to logon", try using a local administrator account instead of a domain administrator account. If asked to specify on which server InterScan MSS will be installed, manually type in the loopback address (127.0.0.1) and click Add.
SolutionBank
Trend Micro provides SolutionBank, an online knowledge database filled with answers to common questions. Use SolutionBank, for example, if you are having trouble receiving program file updates and want to find out what you can do to solve the problem. Or, if you are receiving an error message, search SolutionBank using the text of the message to find out what is causing the error and how to fix it. The contents of SolutionBank are continuously updated. New solutions are added daily. If you are unable to find an answer, however, you can describe the problem in an email message and send it directly to a Trend Micro support engineer. The support engineer investigates such issues and responds as soon as possible. To access the Trend Micro support database, open a Web browser and enter the following URL: http://solutionbank.antivirus.com/solutions/solutionSearch.asp
The following is an example of an error message and the possible solutions:
Error message
Can perform neither manual update through the console nor scheduled update.
Description
The manual update through the console fails. The scheduled update also does not work. When a manual update is performed through the console, the checkmarks (update options) disappear after the console page refreshes.
Solution
Ensure that Scheduler.exe is running and its corresponding window is on the desktop.
[General-Performance]
ISNTPerformance=low
    Specifies the multiplier for the number of threads specified in the [Email-Scan] section of this file. Setting this to med doubles the number of threads; setting it to high quadruples all threads.
ISNTServiceMaxShutdownSeconds=60
    If the ISNTSMTP process does not close down its threads within this number of seconds, the ISNTSysMonitor forces the process to close. This number should be lower than RecycleProcessMaxWaitSeconds.
FileEnumerateLimit=
    Specifies how many AF, DF, and BF files are checked at start-up for orphan message files.
Table 9-1: General Performance

[Receiver-Connection]
IdleWaitingMin=10
    Specifies how many minutes an idle SMTP connection will be held open for incoming email.
EnableMaxIncomingConnectionLimit=yes
    Enables/disables a limit on incoming connections. The maximum number of connections is specified in the next parameter. The setting can be modified to have no connection limit.
MaxIncomingConnectionLimit=250
    Specifies how many SMTP connections are permitted at once.
PerformReverseDNSLookup=no
    Corresponds with the setting in the interface. Determines whether InterScan MSS will perform the reverse DNS validation check on incoming email.
NumberOfQueueSizeSteps=5
    Specifies the number of queue size steps at which the maximum number of receiving threads is recalculated, that is, the number of QueueSize_ settings that may be specified. Each QueueSize_ key has two values separated by a semicolon (;): the first value is the queue size and the second is the number of receiving threads. The actual queue size and number of receiving threads are determined by multiplying the values by the number of CPUs (this is the same calculation used to determine the number of scanning threads from the ScanningThread key).
QueueSize_0=0;250
    When there are zero messages in the queue, 250 threads (times the number of processors) are used for receiving email.
QueueSize_1=250;100
    When there are 250 messages in the queue, 100 threads (times the number of processors) are used for receiving email.
QueueSize_2=1000;20
    When there are 1000 messages in the queue, 20 threads (times the number of processors) are used for receiving email.
QueueSize_3=10000;5
    When there are 10,000 messages in the queue, 5 threads (times the number of processors) are used for receiving email.
QueueSize_4=25000;1
    When there are 25,000 messages in the queue, one thread (times the number of processors) is used for receiving email.
SupportDSN=
    (description not shown in the table as extracted)
RejectRDNSFailedConnection=
    Default: no. Specifies that InterScan MSS should reject the SMTP connection if the sender does not supply DNS information when asked.
RejectRDNSUnverifiedConnection=
    Compares the domain name in the HELO with the domain the sender gives as its own domain and returns a 550 SMTP error if they do not match.
CommandCheckingOption=
    0 = compatible with mainstream SMTP servers; 1 = strict RFC 2821; 2 = 1 plus block "mail from: <>".
(key name not shown in the table as extracted)
    1 = reject if "mail from: <>".
(key name not shown in the table as extracted)
    Specifies how many seconds to cache an RDNS-approved connection as good.
RDNSFailCacheTimeInSeconds=
    Specifies how many seconds to cache an RDNS-failed connection as bad.
AcceptDotInAtom=
    Allows mail from: and rcpt to: to provide domains like ...george@georgesdomain.com, g..e..o..r..g..e@georgesdomain and george.@georgesdomain.com.
Table 9-2: Receiver Connection

[EMail-Scan]
ScanningThread
    Number of threads used to scan emails.
PickupDeliverThread
    Number of threads used to check the pickup_deliver directory.
PickupScanThread
    Number of threads used to check the Pickup_scan directory.
MailQueueThread
    Number of threads used to check the mqueue directory.
BounceMailQueueThread
    Number of threads used to check the BouncedMailQueue directory.
InboundMailScan=yes
    Generally used for troubleshooting only; yes = scan inbound email, no = do not scan inbound email.
OutboundMailScan=yes
    Generally used for troubleshooting only; yes = scan outbound email, no = do not scan outbound email.
BypassMessageModule=no
    Generally used for troubleshooting only; yes = bypass the message module completely, no = do not bypass the message module.
PostponeDeliverThread=
    Number of threads used to deliver postponed email.
BypassMessagePartial=
    The yes setting delivers a message that is deemed to be partially formed.
MessagePartialAction=
    If the value for this setting is NO, then InterScan MSS will quarantine the message.
(key name not shown in the table as extracted)
    =1 will launch DrWatson if the process crashes.
(key name not shown in the table as extracted)
    When the RCPT TO: field contains the percent symbol (%), InterScan MSS accepts the message and relays it from yourdomain.com to spamdomain.com. Example: user%spamdomain.com@yourdomain.com
(key name not shown in the table as extracted)
    Setting this parameter to yes allows you to specify illegal characters in the RCPT TO: field.
RestrictInDomainMeta=!#$%
    Strange/illegal characters to check for in the domain specification.
DNSDirectConnectToDomain=
    If IMSS cannot connect to any of the MX records queried from the DNS server, it tries to connect directly to the domain after the @. By default (according to the RFC standard), it will not.
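As an added example (not Trend Micro code), the following Python script reads a constructed .ini fragment that uses the key names from the tables above, works out the thread counts that follow from ISNTPerformance and the QueueSize_ steps, and lists any setting left at a value the tables describe as switching a scan or check off. The sample values, including ScanningThread=4, are constructed for illustration.

```python
"""Audit the ISNTSMTP .ini keys from Tables 9-1, 9-2 and the [EMail-Scan]
table.  Added example, not Trend Micro code: it reads a constructed .ini
fragment that uses those key names, derives the effective thread counts the
tables describe, and lists settings left at a value that bypasses a check."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample (illustrative values, not a real installation's file).
SAMPLE_INI = """
[General-Performance]
ISNTPerformance=med
ISNTServiceMaxShutdownSeconds=60
FileEnumerateLimit=

[Receiver-Connection]
IdleWaitingMin=10
EnableMaxIncomingConnectionLimit=no
MaxIncomingConnectionLimit=250
PerformReverseDNSLookup=no
NumberOfQueueSizeSteps=5
QueueSize_0=0;250
QueueSize_1=250;100
QueueSize_2=1000;20
QueueSize_3=10000;5
QueueSize_4=25000;1

[EMail-Scan]
ScanningThread=4
InboundMailScan=yes
OutboundMailScan=no
BypassMessageModule=no
"""

# Thread multiplier per ISNTPerformance level, as Table 9-1 states it.
PERFORMANCE_MULTIPLIER = {"low": 1, "med": 2, "high": 4}

# (section, key) -> the value that the tables describe as switching a scan or
# check off ("troubleshooting only" keys and the connection-limit/RDNS toggles).
WEAK_VALUES = {
    ("EMail-Scan", "InboundMailScan"): "no",
    ("EMail-Scan", "OutboundMailScan"): "no",
    ("EMail-Scan", "BypassMessageModule"): "yes",
    ("Receiver-Connection", "EnableMaxIncomingConnectionLimit"): "no",
    ("Receiver-Connection", "PerformReverseDNSLookup"): "no",
}


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse the file keeping key case.  configparser treats ';' as data
    unless inline-comment prefixes are set, so QueueSize_ values survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the mixed-case key names used in the file
    cp.read_string(text)
    return cp


def effective_scanning_threads(cp: configparser.ConfigParser, cpus: int) -> int:
    """ScanningThread x ISNTPerformance multiplier x CPU count (Table 9-2 says
    the ScanningThread value is multiplied by the number of CPUs)."""
    base = int(cp["EMail-Scan"]["ScanningThread"])
    level = cp["General-Performance"].get("ISNTPerformance", "low").lower()
    return base * PERFORMANCE_MULTIPLIER[level] * cpus


def receiving_threads_for_queue(cp: configparser.ConfigParser,
                                queue_len: int, cpus: int) -> int:
    """Apply the QueueSize_N=size;threads steps: both numbers are scaled by
    the CPU count, and the highest size threshold not exceeding the current
    queue length selects the thread count."""
    section = cp["Receiver-Connection"]
    steps: List[Tuple[int, int]] = []
    for i in range(int(section["NumberOfQueueSizeSteps"])):
        size, threads = section[f"QueueSize_{i}"].split(";")
        steps.append((int(size) * cpus, int(threads) * cpus))
    chosen = steps[0][1]
    for size, threads in sorted(steps):
        if queue_len >= size:
            chosen = threads
    return chosen


def audit(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Return {section.key: value} for each setting left at its weak value."""
    findings: Dict[str, str] = {}
    for (section, key), weak in WEAK_VALUES.items():
        value = cp[section].get(key, "").strip().lower()
        if value == weak:
            findings[f"{section}.{key}"] = value
    return findings


if __name__ == "__main__":
    conf = load_ini(SAMPLE_INI)
    print("scanning threads on 2 CPUs:", effective_scanning_threads(conf, 2))
    print("receiving threads at queue 300:", receiving_threads_for_queue(conf, 300, 1))
    for item, value in audit(conf).items():
        print(f"WEAK {item}={value}")
```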
1. Open a Web browser and enter the following URL: http://www.antivirus.com.
2. Select Products | Free Tools | HouseCall. After a few seconds, a directory tree of your hard drive is created, and the offer to perform a free scan is presented.
You can access the Trend Micro Security Information Center at the following URL: http://www.antivirus.com/vinfo/
Note: You must enter yes and no in lowercase letters. If you want to skip other types of text files, use the semicolon (;) to separate each extension.
3. Save the TMeMgr.ini file.
4. Restart InterScan MSS from the Windows 2000/NT Service Manager.
5. The new setting takes effect after you click Apply Now.
When InterScan MSS scans the email header (from, to, and cc) and the body of the email, separators are added: quotation marks ("), a comma (,), brackets (<>), and a semicolon (;). These separators are not removed when you deselect the filter's email header check box.
Normal Log
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message from: <dburnell@home.local>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message map <c:\program files\trend\imss\ISNTSMTP\mqueue\DE6DD418-BACA-4F9F-9F8FF5A876D33AA8.DF>, Subject=<normal logging with attachment policy triggered>, TID=<624>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message to: <rrivero@home.local>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] MTA finish, spend <60> ms, size=(0, 71681) bytes
2003/04/03 21:38:48 GMT-08:00 de6dd418-baca-4f9f-9f8ff5a876d33aa8 [4c4] email has been quarantined
2003/04/03 21:38:48 GMT-08:00 subject [normal logging with attachment policy triggered], sender [dburnell@home.local], recipient[<rrivero@home.local>], entity [NOTEPAD.EXE] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [stri...
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 Final action is Quarantine.
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [4c4] Scan finish, spend <381> ms

Detailed Log
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message from: <dburnell@home.local>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message map <c:\program files\trend\imss\ISNTSMTP\mqueue\83198C17-750D-43C8-A070DA61B7E4226C.DF>, Subject=<detailed logging with policy triggered>, TID=<520>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message to: <rrivero@home.local>
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070da61b7e4226c [208] Push email into <scanning queue> OK
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] MTA finish, spend <110> ms, size=(0, 162067) bytes
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C To do action: Quarantine
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070da61b7e4226c [3f8] email has been quarantined
2003/04/03 21:44:10 GMT-08:00 subject [detailed logging with policy triggered], sender [dburnell@home.local], recipient["Raffy Rivero" <rrivero@home.local>], entity [poledit.exe] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action...
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Final action is Quarantine.
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [3f8] Scan finish, spend <70> ms

Diagnostic Log
2003/04/03 21:47:07 GMT-08:00 [71c] << HELO gwsvr
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 gw-svr Hello [192.168.253.252]
2003/04/03 21:47:07 GMT-08:00 [71c] << EMAIL FROM: <dburnell@home.local>
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 <dburnell@home.local>: Sender Ok
2003/04/03 21:47:07 GMT-08:00 [71c] << RCPT TO: <rrivero@home.local>
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 <rrivero@home.local>: Recipient Ok
2003/04/03 21:47:07 GMT-08:00 [71c] << DATA
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] >> 354 gw-svr: Send data now. Terminate with "."
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] DOT command received
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] >> 250 gw-svr: Message accepted for delivery
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Message from: <dburnell@home.local>
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Message map <c:\program files\trend\imss\ISNTSMTP\mqueue\2565EE87-62E9-4417-AC5C40927E2F4625.DF>, Subject=<Diagnostic Logging policy triggered>, TID=<1820>
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Message to: <rrivero@home.local>
2003/04/03 21:47:07 GMT-08:00 2565ee87-62e9-4417-ac5c40927e2f4625 [71c] Push email into <scanning queue> OK
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] << QUIT
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] >> 221 gw-svr closing connection. Goodbye!
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] MTA finish, spend <191> ms, size=(0, 334368) bytes
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 parsing message.
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: multipart/mixed, encoding: (none)].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: multipart/alternative, encoding: (none)].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: text/plain, encoding: quoted-printable].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: text/html, encoding: quoted-printable].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: application/xmsdownload, encoding: base64].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 finished parsing message.
2003/04/03 21:47:07 GMT-08:00 Policy\Incoming Policy Matched rule : Global
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 splitting message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 finished splitting message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 To do action: Quarantine
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 writing back message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 finished writing message.
2003/04/03 21:47:08 GMT-08:00 2565ee87-62e9-4417-ac5c40927e2f4625 [320] email has been quarantined
2003/04/03 21:47:08 GMT-08:00 subject [Diagnostic Logging policy triggered], sender [dburnell@home.local], recipient["Raffy Rivero" <rrivero@home.local>], entity [explorer.exe] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [...
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 Final action is Quarantine.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [320] Scan email result <16908288>, return code <16908288>
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [320] Scan finish, spend <140> ms
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [320] Delete Message file<c:\program files\trend\imss\ISNTSMTP\mqueue\2565EE87-62E9-4417-AC5C40927E2F4625.DF> success
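The three log levels above share one line format (timestamp, optional message ID, optional thread ID in brackets, then free text); only Detailed and Diagnostic carry the per-filter outcome lines. As an added example (not part of the course or the product), the following Python parser reads lines in that format and summarises, per message ID, the filter outcomes, the final action and the scan time, so an operator can list what the attachment filter quarantined. The log lines in the sample are constructed after the entries on this page.

```python
"""Parse InterScan MSS log lines of the shape shown in Appendix D and
summarise, per message ID, the filter outcomes and the final action.
Added example, not Trend Micro code; the sample lines are constructed after
the entry shapes on this page, not taken from a live system."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: one Detailed-level message that was quarantined, one
# session-level line without a message ID, and one message that was delivered.
SAMPLE_LOG = """\
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message from: <dburnell@home.local>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] MTA finish, spend <110> ms, size=(0, 162067) bytes
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C To do action: Quarantine
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070da61b7e4226c [3f8] email has been quarantined
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Final action is Quarantine.
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [3f8] Scan finish, spend <70> ms
2003/04/03 21:47:07 GMT-08:00 [71c] << HELO gwsvr
2003/04/03 21:50:00 GMT-08:00 AAAA0000-0000-0000-000000000000BBBB [210] Message from: <alice@home.local>
2003/04/03 21:50:00 GMT-08:00 AAAA0000-0000-0000-000000000000BBBB Final action is Deliver.
2003/04/03 21:50:00 GMT-08:00 AAAA0000-0000-0000-000000000000BBBB [210] Scan finish, spend <45> ms
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} GMT[+-]\d{2}:\d{2}) "
    r"(?:(?P<msgid>[0-9A-Fa-f-]{20,}) )?"   # GUID; absent on session-level lines
    r"(?:\[(?P<tid>[0-9a-f]+)\] )?"         # thread id such as [208]
    r"(?P<text>.*)$"
)
FILTER_RE = re.compile(
    r"Filter\((?P<fid>0x[0-9A-Fa-f]+), (?P<name>[^)]+)\) runs successfully, "
    r"outcome: (?P<outcome>\S+)")
FINAL_RE = re.compile(r"Final action is (?P<action>\w+)\.")
MS_RE = re.compile(r"spend <(?P<ms>\d+)> ms")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarise(log_text: str) -> Dict[str, dict]:
    """Group entries by message ID (upper-cased: the page shows the same GUID
    logged in both cases) and collect filter outcomes, final action and the
    scan time reported on the 'Scan finish' line."""
    msgs: Dict[str, dict] = defaultdict(
        lambda: {"filters": {}, "final_action": None, "scan_ms": None, "lines": 0})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or not entry["msgid"]:
            continue  # unparsable or connection-level line: nothing to attribute
        rec = msgs[entry["msgid"].upper()]
        rec["lines"] += 1
        text = entry["text"]
        if fm := FILTER_RE.search(text):
            rec["filters"][fm["name"]] = fm["outcome"]
        elif am := FINAL_RE.search(text):
            rec["final_action"] = am["action"]
        elif text.startswith("Scan finish") and (tm := MS_RE.search(text)):
            rec["scan_ms"] = int(tm["ms"])
    return dict(msgs)


def triggered_messages(summary: Dict[str, dict]) -> List[str]:
    """Message IDs for which any filter reported Triggered; these are the
    entries to review against the quarantine directory."""
    return sorted(mid for mid, rec in summary.items()
                  if "Triggered" in rec["filters"].values())


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for mid in triggered_messages(result):
        print(mid, result[mid]["filters"], "->", result[mid]["final_action"])
```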
Line from header: by mailhost.anotherdomain.com (8.8.5/8.7.2)
Explanation: The intended recipient of this message. The date and time that this mail transfer took place. The message originated in the Pacific Standard Time zone, which is 8 hours behind Greenwich Mean Time.

Line from header: Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11]) by mail.mydomain.com (8.8.5) id 004A21; Fri, Jun 20 2003 14:36:17 -0800 (PST)
Explanation: This line documents that alpha.mydomain.com (Joe's workstation) sent the message to mail.mydomain.com at 14:36:17 Pacific Standard Time. The sending machine called itself alpha.mydomain.com. The sending machine's true name and IP address are listed inside the parentheses. The mail server at mail.mydomain.com is running SendMail version 8.8.5, and it assigned the ID number 004A21 to this email message for internal processing.

Explanation: The sender of this message, whose real name is Joe Smith.

Line from header: To: Amy@anotherdomain.com
Explanation: The intended recipient of this message, as designated by the sender when the message was composed.

Explanation: The date and time this message was composed.

Explanation: The message ID assigned to this message by the sending mail server. SMTP and ESMTP ID numbers in the Received: headers above because it is permanently attached to this message; the other IDs are associated with specific mail transactions and are only meaningful to the machine that assigns them. Sometimes (as in this example) the Message-ID includes the sender's email address. More frequently, it has no apparent meaning.

Explanation: The message was sent using a (fictitious) program called Groovymail, version 2.01. Self-explanatory.
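The Received: line above separates what the sending machine called itself from what the receiving server actually observed in parentheses. As an added example (not part of the course), the following Python code decomposes a Received: header into those fields, normalises the -0800 (PST) timestamp to UTC, and flags when the announced name differs from the reverse-DNS name the receiver recorded. The first header is the one on this page; the second is constructed.

```python
"""Decompose a Received: header into the fields Appendix E explains: the name
the sender announced, the name and IP the receiving server observed, the
receiving MTA and its software, the queue ID and the timestamp in UTC.
Added example, not part of the course; SAMPLE_HEADER is the line from this
page and SAMPLE_HEADER_2 is constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMPLE_HEADER = ("Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11]) "
                 "by mail.mydomain.com (8.8.5) id 004A21; Fri, Jun 20 2003 14:36:17 -0800 (PST)")
# Constructed: the announced name does not match what the receiver resolved.
SAMPLE_HEADER_2 = ("Received: from alpha.mydomain.com (unknown [10.0.0.5]) "
                   "by mailhost.anotherdomain.com (8.8.5/8.7.2); Fri, 20 Jun 2003 22:40:00 +0000")

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<claimed>\S+)"   # name the sender gave (self-reported)
    r"(?:\s*\((?P<observed>[^)]*)\))?"         # what the receiver saw: rDNS name [IP]
    r"\s+by\s+(?P<by>\S+)"                     # receiving host
    r"(?:\s*\((?P<software>[^)]*)\))?"         # receiving MTA version
    r"(?:.*?\bid\s+(?P<id>\S+?))?;"            # internal ID the receiver assigned
    r"\s*(?P<date>.+)$"
)
OBSERVED_RE = re.compile(r"^(?:(?P<rdns>\S+)\s*)?\[(?P<ip>[0-9.]+)\]$")
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}
DATE_RE = re.compile(
    r"(?:(?P<d1>\d{1,2})\s+(?P<m1>[A-Za-z]{3})|(?P<m2>[A-Za-z]{3})\s+(?P<d2>\d{1,2}))"
    r"\s+(?P<year>\d{4})\s+(?P<hh>\d{2}):(?P<mi>\d{2}):(?P<ss>\d{2})\s+(?P<tz>[+-]\d{4})")


def parse_date(text: str) -> Optional[datetime]:
    """Accept RFC 2822 order (20 Jun 2003) and the Mon DD YYYY order used in
    this page's sample; return the instant in UTC (-0800 is PST, so the
    sample's local 14:36:17 becomes 22:36:17 UTC)."""
    m = DATE_RE.search(text)
    if not m:
        return None
    day = int(m["d1"] or m["d2"])
    month = MONTHS[(m["m1"] or m["m2"]).lower()]
    offset = timedelta(hours=int(m["tz"][1:3]), minutes=int(m["tz"][3:5]))
    if m["tz"][0] == "-":
        offset = -offset
    local = datetime(int(m["year"]), month, day, int(m["hh"]), int(m["mi"]),
                     int(m["ss"]), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def parse_received(header: str) -> Optional[dict]:
    """Return the header's fields, or None if it is not a Received: header."""
    flat = " ".join(header.split())  # unfold a header wrapped over several lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    rdns = ip = None
    if m["observed"]:
        om = OBSERVED_RE.match(m["observed"].strip())
        if om:
            rdns, ip = om["rdns"], om["ip"]
    return {
        "claimed_name": m["claimed"],
        "observed_name": rdns,
        "observed_ip": ip,
        "receiving_host": m["by"],
        "receiving_software": m["software"],
        "queue_id": m["id"],
        "received_utc": parse_date(m["date"]),
        # Only the parenthesised part was checked by the receiver; the HELO
        # name is chosen by the sender, so a mismatch deserves a closer look.
        "name_matches_rdns": rdns is not None and rdns.lower() == m["claimed"].lower(),
    }


if __name__ == "__main__":
    for h in (SAMPLE_HEADER, SAMPLE_HEADER_2):
        print(parse_received(h))
```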
Chapter 2
1. Which of the following are recommended installation configurations for InterScan MSS? (Choose two.)
   a. Behind the firewall
   b. In front of the firewall
   c. In a DMZ
   d. Behind a DMZ
2. Which of the following installation instructions does Trend Micro recommend?
   a. Install InterScan MSS on the existing email server.
   b. Install InterScan MSS on a dedicated server.
   c. Install InterScan MSS on a server with other Trend Micro products.
   d. Install InterScan MSS on the largest server on your network.
3. Which of the following are reasons why it is beneficial to install InterScan MSS on the email server? (Choose two.)
   a. Additional servers are not required
   b. Overhead on the email server does not increase
   c. Requires less network bandwidth
   d. Greater efficiency
5. Which four of the following items can you update? (Choose four.)
   a. Virus pattern file
   b. Pattern-Matching engine
   c. Spam database
   d. Scan engine
   e. SPS Heuristic spam rules
   f. TrueScan filter
Chapter 3
1. Why would you want to use a reverse-lookup?
   a. To configure a deny access list
   b. To prevent known spam senders from using your SMTP server as a relay
   c. To enable domain-based delivery
   d. To create a masquerade domain
2. What does the hop count limit?
   a. The number of times an email can be forwarded
   b. The number of times InterScan MSS can retry delivering an email
   c. The number of times an email is scanned
   d. The number of times an email can loop between the InterScan MSS and email servers
3. What is the purpose of a masquerade domain?
   a. To block spam coming from specified domains
   b. To block all email from specified domains
   c. To change the domain name in the From: field
   d. All of the above
Chapter 4
1. Which of the following must be installed on your network in order for InterScan MSS to scan POP3 traffic?
   a. VPN
   b. RADIUS server
   c. Firewall
   d. Trend Micro Control Manager
2. Why might you need to set up a dedicated connection to the InterScan MSS server POP3 proxy?
   a. InterScan MSS is installed on a server that has more than one network interface card.
   b. Users need to authenticate to the POP3 server using the APOP command.
   c. You are using the POP3 Client Tool.
   d. You need to configure an email client that is not supported by the POP3 Client Tool ActiveX control.
Chapter 5
1. What is the purpose of the badmail directory?
   a. To hold messages that are undeliverable so they will not be deleted
   b. To hold messages that are infected by a virus
   c. To hold messages that do not have empty subject fields
   d. To hold messages that cannot be scanned
2. Which of the following statements about queue directory locations is true?
   a. UNC paths are supported.
   b. The path must be a local directory path.
   c. It is not necessary to restart InterScan MSS to apply changes to directories.
   d. All of the above
3. How do you use InterScan MSS to prevent zip-of-death attacks on your network?
   a. Specify the maximum allowable file size after decompression
   b. Restrict the number of recursively compressed layers
   c. Reject all compressed files such as ZIP and LZH files
   d. Block all large attachments
Chapter 6
1. Which of the following is not a policy component?
   a. Filter action
   b. Route
   c. Filters
   d. Sub-policy
2. Which eManager filter blocks messages that have the words Get Rich Quick in the subject line?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message size filter
   d. Subject line filter
3. Which eManager filter do you use to block large messages during business hours?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message-size filter
   d. Subject line filter
4. Which filter action is executed first?
   a. Deliver
   b. Forward original message
   c. Notification
   d. Forward modified message
5. In which order should you organize sub-policies?
   a. Most general policies first, most specific policies last
   b. Most specific policies first, most general policies last
   c. Incoming policies first, outgoing policies last
   d. Outgoing policies first, incoming policies last
Chapter 7
1. Which is not a good reason to exclude graphics files such as TIFF and BMP files from scanning?
   a. Graphics files are resource-intensive to scan.
   b. Graphics files are not known to carry viruses.
   c. Your messaging system frequently transfers graphics files.
   d. Graphics files, by default, always produce false positives.
2. Why is it resource-intensive to scan compressed files?
   a. Compressed files are the most common type of attachment.
   b. Compressed files often contain empty spaces that slow most scan engines.
   c. Compressed files must be decompressed before scanning.
   d. Compressed files require complicated algorithms to scan them.
3. How does InterScan MSS record one virus-infected message that is sent to three recipients in three domains?
   a. One message processed, one virus detected
   b. One message processed, three viruses detected
   c. Three messages processed, three viruses detected
   d. Three messages processed, one virus detected
4. How do you search for a phrase that contains a semicolon (;)?
   a. Enter the phrase as it is: I like dogs; I adore cats.
   b. Enter a backslash before the semicolon: I like dogs\; I adore cats.
   c. Enclose the semicolon between parentheses: I like dogs (;) I adore cats.
   d. Enclose the phrase between quotation marks: "I like dogs; I adore cats."
5. How does the SPS heuristic scan engine detect spam?
   a. Compares email to a spam database
   b. Compares email to the search criteria that you define, based on Trend Micro recommendations
   c. Compares email to previous spam that you have saved in the SPS SpamBank
   d. Compares characteristics of the email against predefined rules or common characteristics of spam
Chapter 8
1. For which event can you configure the System Monitor to notify you?
   a. An undeliverable message
   b. Slow performance
   c. An attempt to bypass security
   d. The result of a scheduled-update attempt
2. When configuring the level of detail that logs will record, which three of the following options can you choose? (Choose three.)
   a. High
   b. Low
   c. Medium
   d. Diagnostic
   e. Normal
   f. Advanced
   g. Detailed
3. What happens when the total size of the log files exceeds the designated amount?
   a. InterScan MSS reserves a new block of space for log files.
   b. The oldest files are deleted.
   c. The newest files are deleted.
   d. InterScan MSS sends a notification.