
Trend Micro InterScan Messaging Security Suite

Certification Training Course Student Textbook

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright 2003 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Program Manager: Tom Brandon
Editorial: Niche Associates, Inc.
Released: October 2003 v01

Table of Contents

InterScan Messaging Security Suite
  Course Objectives
  Prerequisites

Chapter 1: Overview of InterScan Messaging Security Suite
  Product Features
  New Feature: Spam Prevention Service
  Enterprise Protection Strategy

Chapter 2: Setup, Installation, and Registration
  Preparing to Install InterScan MSS
  Upgrading from InterScan MSS 5.15
  Installing InterScan MSS 5.5
  Registering InterScan MSS
  Upgrading From the Evaluation Period
  Update Settings

Chapter 3: Configuring SMTP Routing Settings
  SMTP Routing
  Delivery Settings
  Message Settings
  Testing the InterScan MSS Installation

Chapter 4: Configuring POP3 Email Scanning Settings
  POP3 Email Scanning

Chapter 5: Configuring General and Security Settings
  General Settings
  Security

Chapter 6: Understanding and Configuring Policies
  Policy Overview
  Two Types of Policies
  Editing Global Policy Filters
  Creating a Sub-Policy
  Creating New Filter Actions

Chapter 7: Understanding Filters
  Filters
  The Antivirus Filter
  Configuring the Advanced Content Filter
  Configuring a Message-Attachment Filter
  Configuring General Content Filter
  Configuring Message-Size Filters
  Configuring Disclaimer Manager Filter
  Configuring the eManager Anti-Spam Filter
  Spam Prevention Service (SPS)
  Managing the Quarantine Area

Chapter 8: Configuring System Monitor and Log Maintenance Settings
  System Monitor Settings
  Log Maintenance Settings

Chapter 9: Troubleshooting
  Troubleshooting Common Problems
  Troubleshooting the Installation Process
  Getting Support from Trend Micro
  SolutionBank
  Changes to the ISNTSmtp.ini File

Appendix A: Using Trend Micro Online Resources
  Contacting Trend Micro
  Trend Micro Virus Doctors
  Client Scans with HouseCall
  Trend Micro Security Information Center

Appendix B: Adding Entries to DNS and Excluding Files From Scanning
  Adding Entries to DNS
  Excluding Certain Types of Text Files from Scanning

Appendix C: Uninstalling and Reinstalling InterScan Messaging Security Suite
Appendix D: Example Logs
Appendix E: Interpreting Header Information
Appendix F: Answers to Review Questions

InterScan Messaging Security Suite


Course Objectives
After studying this course as part of an ATC Training Program, you should be able to:

Knowledge
  Describe the main features of InterScan Messaging Security Suite (InterScan MSS)
  Explain how InterScan MSS protects your email system from viruses and other malware
  Describe the main features of eManager
  Explain how eManager controls the content entering your email system
  Describe how the heuristic scan engine works and how Spam Prevention Service (SPS) uses it to filter spam

Skills
  Install InterScan MSS
  Use the Management Console to configure InterScan MSS for varying network conditions and preferences
  Test the capabilities of InterScan MSS
  Monitor the performance of InterScan MSS
  Update the virus pattern, scan-engine, and program files of InterScan MSS

How to Use This Material


To help you understand how to use InterScan MSS, this course is based on a learning model comprised of the following:

Chapters
Each chapter focuses on one aspect of using InterScan MSS to protect your network from viruses in the wild. In addition to defining important concepts and terms, each chapter outlines the various administration tasks you need to perform. For example, you will learn how to install, configure, and troubleshoot InterScan MSS. The PowerPoint slides your instructor uses to teach the course appear at the beginning of each chapter. The rest of the chapter contains detailed information that you can read or refer to after class.

2003 Trend Micro Incorporated

Trend Micro InterScan Messaging Security Suite Student Textbook

Chapter Objectives
Each chapter starts with a list of objectives so you can see how the chapter fits into the overall course goal. After reading the chapter, you should be able to fulfill the chapter objectives.

Summary
Each chapter ends with a summary, listing the important information explained in the chapter. The summary mirrors the chapter objectives.

Review Questions
To help you fulfill the chapter objectives, each chapter includes review questions that test your understanding of the chapter material. After reading the chapter, you should be able to answer the questions easily and quickly. If you cannot answer a question, you should review the chapter material. The answers to the review questions are provided in Appendix F: Answers to Review Questions.

Prerequisites
This course is designed for end users and resellers who need to install and set up InterScan MSS and for those who seek Trend Micro antivirus suite certification. The following professionals benefit most from this course:
  System administrators
  Network engineers

Before you take this course, Trend Micro recommends that you have the following knowledge:
  A general knowledge of TCP/IP
  A working knowledge of Microsoft Windows 2000 and Windows 2000 Advanced Server
  A working knowledge of Simple Mail Transfer Protocol (SMTP)
  A working knowledge of Microsoft Internet Information Server (IIS)
  A working knowledge of Microsoft Exchange and Microsoft Outlook Express
  Familiarity with the physical aspects of networking (such as network interface boards, cables, jacks, hubs, routers, and so on)


Chapter 1: Overview of InterScan Messaging Security Suite


Chapter Objectives
After completing this chapter, you should be able to:
  Describe the main features of InterScan Messaging Security Suite (InterScan MSS)


Product Features
InterScan MSS is a high-performance, policy-based antivirus and content-security Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) server. InterScan MSS performs the following functions:
  Protects enterprise messaging systems from Internet-borne malware
  Blocks the transmission and receipt of spam and other non-business-related content

InterScan MSS can be deployed into an existing SMTP messaging environment and protects networks from virus infection through the SMTP gateway. In addition to SMTP traffic, InterScan MSS can scan Post Office Protocol 3 (POP3) messages. POP3 scanning is performed using the InterScan MSS POP3 proxy that runs on the same server as the SMTP scanning function (using a different port). InterScan MSS eManager filters messages for spam and non-business-related content such as profanity, sexually offensive content, and racially offensive content. eManager includes filters that you can configure to block any type of content from your email system. You can also configure the Spam Prevention Service (SPS) filters to block unwanted content from your network.

AMON Support
InterScan MSS 5.5 supports Application Monitoring (AMON) from Check Point Software Technologies, LTD. InterScan MSS uses AMON to report scanning statistics to Check Point System Status Viewer.

Automatic Detection of Multiple Network Interface Cards

If you install InterScan MSS on a server that has multiple network interface cards, the setup program automatically detects the IP address of each card. You can then select the IP address that you want the program to use.

Best-Match Algorithm
The best-match algorithm is the method that InterScan MSS uses to determine which policy to apply to an email. InterScan MSS applies the policy with the route that most closely matches the addresses of the incoming email.

Cluster Servers
InterScan MSS supports cluster servers for increased performance. When you install multiple instances of InterScan MSS on clustered servers, you can save your customized settings, which are stored in INI and DAT files and in registry entries. You can then apply these settings to each instance of InterScan MSS running on the cluster servers.


Content Management
You can use InterScan MSS to inspect email messages and attachments and stop unwanted content at the gateway. Email is an indispensable business tool, but it must be managed properly to ensure it is used productively. You can create filters that use keyword expressions to eliminate anything from violent, sexually offensive, or racially offensive content to personal communications.

Domain-Based Message Routing


With InterScan MSS, email routing is based on the recipient domain. This domain-based routing capability provides flexible message delivery through multiple smarthosts or specific Domain Name System (DNS) servers.

Early Detection of Mass-Emailing Viruses

InterScan MSS detects mass-emailing viruses such as Melissa, Loveletter, and AnnaKournikova. These email-aware viruses use the infected computer's email client and address book to spread themselves. Trend Micro publishes a list of these auto-spamming viruses in the antispam pattern file, which InterScan MSS updates from the Trend Micro ActiveUpdate server.

InterScan MSS also protects your network from new mass-emailing viruses before they are added to the antispam pattern file. InterScan MSS recognizes the symptoms of infected messages and blocks them. For example, the attachment name or extension and the text that appears in the message body or header typically remain the same as the virus spreads. InterScan MSS can recognize these identifying characteristics and determine that a mass-mailing virus is spreading the file.

Because email-aware viruses can be so damaging, InterScan MSS may take different actions when it detects mass-emailing viruses than the actions it takes against other viruses. For example, if InterScan MSS detects a macro virus in a Microsoft Office document, it can quarantine the document in case it contains important information that has to be retrieved. If InterScan MSS detects a mass-emailing virus, however, the program can automatically delete the infected file. Deleting the file saves resources that would otherwise be used to scan, quarantine, or process a file that has no value. Deleting the file also prevents help-desk calls from concerned employees and eliminates post-outbreak cleanup.
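The symptom-based detection described above, as an added example written for this edition (illustrative Python, not InterScan MSS code): each message is keyed on its normalized subject and attachment name, repeats of the same key are counted in a sliding time window, and the delete-versus-quarantine choice follows the paragraph. The signature fields, the threshold of five copies in ten minutes, the reply-prefix stripping, and the sample messages are all assumptions made for the example.

```python
# Added example: flag a mass-mailing outbreak from repeated message "symptoms".
# Illustrative Python, not InterScan MSS code. The signature (normalized
# subject + attachment name), the threshold and the window are assumptions.
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

_REPLY_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def signature(subject: str, attachment: str) -> Tuple[str, str]:
    """Normalize the parts of a message that stay constant as a worm spreads."""
    subj = _REPLY_PREFIX.sub("", subject.strip()).lower()
    subj = " ".join(subj.split())          # collapse runs of whitespace
    return subj, attachment.strip().lower()


class MassMailDetector:
    """Count messages with the same signature inside a sliding time window."""

    def __init__(self, threshold: int = 5, window_seconds: int = 600) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self._seen: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def observe(self, ts: float, subject: str, attachment: str) -> bool:
        """Record one message; return True once its signature hits the threshold."""
        if not attachment:
            return False                    # this class of worm spreads by attachment
        sig = signature(subject, attachment)
        hits = self._seen[sig]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()                  # drop copies older than the window
        return len(hits) >= self.threshold


def choose_action(virus_found: bool, mass_mailer: bool) -> str:
    """Mirror the text: quarantine ordinary infections, delete mass-mailer copies."""
    if not virus_found:
        return "deliver"
    return "delete" if mass_mailer else "quarantine"


# Constructed sample traffic: five copies of one attachment within a minute,
# then an unrelated infected document. Subjects and file names are made up.
SAMPLE = [
    (0.0,  "Check this out",      "photo.jpg.vbs"),
    (10.0, "RE: Check this out",  "photo.jpg.vbs"),
    (20.0, "Fwd: check this out", "PHOTO.JPG.VBS"),
    (30.0, "Check this  out",     "photo.jpg.vbs"),
    (40.0, "Check this out",      "photo.jpg.vbs"),
    (50.0, "Q3 budget",           "budget.doc"),
]


def run_sample(threshold: int = 5) -> List[str]:
    """Return the action chosen for each sample message, in order.

    For the sample we assume the scan engine has already flagged every message
    as infected, so only the mass-mailer decision varies.
    """
    det = MassMailDetector(threshold=threshold, window_seconds=600)
    actions = []
    for ts, subject, attachment in SAMPLE:
        mass = det.observe(ts, subject, attachment)
        actions.append(choose_action(virus_found=True, mass_mailer=mass))
    return actions


if __name__ == "__main__":
    for (ts, subject, attachment), action in zip(SAMPLE, run_sample()):
        print(f"t={ts:4.0f}s  {attachment:15}  {subject!r:25} -> {action}")
```

The first four copies are quarantined like any other infected file; the fifth identical copy crosses the threshold and is deleted, while the unrelated budget document is still quarantined because its signature has been seen only once.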

Enhanced Performance
InterScan MSS includes an enhanced built-in mail transfer agent (MTA), mail delivery agent (MDA), and virus/content scanner to ensure that your messaging system runs efficiently. In addition, InterScan MSS has a multithreaded design that takes full advantage of multiprocessor systems.


Policy-Based Management
InterScan MSS provides policy-based management, which makes it easier to regulate content and filter for viruses. To enforce email usage guidelines, you can create multiple virus and content-filtering policies on a single InterScan MSS server. You can also set up different policies for individuals or groups, based on sender and recipient addresses. A policy consists of the following three attributes:

  Who: To whose messages the policy applies
  What: What message or attachment characteristics, such as addresses, keyword expressions, file types, and sizes, are to be filtered
  Action: The action to take with email that triggers the filters
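The best-match algorithm from the Product Features list and the who/what/action policy structure above, as one added example written for this edition (illustrative Python, not InterScan MSS code): each policy carries a sender route and a recipient route, a list of filter names, and an action; the selector scores how specifically each route matches a message's addresses and returns the policy with the highest score, falling back to the global policy. The scoring scale, the tie-break rule, and the sample policies are assumptions.

```python
# Added example: best-match policy selection over "who / what / action" policies.
# This is illustrative Python, not InterScan MSS code. The specificity scoring
# (exact address > wildcard pattern > catch-all) and the tie-break are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    sender: str                 # "who": glob pattern over the sender address
    recipient: str              # "who": glob pattern over the recipient address
    filters: List[str] = field(default_factory=list)   # "what": filters to run
    action: str = "deliver"     # "action": what to do when a filter triggers


def specificity(pattern: str, address: str) -> Optional[int]:
    """How closely a route pattern matches an address; None means no match.

    Assumed scale: 3 for an exact address, 2 for a domain or other wildcard
    pattern, 1 for the catch-all "*".
    """
    pattern, address = pattern.lower(), address.lower()
    if not fnmatchcase(address, pattern):
        return None
    if pattern == "*":
        return 1
    if "*" in pattern or "?" in pattern:
        return 2
    return 3


def best_match(policies: List[Policy], sender: str, recipient: str) -> Policy:
    """Return the policy whose route most closely matches (sender, recipient).

    Highest total specificity wins; ties go to the more specific recipient
    route, then to the policy listed first. A global "*" -> "*" policy matches
    everything, so a result is guaranteed when one is present.
    """
    best: Optional[Tuple[Tuple[int, int], Policy]] = None
    for p in policies:
        s, r = specificity(p.sender, sender), specificity(p.recipient, recipient)
        if s is None or r is None:
            continue                        # this route does not apply
        key = (s + r, r)
        if best is None or key > best[0]:
            best = (key, p)
    if best is None:
        raise LookupError("no policy matched; add a global '*' -> '*' policy")
    return best[1]


# Constructed sample policies; example.com is a documentation name, not a site.
POLICIES = [
    Policy("global", "*", "*", ["antivirus", "antispam"], action="quarantine"),
    Policy("sales-inbound", "*", "*@sales.example.com",
           ["antivirus", "attachment-size"], action="deliver"),
    Policy("executive", "*", "ceo@example.com",
           ["antivirus", "advanced-content"], action="quarantine-and-notify"),
    Policy("outbound", "*@example.com", "*", ["antivirus", "disclaimer"],
           action="deliver"),
]


def route(sender: str, recipient: str) -> Tuple[str, str]:
    """Pick the policy for one message and report (policy name, action)."""
    p = best_match(POLICIES, sender, recipient)
    return p.name, p.action


if __name__ == "__main__":
    for s, r in [("bob@partner.net", "ann@sales.example.com"),
                 ("bob@partner.net", "ceo@example.com"),
                 ("ann@example.com", "bob@partner.net"),
                 ("x@unknown.org", "y@unknown.org")]:
        print(f"{s} -> {r}: {route(s, r)}")
```

A message from an outside sender to the CEO picks the executive sub-policy over the global one because the exact recipient address outscores the catch-all; a message that matches no sub-policy route falls through to the global policy, which is why the global policy must always exist.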

Quarantine Manager
You can use the Quarantine Manager to manage messages in the quarantine area. The Quarantine Manager is part of the InterScan MSS Web console. You can view the messages in the quarantine area and decide what action you want to take with them. The Quarantine Manager has a query feature that you can use to retrieve information about the messages in the quarantine area, including the reason the message was quarantined.

Secure, Web-Based Management Console


InterScan MSS includes a Secure Sockets Layer (SSL)-compatible, Web-based Management Console. Using this Management Console, you can control access to InterScan MSS servers and sessions from any Web-enabled workstation on your network.

Server Access Control


You can set connection and relay restrictions that prevent unauthorized use of your InterScan MSS server. Such restrictions can prevent spammers from using your email servers to relay email messages. To ensure that InterScan MSS processes only messages you deem acceptable, you can also set limits on inbound connections, message sizes, and other parameters.
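The connection and relay restrictions above, as an added example written for this edition (illustrative Python, not InterScan MSS code or configuration): an RCPT TO check that accepts mail for the local domains from any source, accepts mail for other domains only from a trusted internal network, and refuses everything else so the gateway cannot be used as an open relay; plus a message-size check on the ESMTP SIZE parameter and a per-source connection cap. The domains, address ranges, limits, and reply texts are assumptions; the reply codes follow common SMTP server practice.

```python
# Added example: the relay, size and connection checks a gateway applies before
# it accepts a message. Illustrative Python, not InterScan MSS code. The local
# domains, trusted network, limits and reply texts are assumptions.
import ipaddress
from collections import Counter
from typing import Tuple

LOCAL_DOMAINS = {"example.com", "sales.example.com"}    # domains we receive mail for
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # internal clients allowed to send out
MAX_MESSAGE_BYTES = 10 * 1024 * 1024
MAX_CONNECTIONS_PER_IP = 10

Reply = Tuple[int, str]


def check_rcpt(client_ip: str, recipient: str) -> Reply:
    """Decide an RCPT TO command.

    Inbound mail for our own domains is accepted from anywhere. Mail for any
    other domain is accepted only from the trusted networks (our own users
    sending out). Everything else is a relay attempt and is refused.
    """
    addr = ipaddress.ip_address(client_ip)
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "OK"
    if any(addr in net for net in RELAY_NETWORKS):
        return 250, "OK"
    return 554, f"Relay access denied for {recipient}"


def check_size(declared_bytes: int) -> Reply:
    """Enforce the message-size limit on the ESMTP SIZE= parameter of MAIL FROM."""
    if declared_bytes > MAX_MESSAGE_BYTES:
        return 552, "Message size exceeds fixed maximum message size"
    return 250, "OK"


class ConnectionLimiter:
    """Cap simultaneous inbound connections per source address."""

    def __init__(self, limit: int = MAX_CONNECTIONS_PER_IP) -> None:
        self.limit = limit
        self._open: Counter = Counter()

    def connect(self, client_ip: str) -> Reply:
        if self._open[client_ip] >= self.limit:
            return 421, "Too many connections from your host, try again later"
        self._open[client_ip] += 1
        return 220, "mail.example.com ESMTP ready"

    def disconnect(self, client_ip: str) -> None:
        if self._open[client_ip] > 0:
            self._open[client_ip] -= 1


if __name__ == "__main__":
    # 203.0.113.9 plays an external host, 192.0.2.5 an internal workstation.
    print(check_rcpt("203.0.113.9", "ann@example.com"))    # inbound: accepted
    print(check_rcpt("203.0.113.9", "victim@other.net"))   # relay attempt: refused
    print(check_rcpt("192.0.2.5", "friend@other.net"))     # outbound from inside: accepted
    print(check_size(12 * 1024 * 1024))                    # over the limit: refused
```

The relay check is the one to verify from outside after installation: connect to the gateway from an address that is not in the trusted network and issue a RCPT TO for a domain you do not host; the gateway should refuse it.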

Single-Server, Multiple-Policy Support


A single InterScan MSS server can enforce company rules on email use. You can set up different policies for individuals or groups based on the sender and recipient addresses. You can create a maximum of 3,000 sub-policies within a single InterScan MSS installation. However, each sub-policy can have an unlimited number of filters.


SMTP Load Balancing to Downstream Email Servers


InterScan MSS has an enhanced domain-based delivery mechanism and delivers email to downstream SMTP servers in round-robin fashion. This delivery mechanism balances the email load for all downstream SMTP servers (see Figure 1-1).

Figure 1-1: InterScan MSS uses a round-robin method to forward email to downstream SMTP servers. (Diagram: the Internet delivers mail over SMTP to the IMSS server, which forwards each message over SMTP to the first available of several downstream SMTP servers.)
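Domain-based routing and round-robin delivery with failover, as one added example written for this edition that covers both the Domain-Based Message Routing section and this one (illustrative Python, not InterScan MSS code): a route table maps each recipient domain to a pool of downstream servers, each pool hands out its hosts in turn, and a host that does not accept the connection is skipped so the message goes to the first available server, as in Figure 1-1. The host names, the route table, and the is_up probe are constructed for the example.

```python
# Added example: domain-based routing with round-robin delivery to downstream
# servers, skipping servers that are down. Illustrative Python, not InterScan
# MSS code; the route table, host names and the "down" set are constructed.
from typing import Callable, Dict, List, Set


class NoServerAvailable(Exception):
    """No downstream server accepted the connection. A real gateway would
    leave the message in its delivery queue and retry later."""


class RoundRobin:
    """Hand out downstream hosts in turn, starting after the last one used."""

    def __init__(self, hosts: List[str]) -> None:
        self.hosts = list(hosts)
        self._next = 0

    def pick(self, is_up: Callable[[str], bool]) -> str:
        n = len(self.hosts)
        for i in range(n):
            host = self.hosts[(self._next + i) % n]
            if is_up(host):
                # resume after the host we just used, not after the one we skipped
                self._next = (self._next + i + 1) % n
                return host
        raise NoServerAvailable(", ".join(self.hosts))


class DomainRouter:
    """Map a recipient domain to its pool of downstream servers; the "*" entry
    is the default route (for instance an outbound smarthost)."""

    def __init__(self, table: Dict[str, List[str]]) -> None:
        self.pools = {d.lower(): RoundRobin(h) for d, h in table.items()}

    def deliver(self, recipient: str, is_up: Callable[[str], bool]) -> str:
        domain = recipient.rpartition("@")[2].lower()
        pool = self.pools.get(domain) or self.pools.get("*")
        if pool is None:
            raise NoServerAvailable(f"no route for {domain}")
        return pool.pick(is_up)


# Constructed route table: three internal mail servers for example.com and a
# single smarthost for every other domain.
ROUTES = {
    "example.com": ["mail1.internal", "mail2.internal", "mail3.internal"],
    "*": ["smarthost.isp.example"],
}


def simulate(recipients: List[str], down: Set[str]) -> List[str]:
    """Deliver a batch and return the host chosen for each message, in order."""
    router = DomainRouter(ROUTES)
    return [router.deliver(r, lambda h: h not in down) for r in recipients]


if __name__ == "__main__":
    batch = ["a@example.com", "b@example.com", "c@example.com", "d@other.net"]
    print(simulate(batch, down=set()))
    print(simulate(batch, down={"mail2.internal"}))
```

With all hosts up the three internal messages go to mail1, mail2, and mail3 in turn; with mail2 down the second message skips to mail3 and the rotation continues from there, so the load still spreads across the servers that remain.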

Support for POP3 Email


InterScan MSS can scan POP3 email traffic. The POP3 proxy runs on the same server as the SMTP scanning function, but it uses a different port. InterScan MSS also includes a POP3 Client Tool, which is an ActiveX control for configuring email clients. You can use the POP3 Client Tool to automate the configuration of several common email clients.

Note: The ActiveX configuration tool only works with Outlook Express. All other clients require manual configuration.

System Monitor
InterScan MSS includes a built-in agent, called the System Monitor, which monitors the status of the InterScan MSS server. The System Monitor can notify you by email or Simple Network Management Protocol (SNMP) trap when fault conditions, such as a virus, threaten to disrupt the email flow. Detailed logging helps you take a proactive approach to these issues and eliminate them before they become a problem. Event monitoring helps you identify potential trouble spots and provides notifications so that you can correct problems and keep the system running smoothly.


Some events are handled automatically. For example, if the InterScan MSS service stops, it restarts automatically to ensure email flow is not interrupted.

New Feature: Spam Prevention Service


The addition of Spam Prevention Service (SPS) 2.0 provides InterScan MSS with heuristic spam filtering capabilities. Heuristic technology calculates the probability that a particular message is spam. Unlike other methods used to identify spam, heuristic technology is capable of identifying first-time spam, or spam that has not been previously documented. Because spammers frequently change the techniques they use, heuristic scanning is an important layer of defense against new spam.

Enterprise Protection Strategy


InterScan MSS protects your network at the SMTP gateway, which is one of the main entry points to your network. However, you must also protect the other entry points. For example, when users browse the Internet or download files from Web sites, their workstations might be attacked by malware. When mobile users plug their laptops into public networks, home networks, or networks at other companies, their laptops might be attacked by malware; when these users reconnect to your network, malware on their computers can spread to it. Once malware enters your network, it can quickly spread to all vulnerable devices. Trend Micro offers a variety of products that you can use to protect each of these entry points (see Table 1-1).
Product: InterScan Web Security Suite
  Protection: HTTP and FTP
  Platform: Windows and Solaris

Product: InterScan VirusWall
  Protection: SMTP, HTTP, and FTP
  Platform: Windows, Solaris, HP-UX, Linux, and IBM AIX

Product: InterScan Messaging Security Suite
  Protection: SMTP and POP3
  Platform: Windows and UNIX

Product: InterScan Web Manager
  Protection: HTTP
  Platform: Windows

Product: ScanMail for Microsoft Exchange
  Protection: SMTP
  Platform: Microsoft Exchange on Windows

Product: ScanMail for Lotus Notes
  Protection: SMTP
  Platform: IBM Lotus Domino on Windows, IBM AIX, IBM S/390, IBM AS/400, Linux, Solaris, and SUSE

Product: ScanMail for OpenMail
  Protection: SMTP
  Platform: OpenMail on HP-UX

Product: ServerProtect
  Protection: File system
  Platform: Windows, NetWare, Network Appliance Filers, EMC Celerra, and Linux

Product: PortalProtect
  Protection: File system
  Platform: Microsoft SharePoint Portal Server on Windows

Product: Damage Cleanup Server
  Protection: Cleaning templates that repair damage to a device, including changes made to the registry, files, and open ports
  Platform: Client: Windows; Server: Windows

Product: PC-cillin
  Protection: File system, network shares, and POP3
  Platform: Windows

Product: OfficeScan Corporate Edition
  Protection: File system, TCP/IP, Outlook client, PDAs, and wireless devices
  Platform: Client: Windows; Server: Windows

Table 1-1: Trend Micro products that you can use to protect the different entry points on your network.

Note: To help you protect your network against the latest malware threats, Trend Micro is constantly updating its products. For up-to-date information, visit http://www.trendmicro.com.

Protecting individual devices and systems is only the first layer of defense. To prevent malware from damaging your network and causing downtime, you need an integrated solution that coordinates all virus-protection products, mitigates damage caused by malware attacks, and cleans damaged systems. The Trend Micro Enterprise Protection Strategy (EPS) combines products, services, and support to protect network entry points. To rebuff a malware attack, the Enterprise Protection Strategy delivers a coordinated defense that begins when a new virus is discovered and ends when the threat is eliminated.


Relying on a broad offering of specific products and resources, the Trend Micro EPS includes these basic components (see Figure 1-2):
  Trend Micro Control Manager
  Outbreak Prevention Services
  Virus Response Services
  Damage Cleanup Services

Figure 1-2: Using Trend Micro Enterprise Protection Strategy to manage the outbreak lifecycle. (Diagram: Trend Micro Control Manager provides centralized management, covering outbreak lifecycle management, deployment, and reporting, across three outbreak lifecycle phases: Outbreak Prevention (notification and assurance), Virus Response (scan and eliminate), and Assessment and Restoration (assess and clean up, restore and post-mortem). The corresponding stages are Threat Information, Attack Prevention, and Pattern File, and the matching Trend Micro services are Outbreak Prevention Services, Virus Response Services, and Damage Cleanup Services.)

Trend Micro Control Manager


Trend Micro Control Manager provides centralized management and enterprise-wide coordination of all Trend Micro antivirus and content-security products and services. Using Trend Micro Control Manager, you can monitor virus activity on your network from a central location. You can ensure that virus pattern files are always updated, and you can deploy and enforce virus-protection policies across the entire network. You can also respond quickly to virus outbreaks.

Outbreak Prevention Services


Outbreak Prevention Services (OPS) provides proactive attack updates, outbreak prevention policies, and system-wide status reports. Coupled with Trend Micro products that reside at critical points across the network, OPS accelerates response times in protecting networks against new malware. By applying information and prevention policies that focus on a specific threat, you can deflect, isolate, and restrict attacks before they spread. These early prevention measures help reduce system damage and prevent costly shutdowns that affect business operations.

Virus Response Services


Virus Response Services includes the Virus Response Service Level Agreement (SLA) and threat-based scanning. The SLA is a penalty-backed guarantee to deliver a virus pattern file within two hours from the time the customer submits a virus case. If Trend Micro fails to meet this promise, it will pay the customer an amount of money agreed to in the SLA.


The virus pattern file provided with Virus Response Services includes threat-based scanning. This feature increases the efficiency of virus scanning by focusing the search in areas where the threat is most likely to be found.

Damage Cleanup Services


The Damage Cleanup Services provides cleaning templates that scan the system and assess the damage incurred during the outbreak. The template analyzes changes that were made to files, system settings, and network protocols. These changes include hidden guest accounts, registry entries, and memory-resident payloads. For more information about the EPS, visit Trend Micro's Web site at http://www.trendmicro.com.


Chapter 1 Summary and Review Questions


Summary
InterScan MSS analyzes email messages and attachments for content that you want to block from your network. Because InterScan MSS supports both SMTP and POP3 traffic, it can scan all messages entering or leaving your company's email system. With InterScan MSS, you can block viruses at the gateway before they enter your company's messaging system or network. In addition, you can block non-business-related email, including violent, sexually offensive, or racially offensive email. To enforce your company's email usage rules, you can create virus and content-filtering policies. You can also set up different policies for individuals or groups, based on sender and recipient addresses.

Review Questions
1. Which feature allows you to control the level of antivirus and content management that is applied to members of your organization?
   a. Domain-based message routing
   b. Quarantine manager
   c. Policy-based management
   d. Single-server, multiple policy support

2. Which feature can you use to filter unwanted email, such as sexually or racially insensitive material?
   a. Domain-based message routing
   b. Content management
   c. Policy-based management
   d. Single-server, multiple policy support

3. Which feature notifies you when a fault condition threatens to disrupt email flow?
   a. Content management
   b. Enhanced server access control
   c. Quarantine manager
   d. System Monitor

Chapter 2: Setup, Installation, and Registration


Chapter Objectives
After completing this chapter, you should be able to:
  List the options for incorporating InterScan Messaging Security Suite (InterScan MSS) into your current firewall setup
  Choose an installation server, based on the requirements of your company's network
  Install InterScan MSS
  Register InterScan MSS
  Configure InterScan MSS
  Upgrade InterScan MSS from trial to full version
  Update InterScan MSS


Preparing to Install InterScan MSS


Before you install InterScan MSS, consider the following:
  Location: You must decide how to incorporate InterScan MSS with your firewall.
  Installation server: You must decide whether to install InterScan MSS on the Simple Mail Transfer Protocol (SMTP) server or on a dedicated server.
  Hardware requirements: You must ensure that the server meets the minimum hardware requirements for running InterScan MSS.

Incorporating InterScan MSS with Your Firewall


Trend Micro recommends the following two options for incorporating InterScan MSS into your current firewall setup:
  Behind the firewall
  In the Demilitarized Zone (DMZ)

Behind the Firewall


You should always install InterScan MSS behind a firewall. In this configuration, the firewall can continue to protect your network against intrusion while InterScan MSS provides content scanning and filtering (see Figure 2-1).

Note: You should never install InterScan MSS in front of your company's firewall. InterScan MSS is a content-security product, not a firewall.

Figure 2-1: Installing InterScan MSS behind the firewall. (Diagram labels: Internet, Firewall, IMSS, SMTP Server, domain2.com.)


In the DMZ
You can install InterScan MSS in a DMZ, which further protects your company's network from Internet-based attacks. A DMZ isolates traffic that is coming from the Internet, preventing this traffic from directly accessing your network. You can create a DMZ by installing two firewalls to separate your network from the Internet. The area between the two firewalls is the DMZ, which is where you would place your InterScan MSS server (see Figure 2-2).

Figure 2-2: Installing InterScan MSS on a dedicated server in the DMZ. (Diagram labels: Internet, External Firewall, DMZ, IMSS, Internal Firewall, SMTP Server; incoming and outgoing traffic on port 25.)

You can also create a DMZ using just one firewall. In such a configuration, email passes through the firewall when entering the network. After InterScan MSS has scanned the email, it sends it back through the firewall to the SMTP server and on to the receiving client (see Figure 2-3).
Figure 2-3: Installing InterScan MSS in a one-firewall DMZ. (Diagram labels: Internet, Firewall, IMSS, SMTP Server, Receiving Client. Email passes through the firewall on the way to the InterScan MSS server; after InterScan MSS completes the scanning, it routes the email back through the firewall to the SMTP server.)


Choosing the InterScan MSS Server


You can install InterScan MSS either on your SMTP server or on a dedicated server. Installing InterScan MSS on a server that runs other applications can decrease efficiency, so Trend Micro recommends a dedicated server. The decision, however, depends primarily on resource availability and SMTP traffic. A dedicated server is ideal for networks with heavy email traffic because the overhead on the email server does not increase, and if your email server runs antivirus products from other vendors, a dedicated server avoids conflicts between the applications. Installing InterScan MSS on your email server, on the other hand, does not require any additional servers, uses less network bandwidth, and does not require changes to your network's DNS configuration (see Figure 2-4).

Figure 2-4: Installing IMSS on the original SMTP server. (Diagram labels: Internet, Firewall, IMSS on the existing SMTP gateway, Client.)

If you install InterScan MSS on your email server, you must configure the InterScan MSS server exactly as your existing SMTP server is configured. Matching the configuration ensures that the email server and InterScan MSS both process all email. When you install InterScan MSS on the same computer as the email server, ensure that the SMTP and InterScan MSS ports do not conflict. InterScan MSS binds to port 25 by default, so the port on the existing SMTP server must be changed before you install InterScan MSS. If you are using POP3, the POP3 port number should also be changed, because InterScan MSS tries to bind to port 110. After you reassign these ports, you can run the InterScan MSS setup program.
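A pre-install check for the port conflict described above, written here as an added example in Python (it is not part of the textbook or of InterScan MSS): it probes each port InterScan MSS will bind and reports the ones an existing server already holds, so they can be reassigned before setup.exe runs. The port labels and the stand-in listener in demo() are constructed for the example.

```python
import socket
from contextlib import closing

# Ports InterScan MSS tries to bind by default (from the text); the labels are ours.
REQUIRED_PORTS = {25: "SMTP receiver", 110: "POP3"}


def port_in_use(port, host="127.0.0.1"):
    """True if another process already holds host:port (a bind attempt fails)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return True
    return False


def preinstall_port_report(ports=REQUIRED_PORTS, host="127.0.0.1"):
    """Return {port: (label, conflict)} for every port InterScan MSS will need."""
    return {port: (label, port_in_use(port, host)) for port, label in ports.items()}


def conflicts(report):
    """Just the ports that must be reassigned on the existing server first."""
    return sorted(port for port, (_, busy) in report.items() if busy)


def demo():
    """Constructed scenario: a listener on an ephemeral port stands in for the
    existing SMTP server, so the check runs without privileges or a real MTA.
    Returns (conflict detected while listening, still in use after release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as existing_smtp:
        existing_smtp.bind(("127.0.0.1", 0))
        existing_smtp.listen(1)
        taken = existing_smtp.getsockname()[1]
        while_listening = conflicts(preinstall_port_report({taken: "existing SMTP server"}))
    after_release = port_in_use(taken)
    return while_listening == [taken], after_release
```

Run preinstall_port_report() on the target server with host set to the address the existing server binds; on Windows a bind to a specific address can coexist with another process's wildcard bind, so when in doubt confirm with netstat -an.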

Configuring Email Flow Through Your Network


Regardless of where you install InterScan MSS, you must configure your email flow in the same fashion. Incoming email must pass through InterScan MSS first. After InterScan MSS scans email, it passes it to the network email server, which then passes it to the receiving clients. Outgoing email must pass through the network email server first, which then passes it to InterScan MSS (see Figure 2-5).


InterScan MSS should be the first server through which incoming email passes and the last server through which outgoing email passes.

Figure 2-5: Proper configuration of email flow. (Diagram labels: Internet, Firewall, IMSS, Email Server, Receiving Client.)

Checking the System Requirements


Before installing InterScan MSS, you should ensure that your network meets the following hardware and software requirements:

Minimum Hardware Requirements
- Intel Pentium III 650 MHz CPU
- 512 MB RAM
- 500 MB disk space for email storage

Note: Ensure that the minimum disk space is maintained. If this minimum is not maintained, InterScan MSS may experience critical problems.

Recommended Hardware Requirements
- Intel Pentium III 1 GHz or above
- 1 GB RAM
- Minimum 2 GB of free hard disk space for email storage (InterScan MSS uses a store-and-forward mechanism, so a large hard disk is recommended.)

Software Requirements
- Windows 2000 Server/Advanced Server (recommended), Windows Server 2003, or Windows NT 4 Server

Note: Installation on Windows NT 4 has only been tested with Service Pack 6A. The Windows 2000 installation has been tested with Service Pack 4.

- Microsoft Internet Information Server (IIS) 4.0 or above, with the latest security patches, to host the InterScan MSS Web console
- Microsoft Internet Explorer 5.5 or above

Note: Netscape Navigator is not supported.



Upgrading from InterScan MSS 5.15


The InterScan MSS 5.5 installation program can automatically upgrade from both InterScan MSS 5.1 and InterScan MSS 5.15. If the installation program detects either of these two previous versions, it can:
- Uninstall the previous version of InterScan MSS
- Migrate the existing settings
- Install InterScan MSS

Note: InterScan VirusWall and versions of InterScan MSS prior to 5.1 cannot be upgraded by the installation program. You must completely uninstall these programs before installing InterScan MSS 5.5.

Once you have migrated previous InterScan MSS settings, you must activate InterScan MSS. When you activate InterScan MSS, all previously created eManager filters that you migrated will be inactive. You must use the Policy Manager to reactivate them.

Note: If you choose not to migrate your old InterScan MSS settings, Trend Micro recommends that you completely uninstall InterScan MSS and perform a clean install.

If the target server has a copy of InterScan MSS 5.x, the following files are automatically backed up during migration:
- isntsmtp.ini
- domaintable.ini
- tmlogflag.ini
- localdomain.dat
- conn_restrict.dat
- relay_restrict.dat
- vsapi32.dll

These files are migrated to your new software installation, and backup copies are created in the \IMSS_RILOG directory on the root drive.

Installing InterScan MSS 5.5


You must have the following information when you run the installation program:
- InterScan MSS and SPS registration codes and activation codes
- IP address and port number of the SMTP server that currently handles your email
- IP address and port number of the SMTP server used to send notification email messages (optional)
- Administrator's email address for receiving notifications
- The email domain name(s) of the server that processes messages for your network (as shown in the MX record on your DNS server)
- The name of the Windows NT or Windows 2000 server where you want to install InterScan MSS
- An administrator credential (user name and password) with local administrative rights, or domain administrator credentials

Note: Trend Micro recommends that you do NOT use the InterScan MSS server as your notification server. Using the InterScan MSS server as your notification server can cause message looping, and, if the InterScan MSS server stops working, you cannot receive notification messages from the system Monitor.

If you have downloaded the InterScan MSS package from the Internet as a single compressed file, decompress the package to a folder, preserving the folder structure that existed within the compressed file. Close all programs on the target server. If either Microsoft Internet Explorer or the Microsoft Management Console (MMC) is open, installation will fail, and other MMC-related programs may interfere with the InterScan MSS installation console. Close these programs on both the target server and the computer from which you run the remote installation.

Note: Do not disable the Distributed Component Object Model (DCOM). InterScan MSS will not function properly if this service is disabled.

SSL Communication

You can use Secure Socket Layer (SSL) to protect the communication between the Web console and InterScan MSS. If you choose to use SSL protection, you must generate and apply an SSL certificate to the Microsoft Internet Information Server (IIS) before installing InterScan MSS. If you do not apply the certificate prior to installation, you will have to uninstall InterScan MSS, apply the certificate, and reinstall InterScan MSS.

Running the Installation Program


Double-click the setup.exe file to start the InterScan MSS installation program. You can run setup.exe from the target server or any other Windows NT or 2000 server or workstation on your network.

Note: The InterScan MSS installation program uses the Netlogon port (TCP port 445). If you have locked down this port, you will need to open it before you run the installation program.

Note: The Remote Registry Service should be running on the target server.


Accessing the Web Console


To open the InterScan MSS Web console, click Start and select All Programs | Trend Micro InterScan Messaging Security Suite for SMTP | Trend Micro InterScan Messaging Security Suite for SMTP Web Configuration. The Welcome screen appears (see Figure 2-6). The InterScan MSS Web console does not have a default password. Leave the password field empty and click Enter. You can set a password after you have activated the InterScan MSS services.

Note: Trend Micro recommends setting a password to restrict access to InterScan MSS. For more information on setting the password, see the General Settings section of Chapter 5: Configuring General and Security Settings.

Figure 2-6: The Welcome screen for the InterScan MSS Web console.

The InterScan MSS installation program creates a shortcut that takes you directly to the Welcome screen of the InterScan MSS Web console. The shortcut is located in the C:\Program Files\Trend\IMSS\UI folder (see Figure 2-7). You can copy this shortcut, paste it on the desktop, and use it for easy access to the InterScan MSS Web console.


If you are using SSL communication, you must change the shortcut to point to an HTTPS URL instead of an HTTP URL. To change this setting, right-click the shortcut and select Properties. The intscan Properties menu appears (see Figure 2-8). Click the Web Document tab and make the necessary modifications to the URL.

Figure 2-7: The InterScan MSS installation program creates a shortcut to the Web console that you can copy to your desktop.

Figure 2-8: The intscan Properties menu.


Registering InterScan MSS


When you open the InterScan MSS Web console, it opens directly to the product activation page. In order to activate InterScan MSS or Spam Prevention Service (SPS), you must enter a valid Activation Code. Each product has a separate code. You can obtain an Activation Code in the following ways:
- As part of the product download
- Through a reseller
- Directly from the Trend Micro Web site (http://www.trendmicro.com)

Proxy Settings
If you use a proxy server to connect to the Internet, you must configure your server and authentication settings before attempting an update. As a security precaution, the proxy password is sent only once from the InterScan MSS Web console to the InterScan MSS server. When you return to the Proxy Settings screen, the Password field appears blank. Displaying the password, even as a series of asterisks, would necessitate sending the proxy user name and password between the server and browser.

To enter your Activation Code and configure your proxy server (if applicable), click Configuration | Product License from the left-hand column of the InterScan MSS management console. The Product License screen appears, showing which products are activated. Click the Activate link next to the product you want to activate, and another Product License screen appears (see Figure 2-9). Enter the requested information to activate your product.


Figure 2-9: The Product License screen.

Upgrading From the Evaluation Period


If you entered an evaluation Activation Code for either InterScan MSS or SPS, you began a 30-day trial period that allows you to test the full functionality of the software. You can upgrade from the evaluation period to the registered version of either product at any time by entering a valid Activation Code in the Web console. To upgrade from the 30-day trial version, click Configuration | Product License from the left-hand column of the InterScan MSS management console. The Product License screen appears. Click the View license details link next to the product that you want to permanently activate. A new Product License screen appears. Click the Enter a new code link and enter the requested information in the fields provided on the resulting screen (see Figure 2-10).


Figure 2-10: The Enter a New Code screen used when upgrading from the InterScan MSS trial version to the full version.

Note: You cannot use another evaluation code if you are already using the evaluation version of the product. You must enter a full-version activation code. To obtain a valid activation code, contact the Trend Micro sales department. Contact information is available at http://www.trendmicro.com

Benefits
Registering your product is important because it entitles you to the following benefits:
- One year of program and pattern file updates
- Important product information

Update Settings
To maintain the highest level of protection against the latest virus and content threats, you must update your virus-pattern file and spam database regularly. Trend Micro updates the virus-pattern file several times per week in response to newly released viruses. In addition, Trend Micro periodically updates the scanning engine, which is the component that compares a files binary structure with the virus-pattern file, detects suspicious virus-like behavior, and cleans viruses. The heuristic spam rules are also updated periodically in order to improve the accuracy with which SPS identifies spam. Updates to the heuristic spam rules are included in virus pattern file updates.


When you install InterScan MSS, you should immediately update both the scan engine and the virus pattern file to ensure that you are using the most recent versions of both components. Outdated pattern files and scan engines cannot protect against newly developed viruses. You should normally update the components from the Trend Micro ActiveUpdate server and use the default URL for which the product is configured. However, because the source of the update files is configurable, you can specify another Internet location. For example, you may need to change the update path if a technical support engineer has directed you to install a special build of the virus pattern file or scanning engine, or if you set up your own update server locally on your intranet. You can use one of the following update methods when updating InterScan MSS components:
- On-Demand Update (Update Now)
- Scheduled Update

On-Demand Update (Update Now)


You can use the Update Now feature to update the InterScan MSS components at any time. For example, if you receive notification from Trend Micro that a new virus has been discovered, you should use the Update Now feature to make sure that you have the latest versions of the virus pattern file, scan engine, spam database, and SPS heuristic scan engine. To ensure that all components are current, Update Now should be used immediately after installing InterScan MSS. To update the InterScan MSS components using the Update Now feature, click Configuration | Update | Update Now from the left-hand frame of the InterScan MSS Management Console. The Update Now screen appears (see Figure 2-11).


Figure 2-11: Components that should be updated are denoted with a red Update Now! Message.

The Update Now screen shows the version of each component that you are using as well as the most up-to-date version available for each component. Newer components, when available, are denoted with a red Update Now! Message, as shown in Figure 2-11. In this example, both the scan engine and the spam database are current, but the virus pattern file needs to be updated.

Scheduled Update
InterScan MSS can automatically download updates hourly, daily, or weekly. If your network has limited Internet bandwidth, you can configure InterScan MSS to update the virus pattern file and scan engine after business hours or at other times when network traffic is low. Trend Micro recommends that you schedule regular updates of all InterScan MSS components. To configure a scheduled update, click Configuration | Update | Scheduled Update from the left-hand column of the InterScan MSS Web console. The Scheduled Update screen appears (see Figure 2-12). Select the components that you want to update and configure an update schedule in the fields provided.


Figure 2-12: The Scheduled Update screen.

Note: The new scheduled update settings are applied to the InterScan MSS scheduler immediately after you click Save.

Rolling Back an Update


After updating to a new virus pattern file, InterScan MSS keeps the old virus pattern files on the server. You can use the roll back feature to revert to a previous virus pattern file. If you receive a virus pattern file that is corrupt, you can roll back the update and continue to use the previous version of the virus pattern file until Trend Micro releases a new virus pattern file. Each virus pattern file has a file extension, or a three-digit number attached to it. The virus filter always uses the virus pattern file with the highest-numbered file extension. For example, if InterScan MSS has stored virus pattern files lpt$vpn.001, lpt$vpn.002, and lpt$vpn.003, it uses the virus pattern file with the 003 extension.


When rolling back to a previous virus pattern file, you need to ensure that an older pattern file is located in the C:\Program Files\Trend\IMSS\ISNTSmtp folder. If only the current pattern file is located in the folder, you cannot roll back the update. If an older pattern file is available, you can remove the new pattern file from the directory and then restart the InterScan MSS service (see Figure 2-13).

Note: InterScan MSS stores old virus pattern files indefinitely. You must manually delete old virus pattern files. There is no reason to keep more than one or two out-of-date virus pattern files.

Figure 2-13: Ensure that an older version of the virus pattern file is available before rolling back the update.
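The selection and rollback rules above, implemented as an added Python example (not Trend Micro's code): pick the highest-numbered lpt$vpn.NNN file, refuse a rollback when no older file exists, move rather than delete the newest file so it can be restored, and prune old files down to the one or two the note says are worth keeping. The scan folder in demo() is a constructed temporary directory, and the backup location is an assumption of the example.

```python
import os
import re
import shutil
import tempfile

# The pattern file is lpt$vpn.NNN and the filter loads the highest NNN (from the text).
PATTERN_RE = re.compile(r"^lpt\$vpn\.(\d{3})$")


def list_pattern_files(folder):
    """Pattern files in folder, oldest first by numeric extension."""
    found = []
    for name in os.listdir(folder):
        match = PATTERN_RE.match(name)
        if match:
            found.append((int(match.group(1)), name))
    return [name for _, name in sorted(found)]


def active_pattern(folder):
    """The file the virus filter will load: highest-numbered extension, or None."""
    files = list_pattern_files(folder)
    return files[-1] if files else None


def can_roll_back(folder):
    """Rollback needs at least one older pattern file next to the current one."""
    return len(list_pattern_files(folder)) >= 2


def roll_back(folder, backup_dir):
    """Move the newest pattern out of the scan folder (kept in backup_dir rather than
    deleted) and return the pattern now active. Restart the service afterwards."""
    if not can_roll_back(folder):
        raise RuntimeError("no older pattern file present; cannot roll back")
    newest = active_pattern(folder)
    os.makedirs(backup_dir, exist_ok=True)
    shutil.move(os.path.join(folder, newest), os.path.join(backup_dir, newest))
    return active_pattern(folder)


def prune_old_patterns(folder, keep=2):
    """Delete all but the active file and `keep` older ones; return the names removed."""
    files = list_pattern_files(folder)
    doomed = files[:-(keep + 1)] if len(files) > keep + 1 else []
    for name in doomed:
        os.remove(os.path.join(folder, name))
    return doomed


def demo():
    """Constructed scan folder: four pattern files plus an unrelated file."""
    root = tempfile.mkdtemp()
    try:
        scan = os.path.join(root, "ISNTSmtp")
        os.mkdir(scan)
        for name in ("lpt$vpn.001", "lpt$vpn.002", "lpt$vpn.003", "lpt$vpn.004", "readme.txt"):
            open(os.path.join(scan, name), "w").close()
        before = active_pattern(scan)                          # lpt$vpn.004
        after = roll_back(scan, os.path.join(root, "backup"))  # lpt$vpn.003
        pruned = prune_old_patterns(scan, keep=1)              # ['lpt$vpn.001']
        return before, after, pruned, can_roll_back(scan)
    finally:
        shutil.rmtree(root)
```

Point the functions at C:\Program Files\Trend\IMSS\ISNTSmtp on a real server, and check can_roll_back() before touching anything: if it is False, the only way forward is to wait for the next pattern release.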

Lab Exercise 1: Installing InterScan MSS
Lab Exercise 2: Updating the InterScan MSS Components


Chapter 2 Summary and Review Questions


Summary
You can install InterScan MSS behind your existing firewall or in your DMZ. You also have two options for choosing an installation server: you can install InterScan MSS on your existing SMTP server or on a dedicated (separate) server. Trend Micro recommends that you install InterScan MSS on a dedicated server. Regardless of where you install InterScan MSS, you must make sure that incoming email passes through the InterScan MSS server first. The InterScan MSS server scans the email and delivers it to the email server, which then passes the email to the receiving clients. All outgoing email should pass through the email server and then through the InterScan MSS server. You use the InterScan MSS installation program to install the software, upgrade previous versions of the software, and uninstall the software. You can run the installation program from the target server or any other Windows NT or 2000 server or workstation on your network. After you install InterScan MSS, you must register your copy of the software before you can configure it and receive updates for the virus pattern file and scan engine. After registering, you receive one year of program and virus-pattern file updates and current product information. Trend Micro regularly updates the virus-pattern file and periodically updates the scanning engine and heuristic spam rules. You can obtain these updates from the Trend Micro ActiveUpdate server.

Review Questions
1. Which of the following are recommended installation configurations for InterScan MSS? (Choose two.)
   a. Behind the firewall
   b. In front of the firewall
   c. In a DMZ
   d. Behind a DMZ


2. Which of the following installation instructions does Trend Micro recommend?
   a. Install InterScan MSS on the existing email server.
   b. Install InterScan MSS on a dedicated server.
   c. Install InterScan MSS on a server with other Trend Micro products.
   d. Install InterScan MSS on the largest server on your network.

3. Which of the following are reasons why it is beneficial to install InterScan MSS on the email server? (Choose two.)
   a. Additional servers are not required
   b. Overhead on the email server does not increase
   c. Requires less network bandwidth
   d. Greater efficiency

4. Which four of the following items can you update? (Choose four.)
   a. Virus pattern file
   b. Pattern-matching engine
   c. Spam database
   d. Scan engine
   e. SPS heuristic spam rules
   f. TrueScan filter


Chapter 3: Configuring SMTP Routing Settings


Chapter Objective
After completing this chapter, you should be able to Configure Simple Mail Transfer Protocol (SMTP) routing settings


SMTP Routing
Before InterScan Messaging Security Suite (InterScan MSS) can scan messages sent to and from your network, you must configure its built-in SMTP server. InterScan MSS includes its own SMTP server. You can configure its IP address, SMTP greeting, and connection time-out settings. You can also control from which servers InterScan MSS receives messages and which servers are allowed to relay messages through it.

Server Identity Settings


InterScan MSS binds to an IP address and port. In addition to configuring these settings, you can configure the greeting message that other SMTP servers receive after connecting to InterScan MSS. To configure the InterScan MSS IP address and SMTP greeting, click Configuration | SMTP Routing | Receiver | Settings. The Settings screen appears (see Figure 3-1). Enter the requested information in the fields provided, click Save, and click Apply Now.

Figure 3-1: The SMTP Routing Receiver Settings screen.


Note: If the server on which you installed InterScan MSS for SMTP has multiple network interface cards, InterScan MSS binds to all available IP addresses. If you want InterScan MSS to bind to a specific IP address, you must select that address from the pull-down menu.

Note: To apply the new settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

Connections

The InterScan MSS built-in SMTP server accepts email from other SMTP servers and passes the email on after processing is completed. You can configure how these connections are handled.

Timeout
Idle SMTP servers that stay connected to the InterScan MSS server can consume network bandwidth and other resources, placing a strain on your network. To prevent servers from connecting to the InterScan MSS server indefinitely, you can set a timeout value. For example, if you set the timeout value at 10 minutes, InterScan MSS will break its connection with servers that sit idle for more than 10 minutes.

Simultaneous Connections
Simultaneous connections can also place a heavy strain on your network. You can limit the number of servers that connect to the InterScan MSS server and reduce the amount of resources used at once. If you set the simultaneous connections limit to five, then InterScan MSS will only allow five servers to connect at the same time. Additional servers must wait for an available connection.

Reverse-Lookups
A reverse-lookup checks that the connecting host is what it claims to be. After accepting a TCP connection, InterScan MSS knows the source IP address of the remote computer. The remote computer then sends a HELO (or EHLO) domain-name SMTP command. InterScan MSS queries the DNS server(s) for the IP address of that domain name; if the address matches the remote computer's IP address, the reverse-lookup succeeds. Because the check resolves the name the client announces, it catches hosts that claim a name they do not own; it does not identify the host independently of what it announces.

Note: Performing reverse-lookup on received messages can prevent spoofing if you do not have a firewall or mail server between the Internet and the InterScan MSS server. However, installing InterScan MSS in front of the firewall is NOT recommended.

Note: Because of the added query, enabling reverse-lookup affects the performance of InterScan MSS.
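The HELO verification described above, as an added example in Python (it is not InterScan MSS code). It runs against a constructed in-memory DNS table so it works offline; the host names and addresses are made up. It also shows the complementary forward-confirmed reverse DNS check, which the text does not mention: a client chooses its own HELO string, but it does not choose the PTR record for its address, so the two checks fail in different ways.

```python
import ipaddress

# Constructed DNS data (documentation-range addresses, made-up names).
FORWARD_RECORDS = {                      # A records: name -> addresses
    "mail.example.com": {"198.51.100.25"},
    "mx.partner.example": {"203.0.113.10", "203.0.113.11"},
}
REVERSE_RECORDS = {                      # PTR records: address -> name
    "198.51.100.25": "mail.example.com",
    "203.0.113.10": "mx.partner.example",
}


def resolve_a(name, records=FORWARD_RECORDS):
    """Forward lookup; an empty set stands for NXDOMAIN."""
    return set(records.get(name.lower().rstrip("."), ()))


def resolve_ptr(ip, records=REVERSE_RECORDS):
    """Reverse lookup; None stands for no PTR record."""
    return records.get(str(ipaddress.ip_address(ip)))


def helo_check(helo_arg, client_ip, forward=FORWARD_RECORDS):
    """The check the text describes: resolve the HELO/EHLO argument and accept
    only if one of its addresses is the address the connection came from."""
    if helo_arg.startswith("[") or "." not in helo_arg:
        return False                     # address literal or bare label: nothing to verify
    return str(ipaddress.ip_address(client_ip)) in resolve_a(helo_arg, forward)


def fcrdns_check(client_ip, forward=FORWARD_RECORDS, reverse=REVERSE_RECORDS):
    """Forward-confirmed reverse DNS: the PTR name for the client address must
    resolve back to that address. Not influenced by anything the client sends."""
    name = resolve_ptr(client_ip, reverse)
    return name is not None and str(ipaddress.ip_address(client_ip)) in resolve_a(name, forward)


def classify_session(helo_arg, client_ip):
    """Outcome an administrator would want logged for the connection."""
    if helo_check(helo_arg, client_ip):
        return "helo verified"
    if fcrdns_check(client_ip):
        return "helo mismatch but host has matching rDNS"
    return "unverified"
```

Each call here costs at least one DNS query per connection, which is the performance note above in concrete form; a mismatch is a reason to score or log a session, not by itself proof of spoofing, since plenty of legitimate hosts send a HELO name that does not resolve to their address.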


To configure connection settings for InterScan MSS, click Configuration | SMTP Routing | Receiver | Connections. The Connections screen appears (see Figure 3-2). Enter your desired values in the fields provided.

Figure 3-2: The SMTP routing-receiver connections screen.

Note: To apply the new connection settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

Connection Control
You can limit which SMTP hosts are permitted to connect to the InterScan MSS server. For example, you can block the IP address of an organization that has previously sent spam messages to you, or block an IP address if you suspect the host is an open relay used by spam senders. You can configure which servers can connect to the InterScan MSS server in one of two ways:
- You explicitly state which servers cannot connect (deny access list) and allow all others.
- You explicitly state which servers can connect (allow access list) and block all others.

To set connection privileges, click Configuration | SMTP Routing | Receiver | Connection Control. The Connection Control screen appears (see Figure 3-3). Click the Edit button next to the list that you want to configure and enter the information requested on the resulting screen (see Figure 3-4).


Figure 3-3: The SMTP Routing Receiver Connection Control screen.

Figure 3-4: The Connection Control screen used to configure lists of servers that cannot connect to the InterScan MSS server.

Note: To apply the new connection control settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.


Relay Control
You can deny or allow other computers to relay messages through your InterScan MSS server. Unauthorized users who attempt to relay messages through SMTP servers are a common problem for email administrators. Spammers send spam through company email servers to hide their own identity and to use the company's identity. For example, a spammer might relay spam through ABC Company. When users receive the spam, the source appears to be ABC Company, rather than the spammer. In addition to stealing the company's identity, spammers use the company's bandwidth resources. InterScan MSS handles relay control in the following manner:
- Restrict relay to specific local domains
- Allow exceptions based on host IP or IP range

All hosts are allowed to relay email messages to a specific list of destinations (Allowed Relay Destinations). Normally, you enter the domain names of email hosts used by your organization. Only hosts that you specify (Permitted Senders of Relayed Email) are allowed to relay messages to hosts not in the Allowed Relay Destinations list. Hosts in the Permitted Senders of Relayed Email list can relay messages through the InterScan MSS server to any domain; in effect, they can use InterScan MSS as an open relay. Enter only email hosts that you trust to use the relay according to your company's guidelines. In most cases, you enter only your own email servers.

Note: A blank Permitted Senders of Relayed Email list means no servers can relay messages through InterScan MSS to the Internet.

To permit a host to relay messages, click Configuration | SMTP Routing | Receiver | Relay Control. The Relay Control screen appears (see Figure 3-5). Type the domain of the host in the field provided and click the plus (+) button to add it to the Allowed Relay Destinations list.

Note: When configuring relay control, you can use a wildcard (*).


Figure 3-5: The SMTP Routing Receiver Relay Control screen.

Note: To apply the relay control settings to your current session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.
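Connection Control and Relay Control evaluated together, as an added Python example (not the product's code) covering the two preceding sections. The list names mirror the console; the policy contents, the use of CIDR notation for IP ranges, and fnmatch-style semantics for the * wildcard are assumptions made for the example, as are the SMTP reply strings.

```python
import fnmatch
import ipaddress

# Constructed policy. The list names follow the InterScan MSS console; the
# addresses and domains are made up.
CONNECTION_DENY = ["192.0.2.0/24", "203.0.113.66"]        # deny-list mode
ALLOWED_RELAY_DESTINATIONS = ["example.com", "*.example.com"]
PERMITTED_SENDERS = ["198.51.100.0/28"]                    # our own mail servers only


def ip_in_list(client_ip, entries):
    """Match an address against single addresses or CIDR ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in entries)


def connection_allowed(client_ip, deny=CONNECTION_DENY, allow=None):
    """Connection Control. An allow list admits only listed hosts; without one,
    every host not on the deny list may connect."""
    if allow:
        return ip_in_list(client_ip, allow)
    return not ip_in_list(client_ip, deny)


def domain_in_list(domain, patterns):
    """Match a recipient domain against entries that may carry a * wildcard."""
    domain = domain.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(domain, pattern.lower()) for pattern in patterns)


def relay_allowed(client_ip, rcpt_to, destinations=ALLOWED_RELAY_DESTINATIONS,
                  senders=PERMITTED_SENDERS):
    """Relay Control, per RCPT TO. Any host may deliver to an Allowed Relay
    Destination; only Permitted Senders may relay to anywhere else. An empty
    senders list therefore means no outbound relaying at all."""
    domain = rcpt_to.strip("<>").rsplit("@", 1)[-1]
    if domain_in_list(domain, destinations):
        return True
    return ip_in_list(client_ip, senders)


def smtp_decision(client_ip, rcpt_to, deny=CONNECTION_DENY, allow=None,
                  destinations=ALLOWED_RELAY_DESTINATIONS, senders=PERMITTED_SENDERS):
    """Both checks in the order the receiver applies them, as an SMTP reply."""
    if not connection_allowed(client_ip, deny, allow):
        return "554 connection refused"
    if not relay_allowed(client_ip, rcpt_to, destinations, senders):
        return "550 relaying denied"
    return "250 OK"
```

The relay check is per recipient on purpose: an attacker can put an inside address first and an outside one second in the same session, so deciding once per connection would re-open the relay. Also note how narrow the wildcard is: "*.example.com" accepts mail.example.com but not example.com.attacker.net.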

Delivery Settings
As an SMTP gateway, InterScan MSS passes email to another SMTP server or Message Transfer Agent (MTA) that resolves the final destination. You can configure the routing method, either DNS or smarthost, based on the recipient's domain name.

Domain-Based Delivery
You can use the domain-based delivery settings to specify a delivery method for email that is addressed to specific domains. For example, if your company has two separate domain names, you might want to use smarthost to route email between the two domains.

To specify the routing method, click Configuration | SMTP Routing | Delivery | Domain-Based Delivery. The Domain-Based Delivery screen appears (see Figure 3-6). The screen displays configurations for processing email destined for specified domains. To edit the settings, click the view link in the Details column. To add another domain to the list, click Add and enter the requested information in the fields provided (see Figure 3-7).

Figure 3-6: The SMTP Domain-Based Delivery screen.


Figure 3-7: The SMTP Domain-Based Delivery Add screen.

Note: If you do not enter the IP address of the DNS server here, InterScan MSS uses the DNS server that is listed in the TCP/IP configuration settings.

Note: To apply the new domain-based delivery settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied when you restart the InterScan MSS service.

Advanced Delivery
InterScan MSS includes optional delivery settings that you can use to customize how the built-in SMTP server processes messages. You can configure how often InterScan MSS tries to deliver a message, the number of times a message can be sent from server to server, and whether you want people to know you are using InterScan MSS.


Deferrals
When InterScan MSS cannot deliver an email, it temporarily stores the email in the retry queue and tries sending it again later. To prevent InterScan MSS from continually attempting to deliver an undeliverable email, you can configure the Retry interval. The retry interval is the frequency with which InterScan MSS attempts to deliver email in the retry queue. You can also configure the Maximum retry period, or the time frame during which InterScan MSS can attempt to deliver the email. If InterScan MSS cannot deliver the email during the retry period, it deletes the email and sends a non-delivery receipt (NDR) to the sender.

Hop Count and Masquerade Domains


Configuring the hop count prevents messages from indefinitely looping. For example, if Email Server A routes a message to Email Server B and Email Server B sends it back to Email Server A, the message may loop between these servers indefinitely if you do not configure a hop count (see Figure 3-9).

[Figure 3-9 diagram: Email Server A, Internet, Firewall, Email Server B, Receiving Client]

Figure 3-9: A hop count prevents messages from looping indefinitely, as shown in this figure.

Configuring a masquerade domain changes the domain name that appears in the From lines of the SMTP protocol. For example, if your company has two unique domain names and you want all messages to use the same domain name, you can configure a masquerade domain.

Received Header Information


If you do not want other users to know that you are using InterScan MSS, you can disable the Received header setting. To customize your SMTP delivery settings, click Configuration | SMTP Routing | Delivery | Advanced. The Advanced screen appears (see Figure 3-10). In the fields provided, enter the information requested and click Save.
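To make the hop count concrete, the following added example (not part of the course material or of the product) counts the Received: trace headers of a message, which is the conventional way an MTA measures hops, and bounces a constructed message between two constructed hosts until the limit stops it. How InterScan MSS counts hops internally is not described on this page, so the Received-header method is an assumption:

```python
from email import message_from_string

# Constructed sample: a message already carrying five trace headers after bouncing
# between two constructed hosts, mail-a and mail-b. The newest header is on top, as in
# real mail, because each relay prepends its own Received: line.
LOOPING_MESSAGE = (
    "Received: from mail-b.example.test by mail-a.example.test; Mon, 6 Oct 2003 10:00:05 +0000\n"
    "Received: from mail-a.example.test by mail-b.example.test; Mon, 6 Oct 2003 10:00:04 +0000\n"
    "Received: from mail-b.example.test by mail-a.example.test; Mon, 6 Oct 2003 10:00:03 +0000\n"
    "Received: from mail-a.example.test by mail-b.example.test; Mon, 6 Oct 2003 10:00:02 +0000\n"
    "Received: from client.example.test by mail-a.example.test; Mon, 6 Oct 2003 10:00:01 +0000\n"
    "From: sender@example.test\n"
    "To: someone@example.test\n"
    "Subject: hop count demo\n"
    "\n"
    "body\n"
)


def hop_count(raw: str) -> int:
    """Hops taken so far = number of Received: headers (the conventional MTA measure)."""
    return len(message_from_string(raw).get_all("Received", []))


def exceeds_hop_limit(raw: str, max_hops: int) -> bool:
    """True when the message has already reached the configured hop count and must not
    be forwarded again (an MTA would bounce it instead of relaying it)."""
    return hop_count(raw) >= max_hops


def relay_once(raw: str, from_host: str, by_host: str, stamp: str) -> str:
    """What one forwarding server does to the message: prepend its own trace header."""
    return f"Received: from {from_host} by {by_host}; {stamp}\n" + raw


def forwards_before_stop(raw: str, max_hops: int) -> int:
    """Bounce the message between mail-a and mail-b until the hop limit stops it and
    return how many forwards happened. Without the limit this loop would never end."""
    hosts = ("mail-a.example.test", "mail-b.example.test")
    forwards = 0
    while not exceeds_hop_limit(raw, max_hops):
        sender, receiver = hosts[forwards % 2], hosts[(forwards + 1) % 2]
        raw = relay_once(raw, sender, receiver, f"constructed-stamp-{forwards}")
        forwards += 1
    return forwards
```

One interaction with the Received header setting is worth noting: a relay that adds no trace header of its own also adds nothing to this count, so loop detection then depends on the trace headers the other servers add and on the hop count enforced by this gateway itself.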


Figure 3-10: The SMTP Routing Delivery Advanced screen.

Note: To apply the new delivery settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

Message Settings
You can use the InterScan MSS Message settings to set limits on the following items:
- Message size
- Data size per session
- Number of messages per connection
- Number of recipients per message

The limits that you set are the first rules that InterScan MSS applies when it receives an email. Email is not accepted if it exceeds these limits, which provides extra protection against Denial of Service attacks.


To set message limits, click Configuration | SMTP Routing | Message. The Message screen appears (see Figure 3-11). Select the check box next to each restriction that you want to enable and type a size or quantity in the fields provided.

Figure 3-11: The SMTP Routing-Message screen.

Note: If you do not want to set a limit, leave the item's option button unselected. Entering 0 into any of the fields on the Message screen is equivalent to not selecting the option button.
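The following added Python example (not product code) models the four limits as the first checks in an SMTP session, including the convention from the note above that 0 means no limit. The limit values and the reply texts are constructed; the product's defaults and exact responses are not on the page:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MessageLimits:
    """The four limits from the Message screen. A value of 0 means 'no limit', matching
    the note that entering 0 is the same as leaving the option unselected.
    The numbers here are constructed for the example, not product defaults."""
    message_size: int = 10 * 1024 * 1024        # bytes per message
    data_per_session: int = 50 * 1024 * 1024    # bytes over the whole connection
    messages_per_connection: int = 20
    recipients_per_message: int = 100


def over(value: int, limit: int) -> bool:
    """Limit check honouring the 0-means-unlimited convention."""
    return limit != 0 and value > limit


@dataclass
class SmtpSession:
    """State for one client connection. These checks run before any content scanning,
    which is why the text calls them the first rules applied."""
    limits: MessageLimits
    session_bytes: int = 0
    messages: int = 0
    recipients: int = 0

    def on_mail_from(self) -> str:
        if over(self.messages + 1, self.limits.messages_per_connection):
            return "421 4.7.0 too many messages on this connection, closing"
        self.recipients = 0
        return "250 OK"

    def on_rcpt_to(self) -> str:
        if over(self.recipients + 1, self.limits.recipients_per_message):
            return "452 4.5.3 too many recipients"
        self.recipients += 1
        return "250 OK"

    def on_data(self, size: int) -> str:
        """Called with the size of the received DATA payload in bytes."""
        if over(size, self.limits.message_size):
            return "552 5.3.4 message size exceeds fixed maximum"
        if over(self.session_bytes + size, self.limits.data_per_session):
            return "421 4.7.0 session data limit exceeded, closing"
        self.session_bytes += size
        self.messages += 1
        return "250 OK queued for scanning"
```

Checking message size only after DATA means the bytes have already been received; an MTA that announces the SIZE extension in its EHLO response lets a compliant client learn the limit before sending, which complements this check.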

Note: To apply the new message settings, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

Retry Queue Viewer
You can view messages in the retry queue and view the first 1 KB of data in a message. InterScan MSS automatically tries to deliver messages in the retry queue. However, depending on the values you entered in the SMTP Routing settings, InterScan MSS might not try to deliver messages in the retry queue for several hours. If needed, you can force-deliver messages in the retry queue without waiting for the retry interval to elapse.

To manage your delivery queue, click Configuration | System Monitor | Retry Queue Viewer. The Retry Queue Viewer screen appears, displaying the email in the retry queue (see Figure 3-12). Select the email(s) that you want to force-deliver and click Deliver Now.


Figure 3-12: The Retry Queue Viewer screen.

Note: For more information about a message, click the View link next to the message.

Undeliverable Messages (Badmail Directory)


To prevent InterScan MSS from deleting undeliverable email after the retry period expires, you can move the email to the badmail directory. To move undeliverable messages to the badmail directory, use a text editor to edit the IsntSmtp.ini file. Search for the line QueueBadmail=no and change it to read QueueBadmail=yes. The IsntSmtp.ini file is located in the C:\Program Files\Trend\IMSS folder.

Note: The badmail directory is \Trend\IMSS\isntsmtp\badmail. Its path cannot be modified.


Testing the InterScan MSS Installation


The European Institute of Computer Anti-Virus Research (EICAR), along with antivirus vendors, has developed a test file that can be used to check whether your system can detect viruses. The test file is not an actual virus and can neither harm your system nor replicate. It is a file whose signature has been included in the Trend Micro virus-pattern file. As a result, the Trend Micro scan engine can detect this file.

You can download the EICAR test file from the following web site: http://www.antivirus.com/vinfo/testfiles/index.htm

You may need to disable HTTP scanning, if any, before downloading the file. Include the test virus as an email attachment to test Simple Mail Transfer Protocol (SMTP) scanning.

Alternatively, copy the following text into a text file and then save the file with a .COM extension (for example, virus.com):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
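The following Python example, added here and not part of the course materials, builds the test message described above with the EICAR file as an attachment and checks a received copy for it, so the SMTP scanning test can be run end to end without downloading anything. The addresses are constructed; the EICAR string is the published one:

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The 68-byte EICAR test string as published by EICAR. It is plain text that scanners
# detect by signature; it is not executable malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_message(sender: str, recipient: str, filename: str = "eicar.com") -> bytes:
    """Assemble the test email: a short text body plus the EICAR file as a binary attachment,
    which is the SMTP scanning test the text describes. Returns the wire-format bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR SMTP scanning test"
    msg.set_content("This message carries the EICAR test file as an attachment.")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> dict:
    """Decode every attachment of a wire-format message into {filename: bytes}."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): part.get_payload(decode=True) for part in msg.iter_attachments()}


def carries_eicar(raw: bytes) -> bool:
    """True when some attachment decodes to exactly the EICAR bytes. Run it on the copy that
    reaches the mailbox: if it still returns True, the gateway did not act on the test file."""
    return any(payload == EICAR for payload in extract_attachments(raw).values())
```

Save the bytes from build_test_message to a file and submit it through the gateway with your usual mail client or a command-line SMTP tool; the expected result is that the virus filter triggers and the recipient copy, if any arrives, no longer satisfies carries_eicar.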


Chapter 3 Summary and Review Questions


Summary
InterScan MSS has its own built-in SMTP server. You can configure routing settings for this SMTP server, such as the IP address, SMTP greeting, and connection time-out. You can also configure the SMTP server to perform reverse-lookups, limit which SMTP hosts are permitted to connect to the SMTP server, and control which hosts can use the SMTP server as a relay. Furthermore, you can configure delivery settings such as domain-based delivery, hop counts, masquerade domains, and message limits.

Review Questions
1. Why would you want to use a reverse-lookup?
   a. To configure a deny access list
   b. To prevent known spam senders from using your SMTP server as a relay
   c. To enable domain-based delivery
   d. To create a masquerade domain

2. What does the hop count limit?
   a. The number of times an email can be forwarded
   b. The number of times InterScan MSS can retry delivering an email
   c. The number of times an email is scanned
   d. The number of times an email can loop between the InterScan MSS and email servers

3. What is the purpose of a masquerade domain?
   a. To block spam coming from specified domains
   b. To block all email from specified domains
   c. To change the domain name in the From: field
   d. All of the above


Chapter 4: Configuring POP3 Email Scanning Settings


Chapter Objective
After completing this chapter, you should be able to:
- Configure and edit POP3 email scanning settings


POP3 Email Scanning


In addition to Simple Mail Transfer Protocol (SMTP) traffic, InterScan Messaging Security Suite (InterScan MSS) can scan POP3 messages at the gateway. Even if your company does not use Post Office Protocol 3 (POP3) email, employees might want to access personal POP3 email accounts using email clients on their computers. If this POP3 email traffic is not scanned, your network is vulnerable to virus attacks.

How It Works
The InterScan MSS POP3 scanner acts as a proxy, sitting between email clients and POP3 servers (see Figure 4-1).

[Figure 4-1 diagram: POP3 Server A, POP3 Server B, Internet, Firewall, InterScan MSS for SMTP POP3 Scanner, POP3 Clients]

Figure 4-1: How POP3 scanning works

To scan POP3 traffic, configure your email clients to connect to the InterScan MSS server POP3 proxy. You can set up the following connection types:
- Generic: Access different POP3 servers using the default port for POP3 traffic (typically 110).
- Dedicated: Access the POP3 server using a specified port, when the POP3 server requires authentication using the Advanced Post Office Protocol (APOP) command or requires a port other than 110.

Requirements
For InterScan MSS to scan POP3 traffic, a firewall must be installed on the network and configured to block POP3 requests from all computers except the InterScan MSS server. In addition, configuration changes must be made to every email client so that messages are retrieved only through the InterScan MSS server. InterScan MSS includes the POP3 Client Tool to help users make configuration changes on the Eudora, Microsoft Outlook/Outlook Express, Netscape Messenger, and Pegasus email clients. The POP3 Client Tool is packaged as an ActiveX control so that users can run it from the following Web page: http://<InterScanMSS_server>/InterScanPOP3ClientTool.html Replace InterScanMSS_server with the name of your InterScan MSS server.

Note: The POP3 Client Tool only works using Internet Explorer on a Windows platform.

If users need to connect to a POP3 server that requires APOP or Windows NT LAN Manager (NTLM) authentication, or if you need to manually configure an email client that is not supported by the POP3 Client Tool ActiveX control, see the Manually Configuring Email Clients section in this chapter.

Settings
If you enable POP3 scanning, you can customize the following settings:

Inbound POP3 IP address: Select the IP address over which InterScan MSS will receive POP3 traffic.

Simultaneous User Connections: Specify the number of simultaneous connections that you want InterScan MSS to allow. The number of connections can affect the performance of your InterScan MSS server. The default value is five. If you installed InterScan MSS on a server with multiple CPUs, you can increase this number to take advantage of the increased processing power.

Status Message: Type the message that you want InterScan MSS to send to users when email addressed to them triggers a filter. If InterScan MSS deletes an email because of content that violated the company's email policies, the message sent to the recipient might be similar to the following example: "InterScan Messaging Security Suite cannot retrieve this message due to the administrator's policy."

To enable POP3 message scanning, click Configuration | POP3 | Settings. The Settings screen appears (see Figure 4-2). Select the Enable POP3 Scanning check box, enter the requested information in the fields provided, and click Save.


Figure 4-2: The POP3 Settings screen.

Note: To apply the new POP3 scanning settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

You must run the POP3 Client Tool to reconfigure your email clients to retrieve email through the InterScan MSS POP3 proxy with the updated settings. To use the POP3 Client Tool without running the ActiveX control, unzip the tmp3proa.cab file from the C:\Program Files\Trend\IMSS\UI\xhtml\en\ folder and send the tmp3cmd.exe and pop3.ini files to your client users. The pop3.ini file is located in the C:\Program Files\Trend\IMSS\ folder.

Connections
You can specify the ports on the InterScan MSS server that will be used to retrieve POP3 traffic. The default POP3 port is 110. However, if your users need to access a POP3 server through an authenticated connection (using the APOP command or NTLM), you may also set up a dedicated connection with a customized port assignment.


Viewing and Editing Connections


To view and edit the POP3 connections currently set up on your server, click Configuration | POP3 | Connections from the left-hand column of the InterScan MSS Web console. The Connections screen appears (see Figure 4-3). Click the view link to edit the POP3 server and port connections that appear in the table. The Edit screen appears (see Figure 4-4). Enter the requested port numbers and IP address in the fields provided and click Save. To add a new POP3 connection, click the Add button and enter the requested port numbers and IP address in the fields provided. To delete a POP3 connection, select the check box next to the respective connection and click Delete.

Figure 4-3: The POP3 Connections screen.


Figure 4-4: The POP3 Connections Edit screen.

Note: To apply the new POP3 connection settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the InterScan MSS service.

Note: You must run the POP3 Client Tool to reconfigure your email clients to retrieve email through the InterScan MSS POP3 proxy with the updated settings.

The POP3 Client Tool
The POP3 Client Tool modifies Eudora, Microsoft Outlook/Outlook Express, Netscape Messenger, and Pegasus email clients to enable POP3-email access through the InterScan MSS POP3 proxy. The POP3 Client Tool:
- Configures any available POP3 accounts when executed
- Replaces the client POP3 server address with the InterScan MSS proxy IP address
- Appends the client's pre-existing POP3 server address to the account name, separating them with a # delimiter

Note: The POP3 Client Tool uses settings that you enter in the InterScan MSS Management Console. If you change these settings, you must run the POP3 Client Tool again to reconfigure your email clients with the new settings.


Running From a Web Page


To reconfigure email clients using the POP3 Client Tool, users can run an ActiveX control from the following Web site: http://FQDN_of_InterScan_Server/InterScanPOP3ClientTool.html

Manually Configuring Email Clients


You can also use the POP3 Client Tool to manually configure your client POP connection settings. Manual configuration is useful when the client requires a specific, dedicated connection to its POP3 server through the InterScan MSS proxy.
Generic Connections

For generic connections that support most POP3 servers, assume the following account information is provided as the current client POP3 configuration:
- Incoming email (POP3) server: pop.domain.com
- Account name: John_Smith

In addition, assume the inbound POP3 IP address used by InterScan MSS is 123.123.123.12. To enable POP3 email retrieval and scanning, change the client settings to the following:
- Incoming email (POP3) server: 123.123.123.12
- Account name: John_Smith#pop.domain.com

Note: When accessing a POP3 server that uses a port other than that specified in the InterScan MSS generic connection port setting, append an extra # separator and add the port. For example, if the POP3 server uses port 120 when InterScan MSS is set to use 110, the account name is John_Smith#pop.domain.com#120.

Dedicated Connections

To use a dedicated connection, modify your email client in the following ways:
- Change the POP3 server port in your email-client settings to the port used by InterScan MSS as the Inbound POP3 Port.
- Modify the incoming email POP3 server to use the InterScan MSS proxy IP address.
The account name does not change because the actual POP3 server is referenced in the dedicated-connection settings of InterScan MSS.

Include the # separator and port number only if the client requires the InterScan MSS proxy to retrieve email using a port that differs from the one specified in the POP3 Server settings.
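The account-name rewriting described for both the generic and the dedicated case above, as an added Python example (not Trend Micro's POP3 Client Tool): it produces the client settings the text arrives at, and decodes a generic account name back into user, server and port. The decoding step is inferred from the documented format and is an assumption about what the proxy needs from the login; the proxy address and port 110 are the page's own values, while the dedicated port 1110 is constructed:

```python
from dataclasses import dataclass

# Values taken from the text's example: proxy address 123.123.123.12, generic port 110.
PROXY_IP = "123.123.123.12"
GENERIC_PORT = 110


@dataclass(frozen=True)
class Pop3ClientSettings:
    server: str      # "Incoming email (POP3) server" field of the mail client
    port: int
    account: str     # "Account name" field


def generic_settings(current: Pop3ClientSettings, proxy_ip: str = PROXY_IP,
                     generic_port: int = GENERIC_PORT) -> Pop3ClientSettings:
    """Rewrite for a generic connection, as the POP3 Client Tool does: the server becomes
    the proxy, the account becomes user#realserver, with #port appended only when the
    real server listens on something other than the proxy's generic port."""
    account = f"{current.account}#{current.server}"
    if current.port != generic_port:
        account += f"#{current.port}"
    return Pop3ClientSettings(server=proxy_ip, port=generic_port, account=account)


def dedicated_settings(current: Pop3ClientSettings, proxy_ip: str,
                       dedicated_port: int) -> Pop3ClientSettings:
    """Rewrite for a dedicated connection: server and port point at the proxy, the account
    is untouched because the real server is configured on the InterScan MSS side."""
    return Pop3ClientSettings(server=proxy_ip, port=dedicated_port, account=current.account)


def decode_generic_account(account: str, generic_port: int = GENERIC_PORT):
    """Recover (user, real_server, port) from a generic-connection account name. This split
    is inferred from the documented format; how the product parses it is not on the page."""
    parts = account.split("#")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("expected user#server or user#server#port")
    port = int(parts[2]) if len(parts) == 3 else generic_port
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return parts[0], parts[1], port
```

Because # is the delimiter, an account name that itself contains # would be ambiguous in the generic format; such accounts are a case for a dedicated connection, where the account name is passed through unchanged.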


Chapter 4 Summary and Review Questions


Summary
To scan POP3 traffic, you can set up generic or dedicated connections to the InterScan MSS server POP3 proxy, which sits between email clients and POP3 servers. You can specify the ports on the InterScan MSS server that will be used to retrieve POP3 traffic. The default POP3 port is 110. You can also set the number of clients that can retrieve POP3 messages simultaneously (which affects performance), and you can customize the status message users receive if POP3 messages sent to them trigger a filter that prevents delivery. The POP3 Client Tool modifies Eudora, Outlook/Outlook Express, Netscape Messenger, and Pegasus email clients to enable POP3-email access through the InterScan MSS POP3 proxy. The POP3 Client Tool is packaged as an ActiveX control so that users can run it from a browser.

Review Questions
1. Which of the following must be installed on your network in order for InterScan MSS to scan POP3 traffic?
   a. VPN
   b. RADIUS server
   c. Firewall
   d. Trend Micro Control Manager

2. Why might you need to set up a dedicated connection to the InterScan MSS server POP3 proxy?
   a. InterScan MSS is installed on a server that has more than one network interface card.
   b. Users need to authenticate to the POP3 server using the APOP command.
   c. You are using the POP3 Client Tool.
   d. You need to configure an email client that is not supported by the POP3 Client Tool ActiveX control.


Chapter 5: Configuring General and Security Settings


Chapter Objectives
After completing this chapter, you should be able to:
- Change the InterScan Messaging Security Suite (InterScan MSS) Management Console password
- Enable notification by email, Simple Network Management Protocol (SNMP) trap, or pager
- Learn and change (if permitted) the default locations of message-processing directories
- Configure InterScan MSS security settings


General Settings
The InterScan MSS Web console password, notifications, and queue directories can all be configured in the General Settings.

InterScan MSS Web Console Password


After installing InterScan MSS, you should set a password for the InterScan MSS Management Console. Requiring a password prevents unauthorized users from making changes to the InterScan MSS settings. Trend Micro recommends that you change your password frequently to ensure security. To change the InterScan MSS Web console password, click Configuration | General | Password from the left-hand column of the InterScan MSS Web console. The Password screen appears (see Figure 5-1). Enter your old and new passwords in the fields provided and click Save.

Figure 5-1: The Password screen.

Note: When setting the password for the first time, the Current password field will be blank.


Notification Settings
You and other network administrators can be notified by email or SNMP Trap when any of the following events occur:
- A virus is detected.
- A policy is updated.
- The system requires attention.

Email Notifications
When configuring email notifications, you must supply the following information:

SMTP server: This setting is configured during installation. If you want InterScan MSS to use an SMTP server, you must supply the IP address of the server that InterScan MSS should use.

SMTP port: The default setting for the SMTP port is 25. If you need to use a different port number to send notification messages, you must change this setting.

Administrator email: This setting determines to whom notifications are sent. You can enter a single email address, or you can enter multiple email addresses and use a semi-colon (;) to separate each address.

From address: When InterScan MSS sends a notification to a user, the address that you enter for this setting appears in the From: field. You can make it appear as though the message is coming from the administrator and not from InterScan MSS.

Preferred charset: If you want non-English characters to appear in email notification messages, you should change this setting to the appropriate option from the Preferred charset drop-down menu.

Message header: The message header is a user-defined message that appears at the front of the Non Delivery Receipt. For example, you might create a message to show that InterScan MSS sent the notification.

Message footer: The message footer is another user-defined message that appears at the end of the Non Delivery Receipt.

Notify Mail Limit in one hour: By default, InterScan MSS will not send out more than 1,500 notifications in one hour. You can raise or lower this limit by entering a different value in the field provided. If you enter a zero, InterScan MSS can send an unlimited number of messages.


When configuring SNMP Trap notifications, you must supply the following information:

Server name (IP or FQDN): InterScan MSS uses the IP address or Fully Qualified Domain Name in this setting to determine which server to send SNMP trap notifications to.

Community: InterScan MSS uses the community name that you enter in this field to determine to whom notifications should be sent. If the community name that you enter is not listed in the SNMP management console, or it is entered incorrectly, the notifications InterScan MSS sends are not received.

To configure the settings for both email and SNMP Trap notifications, click Configuration | General | Notification Settings from the left-hand column of the InterScan MSS management console. The Notification Settings screen appears (see Figure 5-2 and Figure 5-3). Enter the requested information in the fields provided and then click Save. You only have to configure the settings for the notification method(s) that you want to use.

Figure 5-2: The Email section of the Notification Settings screen.


Figure 5-3: The SNMP Trap section of the Notification Settings screen.

Queue Locations
InterScan MSS uses several queues to process messages, store log files, and quarantine messages. If you change the location of the queue to a folder that does not exist, InterScan MSS will create a new folder in the specified location.

Processing, Retry, and Postpone Queues


The processing queue is where messages are temporarily stored pending scanning and final delivery to their destination. The following directory path shows the default location of the processing queue:
C:\Program Files\Trend\IMSS\ISNTSMTP\mqueue\

The retry queue is where undeliverable messages are temporarily stored pending additional attempts at delivery. The following directory path shows the default location of the retry queue:
C:\Program Files\Trend\IMSS\ISNTSMTP\bmqueue\

The postpone queue is where messages are temporarily stored as a result of a postpone filter action. The following directory path shows the default location of the postpone queue:
C:\Program Files\Trend\IMSS\ISNTSMTP\postpone\

During normal operation, most of the email waiting to be scanned and delivered is temporarily stored in the processing folder. However, if the connection to the downstream server is lost or if a Domain Name System (DNS) lookup failure occurs, email is temporarily stored in the retry queue for later delivery.

Log Queue
Many modules within InterScan MSS write log information for troubleshooting purposes. The logs record information such as the number of times the virus-pattern file was updated, when it was updated, how many viruses were found (if any), and which viruses were found.


The following directory path shows the default location of the queue in which these logs are stored: C:\Program Files\Trend\IMSS\ISNTSMTP\logs\

Quarantine Queue
After InterScan MSS is installed, one default quarantine area is created. However, you can define multiple quarantine directories in different locations. The following directory path shows the default location of the quarantine area created during installation: C:\Program Files\Trend\IMSS\IsntSmtp\quarantine

Badmail Folder
You can configure InterScan MSS to save undeliverable messages in the badmail folder after the retry period has elapsed. When a message is delivered to the badmail folder, a non-delivery receipt (NDR) is forwarded to the sender. The location of this folder is not configurable. The following directory path shows the default location of the badmail folder: C:\Program Files\Trend\IMSS\isntsmtp\badmail

Temporary Folder
All application-generated temporary files are stored in the temporary folder. The location of this folder is not configurable. The following directory path shows the location of the temporary folder: C:\Program Files\Trend\IMSS\isntsmtp\temp\

Delivery Pickup
The quarantine manager and the retry queue viewer include a feature called Deliver Now. Messages selected for Deliver Now are moved to the Delivery Pickup folder. The InterScan MSS service has dedicated threads that deliver messages in this folder immediately. The location of this folder is not configurable. The following directory path shows the location of the Delivery Pickup folder:
C:\Program Files\Trend\IMSS\isntsmtp\pickup_deliver

When the quarantine manager selects an email to be reprocessed, it puts the email in the Pickup Scan folder. The InterScan MSS service has dedicated threads that pick up messages in this folder and put them into the scan queue. The location of this folder is not configurable. The following directory path shows the location of the Pickup Scan folder:
C:\Program Files\Trend\IMSS\isntsmtp\pickup_scan


All notification messages are put in the Notification Pickup folder. InterScan MSS has dedicated threads to pick up messages in this folder and deliver them to a specified SMTP notification server. You can configure this server on the Configuration | General | Notification screen, but the folder location is not configurable. The following directory path shows the location of the Notification Pickup folder:
C:\Program Files\Trend\IMSS\isntsmtp\pickup_notify

Changing Directory Paths


You can change the following directory paths:
- Processing queue
- Retry queue
- Postpone queue

When changing directory paths, you should remember the following guidelines:
- The path must be to a local folder (such as d:\foldername) or a mapped drive.
- You must save the new settings and click Apply Now, which restarts the service.
- Messages in the previous processing, postpone, and retry queues are not processed automatically.

Before defining a new queue location, you should make a note of the old location. You should also use Windows Explorer to manually copy all of the old queue's contents to the new queue. To change the directory path of the Processing, Retry, or Postpone queues, click General | Directories from the left-hand column of the InterScan MSS Web console. The Directories screen appears (see Figure 5-4). Find the name of the queue that you want to modify, change the directory path accordingly, click Save, and then click Apply Now.


Figure 5-4: The Directories screen.

Security
InterScan MSS has several security settings that control the maximum size of messages and their attachments. These security settings also determine how messages are processed upon program failure.

Security Settings
All security settings run as part of the virus filter in Policy Manager. If any of these values are met or exceeded, IMSS takes the filter action specified in the "Virus Scanning Aborted: message may contain viruses" section of the virus filter. You can configure the following security settings to prevent email messages from consuming excessive storage space or CPU time:
- Compressed file-scanning limits
- Attachment and message virus-scanning limits
- Multiple virus-infected message limits
- eManager filter size limit
- Exception handling


You can also use these security settings to block DoS attacks that result from malicious people sending large or multiple attachments.

Compressed File-Scanning Limits


Recursively compressed files are compressed files, such as ZIP or LZH files, that contain other compressed files. Scan engines must decompress these files before they can be opened and scanned. As a result, scanning recursively compressed files that contain multiple compressed layers can be resource intensive. Most scan engines have a maximum number of compressed layers that they can scan. InterScan MSS can scan a maximum of 20 layers.

Some virus writers use these limitations to smuggle malicious code or inappropriate content past antivirus and content-management software, hiding their content deep inside a recursively compressed file where the scan engines cannot find it. Recursively compressed files are also used to create a "zip of death", which launches a DoS attack: as the file is unzipped, its size continues to grow until it overloads the system. To prevent zip of death and other DoS attacks, you can specify the maximum allowable size of a file after decompression. When the file reaches the maximum allowable size, InterScan MSS aborts decompression and takes the action specified for the "Virus scanning aborted: message may contain virus" filter result.

When a compressed file contains other separately compressed files, the scanning process can take a long time. For example, you might receive a file from a customer called customer_info.zip. If the file contains additional zipped files, such as financial_info.zip, sales_records.zip, and projected_earnings.zip, InterScan MSS has to decompress each file to complete the scanning process. You can limit the number of files inside a compressed file that InterScan MSS decompresses. If the number of files exceeds the limit that you set, InterScan MSS aborts decompression and takes the action specified for the "Virus scanning aborted: message may contain virus" filter result.
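The three compressed-file limits above (layers, decompressed size, file count) as an added Python example that is not Trend Micro code: it walks a nested zip, streaming each member and counting bytes as they decompress rather than trusting the size recorded in the archive header, and aborts at the first limit hit. The 20-layer ceiling is the figure from the text; the 1 MiB size limit, the 10-file limit and the sample archives (including one that mirrors the customer_info.zip example) are constructed:

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CompressedLimits:
    max_layers: int = 20                        # the engine's 20-layer ceiling named in the text
    max_decompressed_bytes: int = 1024 * 1024   # constructed: 1 MiB total after decompression
    max_files: int = 10                         # constructed: files inside the archive, all layers


class ScanAborted(Exception):
    """Raised where the gateway would stop and apply the 'virus scanning aborted' action."""
    def __init__(self, reason: str, detail: str):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def scan_archive(data: bytes, limits: CompressedLimits, depth: int = 1, totals=None) -> dict:
    """Walk a possibly nested zip, enforcing layer, file-count and decompressed-size limits.
    Sizes are counted while streaming each member rather than read from the header, because
    the header's uncompressed-size field is under the sender's control. Returns the totals."""
    totals = totals if totals is not None else {"layers": 0, "files": 0, "bytes": 0}
    if depth > limits.max_layers:
        raise ScanAborted("layers", f"more than {limits.max_layers} compressed layers")
    totals["layers"] = max(totals["layers"], depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            totals["files"] += 1
            if totals["files"] > limits.max_files:
                raise ScanAborted("files", f"more than {limits.max_files} files")
            buf = io.BytesIO()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    totals["bytes"] += len(chunk)
                    if totals["bytes"] > limits.max_decompressed_bytes:
                        raise ScanAborted("size", f"more than {limits.max_decompressed_bytes} bytes")
                    buf.write(chunk)
            payload = buf.getvalue()
            if zipfile.is_zipfile(io.BytesIO(payload)):      # another layer: recurse into it
                scan_archive(payload, limits, depth + 1, totals)
    return totals


def classify(data: bytes, limits: CompressedLimits = CompressedLimits()) -> str:
    """'clean' when every limit held, otherwise 'aborted:<reason>'."""
    try:
        scan_archive(data, limits)
        return "clean"
    except ScanAborted as exc:
        return f"aborted:{exc.reason}"


# Constructed sample archives for the demonstration.
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def customer_info_zip() -> bytes:
    """Mirrors the text's example: customer_info.zip holding three further zip files."""
    inner = {name: make_zip({name[:-4] + ".csv": b"id,value\n1,2\n"})
             for name in ("financial_info.zip", "sales_records.zip", "projected_earnings.zip")}
    return make_zip(inner)


def oversized_zip() -> bytes:
    """A few KiB on the wire that inflates to 4 MiB: trips the size limit, not the others."""
    return make_zip({"zeros.bin": bytes(4 * 1024 * 1024)})


def nested_zip(layers: int) -> bytes:
    """One zip inside another, `layers` deep; 21 layers exceeds the 20-layer ceiling."""
    data = make_zip({"leaf.txt": b"hello"})
    for i in range(layers - 1):
        data = make_zip({f"layer{i}.zip": data})
    return data
```

The size counter is shared across all layers, so the limit bounds the total work the scan can be made to do, not just the size of any single member; that is what matters for the resource-exhaustion case the text describes.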

Attachment and Message Virus-Scanning Limits


When an email with a large attachment arrives at the InterScan MSS server, email flow stops while the scan engine checks the attachment for viruses. Malicious people sometimes use an email with multiple large attachments to disrupt email flow, because other email cannot be processed until all the attachments are scanned. To decrease your vulnerability to such an attack, you can configure two options:

Attachment + message size: controls the maximum size of an email message and its attachments.
Number of attachments: controls the maximum number of attachments that an email message can have.

Note: Some users have legitimate reasons for sending large attachments. Being overly protective against DoS attacks might disrupt necessary information flow.

2003 Trend Micro Incorporated

101

Trend Micro InterScan Messaging Security Suite Student Textbook

Multiple Virus-Infected Message Limits


Virus writers sometimes send email messages that have multiple viruses to disrupt the delivery of email. For example, an email message might contain 20 attachments, and each attachment might contain a virus. No other email can be delivered while the system cleans the attachments. You can configure the following settings to protect your company from such an attack:
Number of cleaning attempts: controls the number of times InterScan MSS tries to clean the email message.
Number of viruses reported: controls the number of notification messages you receive per email.

eManager Filter Message Size Limit


The eManager filter group manages spam, message content, and email delivery. You can use the eManager Filter Message Size option to limit the size of messages that eManager filters handle. Size restrictions reduce the system's exposure to the large messages that virus writers send to disrupt your email processing. To configure security settings, click Configuration | Security | Security Settings in the left-hand column of the InterScan MSS Web console. The Security Settings screen appears (see Figure 5-5). Enter values in the fields provided for message size limits and click Save.

Chapter 5: Configuring General and Security Settings

Figure 5-5: The Security Settings screen.

Exception Handling
When InterScan MSS cannot process an email, the event is known as a processing failure. Processing failures might be caused by insufficient system memory or by invalid IP addresses or domain names. Encrypted email can cause processing failures because the Antivirus filter and the eManager filters cannot scan it. If InterScan MSS fails to process a message, you can choose one of the following default actions:

Deliver: delivers the message normally
Delete: deletes the message
Delete and Notify: deletes the message and notifies the administrator
Deliver and Notify: delivers the message and notifies the administrator
Postpone and Notify: postpones delivery of the message until after midnight and notifies the administrator
Quarantine: sends the message to the default quarantine area
Quarantine and Notify: sends the message to the default quarantine area and notifies the administrator

You can create your own filter actions that you can use in addition to the default filter actions (for more information on creating filter actions, see the Creating New Filter Actions section in Chapter 6: Understanding and Creating Policies). To choose an action for email that cannot be processed, click Configuration | Security | Exception Handling from the left-hand frame of the InterScan MSS Web console. The Exception Handling screen appears (see Figure 5-6). Use the pulldown menus to select the filter action for both types of processing failures and then click Save.

Figure 5-6: The Exception Handling screen.

Note: To apply updated exception handling settings to your current InterScan MSS session, click Apply Now in the top-left corner of the console. Otherwise, the settings will be applied after you restart the program's SMTP scanning service.

Lab Exercise 3: Configuring InterScan MSS


Chapter 5 Summary and Review Questions


Summary
You can use the InterScan MSS Web console to set the console password, configure notification settings and locate or change queue directories. You can also block DoS attacks by configuring security settings such as the number of layers of recursively compressed archives, the maximum attachment and file size, and the maximum number of viruses that can be cleaned from a single attachment. In addition, you can configure the action InterScan MSS takes if it cannot successfully process a message.

Review Questions
1. What is the purpose of the badmail directory?
   a. To hold messages that are undeliverable so they will not be deleted
   b. To hold messages that are infected by a virus
   c. To hold messages that do not have empty subject fields
   d. To hold messages that cannot be scanned

2. Which of the following statements about queue directory locations is true?
   a. UNC paths are supported.
   b. The path must be a local directory path.
   c. It is not necessary to restart InterScan MSS to apply changes to directories.
   d. All of the above

3. How do you use InterScan MSS to prevent zip-of-death attacks on your network?
   a. Specify the maximum allowable file size after decompression
   b. Restrict the number of recursively-compressed layers
   c. Reject all compressed files such as ZIP and LZH files
   d. Block all large attachments

Chapter 6: Understanding and Configuring Policies


Chapter Objectives
After completing this chapter, you should be able to:
- Identify the main features of Policy Manager
- Define the global policy
- Create a sub-policy
- Set up policies for different individuals and groups within your organization
- Define address groups
- Define and use filter actions

Policy Overview
A policy is a set of rules. An email policy is a set of rules that a business creates to govern email use. For example, in order to reduce the amount of offensive material circulating in the office, a business might decide that employees cannot use the company email for personal use. This rule is a policy. InterScan MSS has policies of its own that you can configure and use to enforce your company's email rules. You can use these policies to determine which file types are scanned for viruses and the action InterScan MSS takes if a virus is detected. You can also use the policies to determine how InterScan MSS filters content and what action it takes if an email contains forbidden content. For example, your company may establish the following email rules:
- Users cannot exchange email that contains sexual or racial terms.
- Users cannot forward chain email.
- Users cannot send attachments that are larger than 4 MB.

To enforce these rules, you might create a policy that:
- Blocks email containing sexual or racial content
- Blocks chain email
- Postpones the delivery of email with large attachments until after business hours

There are three parts to every InterScan MSS policy and sub-policy:
- Route
- Filter
- Filter Action

Route
A route is a set of sender and recipient email addresses to which a policy is applied. To define a route, you must decide to whom you are directing your policy. Address groups and wildcard expressions are normally used to simplify the route configuration.

Filter
To create a filter, you must know what you are trying to find. Filters are used to check email both for viruses and for prohibited content. Policies can contain more than one filter. InterScan MSS contains predefined filters that you can use to combat common virus and content threats. You can also create your own filters.


Filter Action
The filter action that you specify determines how InterScan MSS deals with email that triggers the filters. For example, if you set the filter action on your virus filter to Delete, then InterScan MSS will delete all files in which it detects a virus. The filter action determines how the email is finally processed.

Note: You can dynamically apply all policy-related settings by clicking Apply Now in the upper-left corner of the console. Changes do not take effect until you click Apply Now.

When you create a policy and want to use an existing filter action, you configure the components in the following order:
1. Define the route.
2. Configure the filter.
3. Select the filter action.

If you want to create a new filter action when you create a policy, you configure the components in the following order:
1. Create a new filter action.
2. Define the route.
3. Configure the filter.
4. Select the filter action.

Two Types of Policies


You might not want a policy to apply to every user in your company. For example, if your company has a graphics department, the users in that department might need to exchange files that are larger than 4 MB. If you configure InterScan MSS to postpone or deny delivery of email with attachments larger than 4 MB, with no exceptions, it would hinder the graphics department's ability to send legitimate files. To help you create policies that meet the needs of all the users in your company, InterScan MSS includes two types of policies:
- Global Policy: applies to all email flowing through the InterScan MSS server.
- Sub-policies: apply only to the email messages or the users that you specify.

When InterScan MSS receives an email, it evaluates the email against sub-policies and then against the global policy. If there is a filter in the global policy that matches, it takes precedence over a sub-policy filter.

Note: You can allow the Global Policy to be overwritten by a sub-policy.


The Global Policy


The global policy is created when you install InterScan MSS (see Figure 6-1). By default, the global policy contains the following filters:

- Antivirus: compares all email and attachments against the virus-pattern file
- Heuristic Spam Filter (SPS): compares email content with common spam characteristics to detect spam
- Anti-Spam: compares email content with a database of expressions commonly found in spam
- Profanity: scans email for obscenities
- Racial Discrimination: scans email for racial slurs
- Sexual Discrimination: scans email for sexually offensive language
- Hoaxes: scans email for expressions found in common hoaxes that circulate through Internet email
- Chain Email: scans email for chain messages that encourage users to forward the email to everyone they know
- Love Bug: scans email for expressions that appear in email messages that harbor the auto-spamming ILOVEYOU virus
- Block HTML Script Messages: scans for HTML email with embedded scripts (such as JavaScript or VBScript)

By default, only the Virus filter and Heuristic Spam filter are active after installation. You can enable the other filters, and you can create additional filters in the global policy.

Note: The Heuristic Spam filter will not be active after installation if you do not enter a valid activation code. The Spam Prevention Service (SPS) must be activated separately from InterScan MSS.


Figure 6-1: The Filters List on the Global Policy screen.

Sub-policies
When you create a sub-policy, it inherits the active filters contained in the parent policy. For example, if you create a sub-policy directly under the global policy, that sub-policy inherits the active filters contained in the global policy. Filters that are inactive in the parent policy will remain inactive in the sub-policy. If you do not want the sub-policy to use a filter that is inherited from the global policy, you can disable that filter at the sub-policy level. You can also add filters to the sub-policy as needed. You can create a maximum of 10 sub-policies within a single policy. However, each sub-policy can have an unlimited number of filters. By default, the InterScan MSS installation program creates the following sub-policies, based on the domain name that you entered in the installation wizard:

- Incoming
- Outgoing
- POP3


For a sub-policy to take precedence over the global policy, you must enable the Allow filter to be overwritten by a sub-site feature before creating the sub-policy. To prevent a filter from applying to a specific sub-policy, you must first make that filter available in the global policy. Once the filter is available in the global policy, it is active in all sub-policies too. To disable it, change its status to Inactive in both the global policy and the sub-policies in which you want it disabled.

Incoming and Outgoing Policies


The incoming policy has the following route: email from * going to *@domain. The outgoing policy has the following route: email from *@domain going to *. Both of these policies contain an active antivirus filter, which has the following default configuration:
- All attachments are scanned, including compressed files.
- Viruses are cleaned, and uncleanable viruses are deleted.
- When a virus is cleaned, a disclaimer is added to the message before it is delivered.
- If a virus cannot be cleaned or virus scanning is aborted, the message is quarantined, and a notification is sent.
- Any mass-emailing virus is deleted.

The incoming policy also contains some content-management filters, such as a filter that restricts message size. These filters are disabled, but you can enable and customize them. The outgoing policy contains an inactive message size filter that you can enable and customize.

POP3 Policy
The route for the POP3 policy is configured as follows in the isntsmtp.ini file:

    POP3From=POP3FromLabel
    POP3To=POP3ToLabel

To define the route information with the default setting, enter POP3FromLabel@* in the From field and POP3ToLabel@* in the To field.

Note: The domain must be the asterisk (*) wildcard for the To and From fields.


If you modify the route information of the POP3 policy, you must make the same modifications to the isntsmtp.ini file. If the modifications do not match, POP3 email will not be detected by the POP3 policy and will be subject to the global policy only. You can modify only the name part of the route (before the @) in the InterScan MSS Management Console. If these conditions are not met, the policy will not work. InterScan MSS matches all POP3 messages to the POP3 messages policy. If you delete this POP3-only policy, POP3 messages are matched to the global policy.

The Order of Sub-Policies


When InterScan MSS receives a message for processing, it analyzes the sender and recipient addresses to determine which policy should be applied. By default, InterScan MSS uses the best match method to select the policy that is executed.
The Best Match Method

InterScan MSS searches the policy tree level-by-level, starting with the global policy. InterScan MSS first chooses the best match on the top level and then continues searching its child level (if any) until no route is matched or until another match is found. Once InterScan MSS finds an exact match, it stops searching the policies. If the addresses of an email match more than one route, InterScan MSS uses the weight of the routes to determine which policy to apply to the message. The route with the greatest weight is applied. If two routes have the same weight, InterScan MSS uses the route that appears first in the policy order.
First Match Method

When InterScan MSS uses the first match method, it matches the email address with the first route on the list that does not have a weight of 0. If there is a route further down on the policy list that matches better, it will not be applied. You can change the matching method from best match to first match. Open the registry editor and change the HKEY\Local Machine\Software\Trend Micro\ISNT5\registry\config\MatchMethod key value from 1 to 0.
Priority Rules (Best Match Method)

InterScan MSS uses the following rules to analyze routes:
1. A fully qualified address has the highest priority, and an address that consists only of wildcards has the lowest priority.
2. The number of qualified terms that an address contains increases the priority.

In addition, InterScan MSS evaluates the route as follows:
1.1. The domain in an email address is more significant than the name.
1.2. Both sender and receiver addresses are of equal importance.
1.3. When InterScan MSS analyzes messages, it assigns every email address a weight. InterScan MSS also adds the weights of the sender and receiver addresses and assigns the pair a weight. The overall possible priority could be anywhere between 0 and 10,000 (see Table 6-1).


Type  Name             Domain                         Weight      Example
1     Only wildcards   Only wildcards                 0           *@*, *
2     Qualified        Only wildcards                 1000        user@*
3     Only wildcards   Leading wildcard + #Q terms    2000 + #Q   *@*.uk, *@*.co.uk, *@*.domain.co.uk
4     Qualified        Leading wildcard + #Q terms    3000 + #Q   joy@*.uk, joy@*.co.uk, joy@*.domain.co.uk
5     Only wildcards   Fully qualified                4000        *@domain.co.uk
6     Fully qualified  Fully qualified                5000        joy@domain.co.uk

#Q: the number of qualified terms in the domain part (for example, 2 for *.co.uk).

Table 6-1: The six types of email addresses and their corresponding weights

A message with more than one recipient may be split and have different filters applied to it based on the different recipient addresses listed. For example, if Tyra sends the same message to Bob, Maria, Shayla, Jose, and Carl, each message might be evaluated against a different filter, depending on how you have configured your sub-policies. Consider the following examples:
1. The route (From: *@trendmicro.com, To: *@*) has precedence over (From: joy@*.com, To: *@*). When the recipient is the same, the weight of *@trendmicro.com is higher than that of joy@*.com because the domain is more significant than the name.
2. The incoming route (From: *@*, To: *@trendmicro.com) has the same precedence as the outgoing route (From: *@trendmicro.com, To: *@*) because the sender and receiver addresses are of equal importance.
3. The route (From: *@trendmicro.com, To: *@*.com) has precedence over (From: joy@trendmicro.com, To: joy@*). This is because the weight of the sender and receiver pair of the former route is (4000, 2001), but that of the latter is (5000, 1000).
4. The route (From: *@*.co.uk, To: *@*.co.uk) has precedence over (From: *@*.domain.co.uk, To: *@*). This is because the weight of the sender and receiver pair of the former route is (2002, 2002), but that of the latter is (2003, 0).

To specify the order of sub-policies, select Policy Manager | Global Policy | Manage Sub Policies in the left-hand frame of the InterScan MSS Management Console. You can adjust the order of execution in the Manage Sub Policy page.


Note: In general, you should have InterScan MSS execute the most specific sub-policies first.

Editing Global Policy Filters


You can enable, disable, and modify the Global Policy's nine filters to fit your scanning needs. Each filter has three edit buttons (see Figure 6-2). The edit buttons can be used to configure the search criteria a filter uses, the location or types of documents the filter scans, and the action the filter takes when it finds an email that violates the policy.

Figure 6-2: Using the three edit buttons available on the Global Policy screen.

Filter Type
The edit button in the Filter Type column can be used to change a filter's properties. You can select or enter specific words, phrases, and expressions for which InterScan MSS searches. You can determine whether InterScan MSS applies the filter to the email header, body, or attachment. The Filter Type edit button can also be used to specify what size the messages need to be in order to scan them. The filter will not be applied to messages that exceed the size restrictions.

Note: The configurable options for the Filter Type vary with each filter.

Warning: When you click the Filter Type Edit button for the profanity, racial discrimination, and sexual discrimination filters, the resulting screen displays the words against which InterScan MSS filters. Most people find these keywords offensive. These words are shown so that you know the content of the filter.


Filter Availability and Status


The edit button in the Filter Availability and Status column can be used to specify whether the filter is available for a policy's definition, whether the filter is active, and whether the filter can be overridden by another filter in a sub-policy. To use a filter in your policy definitions, its availability status must be set to Available. If the Filter Availability is set to Disabled, no policy can use it. The availability setting determines whether the filter can be used in the policy at all. If you decide to use the filter, you must ensure that the filter status is set to Active. If you do not want the filter to apply to a particular policy, you must ensure that the filter status is Inactive.

Note: For a sub-policy to inherit filters from a parent policy, the filter availability in the parent policy must be Available. If you do not want the filter to apply to the parent policy, you can set the filter status to Inactive.

When you create a sub-policy, if you want one of the filters in that sub-policy to override the settings in the parent policy, you must enable the override feature. For example, in an attempt to eliminate spam from your network, you activate the Heuristic Spam Filter (SPS) in the global policy. However, you know that the sales department travels a lot and might benefit from receiving special offers on airfare and hotel rates. You create a sub-policy targeted at email addressed to anyone in the sales department. This time, however, you configure the Heuristic Spam Filter to allow commercial offers about airfare and hotel rates. In order for this sub-policy to take precedence, you must set the override property in the global policy to Allow filter to be overwritten by a sub-site.

Note: The override property applies only to the eManager filters.

When the global policy and a sub-policy both contain an antivirus filter, the filter in the sub-policy is always the one executed. In other words, enabling Do not allow filter to be overwritten for the global policy's antivirus filter has no effect.

Filter Action
The filter action is the action that InterScan MSS takes against email that triggers policy filters. When configuring the filter action, you can create a new filter action (see the Creating New Filter Actions section in this chapter), or you can choose from the following default actions (see Figure 6-3):

Delete: deletes the message
Delete and Notify: deletes the message and notifies the administrator
Deliver and Notify: delivers the message and notifies the administrator
Postpone and Notify: postpones delivery of the message until after midnight and notifies the administrator
Quarantine: sends the message to the default quarantine area
Quarantine and Notify: sends the message to the default quarantine area and notifies the administrator

You may want to quarantine messages for any of the following reasons:

- To review messages that trigger content filters and determine the severity of policy infractions
- To keep a record of oversized messages in case they contain important information that the recipient needs
- To reduce the chance of deleting important messages, in case they are mistakenly detected by the Antivirus or eManager filters
- To collect evidence, for disciplinary purposes, of an employee's misuse of your organization's messaging system

Figure 6-3: The Filter Action screen.

You configure filter actions for each possible filter result. For filters that use the antivirus filter, the following results are possible:
- No virus detected
- Virus(es) detected and successfully cleaned
- Virus(es) detected but some/all were not cleaned
- Mass emailing virus detected
- Virus scanning aborted: message may contain viruses


For filters that use the eManager filters, only two results are possible:
- Triggered
- Not triggered

Filter actions are stored under the following registry key: C:\HKLM\Software\TrendMicro\ISNTS\registry\policy\classification

Note: For filter actions that notify the administrator, the notification is sent to the email address that was entered during installation.

Filter Order
The order of filter execution within a sub-policy is significant. For example, if the first filter triggers a delete action, execution stops after the first filter. If a filter triggers other filter actions, processing continues. Filter actions are executed as outlined below.

The following actions are taken immediately, and the next filter is not processed:
- Quarantine
- Forward original message
- Delete

The following actions are taken after the policy has processed all the filters:
- Postpone
- Forward modified message

The following actions are taken after the corresponding filter runs:
- Notification
- Archive

The message is delivered if the user has not selected one of the following actions:
- Quarantine
- Forward original message
- Delete

The Quarantine, Forward original message, and Delete actions are given priority over the Postpone and Forward modified message actions. If your sub-policy contains an antivirus filter, Trend Micro recommends that you place the antivirus filter at the top of the Filter Order list so it will be executed first. Executing the antivirus filter first ensures that all messages are checked for virus infection. If another filter executes first, a virus-infected message could be quarantined and later delivered without being scanned for viruses.

To order the filters in a sub-policy, click Policy Manager | Global Policy in the left-hand frame of the InterScan MSS Web Console. The Global Policy screen appears. Click the Order filters link near the top of the screen. The Filter Order screen appears (see Figure 6-4). Highlight the filter that you want to move and click the up or down arrow to change its location on the list. When you finish reordering the filters, click Save.
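A model of the filter-order rules above, showing why a quarantining filter placed ahead of the antivirus filter leaves the message unscanned; this is an added example, not InterScan MSS code. The filters, the messages, and the tie-break between the two deferred actions are constructed assumptions.

```python
"""Added example (not InterScan MSS code): filters run in list order; some
actions end processing at once, some wait until every filter has run, and
some happen right after the filter that raised them."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

IMMEDIATE = {"Quarantine", "Forward original message", "Delete"}   # stop at once
DEFERRED = {"Postpone", "Forward modified message"}                 # after all filters
SIDE_EFFECTS = {"Notification", "Archive"}                          # right after the filter


@dataclass
class Filter:
    name: str
    triggers: Callable[[Dict], bool]   # predicate over a constructed message dict
    actions: Tuple[str, ...]           # actions applied when the filter triggers


@dataclass
class Outcome:
    disposition: str = "Deliver"
    executed: List[str] = field(default_factory=list)                 # filters that ran
    side_effects: List[Tuple[str, str]] = field(default_factory=list)  # (filter, action)


def run_policy(filters: Sequence[Filter], message: Dict) -> Outcome:
    """Evaluate filters in list order under the precedence rules above."""
    out = Outcome()
    deferred: List[str] = []
    for flt in filters:
        out.executed.append(flt.name)
        if not flt.triggers(message):
            continue
        for action in flt.actions:
            if action in SIDE_EFFECTS:
                out.side_effects.append((flt.name, action))
            elif action in IMMEDIATE:
                out.disposition = action
                return out                     # remaining filters never run
            elif action in DEFERRED:
                deferred.append(action)
            else:
                raise ValueError(f"unknown action {action!r}")
    if deferred:
        # Assumption: when both deferred actions were raised, the first wins;
        # the text does not rank Postpone against Forward modified message.
        out.disposition = deferred[0]
    return out


def scanned_for_viruses(outcome: Outcome) -> bool:
    """True only if the antivirus filter actually executed."""
    return "Antivirus" in outcome.executed


# Constructed filters: antivirus quarantines and notifies; the message-size
# filter either quarantines or postpones anything over 4 MB.
ANTIVIRUS = Filter("Antivirus", lambda m: m.get("infected", False),
                   ("Notification", "Quarantine"))
MESSAGE_SIZE = Filter("Message size", lambda m: m.get("size_kb", 0) > 4096,
                      ("Quarantine",))
SIZE_POSTPONE = Filter("Message size", lambda m: m.get("size_kb", 0) > 4096,
                       ("Postpone",))

INFECTED_LARGE = {"infected": True, "size_kb": 6000}   # constructed message

if __name__ == "__main__":
    wrong = run_policy([MESSAGE_SIZE, ANTIVIRUS], INFECTED_LARGE)
    right = run_policy([ANTIVIRUS, MESSAGE_SIZE], INFECTED_LARGE)
    print("size first:", wrong.disposition, "scanned:", scanned_for_viruses(wrong))
    print("AV first:  ", right.disposition, "scanned:", scanned_for_viruses(right))
```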


Figure 6-4: The Filter Order screen.

Creating a Sub-Policy
Before you create a sub-policy, you must define the following policy components:

Filter action: Decide what you want InterScan MSS to do with messages that trigger the filters. If you do not want to use one of the default filter actions, you must first create a new filter action. All filters must have a filter action.
Route: Decide to whom the sub-policy will apply. Use email addresses and domain names to specify the routes. You can use an address book to create the route, but you must create the address book before you create the sub-policy.
Type of filter: Determine the type of filter that is best suited for finding the items you want to filter. For example, if you want to filter for sexual content, you would choose the Sexual Discrimination filter.

Name the Policy


When creating a sub-policy, the first step is to give it a name. The name you choose should reflect the purpose of the sub-policy, so that it can be easily identified. For example, if you create a sub-policy to filter email that contains sensitive company financial information, you might give it a name like Financial.


To create a sub-policy, complete the following steps:
1. In the left-hand column of the InterScan MSS Web console, click Policy Manager | Global Policy. The Global Policy screen appears.
2. Click the Sub-policies link near the top of the Global Policy screen. The Manage Sub Policy screen appears.
3. Click the Create new sub-policy link near the top of the screen. The Create Sub Policy screen appears (see Figure 6-5). Type a name for the new sub-policy in the Name: field, and type a brief description of the policy in the Description: field.

Figure 6-5: The Create Sub Policy screen.

4. Click Next. The Create Sub Policy screen appears.

Define the Route


Defining the route is the second step in creating a sub-policy. To define a route, you must know to whom the sub-policy will apply. Routes are a list of sender and receiver email addresses. The list of email addresses that you define in the route determines to which email messages InterScan MSS applies the new sub-policy. Use the Create Sub Policy screen to define the sub-policy route (see Figure 6-6). Enter the email addresses of the users to whom you want InterScan MSS to apply the sub-policy. Enter the sender's email address in the From column and the recipient's email address in the To column. Click Finish when the lists are complete.


Figure 6-6: The Create Sub Policy screen used to create the route of the sub-policy.

Note: Click the Select link if you want to add an entire address list to the sub-policy.

Using the Asterisk (*) Wildcard


A single asterisk (*) matches everything, including nothing. For example, when you enter a single asterisk, it matches the following:
- Any email address
- An empty From field

Spam messages sometimes have an empty From field because the sender does not want to disclose his or her identity. The behavior of the asterisk wildcard depends on whether it appears before or after the @ in an email address. Text that comes before the @ is treated as the name. Text that comes after the @ is treated as the domain. If no @ exists, the entire string is considered invalid.

To match the name part of an email address, you can use a single wildcard asterisk or the exact name. Partial matches are not allowed. The asterisk wildcard matches everything except no entry in the field, as illustrated below:
- *@trendmicro.com matches stanley_edwards@trendmicro.com.
- *@trendmicro.com does not match @trendmicro.com.jp.
- Stanley*@trendmicro.com or *edwards@trendmicro.com is invalid.


To match the domain part of an email address, you can use the asterisk wildcard only at the beginning of the domain. The asterisk wildcard can match one or more subdomains, as illustrated below:
- *@*.solar.com matches *@earth.solar.com.
- *@*.solar.com matches *@europe.earth.solar.com.
- *@*.solar.com does not match *@solar.com.

Partial matching of subdomains is not allowed. For example, *@trend*.com is an invalid format. Other invalid patterns are listed below:
- *@trend.*.jp: the wildcard occurs in the middle of the domain name.
- *@trend.com.*: the wildcard occurs at the end of the domain name.
- *@*.*.com: a second wildcard occurs in the middle of the domain name.
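The route wildcard rules above, worked through as an added Python example (written for this text, not code from the course or the product): compile_pattern rejects the patterns the page lists as invalid and tests addresses against the valid ones. The DNS label character set and the route_applies helper are assumptions.

```python
import re

# Assumption (not on the page): a domain label is letters, digits and hyphens.
LABEL = r"[A-Za-z0-9-]+"


class InvalidPattern(ValueError):
    """Raised for route patterns the page lists as invalid formats."""


def compile_pattern(pattern):
    """Validate one route pattern and return a function that tests an address.

    Rules from the page: a lone * matches everything (even an empty From
    field); the pattern must contain an @; the name part is either * or an
    exact name; the domain part may start with *. (one or more subdomains)
    and must otherwise be literal.
    """
    if pattern == "*":
        return lambda address: True
    if pattern.count("@") != 1:
        raise InvalidPattern("no @ in pattern: %r" % pattern)
    name, domain = pattern.split("@")
    if not name or (name != "*" and "*" in name):
        raise InvalidPattern("name part must be * or an exact name: %r" % pattern)
    subdomain_wild = domain.startswith("*.")
    literal = domain[2:] if subdomain_wild else domain
    if "*" in literal or not re.fullmatch(LABEL + r"(?:\." + LABEL + r")*", literal):
        raise InvalidPattern("wildcard allowed only at the start of the domain: %r" % pattern)
    # * in the name part matches any non-empty name, never an empty From field.
    name_re = r"[^@\s]+" if name == "*" else re.escape(name)
    # *. must match at least one label, so *.solar.com does not cover solar.com.
    domain_re = (r"(?:" + LABEL + r"\.)+" if subdomain_wild else "") + re.escape(literal)
    address_re = re.compile("^" + name_re + "@" + domain_re + "$", re.IGNORECASE)
    return lambda address: address_re.match(address) is not None


def pattern_is_valid(pattern):
    """True when the pattern passes the validity rules above."""
    try:
        compile_pattern(pattern)
        return True
    except InvalidPattern:
        return False


def route_applies(from_patterns, to_patterns, sender, recipient):
    """A route applies when some From entry matches the sender and some To
    entry matches the recipient (constructed helper, not the product's code)."""
    return (any(compile_pattern(p)(sender) for p in from_patterns)
            and any(compile_pattern(p)(recipient) for p in to_patterns))


if __name__ == "__main__":
    # Constructed sample: any sender (even an empty From) to one subdomain tree.
    print(route_applies(["*"], ["*@*.solar.com"], "", "hr@earth.solar.com"))  # True
```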

After you create a sub-policy, it appears in the left-hand column of the InterScan MSS Web console, directly under the Global Policy branch of the directory tree. The filters that the sub-policy inherits from its parent policy, along with the status of those filters, appear in the main screen.

Address Groups
Address groups allow you to organize email addresses into groups. You can define address groups for people to whom you want to apply the same email policy. Frequently, members of the same address group belong to the same department. For example, suppose that you have identified three types of content that you want to block from being transmitted through your company's email system. You want to define three policies (shown in parentheses below) to detect that content:
- Sensitive company financial data (FINANCIAL)
- Job search messages (JOBSEARCH)
- VBScripts (VBSCRIPT)

Now consider the following address groups within your company:
- All executives
- All Human Resources (HR) department
- All IT development staff


When you define the route for the policies, you would use the address groups as shown below:

Address Group              FINANCIAL              JOBSEARCH              VBSCRIPT
All executives             not included in route  included in route      included in route
All HR department          included in route      not included in route  included in route
All IT development staff   included in route      included in route      not included in route

Executives, HR staff, and IT developers have legitimate business reasons for sending financial information, job search-related correspondence, and VBS files, respectively. Because those legitimate reasons exist, you exclude these groups from the policies. To create an address group, click Policy Manager | Address Group from the left-hand frame of the InterScan MSS Management Console. The Address Group screen appears (see Figure 6-7). Enter the requested information in the fields provided on the screen and use the prompts to complete the process.

Figure 6-7: The Address Group screen.

Note: You cannot use the asterisk wildcard in address groups.


To modify an existing address group, access the Address Group screen again and click the Details link next to the group that you want to modify (see Figure 6-6). To delete an address group, click the option button next to the group you want to remove and then click Delete.


Note: If an address group has "in use" instead of an option button in the right-hand column, this address group is currently being used within a route and cannot be deleted while the route exists. To delete the address group, you must deactivate the route.

Importing an Address Group from a File

InterScan MSS supports address imports from Comma Separated Value (CSV) files. The file must reside on a drive that is local to the InterScan MSS server. You can then type the directory path to the file that contains the address information. If you are using a browser to view the InterScan MSS Web console from a remote computer, you should copy the text file into a shared directory on the InterScan MSS server.

Note: When importing an address group from a CSV and merging it with an existing address group, duplicate email addresses will be overwritten.

Note: You cannot import address list information from a remote computer, either by an HTTP upload or by typing a Universal Naming Convention (UNC) path. The file must be either on a drive that is local to the InterScan MSS server, or on a mapped drive.

When you import an address group from a text file, make sure that each line contains only one email address. For the file to work correctly, each address must have its own line. An example text file is shown below:
Andy@trendmicro.com
Raymond@trendmicro.com
SomeDude@yahoo.com

Add a Filter and Choose the Action


Adding a filter is the third step to creating a sub-policy. When you create a sub-policy, it automatically inherits the filters that were available in the parent policy. The inherited filters can be activated and used in the sub-policy. However, if you want the sub-policy to filter email for material that is not included in the inherited filters, you must make a new filter for the sub-policy to use.

Note: A policy can contain only one antivirus filter. If both a parent policy and a sub-policy contain an antivirus filter, only the one in the sub-policy is executed.

To create a sub-policy filter, click the Create new filter link near the top of the Manage Filters screen. The New Filter screen appears.

1. Enter a name for the filter you are creating, specify whether it can be overwritten by another filter in a sub-policy, and choose the type of filter that you want to use. Click Next after you finish configuring the options. The screen that appears varies depending on the filter type that you chose.


2. Configure the options on the screen and click Next. Another screen appears, confirming the settings you made (see Figure 6-8).

Figure 6-8: The New Filter Settings verification screen that appears when creating a content filter.

If you need to change some of the settings, click Back. If the settings are correct, click Next. The New Filter screen appears.

Note: If you click Next, you cannot go back and alter the settings. Any modifications to the settings must be made before continuing on from this screen. However, once you have created the filter, you can edit it.

3. Choose the filter action that InterScan MSS should take when an email triggers the filter (see Figure 6-9). Click Save. Your new filter appears in the filters list on the Manage Filters screen.


Figure 6-9: The New Filter Screen.

Creating New Filter Actions


If the default filter actions do not meet your requirements, you can create a new filter action. For example, your company might be negotiating a contract with another company and you might want to archive all email messages exchanged with the other company. In this case, you create a filter action that delivers the email message, archives the email message, and notifies you that these actions have been taken.

Filter Action Components


Filter actions specify the action InterScan MSS takes against email that triggers a filter and to whom notifications are sent. A filter action is comprised of one or more of the following components:
- Processing action
- Archive
- Notification

Processing Action
The processing action is the action that you configure InterScan MSS to take with an email that triggers a filter. You can quarantine, delete, or forward the message, or you can postpone and deliver. A filter can have just one processing action.

Archive
InterScan MSS can archive messages either in a local directory or in an email account. You can either archive the message in its original form, or you can archive the message with the filter changes, such as viruses cleaned from the attachment or a disclaimer appended to the message body. While a filter can have only one processing action, it can have an unlimited number of archive and notification actions.

Notification
InterScan MSS can send email or Simple Network Management Protocol (SNMP) Trap notifications when an email triggers a filter. These notifications can be sent to the original sender, recipient, administrator, or any other email address that you choose. You cannot use address groups to send notifications, but you can use Exchange distribution lists. InterScan MSS can either attach the message in its original form or send the message that was modified by the filter.

Configuring Notification Messages

When you configure notifications, you can use the following tokens to provide more information about the event that triggered the filter:

%SENDER%            Message sender
%RCPTS%             Message recipients
%SUBJECT%           Message subject
%DATE&TIME%         Date and time of incident
%EMAILID%           Email ID
%RULENAME%          Name of the policy that contained the triggered filter
%FILTERNAME%        Type of filter, such as antivirus filter, Advanced Content Filter, Message Size Filter, and so on
%TASKNAME%          Name of the filter that the user entered during filter creation
%GLOBALACTION%      Current action to be taken
%DETECTED%          What triggered the filter, which filter was triggered, and details from the filter
%QUARANTINE_PATH%   Quarantine path (if quarantine action is performed)
%QUARANTINE_NAME%   Quarantine name (if quarantine action is performed)
%QUARANTINE_AREA%   Quarantine area (if quarantine action is performed)
%ADDINFO%           Additional information from the filter (currently used when the result of the antivirus filter is uncertain)
%CLSNAME%           Name of current filter action
%DEF_CHARSET%       Default character set of the notification message

Note: Tokens are case-sensitive.



For example, you might want the notification message that InterScan MSS sends to include the following information:
- Name of the filter that took action against the email
- Name of the policy that contained the filter
- Identification number of the email
- User who sent the message
- User(s) who received the message
- Subject of the message
- Time and date the incident occurred
- Current location of the message

The notification that you configure might look similar to the following example:

The %FILTERNAME% filter defined in InterScan MSS has detected the following message using its %RULENAME% rule. The message's ID is %EMAILID%. The following information describes the message that may breach your company's policy:
Message sender: %SENDER%
Message recipients: %RCPTS%
Message subject: %SUBJECT%
Incident time: %DATE&TIME%
Per the configuration of your filter's action, this message can be reviewed in the %QUARANTINE_AREA% quarantine folder.

The notification message that InterScan MSS would send in response to a virus event would look like the following example:

The Detect Script Viruses filter defined in InterScan MSS has detected the following message using its Catch LOVELETTER rule. The message's ID is 12345-12345-12345-12345. The following information describes the message that may breach your company's policy:
Message sender: Joe@yahoo.com
Message recipients: Rahul@company.com
Message subject: Check out the attached Loveletter coming from me
Incident time: 10-30-2001, 6:15 PM
Per the configuration of your filter's action, this message can be reviewed in the VirusArea1 quarantine folder.


Note: If you want a filter action to have more than one option for the Archive or Notification features, you must click New Item in the Filter Action screen to add each one separately.

To create a new filter action, click Policy Manager | Filter Action from the left-hand frame of the InterScan MSS Management Console. The Filter Action screen appears. Click the New Filter Action link. The New Filter Action screen appears (see Figure 6-10). In the Name: field, enter a name for the new filter and then click New Item. Follow the prompts to finish creating the filter action.

Figure 6-10: The New Filter Action screen.

Modifying and Deleting Filter Actions


After you implement a policy, you may need to modify the filter action that you created. For example, when you implement a filter, you may create a filter action that forwards the message, archives the message, and notifies you. You may decide later that the filter and the filter action are working correctly, and you no longer need to be notified. You could then modify the filter action and remove the notification. To modify an existing filter action, click Policy Manager | Filter Action from the left-hand frame of the InterScan MSS Management Console. The Filter Action screen appears (see Figure 6-11). Click the filter action that you want to modify, then click Edit and modify the filter action.


Figure 6-11: The Filter Action screen.

To delete a filter action, access the Filter Action screen again, click the option button next to the filter that you want to remove, and then click Delete.

Note: If a filter action has "in use" instead of an option button in the right-hand column, the filter action is being used by a filter and cannot be deleted while the filter exists. To delete the filter action, you must deactivate the filter.

Lab Exercise 4: Configuring Policies


Chapter 6 Summary and Review Questions


Summary
Use the Policy Manager to create and modify policies that enforce your company's email usage rules. By default, InterScan MSS includes a global policy that affects all messages flowing through the InterScan MSS server. Other policies you create affect only the messages that you specify. Each policy has three components: route, filters, and filter action. To create a policy, you configure these three components. Each policy can contain a maximum of 10 sub-policies, but each sub-policy can contain an unlimited number of filters. To create effective sub-policies, you must understand the order in which filters are executed. If a message triggers a filter, the filter takes the action that you specified. For example, a message may be quarantined if the attachment exceeds the limits you specified, if the attachment appears to contain a virus, or if the content violates your company's policies.

Review Questions
1. Which of the following is not a policy component?
   a. Filter action
   b. Route
   c. Filters
   d. Sub-policy

2. Which eManager filter blocks messages that have the words "Get Rich Quick" in the subject line?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message size filter
   d. Subject line filter

3. Which eManager filter do you use to block large messages during business hours?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message-size filter
   d. Subject line filter

4. Which filter action is executed first?
   a. Deliver
   b. Forward original message
   c. Notification
   d. Forward modified message

5. In which order should you organize sub-policies?
   a. Most general policies first, most specific policies last
   b. Most specific policies first, most general policies last
   c. Incoming policies first, outgoing policies last
   d. Outgoing policies first, incoming policies last


Chapter 7: Understanding Filters


Chapter Objectives
After completing this chapter, you should be able to:
- Explain the InterScan Messaging Security Suite (InterScan MSS) built-in filter groups: Antivirus and eManager
- Explain how the antivirus filter works
- Configure which message attachments are scanned
- Explain how InterScan MSS reports an infected file that is sent to multiple recipients
- Write keyword expressions that the InterScan eManager filter can use to block content at your Simple Mail Transfer Protocol (SMTP) gateway
- Write file extensions in expressions
- Explain how the eManager filter handles Multipurpose Internet Mail Extensions (MIME) subtypes
- Add and delete quarantine areas


Filters
InterScan MSS includes seven types of filters. These filters are divided into two groups: the Antivirus filter group and the eManager filter group. The Antivirus filter group consists of only the antivirus filter. The antivirus filter uses pattern-matching technology to scan messages and their attachments for viruses. You can configure the file types the filter scans, compressed file-scanning behavior, the filter action, and the notifications that InterScan MSS inserts into the email body. The eManager filter group manages spam, message content, and email delivery. eManager filters compare message content to keyword expressions and other criteria that you configure. Messages that trigger a filter are processed according to the filter actions that you configure. eManager also compares email to a spam signature file to identify spam and stop it at the gateway. There are six types of eManager filters:
- Advanced Content
- Message Attachment
- General Content
- Message Size
- Disclaimer Manager
- Anti-Spam filter

In addition to the Antivirus and eManager filter groups, InterScan MSS has a heuristic spam filter called Spam Prevention Service (SPS). The heuristic scanning technology is used to detect first-time spam, or spam that the eManager signature file might not detect. When used with the eManager filter group, this heuristic spam filter provides an additional layer of protection against unwanted junk email.

The Antivirus Filter


Although the antivirus filter is enabled by default, you should modify the filter to meet the needs of your company and its messaging environment. For example, by default InterScan MSS scans all attachments. If your server hardware does not have the resources to scan every message, you can modify the antivirus filter to scan only the file types that are vulnerable to viruses. To modify the antivirus filter in the global policy, select Policy Manager | Global Policy from the left-hand frame of the InterScan MSS Management Console. By default, the antivirus filter is the first filter listed in the global policy. To edit the file types the antivirus filter scans, the action taken when viruses are detected, and the notification messages that are sent, click the Edit button in the Filter Type column. The Virus screen appears (see Figure 7-1). Configure the settings you see on the screen.


Figure 7-1: The Virus screen.

Selecting the File Types to Scan


When configuring which file types InterScan MSS will scan, you can choose from the following options:
- Scan all file types
- IntelliScan
- Scan specified file types by extension

The Scan all file types option is the safest setting because InterScan MSS scans every file for viruses. However, this option is also the most resource intensive. If you have a network with limited resources, scanning all file types might put too much strain on your network.


When you use the IntelliScan option, InterScan MSS uses a Trend Micro method of determining the true type of a file. Virus writers can rename file extensions to make an executable file look like a different file type. IntelliScan performs an internal analysis of the file rather than relying on a file's extension to determine the true file type. InterScan MSS scans only the files that exhibit a true file type that has been known to harbor viruses. The IntelliScan option is a compromise between maximum security and maximum efficiency. It is better suited for networks with limited resources because not all files are scanned. When you choose the Scan specified file types by extension option, you can either create your own list of file types to scan, or you can use a list of file types that Trend Micro recommends scanning. This scan option scans files based on the file extension and does not consider the true file type.

Using Wildcards to Specify File Types


You can use the asterisk (*) and question mark (?) wildcards when configuring the file types to scan and the file types to exclude. The asterisk can stand for any number of characters, whereas the question mark stands for a single character. Table 7-1 shows examples of files that would be scanned under different wildcard scenarios.
Wildcard   File Types Scanned
.*         All files, regardless of extension
.do?       DOC, DOT
.e*        All file types starting with the letter e

Table 7-1: Depending on how they are used, wildcards can tell InterScan MSS to scan any combination of file types.

When configuring file types to exclude from scanning, the wildcards can be used in the same way. However, if you use a standalone asterisk, only files without extensions are scanned.
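The Table 7-1 wildcards and the standalone-asterisk exclusion caveat, as an added Python example (written for this text, not the product's scanning code). How the product itself derives an attachment's extension is not described on the page, so extension_of is an assumption.

```python
import re


def extension_pattern(pattern):
    """Compile one scan-list or exclude-list entry (written ".do?" on the page)
    into a regex over the bare extension: ? is exactly one character, * any run."""
    body = pattern[1:] if pattern.startswith(".") else pattern
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in body)
    return re.compile("^" + regex + "$", re.IGNORECASE)


def extension_of(filename):
    """Extension without its dot, or "" when the attachment name has none
    (assumption: the product's own name parsing is not described on the page)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def should_scan(filename, scan_patterns, exclude_patterns=()):
    """Would the antivirus filter scan this attachment under the "scan specified
    file types by extension" option? Constructed logic, not the product's code."""
    ext = extension_of(filename)
    selected = any(extension_pattern(p).match(ext) for p in scan_patterns)
    # Page caveat: a standalone asterisk in the exclude list means that only
    # files without an extension are scanned, so every extension is excluded.
    if any(p in ("*", ".*") for p in exclude_patterns):
        excluded = ext != ""
    else:
        excluded = ext != "" and any(extension_pattern(p).match(ext) for p in exclude_patterns)
    return selected and not excluded
```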

Selecting the Antivirus Filter Action


You can configure the following actions for the antivirus filter if a virus is detected:
- Clean: removes the virus from the infected file
- Delete: removes the infected file
- Pass: records the virus infection in the log but takes no action on the file

You can also specify whether you want InterScan MSS to delete uncleanable files or pass them to the next filter.


Configuring Notification Messages


The notifications that InterScan MSS sends when email messages trigger the Antivirus filter are different from the notifications sent when eManager filters are triggered. The eManager notifications are optional, whereas InterScan MSS automatically sends a notification if the Antivirus filter is triggered. Notifications are sent for the following actions:
- The antivirus filter detects a virus
- The antivirus filter removes an attachment

You can also configure InterScan MSS to attach safe stamps to email messages that are clean. The safe stamps can be sent as an attachment or entered directly into the email body. The Antivirus filter inserts only one safe stamp per email message. You can use the following tokens to create messages that are inserted into the body of infected email messages:

%FILENAME%         Filename of the attached file (noname when the file name cannot be determined)
%VIRUSNAME%        List that shows all viruses found
%ACTION%           Either pass or clean or remove, or else defined by the process
%MAXENTITYCOUNT%   String that shows the maximum number of entities that can be scanned, such as 20. This string is configurable on the Security Settings page.

For example, suppose you configured the following message to insert inside an infected message:

A file that was attached to this message, %FILENAME%, was found to be infected with the %VIRUSNAME% computer virus. InterScan MSS has taken the following action against the message: %ACTION%.

If InterScan MSS detected the W97M-MARKER virus in a file called resume.doc, it would insert the following text into the body of the email message:

A file that was attached to this message, resume.doc, was found to be infected with the W97M_MARKER computer virus. InterScan MSS has taken the following action against the message: CLEAN


To prevent these inserted messages from appearing in the recipient's email, edit the following registry key:
HKEY_LOCAL_MACHINE\Software\TrendMicro\ISNTS\Registry\Config\FilterManager\0001\0001
1. Add a DWORD value under this key.
2. Set it as follows and then restart InterScan MSS:
AddAlert = 0

Infected Messages to Multiple Clients


If a virus-infected message is sent to multiple recipients in different domains, InterScan MSS may show a record of processing just one message, but virus detection is shown for each recipient. For example, suppose a message containing one virus is sent to three recipients at trend.com, trendmicro.com, and trendmicrosales.com. The System Monitor shows that one message was processed, and three viruses were detected.

Virus Filter Results


To configure the action InterScan MSS takes with password protected files, click Policy Manager | Global Policy from the left-hand column in the InterScan MSS Web console. The Global Policy screen appears. Click Edit in the Filter Action column, and then configure the settings on the Virus screen that appears (see Figure 7-2).

Figure 7-2: The Virus screen used to configure the filter action for the Antivirus filter.


From the Virus screen, you can also configure the filter action for each of the following seven antivirus filter results:
- Mass emailing virus detected
- Virus(es) detected but some/all were not cleaned
- Joke program attachment detected
- Virus scanning aborted; message may contain viruses
- Password protected file detected (not scanned)
- Virus(es) detected and successfully cleaned
- No virus detected

For each filter result, you can select one of the pre-defined filter actions or a filter action that you configured. The default filter actions for each of these possible results are shown in Figure 7-2.

Note: Before editing the registry, ensure that you understand how to restore it if a problem occurs. For more information, view the Restoring the Registry Help topic in Regedit.exe or the Restoring a Registry Key Help topic in Regedt32.exe.

Configuring the Advanced Content Filter


InterScan MSS uses the advanced content filter to check the email header, body, and attachments for simple or complex expressions. You can configure InterScan MSS to use the built-in synonym list to check for keyword synonyms.

Features
The Profanity, Racial Discrimination, and Sexual Discrimination filters are examples of advanced content filters. The advanced content filter provides the following functionality:
- Contains a configurable severity index, which you can use to configure a filter's sensitivity to keyword matches
- Supports case sensitivity for keyword matches
- Supports complex expressions that use the eManager built-in operators
- Evaluates keyword frequency and proximity to other terms when deciding to trigger the filter

Writing Expressions
InterScan MSS uses the advanced content filter to search for keyword expressions that you define. For example, if you wanted to block email messages that contain the words "you are a jerk", you might create the following expression:
you .NEAR. jerk


You can also specify the proximity of the words so that the filter catches the following phrases:
You are a big jerk.
You are a big fat jerk.

Expressions consist of operands and operators. Operands are words for which you want to search. Operators define the relationship between the operands in the expression. Consider the expression in the previous example. The words you and jerk are operands. The word .NEAR. is an operator.

Note: The space between the operand and the operator is significant to how the expression is parsed. For example, the expression High .AND. Low is parsed as two operands (High, Low) and one operator (.AND.). The expression High.AND.Low is parsed as one operand (High.AND.Low).

Operators
The eManager operators can be divided into five groups:
- Grouping operators
- Decorating operators
- Logical operators
- Limiting operators
- Relational operators

Grouping Operators

The grouping operators are listed below:
.(.
.).

The grouping operators are used to change the order in which operators are evaluated. The operators between the grouping operators are evaluated first. For example, the following two expressions are evaluated differently because the second expression contains grouping operators:
better .AND. faster .OR. cheaper
better .AND. .(. faster .OR. cheaper .).
The first expression matches content that contains both keywords better and faster. It also matches content that contains the keyword cheaper (see Table 7-2). The second expression matches content that contains better and either faster or cheaper (see Table 7-3).


Result    Content
Match     Content analysts agree that the 2002 model is a better, faster, and more economical vehicle than its predecessors
Match     many young families have found that buying houses in the East Bay suburbs is cheaper than living in the peninsula communities
No Match  broadband Internet access can be up to 50 times faster than dial-up connections, and rates are expected to

Table 7-2: Matching the first expression with email content.

Result    Content
Match     Content analysts agree that the 2002 model is a better, faster, and more economical vehicle than its predecessors
Match     many young families have found that buying houses in the East Bay suburbs is cheaper and offers a better quality of life
No Match  broadband Internet access can be up to 50 times faster than dial-up connections, and cheaper rates

Table 7-3: Matching the second expression with email content.

Decorating Operator

The decorating operator is .WILD. When you use the .WILD. operator, content is evaluated against the operand. The asterisk (*) wildcard character is often used with the .WILD. operator, as shown in the following example:
.WILD. This * message
This expression matches content when the word message follows the word This. The word This and the word message can be separated by any number of words (see Table 7-4). The .WILD. operator can also be used in place of letters in a word, as shown in the following example:
.WILD. *ed
This expression matches any content that ends with ed (see Table 7-5).


Result    Content
Match     This message is being sent to you because you signed up for our free email newsletter
Match     This is to inform you that I will be on holidays until 10/12. You can leave a message at 408-555-1212
No Match  This is arguably the most exciting software that I have

Table 7-4: Matching expressions using the .WILD. operator.

Result    Content
Match     that movie has been edited for TV broadcast
Match     this program is followed by an infomercial
No Match  The editor sent the manuscript for final proofreading

Table 7-5: Using the .WILD. operator in place of partial words.

Logical Operators

The logical operators are used to perform logical operations on operands. You can use the following three operators when creating expressions: .AND., .OR., and .NOT.

The following expression contains a logical operator:

High .AND. Low

This expression matches content when both the word High and the word Low are present (see Table 7-6). Now evaluate a similar expression, this time using the logical operator .OR.:

High .OR. Low

This expression matches content when either the word High or the word Low is present. This expression also matches content when both words are present (see Table 7-7).


Trend Micro InterScan Messaging Security Suite Student Textbook

  Result     Content
  Match      High today in the interior is 87. Low tonight will be 53 near the coast
  Match      His favorite movies are High Noon an Eject at Low Level and Live
  No Match   she plans to attend Central High next fall

Table 7-6: Using the logical operator .AND. to write expressions.

  Result     Content
  Match      High tide will be at 9:00 PM. Low tide will be at 7:00 AM
  Match      the box was too High for her to reach
  Match      please turn the heater to low, I'm sweating

Table 7-7: Using the logical operator .OR. to write expressions.

The .NOT. logical operator functions a little differently than the other two logical operators. Expressions that use the .AND. and .OR. operators are used to search for combinations of operands. Expressions that use the .NOT. operator are used to search for one operand and not another. For example, if you wanted to create a filter that finds email about pets, but you want to allow content about dogs, you might create the following expression (see Table 7-8):

Pets .NOT. Dog

  Result     Content
  Match      the sign at the beach said that pets are not allowed
  Match      I do not like visiting people who own 100 pets
  No Match   pets are an enormous pain to care for, but my dog is worth it

Table 7-8: Using the logical operator .NOT. to write expressions.

Limiting Operator

You can use the limiting operator .OCCUR. to create an expression that a filter can use to search for multiple occurrences of a word or phrase used in an email. If the appearances of the word or phrase exceed the Frequency setting, the email will trigger the filter.


Note: If you write an expression that uses the .OCCUR. operator, you should configure the Frequency setting under Advanced Settings (see the Advanced Settings section in this chapter).

Relational Operator

You can use the relational operator .NEAR. to create an expression that a filter can use to search for words that are close to each other. If the words appear close enough together, the email triggers the filter.

Note: If you write an expression that uses the .NEAR. operator, you should configure the Proximity setting under Advanced Settings (see the Advanced Settings section in this chapter).

Regular Expressions

InterScan MSS supports the use of regular expressions. Regular expressions are not as limited as the expressions you create using Boolean terms. When using only Boolean terms to create expressions, the search is limited to the words or phrases specified, and variants within the words themselves are not found. However, when you use regular expressions, the filter you create can catch variants of the word(s) for which you are searching. For example, evaluate the following expression that uses only Boolean terms:

sex .OR. sexual

Filters that use the expression in this example catch email that contains the words sex or sexual. However, variants of these words, such as s3x and sExual, are not caught. Now evaluate the following expression that uses a regular expression:

.REG. s[eE3]x

Filters that use the expression in this example catch the word sex, as well as any variants of the word, such as s3x and sEx.

Note: When creating regular expressions, do not use \n, \r, or \t as regular expressions because they are InterScan eManager separators.

Table 7-10 contains descriptions of the characters that you can use when creating regular expressions. Each description is accompanied by an example of how the expression is used.

  .        Matches any single character.
           Example: the expression r.t catches rat, rut, rot, and r t, but not root.

  *        Matches any number and combination of letters between the characters specified in the expression (0 to infinite occurrences).
           Example: the expression b.*t catches the words breast and butt, but also catches the word best.

  ?        Matches 0 or 1 occurrence of the preceding character, forcing minimal matching when an expression might match several strings within a search string.
           Example: the expression suc?k catches the word suck and the variant suk.

  +        Matches one or more of the preceding characters.
           Example: the expression Ri+ch catches the word Rich and variants such as Riich, Riiich, and so on.

  $        Matches the end of a line.
           Example: the expression off$ catches the string tell him to back off, but not the string Get off my back.

  [abc]    Matches any one of the characters between the brackets.
           Example: the expression s[eE3]x catches the word sex and variants such as sEx and s3x.

  [a-c]    Specifies a range of characters. The characters can only be letters or numbers.
           Example: the expression p[0-9]rn catches p0rn, p1rn, p2rn, p3rn, and so on.

  [^a-b]   Matches all characters except those between the brackets.
           Example: the expression sh[^ou]t catches every four-letter word beginning with sh and ending with t, except shut and shot.

  {n, m}   Matches a specific number of instances, or instances within a range, of the preceding character.
           Example: the expression x\{3,\} catches xxx, xxxx, and xxxxx, but does not catch x or xx.

  \<       Matches the beginning of a word.
           Example: the expression \<out catches the string out to the ballpark, but does not catch strikeout.

  \>       Matches the end of a word.
           Example: the expression \>out catches strikeout, but does not catch outfield.

Table 7-10: Writing regular expressions.


Priority of Operators
When expressions are evaluated, certain operators are given priority over others (see Table 7-11).
  Operator    Priority
  .(. .).     *
  .WILD.      1
  .OCCUR.     2
  .NOT.       2
  .NEAR.      3
  .AND.       4
  .OR.        5

Table 7-11: Priority 1 is the highest, and Priority 5 is the lowest. Parentheses (marked *) are evaluated before any other operator.

Advanced Settings
Each eManager filter has advanced settings that you can configure to complement some of the keyword expressions that you write (see Figure 7-4). InterScan MSS uses the Proximity setting to determine how far apart keywords can be when using the relational operator (.NEAR.). The Frequency setting defines how many times a keyword can appear in an email when using the limiting operator (.OCCUR.).


Figure 7-4: The eManager filters have advanced settings.

Proximity
When configuring expressions, you can create intelligent filters, or filters that allow you to take the proximity of keywords into consideration. For example, use the expression punch .NEAR. face to evaluate the following message from an upset colleague:

...be forewarned: if your bill collectors persist in calling me, I will come down to your office and punch your face into oblivion...

If the proximity value is set at two, the expression punch .NEAR. face causes the filter to trigger on the colleague's message. When InterScan MSS detects the first word, it assigns that word the number 1, and then it counts each word until it detects the second word (see Table 7-12).

  punch   1
  your    2
  face    3

Table 7-12: Calculating the proximity setting.

After detecting the second word, InterScan MSS subtracts the number assigned to the first word from the number assigned to the second word. If the value is equal to or less than the proximity setting, the filter triggers.


Now use the same expression to evaluate the following message taken from a newsletter:

...The party was a tremendous success. The children had fruit punch and cookies. A clown showed up after snack time to distribute presents, and the children laughed at his painted face and colorful clothes...

The expression will not cause the filter to trigger on the newsletter because the word punch is not close enough to the word face.

Frequency Setting
When you write a keyword expression using the limiting operator, you may want your filter to trigger only when that expression appears several times. Being lenient with the frequency setting gives your users a few chances when using prohibited keywords. The filter is triggered, however, when the keywords are used excessively. For example, suppose you wanted to search for email messages that contain more than five occurrences of the word free. You would create the following expression:

.OCCUR. free

After creating the expression, set the frequency value to five. Select Policy Manager | Global Policy from the left-hand column of the InterScan MSS Web console. Click the Edit button in the Filter Type column for the filter you want to configure, and then click the Advanced Setting link on the screen that appears (see Figure 7-5). Set the value of the Frequency: field to five.

Separating Characters
By default, the eManager filter divides message content into words when it encounters the space, tab, line feed, and carriage return characters. If you want to use other characters to divide keywords, enter them in the Separators: field.


Figure 7-5: The eManager filters all have advanced settings that you can configure by clicking the Advanced Settings link shown here. This link is available only after the filter has been created. These settings cannot be modified while creating the filter.

Intelligent Keyword Matching


You can assign a severity value to advanced content filter expressions. If the value exceeds the threshold that you set, then the filter takes the filter action that you have configured. For example, you give the word jerk a severity rating of three, and then set your threshold at 10. An email that contains three instances of the word jerk would not trigger the filter because the severity total (9) is lower than the threshold. However, if the email contains a fourth instance of the word jerk, the severity total (12) would be higher than the threshold, triggering the filter (see Figure 7-6).

Note: If the severity-index result of scanning the attachment surpasses a threshold, you can automatically delete the attachment before sending the message to the recipient.


Figure 7-6: Setting severity values for keywords and expressions.

Combinations of words can cause the total to exceed the threshold as well. For example, you give the word jerk a severity rating of three, the word punk a severity rating of five, and you set your threshold at seven. If an email contains two instances of the word jerk, the filter will not trigger. However, if the email contains the words jerk and punk, then the filter will trigger because the total value (eight) exceeds the threshold. Severity values can only be positive. If, however, you want to ignore a keyword when it occurs in conjunction with another term, you can configure this kind of filter behavior by using the .AND., .OR., and .NOT. operators.

Calculating Severity
When calculating severity, the eManager filters consider each message component separately, such as the header, body, and attachment. For example, suppose you set the severity threshold at 10 and give the keywords jerk and punk a severity value of five each. A message with a subject containing jerk and an email body containing punk will not trigger the filter, even though the words matched. Because the words are found in different entities, the message is permissible.
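The per-component severity rule described above can be checked with a short script. The following is an added example written for this edition of the textbook, not Trend Micro code; it assumes that rated keywords are matched as whole words without regard to case, and that a component triggers when its own total strictly exceeds the threshold (the text says "exceeds"; it does not say what happens at equality).

```python
import re

# Added example, not Trend Micro code. Each message component (subject, body,
# attachment text) is totalled on its own and compared to the threshold by
# itself, as the "Calculating Severity" section describes. Whole-word,
# case-insensitive keyword matching is an assumption.

def component_severity(text, severities):
    """Sum severity over every occurrence of every rated keyword in one component."""
    total = 0
    for keyword, value in severities.items():
        # (?<!\w) / (?!\w) keep "jerk" from matching inside "jerky"
        hits = re.findall(r"(?<!\w)%s(?!\w)" % re.escape(keyword), text, re.IGNORECASE)
        total += value * len(hits)
    return total

def severity_verdict(message, severities, threshold):
    """message: dict of component name -> text.
    Returns (per-component totals, triggered). A single component must exceed
    the threshold; totals from different components are never added together."""
    totals = {name: component_severity(text, severities) for name, text in message.items()}
    return totals, any(total > threshold for total in totals.values())

if __name__ == "__main__":
    ratings = {"jerk": 3, "punk": 5}
    # Constructed messages following the chapter's jerk/punk example (threshold 7)
    print(severity_verdict({"body": "jerk jerk"}, ratings, 7))                   # not triggered
    print(severity_verdict({"body": "you jerk, you punk"}, ratings, 7))          # triggered
    print(severity_verdict({"subject": "jerk jerk", "body": "punk"}, ratings, 7))  # split across components
```

The third call shows the component rule: the subject totals 6 and the body 5, which would be 11 if combined, but neither component alone exceeds 7, so the filter stays quiet.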

Writing Complex Expressions


Sometimes you want the eManager filter to detect tokens except when they appear in conjunction with other words. For example, as part of a policy designed to detect sexually harassing email content, you want to filter for the keyword buns. However, you want to exclude legitimate occurrences of this keyword, such as hamburger buns and hotdog buns. The requirements of this expression are summarized below:

  Detect buns but ignore when part of the expression hamburger buns.
  Detect buns but ignore when part of the expression hotdog buns.


You can create several expressions that will block messages with sexual usage of the word buns, but permit legitimate email about hamburger and hotdog buns. The following four examples show how to write such an expression.

Requirement 1: buns .AND. .NOT. hamburger buns
Requirement 2: buns .AND. .NOT. hotdog buns

Note: You do not have to use parentheses in the first two expressions because the .NOT. operator is evaluated before the .AND. operator.

You can combine the expressions for both requirements by using the .OR. operator. The final expression is as follows:

.(.buns .AND. .NOT. hamburger buns.). .OR. .(.buns .AND. .NOT. hotdog buns.).

Note: The .(. and .). operators are required in the final expression because the .OR. operator has the lowest priority of operation. The evaluation order would not be correct if the .(. or .). operators were omitted.

Evaluation Rules

The way an expression is written is vital to the functionality of the expression. To ensure that the expression filters the correct material, you should remember the following guidelines when creating expressions:

  The expression must be valid.
  Contents within parentheses are evaluated first.
  Contents are evaluated from left to right.
  Contents are evaluated according to the priority of the operators.

Seven Types of Valid Expressions


There are seven types of valid expressions:
Type 1

Type 1 is an operand-only expression, or an expression that does not have an operator. An example is shown below: keyword


Type 2

.WILD. <Type (1) expression>

Note: Due to performance issues, the first token and the last token following the operator .WILD. cannot consist of a single asterisk. For example, .WILD. *, .WILD. * Birthday, and .WILD. Happy * are all invalid expressions.

Type 3

.NOT. <Type (1) expression>
.NOT. <Type (2) expression>
.NOT. <Type (3) expression>
.NOT. <Type (4) expression>
.NOT. <Type (5) expression>
.NOT. <Type (7) expression>

Type 4

.OCCUR. <Type (1) expression>
.OCCUR. <Type (2) expression>


Type 5

<Any Type (1 to 7)> .AND. <Any Type (1 to 7)>
<Any Type (1 to 7)> .OR. <Any Type (1 to 7)>
Type 6

<Any Type (1 to 2)> .NEAR. <Any Type (1 to 2)>


Type 7

.(. <Type (1 to 7) expression> .).

Note: Expressions that do not comply with one of the above seven forms are treated as invalid (see Table 7-13).

  Expression                                   Validity   Explanation
  .OCCUR. .(. High .AND. LOW .).               Invalid    .OCCUR. cannot appear before a Type 7 expression.
  .NOT. High .NEAR. Low                        Invalid    .NEAR. can apply only to Type 1 and Type 2; .NOT. is Type 3.
  .NOT. .(. High .NEAR. Low .).                Valid      Complies with Type 3.
  .WILD. better * faster .NEAR. coming soon    Valid      Complies with Type 6.
  .WILD. *                                     Invalid    The first token that follows .WILD. is the asterisk.
  .WILD. Hello, every ****                     Invalid    The last token, which follows .WILD., is all asterisks.

Table 7-13: Examples of valid and invalid expressions.

Using Reserved Words as Operators

If you want to match some reserved keywords, or text that resembles an operator within an operand, you have to add an escape character (\) to it. For example, if you want to match keywords cats and dogs you might write the following expression: cats \.AND. dogs. However, if you want to match the escape character as part of the keywords cats\dogs and pets, you have to use two escape characters when writing the expression, as shown in the following example: cats\dogs \\.AND. pets.

Note: The escape character is not character-based but token-based. The escape character covers the whole token instead of the character. Also, it does not escape the special character asterisk (*) in the expression that follows the .WILD. operator.
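The operator semantics described in this chapter (the .WILD., .AND., .OR., .NOT., .OCCUR. and .NEAR. operators, the Proximity and Frequency settings, the Table 7-11 priorities, the seven valid forms of Table 7-13, and the token-based escape) can be exercised with a small evaluator. The following is an added example, not eManager code and not the product's actual matching engine. It assumes case-insensitive matching and that punctuation attached to a word is ignored, neither of which the chapter states, and it accepts .NOT. only in the prefix form of Type 3, so the Table 7-8 expression is written as Pets .AND. .NOT. Dog.

```python
import re

# Added example, not Trend Micro code: evaluator for this chapter's eManager keyword
# expressions. Assumed (not stated on the page): case-insensitive, punctuation ignored.
PUNCT = ".,;:!?\"'()"
OPS = {".WILD.", ".OCCUR.", ".NOT.", ".NEAR.", ".AND.", ".OR.", ".(.", ".)."}

def normalize(text, separators=" \t\n\r"):
    """Split message text into lowercase words on the Separators characters."""
    words = re.split("[%s]+" % re.escape(separators), text)
    return [w.strip(PUNCT).lower() for w in words if w.strip(PUNCT)]

def tokenize(expr):
    """Whitespace tokens; .(. and .). may abut words; a backslash before an operator makes it a literal token."""
    expr = expr.replace(".(.", " .(. ").replace(".).", " .). ")
    return [("word", t[1:]) if t.startswith("\\") and t[1:] in OPS else
            ("op", t) if t in OPS else ("word", t) for t in expr.split()]

def operand_regex(phrase, wild=False):
    """Type 1/2 phrase as a regex over space-joined words; a lone '*' spans words, an in-token '*' spans part of one."""
    toks = [t.strip(PUNCT).lower() or t for t in phrase.split()]
    if wild and (set(toks[0]) == {"*"} or set(toks[-1]) == {"*"}):
        raise ValueError("first/last .WILD. token cannot be only asterisks")
    parts = [r"(?:\S+ )*" if wild and t == "*" else
             (r"\S*".join(map(re.escape, t.split("*"))) if wild else re.escape(t)) + " "
             for t in toks]
    return re.compile(r"(?<!\S)" + "".join(parts).rstrip() + r"(?!\S)")

class Parser:
    """Recursive descent in Table 7-11 order: .(. .). first, then .WILD., .OCCUR./.NOT., .NEAR., .AND., .OR.; equal priority binds left to right."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr) + [("end", None)], 0
    def take(self):
        self.i += 1
        return self.toks[self.i - 1][1]
    def expr(self):
        return self.binary(".OR.", lambda: self.binary(".AND.", self.not_expr))
    def binary(self, op, lower):
        node = lower()
        while self.toks[self.i] == ("op", op):
            self.take()
            node = (op, node, lower())
        return node
    def not_expr(self):
        tok = self.toks[self.i]
        if tok == ("op", ".NOT."):                 # Type 3
            self.take()
            node = self.not_expr()
            if node[0] == ".NEAR.":                # may not wrap a bare Type 6
                raise ValueError(".NOT. cannot apply to a .NEAR. expression")
            return (".NOT.", node)
        if tok == ("op", ".OCCUR."):               # Type 4: operand only
            self.take()
            return (".OCCUR.", self.operand())
        if tok == ("op", ".(."):                   # Type 7
            self.take()
            node = ("GROUP", self.expr())
            if self.take() != ".).":
                raise ValueError("missing .).")
            return node
        node = self.operand()
        if self.toks[self.i] == ("op", ".NEAR."):  # Type 6: Type 1/2 operands
            self.take()
            node = (".NEAR.", node, self.operand())
        return node
    def operand(self):
        wild = self.toks[self.i] == ("op", ".WILD.")
        self.i += wild                             # consume .WILD. if present
        words = []
        while self.toks[self.i][0] == "word":
            words.append(self.take())
        if not words:
            raise ValueError("operand expected at token %d" % self.i)
        return ("MATCH", operand_regex(" ".join(words), wild))

def evaluate(node, words, proximity=2, frequency=5):
    """True when the normalized word list triggers the parsed expression."""
    joined, kind = " ".join(words), node[0]
    if kind == "MATCH":
        return node[1].search(joined) is not None
    if kind in ("GROUP", ".NOT."):
        inner = evaluate(node[1], words, proximity, frequency)
        return inner if kind == "GROUP" else not inner
    if kind == ".OCCUR.":                          # occurrences must exceed Frequency
        return len(node[1][1].findall(joined)) > frequency
    if kind == ".NEAR.":                           # word-number difference <= Proximity
        pos = [[joined.count(" ", 0, m.start()) for m in n[1].finditer(joined)]
               for n in node[1:]]
        return any(abs(a - b) <= proximity for a in pos[0] for b in pos[1])
    left, right = (evaluate(n, words, proximity, frequency) for n in node[1:])
    return (left and right) if kind == ".AND." else (left or right)

def triggers(expr, text, proximity=2, frequency=5):
    p = Parser(expr)
    node = p.expr()
    if p.toks[p.i][0] != "end":                    # surplus tokens: invalid expression
        raise ValueError("unexpected token %r" % (p.toks[p.i][1],))
    return evaluate(node, normalize(text), proximity, frequency)
```

Running the invalid rows of Table 7-13 through triggers raises ValueError for the same reasons the table gives, and the Proximity and Frequency arguments reproduce the punch .NEAR. face and .OCCUR. free walk-throughs of the Advanced Settings section. One check worth making with the evaluator: by the chapter's own definition of .OR., the final buns expression fires when either parenthesised clause holds, so a message containing hamburger buns still triggers it through the hotdog clause; joining the two clauses with .AND. instead requires both exclusions to hold.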

Creating an Advanced Content Filter


To create an advanced content filter, click Policy Manager | Global Policy from the left-hand menu of the InterScan MSS Web console. The Global Policy screen appears. Click the Create new filter link at the top of the screen. Follow the step-by-step instructions on the New Filter screen that appears (see Figure 7-7).


Figure 7-7: The New Filter screen.

Configuring a Message-Attachment Filter


The message-attachment filter is used to block message attachments or MIME content-types at the SMTP gateway. For example, your company might prohibit users from exchanging MP3 files and WAV files because these files might distract users. Your company may also prohibit users from exchanging EXE and COM files because these files are vulnerable to viruses. You can use a message-attachment filter to prevent these types of files from entering your email system.

Features
The message-attachment filter checks messages according to the following criteria:

  Attachment name (supports wildcards)
  Attachment type from the MIME content-type field in the message header
  Attachment file type from a binary analysis of the attachment


Creating a Message-Attachment Filter


To create a message-attachment filter, click Policy Manager | Global Policy and click the Create new filter link. The New Filter screen appears (see Figure 7-7). Follow the step-by-step instructions to create a message-attachment filter. To modify an existing message-attachment filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-8).

Figure 7-8: The attachment filter modification screen.

Message MIME Content Type


Email messages with MIME content contain a content type field in their headers. The following is an example of an email message header:

Mime-Version: 1.0
Content-Type: multipart/mixed;

This is a multi-part message in MIME format.

Content-Type: text/plain; format=flowed

Content-Type: application/msword;
...

The message-attachment filter detects the MIME types you select and then performs the action you configure (see Figure 7-9).


Figure 7-9: The MIME content types.

Table 7-14 shows how the eManager filter blocks certain MIME content-type attachments. You can use this table to determine which MIME content type is blocked (right column) by enabling the corresponding item (left column) in the program's user interface.

  eManager Option            MIME Content Type(s)

  Image File Formats
    JPEG                     image/JPEG, image/PJPEG
    GIF                      image/GIF
    TIF/TIFF                 image/TIFF
    BMP                      image/x-ms-bmp, image/bmp

  Audio File Formats
    WAV                      audio/x-WAV, audio/WAV, audio/Microsoft-WAV
    MP3                      audio/x-MPEG, audio/MPEG
    MIDI                     x-music/x-MIDI, audio/MID

  Video File Formats
    MPEG                     video/MPEG
    QUICKTIME                video/quicktime
    MSVIDEO                  video/x-msvideo, video/AVI, video/x-ms-asf, video/x-ms-wmv

  Application File Formats
    PDF                      application/PDF
    ZIP                      application/ZIP, application/x-ZIP-compressed
    msword/RTF               application/msword, application/RTF, text/richtext
    mspowerpoint             application/vnd.ms-powerpoint, application/mspowerpoint
    msexcel                  application/vnd.ms-excel, application/x-msexcel, application/ms-excel

Table 7-14: The MIME content types.

Note: Email clients may list the MIME content type differently. The exact wording in the message's Content-Type field may vary slightly depending on which email client was used to send the message.

Attachment File Type


You can filter a number of attachment file types at the SMTP gateway. For example, you can filter the following executable files:

  EXEs: All DOS, Windows 3.1, 32-bit Windows, and OS/2 executable files are filtered.
  DLLs: Windows 3.1 and 32-bit Windows DLLs are filtered.
  Java byte code

In addition, you can filter compressed files with the following extensions: ZIP, RAR, ARJ, TAR, and GZ. If you check the Others option, you can also filter the LZW, CAB, LHA, ARC, AR, PKLITE, DIET, LZH, and LZ compressed file formats.


Analyzing True File Type

The eManager filter does not rely on a file's extension to determine the file type. Instead, the eManager filter performs an internal analysis of the file. The following list shows the file types that are most likely to be attacked by viruses. If you want to filter for any of these file types, you can enter them in the Other field. Use a semi-colon (;) to separate multiple entries.
  BAS   Microsoft Visual Basic class module
  BAT   batch file
  CHM   compiled HTML help file
  CMD   Microsoft Windows NT command script
  COM   Microsoft MS-DOS program
  CPL   control panel extension
  CRT   security certificate
  EXE   program
  HLP   help file
  HTA   HTML program
  INF   setup information
  INS   Internet naming service
  ISP   Internet communication settings
  JS    JScript file
  JSE   JScript Encoded Script file
  LNK   shortcut
  MDA   Microsoft Access add-in program
  MDB   Microsoft Access program
  MSC   Microsoft Common Console document
  MSI   Microsoft Windows installer program
  MSP   Windows installer patch
  MST   Visual Test source files
  PCD   photo CD image or Microsoft Visual Test compiled script
  PIF   shortcut to MS-DOS program
  REG   registration entries
  SCR   screen saver
  SCT   Windows script component
  SHS   shell scrap object
  URL   Internet shortcut
  VB    VBScript file
  VBE   VBScript encoded script file
  VBS   VBScript file
  WSC   Windows script component
  WSF   Windows script file
  WSH   Windows script host settings file
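The two attachment checks described in this section, the MIME content type of Table 7-14 and the true file type that ignores the file's extension, can be illustrated together on a constructed message. The following is an added example, not eManager code: the blocked MIME types are a subset of Table 7-14 compared case-insensitively (the note above says the Content-Type wording varies by client), and the magic-byte signatures stand in for the product's internal file analysis, whose details the chapter does not give.

```python
import email
from email import policy
from email.message import EmailMessage

# Added example, not Trend Micro code. BLOCKED_MIME is a subset of Table 7-14,
# lower-cased for comparison. SIGNATURES are the well-known leading bytes of
# each format and are an assumption about how a "true file type" check works;
# the page only says the filter analyses the file instead of its extension.

BLOCKED_MIME = {"audio/x-wav", "audio/wav", "audio/microsoft-wav",
                "audio/x-mpeg", "audio/mpeg",
                "application/zip", "application/x-zip-compressed"}

SIGNATURES = [  # (leading bytes, label), checked against the decoded attachment
    (b"MZ", "EXE/DLL"),                 # DOS/Windows executables and DLLs
    (b"PK\x03\x04", "ZIP"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"\xca\xfe\xba\xbe", "JAVA_CLASS"),
    (b"%PDF", "PDF"),
]
BLOCKED_TRUE_TYPES = {"EXE/DLL", "ZIP", "RAR", "JAVA_CLASS"}

def true_file_type(data):
    """Classify attachment bytes by signature, ignoring file name and declared type."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "UNKNOWN"

def scan_message(raw):
    """Return (filename, declared MIME type, true type, verdict) for each attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        declared = part.get_content_type()          # the parser returns it lower-cased
        actual = true_file_type(part.get_payload(decode=True) or b"")
        if declared in BLOCKED_MIME:
            verdict = "blocked: MIME type"
        elif actual in BLOCKED_TRUE_TYPES:
            verdict = "blocked: true file type " + actual
        else:
            verdict = "allowed"
        findings.append((part.get_filename(), declared, actual, verdict))
    return findings

def build_sample():
    """Constructed message: a text body plus three attachments, one an EXE renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 61, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_string()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The first attachment is the case the true file type check exists for: its name says .txt and its declared type is the generic application/octet-stream, so neither a name filter nor the MIME table catches it, but the MZ header identifies it as an executable.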


Configuring General Content Filter


The general content filter is a simple content and attachment filter. You can use this filter to scan subject line, keyword(s) in the message body, attachment file size, and attachment file extension.

Features
The general content filter provides the following functionality:

  Filters content in the following:
    Message subject field (permits multiple subjects)
    Keywords in message body
    Message size
    Attachment file name (supports wildcard)
  Supports case sensitivity

Note: The general content filter cannot use complex expressions that include the built-in operators .NOT., .OCCUR., and so on. When these terms are entered, they are treated as part of the keyword expression and not as operators.

Modifying the General Content Filter


When modifying the General Content filter, you must choose which parts of the email the filter will scan. You can select any combination of the following elements:

  Subject line: You can search for keywords, such as ILOVEYOU, in the subject line. This option supports the asterisk (*) wildcard within an expression, but the asterisk must be accompanied by at least one character. The asterisk cannot stand alone.
  Email body: You can search for keywords in the email body. This option supports the asterisk (*) wildcard within an expression.
  Message size: You can filter attachments that match the parameters you specify. For example, you can filter attachments that are larger than 2 MB.
  Attachment file name: You can enter the file names to detect. This option supports the asterisk (*) wildcard within an expression.

If you select multiple filtering criteria for the same general content filter, all the criteria must be found in an email in order to trigger the filter. For example, if you specify that the email must contain ILOVEYOU in the subject line, and the document attachment must have a DOC extension, then both attributes must be found in the email in order to trigger the filter. An email with ILOVEYOU in the subject line and no attachment will not trigger such a filter.


To create a general content filter, click Policy Manager | Global Policy and click the Create new filter link. The New Filter screen appears. Follow the step-by-step instructions to create a message-attachment filter. To modify a general content filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-10):

Figure 7-10: The general content filter modification screen.

Configuring Message-Size Filters


The message-size filter allows precise control over the sizes of messages that can be processed throughout the day. InterScan MSS checks for postponed messages every five minutes. You can use this filter to postpone processing large messages until after peak hours, reducing the amount of resources you use during business hours.

Features
The message-size filter provides the following functionality:

  Supports message filtering based on message size (body + attachments), an attachment's size, and/or the number of attachments
  Enforces message-size restrictions during time periods selected from a weekly calendar


Creating a Message-Size Filter


When creating or modifying a message-size filter, you can set the following size limitations:

  Body + attachments
  Size of any single attachment
  Number of attachments

To create a message-size filter, click Policy Manager | Global Policy and click the Create new filter link. The New Filter screen appears. Follow the step-by-step instructions to create a message-size filter. To modify a message-size filter, access the Global Policy screen and click Edit in the Filter Type column next to the filter that you want to modify. Follow the instructions on the screen that appears (see Figure 7-11):

Figure 7-11: The message-size filter modification screen.

Configuring Disclaimer Manager Filter


You can use the disclaimer manager filter to append standard text to specified messages. For example, your company may want to configure disclaimer manager filters to append the following information:

  A standardized statement about the company
  A confidentiality statement
  A statement that explains the views of the sender do not necessarily reflect the views of the company


Features
The disclaimer manager filter provides the following functionality:

  Appends user-configurable disclaimer text at the beginning or end of messages
  Supports complex expressions using the eManager filters
  Alternatively appends the disclaimer to all messages

Creating a Disclaimer Manager Filter


The disclaimer can be a maximum of 1,024 characters long. To create or modify a disclaimer manager filter, click Policy Manager | Global Policy from the left-hand menu of the InterScan MSS Web console, and then click the Create new filter link on the Global Policy screen that appears. Supply the information requested on the screen and follow the prompts to finish creating the filter (see Figure 7-12). When creating new expressions, you can use Boolean terms to define when the disclaimer will be added to a message.

Figure 7-12: Creating a disclaimer manager filter.


Configuring the eManager Anti-Spam Filter


Trend Micro has a team of spam collectors who add identifying characteristics of spam email to the spam databases. Because spam senders frequently change their email addresses, identifying characteristics such as Web sites or telephone numbers are used to detect them. The anti-spam filter detects spam messages by comparing message content with the Trend Micro spam database. The filter updates the following two files from the spam database and uses the files to block spam:

  TM_Trend$SE.###: contains message header characteristics such as the Subject, From, and To fields of known spam messages (### represents the database version).
  TM_AntiSpam.###: contains typical keyword expressions that appear in spam messages. Keywords might be a phone number, a URL, or an expression such as Get rich in 30 days.

If you receive a suspected spam message that the Trend Micro spam database fails to detect, forward it (including all email headers) to spam@trendmicro.com. If Trend Micro confirms that it is a spam message, it will be added to the spam database. To create a spam filter, click Policy Manager | Global Policy from the left-hand column of the InterScan MSS Web console. On the Global Policy screen that appears, click the Create new filter link and follow the instructions provided on the screens. When creating a spam filter, you must choose one of the following scanning options:

  Enable for Message Subject: Scans the email headers and compares them with the Trend Micro spam database.
  Enable for Both Message Subject and Body: Scans both the email subject line and the body (higher spam detection rate, and higher strain on the email processing system).

Spam Prevention Service (SPS)


Spam Prevention Service (SPS) uses a heuristic scan engine to detect spam. As the email passes through InterScan MSS, the SPS heuristic filter compares the characteristics of the email against predefined rules and assigns a numbered score to each characteristic. The scores are processed through a mathematical formula that is based on the weighted significance of each characteristic and the combination of characteristics observed in the message. The result of this equation is the spam score (see Figure 7-17). SPS measures the spam score against the desired level of spam sensitivity to determine whether the message is spam. If the spam score for a given message exceeds the sensitivity level of your policy, the message is considered spam. This process can only be overridden in the following scenarios:

  If the sender appears on the Approved Senders list, the message is not considered to be spam, regardless of the score.


  If the sender appears on the Blocked Senders list, the message is considered to be spam, regardless of the score.
  If text in the message triggers a Text exemption filter, the message is not considered spam.
Figure 7-17 (diagram, not reproduced): a message arrives from the Internet through the firewall into IMSS, where the Spam Prevention Service checks it against Rule 1 through Rule 9 and records a match or no match for each, before the message continues to the client. The figure carries two captions: "SPS compares heuristic expressions in a message to known heuristic expressions (rules) of spam." and "The Inference Engine computes the statistical probability that the message is spam."

Figure 7-17: The SPS filter uses heuristic scanning technology to calculate the probability that an email is spam.

Detecting first-time spam is the primary advantage to heuristic scanning. Most spam scan engines compare incoming email to a database of known spam, or spam that has been circulating for weeks, months, or even years. Because the heuristic scan engine does not rely on a database of known spam, it can detect first-time spam, or spam that no one has ever seen before.

Features
The heuristic scan engine provides the following features that you can use to control the flow of spam entering your network:
- Text exemption rules
- Approved Senders and Blocked Senders lists
- A baseline detection rate applied to all email
- Additional sensitivity settings by category

To view and configure the heuristic scan engine features, select Policy Manager | Global Policy and click the Heuristic Spam Filter (SPS) Edit button in the Filter Type column. The Heuristics Spam Filter (SPS) screen appears (see Figure 7-13).


Figure 7-13: The SPS Baseline Detection Rate has six settings.

Text Exemption Rules


You can create text exemption rules to prevent SPS from scanning email with specified content. For example, if you work for a sales company, you might decide that the salespeople need to receive email about special airfare rates because they travel so often. You can create an exemption rule that scans the subject line for the word airfare. SPS forwards email that matches the exemption rule to the next filter in the global policy; the email is never analyzed by the SPS filters. Because the exemption is triggered by content that the sender controls, anyone who puts the exempted word in a subject line bypasses SPS entirely, so keep exemption rules as narrow as possible and review them periodically.

Approved Senders and Blocked Senders Lists


You can accept or deny all email coming from specified domains, regardless of the email content. For example, if you suspect that all email from the domain @spamman.com is spam, you can add that domain to the Blocked Senders list. Once you add the domain, SPS blocks all email from that domain, whether or not it is spam. If you want to accept all email from a specific domain, you can add the domain to the Approved Senders list. Once you add the domain to the list, SPS accepts all email from that domain, whether or not it is spam. Keep in mind that both lists are keyed on the sender address alone, which in SMTP is supplied by the sender and is easy to forge: a domain-wide Approved Senders entry gives a spammer a simple way past SPS, so keep approved entries as specific as you can.


When you add a domain to either list, you must place it in either the modifiable or the unmodifiable section of the list. If you add the domain to the modifiable section, you can later add a more specific address within that domain to the other list. If you add the domain to the unmodifiable section, you cannot. For example, if you add *@trendmicro.com to the modifiable section of the Approved Senders list, you can still add tom@trendmicro.com to the Blocked Senders list.
Using the Asterisk Wildcard

You can use the asterisk wildcard (*) to compose entries on the Approved Senders and Blocked Senders lists. The asterisk can be used in place of either the name or the address in the domain. For example, if you want to accept all email from Trend Micro, you might enter the following address in the window (see Figure 7-15): *@trendmicro.com

Figure 7-15: Using the asterisk wildcard when configuring the Approved and Blocked Senders lists.

To match the name portion of an email address, you can use only a single wildcard * or the exact name. Partial matches, like the one in the following example, are not allowed: bobby*@trendmicro.com


When using wildcards for the domain part of an email address, the asterisk must appear at the beginning of the pattern. The wildcard can match one or more subdomains, and you can use multiple wildcards to match subdomains (see Table 7-15):

Wildcard Entry    Possible Matches                                      Non-Matches
*@*.solar.com     reggie@earth.solar.com, lucy@europe.earth.solar.com   kim@solar.com
*@*.*.com         maria@earth.solar.com                                 chang@solar.com

Table 7-15: Wildcards must appear at the beginning of the domain in an email address.

Partial matching of subdomains is not allowed. You must enter wildcards from the most significant portion of the address to the least significant. For example, *@trend.*.com is an invalid format, but *@*.trend.com is valid. Every address that you enter must contain the @ symbol; if no @ exists, the entire string is considered invalid. Valid addresses are accepted as they are entered. A dialog box appears when you enter an invalid address (see Figure 7-16).

Figure 7-16: InterScan MSS will not accept invalid email addresses.

To modify the Approved Senders or Blocked Senders list, click the appropriate Edit link under Filter Settings section of the screen (see Figure 7-11). On the screen that appears, enter the information requested.
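The entry rules above (exactly one @, a name part that is either a single * or an exact name, domain wildcards only at the start of the pattern with each * matching one or more subdomains) and the modifiable/unmodifiable behaviour can be exercised with the following Python. It is an added example written for this page, not InterScan MSS code. Two things it assumes are not stated on the page: a pattern must end in a literal label (so *@* is rejected), and when an address is matched by entries on both lists the more specific entry decides, which is what the *@trendmicro.com versus tom@trendmicro.com example implies.

```python
import re

# Added example: sender-list entry validation and matching following the rules
# the textbook states for the Approved Senders and Blocked Senders lists.
# Not InterScan MSS's own implementation.
# Assumptions (not on the page): a pattern must end in a literal label, and the
# most specific matching entry across both lists wins.

_LABEL = re.compile(r"[A-Za-z0-9-]+")        # one DNS label
_NAME = re.compile(r"[A-Za-z0-9._+-]+")       # exact local part, no '*'


def _split_domain(domain):
    """Return (number_of_leading_wildcards, literal_labels) for a domain pattern."""
    labels = domain.split(".")
    n_wild = 0
    while labels and labels[0] == "*":
        n_wild += 1
        labels.pop(0)
    return n_wild, labels


def validate_entry(entry):
    """True if entry is a well-formed list entry according to the textbook rules."""
    if entry.count("@") != 1:                       # exactly one @ is required
        return False
    name, domain = entry.split("@")
    if not name or not domain:
        return False
    if name != "*" and not _NAME.fullmatch(name):   # 'bobby*' is not allowed
        return False
    n_wild, literal = _split_domain(domain)
    if not literal:                                 # assumption: '*@*' is rejected
        return False
    # after the leading wildcards only literal labels may follow ('trend.*.com' fails)
    return all(_LABEL.fullmatch(label) for label in literal)


def entry_matches(entry, address):
    """True if the list entry covers the given name@domain address."""
    name_pat, domain_pat = entry.lower().split("@")
    name, domain = address.lower().split("@")
    if name_pat != "*" and name_pat != name:
        return False
    n_wild, literal = _split_domain(domain_pat)
    labels = domain.split(".")
    if n_wild == 0:
        return labels == literal
    if not literal:
        return len(labels) >= n_wild
    # every '*' consumes at least one subdomain label, then the literal tail must match
    return len(labels) >= n_wild + len(literal) and labels[-len(literal):] == literal


def covers(pattern, sub):
    """True if every address matched by `sub` is also matched by `pattern`."""
    pn, pd = pattern.lower().split("@")
    sn, sd = sub.lower().split("@")
    if pn != "*" and pn != sn:
        return False
    p_wild, p_lit = _split_domain(pd)
    s_wild, s_lit = _split_domain(sd)
    if p_wild == 0:
        return s_wild == 0 and s_lit == p_lit
    tail_ok = not p_lit or (len(s_lit) >= len(p_lit) and s_lit[-len(p_lit):] == p_lit)
    return tail_ok and s_wild + len(s_lit) >= p_wild + len(p_lit)


def can_add(entry, other_list):
    """The textbook's modifiable/unmodifiable rule: adding an entry is refused
    when the *other* list holds an unmodifiable entry that already covers it.
    other_list is a list of (entry, modifiable) tuples."""
    return not any(not modifiable and covers(existing, entry)
                   for existing, modifiable in other_list)


def _specificity(entry):
    name, domain = entry.split("@")
    n_wild, literal = _split_domain(domain)
    return (name != "*", len(literal), -n_wild)


def classify_sender(address, approved, blocked):
    """Return 'approved', 'blocked' or None for an address. Both lists hold
    (entry, modifiable) tuples; the most specific matching entry decides."""
    best = None
    for verdict, entries in (("approved", approved), ("blocked", blocked)):
        for entry, _modifiable in entries:
            if entry_matches(entry, address):
                key = _specificity(entry)
                if best is None or key > best[0]:
                    best = (key, verdict)
    return best[1] if best else None
```

The can_add check is what the console enforces at configuration time; classify_sender is the decision SPS makes per message, where an approved or blocked match overrides the spam score as described at the start of this section.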

Baseline Detection Rate


The heuristic scan engine analyzes all email with a uniform level of aggression. You can adjust this level by setting the baseline detection rate to one of the following six options:
- Most conservative
- Conservative
- Moderately conservative
- Moderately aggressive
- Aggressive
- Most aggressive

When you use a conservative setting, SPS allows some spam to enter your network. If you choose the most aggressive setting, SPS might falsely identify legitimate messages as spam. Trend Micro recommends that you select a setting in the middle and then adjust it gradually as needed.

Additional Sensitivity Settings


SPS sorts spam into four categories: Sexual content, Make Money Fast content, Racist content, and Commercial offers. Each of these four categories can be set to one of the following sensitivity levels:
- Lowest
- Low
- Moderate
- High

If you want to adjust the level of aggression with which SPS analyzes all email, change the baseline detection rate. If you only want to adjust the level of aggression for a specific category of spam, use the additional sensitivity settings. By adjusting individual sensitivity settings, you can configure SPS to be more aggressive when it searches for some types of spam and less aggressive for others. For example, if your company has a legitimate use for email with commercial content, you might set the Commercial offer setting to Lowest. If your company has no tolerance for sexual and racist content, you might set the Sexual content and Racist content settings to High. With these settings, SPS accepts most commercial offers as legitimate email and blocks anything moderately sexual or racist at the gateway. SPS uses the baseline detection rate together with the additional sensitivity settings to determine whether an email is spam. For more information on how SPS determines whether an email is spam, see the Calculating the Spam Probability section in this chapter.

Configuring Sensitivity Settings


The Baseline Detection Rate and the Additional Sensitivity Settings should be used together. When fine-tuning the SPS filters, remember the following tips:
- It is best to adjust the heuristic spam filter in small increments rather than making large changes.
- If too many junk email messages are getting through the heuristic spam filter, increase the Baseline Detection Rate sensitivity. If the Baseline Detection Rate is set too low, the individual category filters must be set very high in order to have a noticeable effect on the amount of spam being delivered.
- When you increase the Baseline Detection Rate sensitivity, reduce the category filter sensitivities to the lowest setting. Monitor your message flow and then increase the category sensitivities as necessary.
- Setting the individual category filters too high can result in valid messages being falsely identified as spam (false positives). While a high Baseline Detection Rate sensitivity can also result in false positives, it generally produces fewer false positives than setting an individual category filter too high.

Filter Actions
The filter actions SPS takes on messages that are identified as spam can vary depending on the confidence assigned to the email. When SPS determines that an email is spam, it assigns one of the four confidence levels shown in Table 7-16. You can configure a different filter action for each level of confidence (see Table 7-17). For example, you might choose to delete email if SPS is Most confident that the email is sexually explicit spam. However, you might choose to quarantine email to which SPS assigns a level of Least confident.
Confidence Rating    Rough Percentage of Confidence that the Message Is Spam
Most confident       90 to 100 percent
Very confident       80 to 89 percent
Confident            70 to 79 percent
Least confident      69 percent and below

Table 7-16: The confidence ratings SPS assigns to spam and the rough percentage of confidence for each rating.

Note: The percentages shown in Table 7-16 are not exact for every email. Remember, the definition of spam varies from one company to another. What one person considers spam might be another person's most important email. Trend Micro recommends that you use these percentages as guidelines, but not as absolute rules.

Filter Action            Description
Tag and Deliver          Puts "Spam" in the subject line and delivers the email
Delete                   Deletes the email
Delete and Notify        Deletes the email and notifies the administrator or user
Deliver                  Sends the email to the recipient without a "Spam" tag in the subject line
Deliver and Notify       Delivers the email without a "Spam" tag in the subject line and notifies the administrator
Postpone and Notify      Postpones delivery of the email and notifies the administrator
Quarantine               Quarantines the email
Quarantine and Notify    Quarantines the email and notifies the administrator

Table 7-17: The default filter actions for the SPS heuristic filter.

To set actions according to confidence level, click Policy Manager | Global Policy. The Global Policy screen appears. Click Edit in the Filter Action column, then click the Advanced link next to the category that you want to configure. Use the menu options to set a specific action for each level of confidence for that type of spam (see Figure 7-17).

Figure 7-17: Configuring SPS sexual content filter actions for various levels of confidence.

Interpreting Message Header Information


All email messages include a header section that contains address information. This information helps Internet servers route the message to the proper destination. SPS writes additional information into these headers. SPS and other programs use this information, known as X-headers, to determine what should be done with the email.


The following sections describe typical email headers and how SPS incorporates X-headers into normal email headers.

Basic Message Headers


Most email is handled by at least four computers from the time it is composed until the recipient receives the message. When a user sends an email, the message is sent from that user's workstation to the organization's mail server. The organization's email server then forwards the email to the recipient's email server. The recipient's email server receives the incoming message and stores it until the recipient's computer retrieves the message and the recipient opens the email. During this process, message headers are added three times (see Figure 7-18):
- When the message is composed by whatever email program the sender uses
- When the email program forwards the email to the sender's email server
- When the sender's email server forwards the email to the recipient's email server

Figure 7-18: Headers are added to the email message 1) when the message is composed, 2) when the email program forwards the email to the sender's email server, and 3) when the sender's email server forwards the email to the recipient's email server. (Diagram: Sending Client, Sender's Email Server, Internet, Recipient's Email Server, Receiving Client.)

For example, if Joe at mydomain.com sends a message to his friend Amy at herdomain.com, the first header, generated by Joe's email program before it forwards the message to Joe's mail server, looks like this:

    From: Joe@mydomain.com (Joe Smith)
    To: Amy@herdomain.com
    Date: Fri, June 20 2003 14:36:14 PST
    X-Mailer: Groovymail v2.01
    Subject: Lunch today?

When Joe's email server transmits the message to Amy's email server, it adds more information to the header:

    Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11])
      by mail.mydomain.com (8.8.5) id 004A21; Fri, Jun 20 2003 14:36:17 -0800 (PST)
    From: Joe@mydomain.com (Joe Smith)
    To: Amy@herdomain.com
    Date: Fri, June 20 2003 14:36:14 PST
    Message-Id: <Joe031897143614-00000298@mail.mydomain.com>
    X-Mailer: Groovymail v2.01
    Subject: Lunch today?

Amy's mail server adds more information to the header when it receives the message, then stores the message until Amy retrieves it. The final header looks like this:

    Received: from mail.mydomain.com (mail.mydomain.com [124.211.3.78])
      by mailhost.herdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869
      for <Amy@herdomain.com>; Fri, 20 Jun 2003 14:39:24 -0800 (PST)
    Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11])
      by mail.mydomain.com (8.8.5) id 004A21; Fri, June 20 2003 14:36:17 -0800 (PST)
    From: Joe@mydomain.com (Joe Smith)
    To: Amy@herdomain.com
    Date: Fri, June 20 2003 14:36:14 PST
    Message-Id: <Joe031897143614-00000298@mail.mydomain.com>
    X-Mailer: Groovymail v2.01
    Subject: Lunch today?

The table in Appendix E contains explanations of the information shown in the example header.
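To see what the header chain above actually tells you, the following Python, an added example and not part of the textbook, parses the final header with the standard library, walks the Received: lines from oldest to newest, and checks that each hop's "from" host is the previous hop's "by" host. The header text is the page's own example, re-folded into RFC 822 continuation lines; the regular expression is written for the "from host (rdns [ip]) by host ...; date" shape of that sample and is an assumption about the format, not a general Received: parser.

```python
import email
import re

# Added example: the final header from the textbook's Joe-to-Amy walkthrough,
# re-folded so that the standard library parser sees the continuation lines.
FINAL_HEADER = """\
Received: from mail.mydomain.com (mail.mydomain.com [124.211.3.78])
 by mailhost.herdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869
 for <Amy@herdomain.com>; Fri, 20 Jun 2003 14:39:24 -0800 (PST)
Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11])
 by mail.mydomain.com (8.8.5) id 004A21; Fri, June 20 2003 14:36:17 -0800 (PST)
From: Joe@mydomain.com (Joe Smith)
To: Amy@herdomain.com
Date: Fri, June 20 2003 14:36:14 PST
Message-Id: <Joe031897143614-00000298@mail.mydomain.com>
X-Mailer: Groovymail v2.01
Subject: Lunch today?

"""

# Assumed shape of one Received: line, taken from the sample above:
#   from <helo> (<reverse-dns> [<ip>]) by <server> ... ; <date>
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def trace_hops(raw_message):
    """Return the hops in chronological order (oldest first).

    Each server prepends its own Received: line, so the topmost header is the
    most recent hop and the bottom one is the oldest; we reverse that order."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())      # undo header folding
        m = _RECEIVED.search(flat)
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops


def trusted_hop(raw_message):
    """The only Received: line you can rely on is the one your own server wrote,
    which is the topmost one, i.e. the last hop in chronological order. Every
    line below it arrived with the message and could have been forged."""
    hops = trace_hops(raw_message)
    return hops[-1] if hops else None


def chain_is_consistent(hops):
    """Each hop's 'from' host should be the 'by' host of the previous hop.
    A break in this chain is a cheap first sign of inserted or forged lines."""
    return all(hops[i - 1]["by"].lower() == hops[i]["helo"].lower()
               for i in range(1, len(hops)))
```

When reading headers on a quarantined message, start from the Received: line your own gateway added and work downward; the hostname and IP in parentheses are what your server observed, while the host after "from" is whatever the connecting system claimed.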

X-Headers Generated by SPS


SPS adds X-header tags to the header section of every email processed by the heuristic filter. Programs downstream from SPS use the contents of these X-headers to decide how to process messages that have been identified as spam. SPS generates the following X-headers:

X-imss-version              Indicates the version of the SPS scan engine that examined the message.
X-imss-result               Indicates which category of spam best describes the message, the level of confidence SPS has that the message is spam, and the action taken as a result of that confidence level.
X-imss-scores               Indicates the numerical value assigned to the message for each filter category.
X-imss-settings             Indicates the SPS sensitivity levels that were used to evaluate the message.
X-imss-approveListMatch     Indicates that the sender of the message appears on the Approved Senders list.
X-imss-blockedListMatch     Indicates that the sender of the message appears on the Blocked Senders list.
X-imss-sender               Indicates the email address that triggered the match; added to messages that also receive the approveListMatch or blockedListMatch header.
X-imss-exclusionListMatch   Indicates that the message contains keywords or combinations of keywords that appear on the exclusion list.

Note: X-header tags are not unique to SPS. You may see other tags in an email header that begin with the letter X. SPS generates only the tags in the table above, all of which contain the imss marker.

Calculating the Spam Probability


SPS uses a mathematical equation to determine whether an email is spam. Figure 7-19 shows the details of an email that SPS analyzed. The X-imss-scores: line shows the baseline score that the heuristic filter assigned to the message (1.1800). The letters in this line represent the four spam categories (see Table 7-18). The value for each category can range from 0 to 100: 0 indicates that the message has none of the characteristics attributed to that category of spam, and 100 indicates that the message perfectly matches that category.

Figure 7-19: Viewing email details.


Letter    Category of Spam Represented
C         Commercial spam (sale notices, coupons, special offers)
M         Make Money Fast spam (get-rich-quick material)
P         Pornographic spam (sexually explicit material)
R         Racist spam (racially insensitive material)

Table 7-18: X-header abbreviations.

The X-imss-settings: line shows the baseline detection rate that was in effect when SPS analyzed the email (Clean: 3). In this line, the number next to each letter is the sensitivity setting for that category of spam at the time of analysis. In Figure 7-19, the Commercial and Racist content filters were set at the lowest setting, while the Make Money Fast and Sexual content filters were set at the highest and second-highest settings respectively. SPS uses the baseline score and the sensitivity setting of the filter that best matches the email to decide whether the email is spam. Both the baseline detection rate and the sensitivity setting have corresponding multipliers, which SPS inserts into the following equation to calculate the probability that an email is spam:

    BM times SM equals SPAM SCORE

In the equation, BM represents the Baseline Multiplier and SM represents the Sensitivity Multiplier (see Table 7-19 and Table 7-20).

Setting    Commercial offer    Make Money Fast    Sexual Content    Racist Content
1          1                   1                  1                 1
2          2                   2                  25                25
3          3                   3                  50                50
4          4                   4                  750               750

Table 7-19: The sensitivity multipliers for the four sensitivity settings of the individual content filters.


Setting    Baseline Multiplier
1          0.0000
2          0.0100
3          0.0500
4          0.1000
5          0.2500
6          1.0000

Table 7-20: The baseline multipliers for the six baseline settings.

For example, the X-imss-result: line in Figure 7-19 shows that SPS was very confident the email was pornographic spam. The baseline detection rate was set at 3, so SPS used 0.0500 as the baseline multiplier. The sensitivity level of the Sexual content filter was also set at 3, so SPS used the corresponding multiplier of 50. The spam score, the product of these two numbers, was 2.500: 0.0500 times 50 equals 2.500. The spam score is the last number shown in the X-imss-settings: line. In this example the email is spam because the spam score (2.500) is greater than the baseline score (1.1800) shown in the X-imss-scores: line. If the two scores had been equal, or the spam score had been less than the baseline score, the email would not have been classified as spam.
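The calculation above, and the tuning tips in the Configuring Sensitivity Settings section, can be worked through with the following Python. It is an added example, not InterScan MSS code. The multipliers are copied from Tables 7-19 and 7-20 as printed; the comparison direction (a message is spam when BM times SM is strictly greater than the baseline score in X-imss-scores) follows the wording above; which category's sensitivity setting applies is passed in by the caller as read from X-imss-result, which is this example's assumption about how the figure is interpreted.

```python
# Added example: the SPS spam-score rule as described in the textbook.
# Multipliers are taken from Tables 7-19 and 7-20 as printed on the page.
BASELINE_MULTIPLIER = {1: 0.0000, 2: 0.0100, 3: 0.0500, 4: 0.1000, 5: 0.2500, 6: 1.0000}

# Category letters as in Table 7-18 (C commercial, M make money fast,
# P pornographic/sexual, R racist); settings 1..4 = Lowest, Low, Moderate, High.
SENSITIVITY_MULTIPLIER = {
    "C": {1: 1, 2: 2, 3: 3, 4: 4},
    "M": {1: 1, 2: 2, 3: 3, 4: 4},
    "P": {1: 1, 2: 25, 3: 50, 4: 750},
    "R": {1: 1, 2: 25, 3: 50, 4: 750},
}


def spam_score(baseline_setting, category, category_setting):
    """BM times SM, rounded to the four decimals the tables use."""
    bm = BASELINE_MULTIPLIER[baseline_setting]
    sm = SENSITIVITY_MULTIPLIER[category][category_setting]
    return round(bm * sm, 4)


def is_spam(baseline_score, baseline_setting, category, category_settings):
    """Apply the textbook rule: spam only if BM times SM is strictly greater
    than the baseline score the heuristic engine wrote into X-imss-scores.
    `category` is the best-matching category from X-imss-result (assumption);
    `category_settings` maps each letter to its 1..4 sensitivity setting.
    Returns (verdict, spam_score)."""
    score = spam_score(baseline_setting, category, category_settings[category])
    return score > baseline_score, score


def threshold_table(category):
    """Map (baseline_setting, category_setting) -> BM times SM for one category.
    This makes the tuning tip visible: with the baseline at 1 or 2, even the
    highest category setting barely moves the threshold, so raise the baseline
    first and then bring the category settings up in small steps."""
    return {(b, s): spam_score(b, category, s)
            for b in BASELINE_MULTIPLIER for s in SENSITIVITY_MULTIPLIER[category]}
```

With the Figure 7-19 settings (baseline 3; C=1, M=4, P=3, R=1) and a baseline score of 1.18, is_spam returns (True, 2.5), reproducing the worked example; the same message with a baseline score of 2.5 or more is not classified as spam.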

Managing the Quarantine Area


The directory for the default location of the quarantine area is C:\Program Files\Trend\IMSS\IsntSmtp\quarantine. You can add or delete quarantine areas as needed. However, all quarantine areas must be local directories. You can view, reprocess, deliver, or delete the email messages and attachments that are quarantined, and you can search the quarantine area to find a particular email message.

Adding Quarantine Areas


To add a quarantine area, click Policy Manager | Quarantine Area from the left-hand frame of the InterScan MSS Web Console. In the Quarantine Area screen that appears, click Add. Enter the requested information and click Save (see Figure 7-20).


Figure 7-20: The New Quarantine Area screen.

Note: Quarantined items can be saved for a maximum of 99 days.


Deleting Quarantine Areas
To delete a quarantine area, click Policy Manager | Quarantine Area from the left-hand frame of the InterScan MSS Web Console. In the Quarantine Area screen that appears, select the check box next to the quarantine area that you want to eliminate and click Delete.

Note: Deleting the quarantine area in the InterScan MSS console makes it unavailable to the program as a quarantine area. If you want to delete the folder, you must do so manually. All quarantined messages remain in the folder.

If a quarantine area shows "in use" instead of a check box in the right-hand column, that quarantine area is currently referenced by a filter action and cannot be deleted.

Changing a Quarantine Area


To change the location of a quarantine area, click Policy Manager | Quarantine Area from the left-hand frame of the InterScan MSS Management Console. In the Quarantine Area screen that appears, click Edit next to the quarantine area that you want to relocate and change the directory in the field provided. You can also change the name of the quarantine area and the number of days that quarantine items are saved.

Note: Changing the quarantine location affects only items quarantined after the change. Any messages in the old quarantine directory must be deleted or manually copied to the new directory.


Managing Quarantined Messages


To manage the contents of a quarantine area, click Policy Manager | Quarantine Area from the left-hand frame of the InterScan MSS Web Console. In the Quarantine Area screen that appears, click View next to the quarantine area that you want to manage. A new screen appears, showing the email in the quarantine area (see Figure 7-21).

Figure 7-21: The Default Area screen.

When managing the quarantine area, you have three options that you can apply either to selected messages or to all the messages in the folder:

Reprocess    Reprocess messages to apply the policies configured for the message's route. Content filters sometimes quarantine messages that contain no viruses. You can change the content filter's properties and reprocess the quarantined messages; reprocessing lets virus-free messages pass through the content filters, while messages that the updated virus pattern file still detects as infected remain quarantined.
Deliver      Deliver the message without further processing.
Delete       Delete the message.


Querying Quarantine Areas


InterScan MSS includes a search function to query a quarantine area for messages that fit your criteria. To query the contents of a quarantine area, click Policy Manager | Query from the left-hand frame of the InterScan MSS Web Console. In fields provided on the Query screen that appears, enter the information for which you want to query and click Query (see Figure 7-22).

Figure 7-22: The Query screen.

Lab Exercise 5: Configuring the Spam Prevention Service


Chapter 7 Summary and Review Questions


Summary
InterScan MSS includes eight default filters: the Antivirus filter, the Heuristic Scanning filter (Spam Prevention Service), and six filters in the eManager filter group. The Antivirus filter group, which contains only the antivirus filter, scans for viruses. The SPS and eManager filters scan for spam, specified content, and message size. When you configure the antivirus filter, you determine which messages are scanned and which are not. You can also configure the action that is taken if a virus is found and the notification messages that are sent. You can configure eManager filters to block content at your SMTP gateway. You can specify keywords, select message parts for filtering, and use operators to create expressions that define how the keywords should be used by the filter. With the operators, you can create expressions that check how near one keyword is to another or how often a keyword occurs in a message. You can also configure filters that look for specific attachment file types, message size, and spam.

Review Questions
1. Which is not a good reason to exclude graphics files such as TIFF and BMP files from scanning?
   a. Graphics files are resource-intensive to scan.
   b. Graphics files are not known to carry viruses.
   c. Your messaging system frequently transfers graphics files.
   d. Graphics files, by default, always produce false positives.

2. Why is it resource-intensive to scan compressed files?
   a. Compressed files are the most common type of attachment.
   b. Compressed files often contain empty spaces that slow most scan engines.
   c. Compressed files must be decompressed before scanning.
   d. Compressed files require complicated algorithms to scan them.


3. How does InterScan MSS record one virus-infected message that is sent to three recipients in three domains?
   a. One message processed, one virus detected
   b. One message processed, three viruses detected
   c. Three messages processed, three viruses detected
   d. Three messages processed, one virus detected

4. How do you search for a phrase that contains a semicolon (;)?
   a. Enter the phrase as it is: I like dogs; I adore cats.
   b. Enter a backslash before the semicolon: I like dogs\; I adore cats.
   c. Enclose the semicolon between parentheses: I like dogs (;) I adore cats.
   d. Enclose the phrase between quotation marks: "I like dogs; I adore cats."

5. How does the SPS heuristic scan engine detect spam?
   a. Compares email to a spam database
   b. Compares characteristics of the email against predefined rules or common characteristics of spam
   c. Compares email to the search criteria that you define, based on Trend Micro recommendations
   d. Compares email to previous spam that you have saved in the SPS SpamBank


Chapter 8: Configuring System Monitor and Log Maintenance Settings



Chapter Objectives
After completing this chapter, you should be able to:
- View real-time status and performance data
- Specify the fault conditions under which InterScan Messaging Security Suite (InterScan MSS) should notify you
- View and maintain log files


System Monitor Settings


By keeping track of the InterScan MSS servers status, you can identify potential problems before they affect the email flow.

System Status
The System Status window in the InterScan MSS Web console provides real-time system-performance data (see Figure 8-1). You can check the volume of messages in the processing and retry queues, the number of messages processed since the service was started (including undeliverable messages), and the number of viruses detected.

Figure 8-1: System Status screen

To view the system status, select Configuration | System Monitor | System Status from the left-hand frame of the InterScan MSS Management Console. When the System Status screen appears, click Refresh to update the view.

Event Monitoring
InterScan MSS can notify you if a potential fault condition threatens to disrupt email processing or constitutes a security risk. You can be notified of the following conditions:
- Excessive messages in the delivery queue
- Results of scheduled update attempts (either successful or unsuccessful)
- A stopped scanning service
- Lack of disk space in the processing queue folder, a condition that can disrupt email processing

To configure the events for which you want to be notified, select Configuration | System Monitor | Event Monitoring from the left-hand frame of the InterScan MSS Management Console. The Event Monitoring screen will appear (see Figure 8-2).

Figure 8-2: The Event Monitoring screen.

Select the appropriate check boxes for the fault conditions about which you want to be notified and enter values in the required fields. Also select the notification methods you desire. If you wish to configure a customized notification message for different events, click the Edit message link next to the notification method(s) that you want to use.

Note: Immediately after you save event monitor settings, the updated settings are applied to the InterScan MSS System Monitor.

Excessive Messages in the Delivery Queue

When email cannot be delivered, the delivery queue becomes larger than usual. When you have excessive messages in the delivery queue, check your network settings and SMTP routing delivery settings to verify that all connections are working. You should also check to see if the messages have something in common, such as an IP address.


Log Maintenance Settings


InterScan MSS records information about all the messages it handles and the program modules that are used. For example, InterScan MSS records the following:
- Services starting and stopping
- Program modules loaded and unloaded
- Threads, sockets, and program update status (failed or successful)
- Date and time that a message was received
- Message ID
- Process IDs
- Final action taken on the message

InterScan MSS records this information in the ISNT5.yyyy.mm.dd.xxxx log file.

Viewing Logs
To view logs, select Configuration | Logs and choose from Virus Logs, eManager, or Program Logs. Enter the log parameters for which you want to search and click View Logs (see Figure 8-3):

Figure 8-3: The Program Logs viewing parameters screen.

Note: When your InterScan MSS server processes a high volume of messages and you do not regularly remove old log files from your log directory, the log files may consume excessive disk space.


Log Maintenance
You can configure the program's logging behavior, including the level of detail logged, the location of the log database, the maximum size of the log files, and the length of time that log entries are retained. The level of detail controls how much information is recorded about the processing of email messages, the message transfer agent (MTA), and the mail delivery agent (MDA). You can select Normal, Detailed, or Diagnostic.

Normal
When log settings are set to Normal, InterScan MSS records a minimal amount of information in the logs. This setting is optimal when the amount of available disk space is limited. The following information is included in Normal logs:
- Service starts and stops
- Program module loads and unloads
- Program update status
- Date and time the message was received
- Message ID
- Process ID
- Action InterScan MSS took with the message

Detailed
When the log settings are set to Detailed, InterScan MSS increases the amount of information recorded in the logs. This setting is optimal when you need more information about system events and the amount of available disk space is not limited. The following information is included in Detailed logs:
- All information recorded in Normal logs
- Filter results for each filter used to evaluate the message

Diagnostic
The Diagnostic setting is typically used to gather information for troubleshooting purposes. InterScan MSS records in-depth information about each system event. This setting should only be used when available disk space is not a concern. The following information is included in Diagnostic logs:
- All information recorded in Normal and Detailed logs
- Telnet sessions to and from the server
- Email MIME type
- Policy name and the message processed
- Outcome of each filter in the policy
- Action taken by each filter
- Final action taken by InterScan MSS
- Message routing used to deliver the message
- Outcome of message delivery

For examples of information displayed in each type of log, see Appendix D: Example Logs.

Configuring Log Behavior


To configure the logging behavior, complete the following steps:

1. From the InterScan MSS Management Console, select Configuration | Logs | Log Maintenance from the left-hand menu. The Log Maintenance screen appears (see Figure 8-3).
2. Configure the following parameters:
   - The level of detail that you want saved to the log file
   - The directory where you want the logs kept
   - The number of days you want to keep logs
   - The maximum amount of disk space all of the log files can consume

Figure 8-3: The Log Maintenance screen.

Note: You must restart the InterScan MSS service to apply your new log settings.

Lab Exercise 6: Monitoring InterScan MSS

Chapter 8 Summary and Review Questions


Summary
The System Monitor provides real-time system performance data and event monitoring. You can configure the System Monitor to notify you if a fault condition threatens to disrupt email processing or if the fault signals a security risk. In addition, you can use the InterScan MSS Web console to configure log files. You can determine the location and maximum size of log files, you can configure logs to show more or less detail, and you can specify the amount of time that log entries are stored.

Review Questions
1. For which event can you configure the System Monitor to notify you?
   a. An undeliverable message
   b. Slow performance
   c. An attempt to bypass security
   d. The result of a scheduled-update attempt

2. When configuring the level of detail that logs will record, which three of the following options can you choose? (Choose three.)
   a. High
   b. Low
   c. Medium
   d. Diagnostic
   e. Normal
   f. Advanced
   g. Detailed

3. What happens when the total size of the log files exceeds the designated amount?
   a. InterScan MSS reserves a new block of space for log files.
   b. The oldest files are deleted.
   c. The newest files are deleted.
   d. InterScan MSS sends a notification.

Chapter 9: Troubleshooting
Chapter Objectives
After completing this chapter, you should be able to:
- Troubleshoot common problems
- Use SolutionBank to find answers to frequently asked questions

Troubleshooting Common Problems


Web Console Cannot Be Viewed after Microsoft Proxy 2.0 Is Installed
Installing Microsoft Proxy 2.0 prevents the default Web site from functioning correctly. A workaround is to create a second Web site and install the CGI filter on this Web site.

Message Looping
If a content-management filter sends an email notification with the original message attached and InterScan Messaging Security Suite (InterScan MSS) is used as the notification server, an infinite loop occurs. This happens because the original message is attached to the notification email and is tested by all filters when the notification passes back through InterScan MSS, which triggers the same filter again. Another notification is sent with the original attached, the filter is triggered again, and so on. Trend Micro recommends that you do not use the InterScan MSS server as your notification server.

Troubleshooting the Installation Process


A log file is created while InterScan MSS is being installed. This log file lists all the steps taken in the installation process. You can use the information in the log to see where and why the installation failed. To view the log file, open the Isnt_Setup.txt file in the C:\IMSS_RILOG directory.

Install on the local server fails


If you are unable to install InterScan MSS on a local server, you can try two different techniques that might make the installation successful.

First technique: If you receive an error message that says "unable to logon", try using a local administrator account instead of a domain administrator account.

Second technique: If asked to specify on which server InterScan MSS will be installed, manually type in the loopback address (127.0.0.1) and click Add.


Getting Support from Trend Micro


If you have inquiries or suggestions, you can submit a problem report to the Trend Micro technical support center, or you can submit a case to the Trend Micro Web site. If you are a Trend Micro customer, please send the problem to the support team of your local branch or distributor. If you are a Trend Micro Business Unit (BU)/distributor, please send the problem to support@support.trendmicro.com

SolutionBank
Trend Micro provides SolutionBank, an online knowledge database filled with answers to common questions. Use SolutionBank, for example, if you are having trouble receiving program file updates and want to find out what you can do to solve the problem. Or, if you are receiving an error message, search SolutionBank using the text of the message to find out what is causing the error and how to fix it. The contents of SolutionBank are continuously updated; new solutions are added daily. If you are unable to find an answer, however, you can describe the problem in an email message and send it directly to a Trend Micro support engineer. The support engineer investigates such issues and responds as soon as possible. To access the Trend Micro support database, open a Web browser and enter the following URL: http://solutionbank.antivirus.com/solutions/solutionSearch.asp

The following is an example of an error message and the possible solution:

Can perform neither manual update through the console nor scheduled update.

Description
The manual update through the console fails. The scheduled update also does not work. When a manual update is performed through the console, the checkmarks (update options) disappear after the console page refreshes.

Solution
Ensure that Scheduler.exe is running and its corresponding window is on the desktop.
Changes to the ISNTSmtp.ini File


ISNTSmtp.ini is one of the main configuration files for InterScan MSS. Most of the settings shown in the interface are stored in this file. Several configuration parameters are not available through the interface at all; these parameters must be configured directly in ISNTSmtp.ini. Some of the major configuration parameters from ISNTSmtp.ini are outlined in the following tables.

[General-Performance]

ISNTPerformance=low
    Specifies the multiplier for the number of threads specified in the [Email-Scan] section of this file. Setting the value to med doubles the number of threads; setting it to high quadruples all threads.

ISNTServiceMaxShutdownSeconds=60
    If the ISNTSMTP process does not close down its threads within this number of seconds, ISNTSysMonitor forces the process to close. This number should be lower than RecycleProcessMaxWaitSeconds.

FileEnumerateLimit=
    Specifies how many AF, DF, and BF files are checked at start-up for orphaned message files.

Table 9-1: General Performance

[Receiver-Connection]

IdleWaitingMin=10
    Specifies how many minutes an idle SMTP connection is held open for incoming email.

EnableMaxIncomingConnectionLimit=yes
    Enables or disables a limit on incoming connections. The maximum number of connections is specified in the next parameter. Set this to no to have no connection limit.

MaxIncomingConnectionLimit=250
    Specifies how many SMTP connections are permitted at once.

PerformReverseDNSLookup=no
    Corresponds to the setting in the interface. Determines whether InterScan MSS performs the reverse DNS validation check on incoming email.

NumberOfQueueSizeSteps=5
    Specifies the number of queue size steps (QueueSize_ settings) at which the maximum number of receiving threads is recalculated. Each QueueSize_ key has two values separated by a semicolon (;): the first is the queue size and the second is the number of receiving threads. The actual queue size and number of receiving threads are determined by multiplying the values by the number of CPUs (the same calculation used to derive the number of scanning threads from the ScanningThread key).

QueueSize_0=0;250
    When there are zero messages in the queue, 250 threads (times the number of processors) are used for receiving email.

QueueSize_1=250;100
    When there are 250 messages in the queue, 100 threads (times the number of processors) are used for receiving email.

QueueSize_2=1000;20
    When there are 1,000 messages in the queue, 20 threads (times the number of processors) are used for receiving email.

QueueSize_3=10000;5
    When there are 10,000 messages in the queue, 5 threads (times the number of processors) are used for receiving email.

QueueSize_4=25000;1
    When there are 25,000 messages in the queue, one thread (times the number of processors) is used for receiving email.

SupportDSN=
    Default: no.

RejectRDNSFailedConnection=
    Specifies that InterScan MSS should reject the SMTP connection if the sender does not supply DNS information when asked.

RejectRDNSUnverifiedConnection=
    Compares the domain name in the HELO command with the domain the sender gives as its own, and returns a 550 SMTP error if they do not match.

CommandCheckingOption=
    0 = compatible with mainstream SMTP servers; 1 = strict RFC 2821; 2 = option 1 plus block MAIL FROM: <>.

RejectIncomingMailWithEmptyMailFromParameter=
    1 = reject if MAIL FROM: <> (empty sender).

RDNSSuccessCacheTimeInSeconds=
    Specifies how many seconds to cache an RDNS-approved connection as good.

RDNSFailCacheTimeInSeconds=
    Specifies how many seconds to cache an RDNS-failed connection as bad.

AcceptDotInAtom=
    Allows MAIL FROM: and RCPT TO: to carry addresses such as ...george@georgesdomain.com, g..e..o..r..g..e@georgesdomain and george.@georgesdomain.com.

Table 9-2: Receiver Connection

[EMail-Scan]

ScanningThread
    Number of threads used to scan email.

PickupDeliverThread
    Number of threads used to check the pickup_deliver directory.

PickupScanThread
    Number of threads used to check the Pickup_scan directory.

MailQueueThread
    Number of threads used to check the mqueue directory.

BounceMailQueueThread
    Number of threads used to check the BouncedMailQueue directory.

InboundMailScan=yes
    Generally used for troubleshooting only. yes = scan inbound email; no = do not scan inbound email.

OutboundMailScan=yes
    Generally used for troubleshooting only. yes = scan outbound email; no = do not scan outbound email.

BypassMessageModule=no
    Generally used for troubleshooting only. yes = bypass the message module completely; no = do not bypass the message module.

PostponeDeliverThread=
    Number of threads used to deliver postponed email.

BypassMessagePartial=
    The yes setting delivers a message that is deemed to be partially formed.

MessagePartialAction=
    If the value for this setting is no, InterScan MSS quarantines the message.

LaunchDrWatson=
    =1 launches Dr. Watson if the process crashes.

Table 9-3: Email-Scan

[EMail-Other]

RestrictInDomain=yes
    Controls the check for percent-routed recipients. When the RCPT TO: field contains the percent symbol (%) and the check is off, InterScan MSS accepts the message and relays it from yourdomain.com to spamdomain.com. Example: user%spamdomain.com@yourdomain.com. Setting this parameter to yes enables the check and lets you specify, in RestrictInDomainMeta, the illegal characters to look for in the RCPT TO: field.

RestrictInDomainMeta=!#$%
    Strange or illegal characters to check for in the domain specification.

DNSDirectConnectToDomain=
    If InterScan MSS cannot connect to any of the MX records returned by the DNS server, it tries to connect directly to the domain after the @ sign. By default (in accordance with the RFC standard), it does not.

Table 9-4: Email-Other
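The settings in Tables 9-1 to 9-4 are the first things to check when auditing a gateway. The following added example (written for this edit; it is not Trend Micro code) parses an ISNTSmtp.ini, flags values that weaken the gateway, works out the receiving-thread count from the QueueSize_ steps, and applies the RestrictInDomainMeta check to a RCPT TO: address. The SAMPLE_INI contents, the judgement of which values count as weak, and all function names are this example's own assumptions.

```python
"""Audit an ISNTSmtp.ini file for settings that weaken InterScan MSS.

Added example, not Trend Micro code. SAMPLE_INI is constructed for
illustration; the keys come from Tables 9-1 to 9-4, but which values count
as "weak" is this example's own judgement.
"""
import configparser

# Constructed sample with several weakened values set on purpose.
SAMPLE_INI = """\
[General-Performance]
ISNTPerformance=low
ISNTServiceMaxShutdownSeconds=60

[Receiver-Connection]
IdleWaitingMin=10
EnableMaxIncomingConnectionLimit=no
MaxIncomingConnectionLimit=250
PerformReverseDNSLookup=no
NumberOfQueueSizeSteps=5
QueueSize_0=0;250
QueueSize_1=250;100
QueueSize_2=1000;20
QueueSize_3=10000;5
QueueSize_4=25000;1

[EMail-Scan]
ScanningThread=4
InboundMailScan=yes
OutboundMailScan=no
BypassMessageModule=no

[EMail-Other]
RestrictInDomain=no
RestrictInDomainMeta=!#$%
"""

# (section, key, expected value, finding reported when the value differs)
CHECKS = [
    ("EMail-Other", "RestrictInDomain", "yes",
     "percent-routed recipients (user%other.com@yourdomain.com) are relayed"),
    ("EMail-Scan", "BypassMessageModule", "no",
     "every filter, including antivirus, is bypassed"),
    ("EMail-Scan", "InboundMailScan", "yes", "inbound email is not scanned"),
    ("EMail-Scan", "OutboundMailScan", "yes", "outbound email is not scanned"),
    ("Receiver-Connection", "EnableMaxIncomingConnectionLimit", "yes",
     "no cap on simultaneous SMTP connections"),
    ("Receiver-Connection", "PerformReverseDNSLookup", "yes",
     "reverse DNS validation of connecting hosts is off"),
]


def load_ini(text):
    """Parse INI text; interpolation is off because values contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def audit(cp):
    """Return one finding per CHECKS entry whose value is not the expected one."""
    findings = []
    for section, key, expected, why in CHECKS:
        value = cp.get(section, key, fallback="").strip().lower()
        if value != expected:
            findings.append(f"[{section}] {key}={value or '<unset>'}: {why}")
    return findings


def queue_steps(cp):
    """Read the QueueSize_n keys as (queue size, receiving threads) pairs."""
    n = cp.getint("Receiver-Connection", "NumberOfQueueSizeSteps")
    steps = []
    for i in range(n):
        size, threads = cp.get("Receiver-Connection", f"QueueSize_{i}").split(";")
        steps.append((int(size), int(threads)))
    return sorted(steps)


def receiving_threads(queue_len, steps, cpus):
    """Receiving threads for queue_len queued messages on a host with cpus CPUs.

    Per Table 9-2 both numbers in each step are multiplied by the CPU count;
    the step with the largest scaled queue size not exceeding queue_len applies.
    """
    threads = steps[0][1]
    for size, per_cpu in steps:
        if queue_len >= size * cpus:
            threads = per_cpu
    return threads * cpus


def is_suspicious_rcpt(address, meta="!#$%"):
    """True if the RCPT TO address contains a RestrictInDomainMeta character.

    Mirrors the check RestrictInDomain=yes enables; the classic abuse is
    user%spamdomain.com@yourdomain.com, which an open relay forwards onward.
    """
    return any(ch in meta for ch in address)


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    for finding in audit(cfg):
        print("WEAK:", finding)
    print("receivers at 300 queued, 2 CPUs:", receiving_threads(300, queue_steps(cfg), 2))
    print("percent hack?", is_suspicious_rcpt("user%spamdomain.com@yourdomain.com"))
```

Point load_ini at the real file (open(path).read()) on a gateway to audit it; the CHECKS list is deliberately small so that each entry can be justified from the table it comes from.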

Appendix A: Using Trend Micro Online Resources


Contacting Trend Micro
You can contact Trend Micro by telephone, fax, BBS, email, regular mail, and the Internet. Complete support, sales, and product information for Trend Micro offices worldwide is available at http://www.trendmicro.com. Comprehensive antivirus information is available over the Internet at the Trend Micro free antivirus center (http://www.trendmicro.com). From there, you can take advantage of the following resources:
- Access the online Trend Micro Virus Encyclopedia, which contains detailed information about 1,000 viruses
- Download 30-day trial versions of other server-based Trend Micro antivirus products
- Get advice on what to do if you think your network has a virus
- Read white papers pertaining to viruses in the enterprise
- Perform a quick cost analysis of the financial impact of virus infections

Trend Micro Virus Doctors


If you believe that you have an infected file but the InterScan Messaging Security Suite (InterScan MSS) scan engine does not detect or clean it, Trend Micro encourages you to send the file to the following address: virus_doctor@trendmicro.com. Please include in the message text a brief description of the symptoms you are experiencing. The Trend Micro team of engineers will dissect the file to identify and characterize any virus(es) it may contain and return the cleaned file to you. Send the suspected file in a password-protected zipped file. Use virus as its password.

Client Scans with HouseCall


HouseCall is a free virus-scanning service available from Trend Micro. In 1997, Trend Micro pioneered the concept of online scanning. Anyone can use HouseCall; you do not need to install any software. You simply follow the on-screen instructions to begin.

Note: Although HouseCall detects and cleans any viruses found on the user's hard drive, it does not provide real-time protection. HouseCall requires Internet Explorer 3.x or above or Netscape Navigator 3.01 or above. Links to either browser are provided.

1. Open a Web browser and enter the following URL: http://www.antivirus.com.
2. Select Products | Free Tools | HouseCall. After a few seconds, a directory tree of your hard drive is created, and the offer to perform a free scan is presented.

Trend Micro Security Information Center


Comprehensive security information is available over the Internet at the Trend Micro free antivirus center: http://www.antivirus.com. Use the Security Information Center to find out about the following:
- Computer virus hoaxes
- Weekly virus alerts, listing the viruses that may trigger during the current week
- Virus false alarms and how to identify them
- The Trend Micro Virus Encyclopedia, which includes a comprehensive list of names and symptoms for known viruses and malicious mobile code
- Basic guides to computer viruses
- The Trend Micro virus reading room, with dozens of articles about the latest issues in computer viruses, including the threat posed by Java applets and ActiveX controls
- Product details and white papers

You can access the Trend Micro Security Information Center at the following URL: http://www.antivirus.com/vinfo/

Appendix B: Adding Entries to DNS and Excluding Files From Scanning


This appendix includes the following instructions:
- Adding entries to the Domain Name System (DNS)
- Excluding certain types of ASCII text files from scanning

Adding Entries to DNS


To use the DNS Service Manager in Windows NT 4.0 to add an A and an MX record, follow the instructions outlined below:

1. Launch DNS Manager by selecting Start | Programs | Administrative Tools | DNS Manager. In this example, Emailer1 is the only SMTP server defined, and its corresponding A and MX records are shown.
2. To add another mail exchanger, create a new host (A record) by clicking the DNS | New Host menu. You are prompted for a host name and an IP address for that host.
3. After creating the new host, click the DNS | New Record menu to create an MX record that defines the InterScan Messaging Security Suite (InterScan MSS) server as the primary mail exchanger.
4. The New Resource Record window appears. Under record type, select MX Record. Enter the mail exchange server's DNS name (FQDN). Next, enter a preference value for the new record. Make sure you enter a lower numerical value than that of your original SMTP server. The lower numerical value makes the InterScan MSS server the primary mail exchanger for the entire domain: a lower preference number means higher priority, and sending servers try the exchanger with the lowest preference value first.
5. Use the nslookup utility to test for a successful record definition. Set the query type to MX and perform a query for the specified domain.
6. If you are using another DNS service, such as the DNS service in Windows 2000, the steps for adding entries to DNS are different.

Adding Entries to DNS Service in Windows 2000


To use the DNS service in Windows 2000 to add an A and an MX record, complete the following steps:

1. Launch the DNS console by selecting Start | Programs | Administrative Tools | DNS.
2. Double-click the DNS server name.
3. Double-click Forward Lookup Zones.
4. Select the domain.
5. On the Action menu, select New Mail Exchanger (MX).
6. Type in the domain.
7. Specify the mail server.
8. Specify the mail server priority (preference); as in the Windows NT procedure, the lowest number is tried first.
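Whichever DNS console you use, the nslookup query from step 5 of the Windows NT procedure is how you confirm the result. The following added example, which is not part of the original text, parses that nslookup output and checks that the InterScan MSS host carries the lowest preference value. The NSLOOKUP_OUTPUT text and the host names imss.mydomain.com and emailer1.mydomain.com are constructed for this example.

```python
"""Confirm that the InterScan MSS host is the primary mail exchanger.

Added example, not Trend Micro code. NSLOOKUP_OUTPUT is constructed in the
format the Windows nslookup utility prints after 'set type=MX'; the host
names are hypothetical.
"""
import re

NSLOOKUP_OUTPUT = """\
Server:  dns1.mydomain.com
Address:  192.168.253.10

mydomain.com    MX preference = 10, mail exchanger = imss.mydomain.com
mydomain.com    MX preference = 20, mail exchanger = emailer1.mydomain.com
imss.mydomain.com       internet address = 192.168.253.20
emailer1.mydomain.com   internet address = 192.168.253.21
"""

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")


def parse_mx(output):
    """Return (preference, host) pairs, most preferred (lowest number) first."""
    records = [(int(pref), host.rstrip(".").lower()) for pref, host in MX_RE.findall(output)]
    return sorted(records)


def primary_exchanger(output):
    """Host that sending servers will try first, or None if no MX records were found."""
    records = parse_mx(output)
    return records[0][1] if records else None


def is_primary(output, host):
    """True if host has the lowest preference value; ties at that value all count."""
    records = parse_mx(output)
    if not records:
        return False
    best = records[0][0]
    return host.lower() in {h for p, h in records if p == best}


if __name__ == "__main__":
    # On a real gateway, paste the output of: nslookup -type=MX mydomain.com
    print("primary exchanger:", primary_exchanger(NSLOOKUP_OUTPUT))
    print("IMSS is primary:", is_primary(NSLOOKUP_OUTPUT, "imss.mydomain.com"))
```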

Excluding Certain Types of Text Files from Scanning


By default, InterScan MSS does not allow you to exclude text files from scanning. To exclude certain types of text files from scanning, you must modify the TMeMgr.ini file. For example, to exclude data exchange files (DXF) from scanning, complete the following steps:

1. Locate the TMeMgr.ini file in the [drive]\Program files\Trend\IMSS\ISNTSmtp directory.
2. Modify the following settings:

   [em_core]
   EnableSkipASCIIFile=yes
   SkippedASCIIFileList=dxf

Note: You must enter yes and no in lowercase letters. If you want to skip other types of text files, use the semicolon (;) to separate each extension.

3. Save the TMeMgr.ini file.
4. Restart InterScan MSS from the Windows 2000/NT Service Manager.
5. The new setting takes effect after you click Apply Now.

When InterScan MSS scans the email header (From, To, and Cc) and the body of the email, separators are added: quotation marks ("), commas (,), angle brackets (<>), and semicolons (;). These separators are not removed when you deselect the filter's email header check box.

Appendix C: Uninstalling and Reinstalling InterScan Messaging Security Suite


When uninstalling or reinstalling InterScan Messaging Security Suite (InterScan MSS) you must use the installation program, setup.exe. You should not use Add/Remove Programs in the Windows Control Panel to uninstall InterScan MSS. Likewise, you should not attempt to remove the program by manually deleting the InterScan folder and registry keys. The order used to uninstall the InterScan MSS components is critical, and only the InterScan MSS installation program uninstalls these components in the correct order. If you want to preserve your customized settings on InterScan MSS, you should save the INI files and registry entries before uninstalling the program. You can use these files and entries to later recreate your previous configuration and settings. You can run setup.exe either from the server on which you have installed the components or from a remote Windows NT or 2000 computer.

Appendix D: Example Logs


The following logs are examples of information recorded in Normal, Detailed, and Diagnostic logs if a policy is triggered and a message is quarantined:

Normal Log
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message from: <dburnell@home.local>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message map <c:\program files\trend\imss\ISNTSMTP\mqueue\DE6DD418-BACA-4F9F-9F8FF5A876D33AA8.DF>, Subject=<normal logging with attachment policy triggered>, TID=<624>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message to: <rrivero@home.local>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] MTA finish, spend <60> ms, size=(0, 71681) bytes
2003/04/03 21:38:48 GMT-08:00 de6dd418-baca-4f9f-9f8ff5a876d33aa8 [4c4] email has been quarantined
2003/04/03 21:38:48 GMT-08:00 subject [normal logging with attachment policy triggered], sender [dburnell@home.local], recipient[<rrivero@home.local>], entity [NOTEPAD.EXE] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [stri...
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 Final action is Quarantine.
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [4c4] Scan finish, spend <381> ms

Detailed Log
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message from: <dburnell@home.local>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message map <c:\program files\trend\imss\ISNTSMTP\mqueue\83198C17-750D-43C8-A070-DA61B7E4226C.DF>, Subject=<detailed logging with policy triggered>, TID=<520>
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] Message to: <rrivero@home.local>
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070da61b7e4226c [208] Push email into <scanning queue> OK
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [208] MTA finish, spend <110> ms, size=(0, 162067) bytes
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C To do action: Quarantine
2003/04/03 21:44:10 GMT-08:00 83198c17-750d-43c8-a070da61b7e4226c [3f8] email has been quarantined
2003/04/03 21:44:10 GMT-08:00 subject [detailed logging with policy triggered], sender [dburnell@home.local], recipient["Raffy Rivero" <rrivero@home.local>], entity [poledit.exe] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action...
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C Final action is Quarantine.
2003/04/03 21:44:10 GMT-08:00 83198C17-750D-43C8-A070DA61B7E4226C [3f8] Scan finish, spend <70> ms

Diagnostic Log
2003/04/03 21:47:07 GMT-08:00 [71c] << HELO gwsvr
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 gw-svr Hello [192.168.253.252]
2003/04/03 21:47:07 GMT-08:00 [71c] << MAIL FROM: <dburnell@home.local>
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 <dburnell@home.local>: Sender Ok
2003/04/03 21:47:07 GMT-08:00 [71c] << RCPT TO: <rrivero@home.local>
2003/04/03 21:47:07 GMT-08:00 [71c] >> 250 <rrivero@home.local>: Recipient Ok
2003/04/03 21:47:07 GMT-08:00 [71c] << DATA
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] >> 354 gw-svr: Send data now. Terminate with "."
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] DOT command received
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] >> 250 gw-svr: Message accepted for delivery
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Message from: <dburnell@home.local>
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Message map <c:\program files\trend\imss\ISNTSMTP\mqueue\2565EE87-62E9-4417-AC5C40927E2F4625.DF>, Subject=<Diagnostic Logging policy triggered>, TID=<1820>
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] Message to: <rrivero@home.local>
2003/04/03 21:47:07 GMT-08:00 2565ee87-62e9-4417-ac5c40927e2f4625 [71c] Push email into <scanning queue> OK
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C-40927E2F4625 [71c] << QUIT
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] >> 221 gw-svr closing connection. Goodbye!
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [71c] MTA finish, spend <191> ms, size=(0, 334368) bytes
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 parsing message.
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: multipart/mixed, encoding: (none)].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: multipart/alternative, encoding: (none)].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: text/plain, encoding: quoted-printable].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: text/html, encoding: quoted-printable].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 entity [content-type: application/x-msdownload, encoding: base64].
2003/04/03 21:47:07 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 finished parsing message.
2003/04/03 21:47:07 GMT-08:00 Matched rule : Global Policy\Incoming Policy
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 splitting message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 finished splitting message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 Filter(0x20002, ATTACHMENT FILTER) runs successfully, outcome: Triggered
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 To do action: Quarantine
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 writing back message.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 finished writing message.
2003/04/03 21:47:08 GMT-08:00 2565ee87-62e9-4417-ac5c40927e2f4625 [320] email has been quarantined
2003/04/03 21:47:08 GMT-08:00 subject [Diagnostic Logging policy triggered], sender [dburnell@home.local], recipient["Raffy Rivero" <rrivero@home.local>], entity [explorer.exe] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [...
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 Final action is Quarantine.
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [320] Scan email result <16908288>, return code <16908288>
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [320] Scan finish, spend <140> ms
2003/04/03 21:47:08 GMT-08:00 2565EE87-62E9-4417-AC5C40927E2F4625 [320] Delete Message file<c:\program files\trend\imss\ISNTSMTP\mqueue\2565EE87-62E9-4417-AC5C40927E2F4625.DF> success

Understanding Information in the Logs


To troubleshoot what happens when InterScan MSS processes a message, locate the message ID next to the following entries: Message from:<sender@company.com> and the Message to:<recipient@company.com>. The message ID contains all the processing information for a message. The information will not always be in sequence as shown in the examples above. For example, the log may list information about message 1, information about message 4, and then more information about message 1. To discover what happened to a message, locate the message ID and then locate the last entry in the log file with that message ID. The log file format is ISNT5.yyyymmdd.xxxx. The extension (xxxx) represents a number starting from 0001. When the log file grows to approximately 10 MB, it will be incremented to 0002. Some messages may be logged in more than one log file.
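The rule above (find the message ID, then its last entry) is easy to script. The following added example, which is not part of the original text, parses lines in the ISNT5 log format, groups them by message ID regardless of letter case, and reports each message's sender, recipients, final action and last logged event. SAMPLE_LOG reuses lines from the Normal log above and adds constructed lines for a second message (ID beginning 11111111, final action Deliver) to show that entries for different messages interleave; lines that carry no message ID, such as the policy-violation summary, are kept in a separate bucket.

```python
"""Reconstruct what InterScan MSS did with each message from an ISNT5 log.

Added example, not Trend Micro code. SAMPLE_LOG mixes lines quoted from the
Normal log above with constructed lines for a second message (ID starting
11111111) so that entries for two messages interleave, as they do in real logs.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message from: <dburnell@home.local>
2003/04/03 21:38:47 GMT-08:00 11111111-2222-3333-4444-555555555555 [271] Received from gwsvr ([192.168.253.252]) by gw-svr
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] Message to: <rrivero@home.local>
2003/04/03 21:38:47 GMT-08:00 11111111-2222-3333-4444-555555555555 [271] Message from: <alice@home.local>
2003/04/03 21:38:47 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [270] MTA finish, spend <60> ms, size=(0, 71681) bytes
2003/04/03 21:38:47 GMT-08:00 11111111-2222-3333-4444-555555555555 [271] Message to: <rrivero@home.local>
2003/04/03 21:38:48 GMT-08:00 de6dd418-baca-4f9f-9f8ff5a876d33aa8 [4c4] email has been quarantined
2003/04/03 21:38:48 GMT-08:00 subject [normal logging with attachment policy triggered], sender [dburnell@home.local], recipient[<rrivero@home.local>], entity [NOTEPAD.EXE] violates policy [ATTACHMENT FILTER], reason [File type: WIN32 EXE, violates file-type checking], action [stri...
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 Final action is Quarantine.
2003/04/03 21:38:48 GMT-08:00 11111111-2222-3333-4444-555555555555 Final action is Deliver.
2003/04/03 21:38:48 GMT-08:00 DE6DD418-BACA-4F9F-9F8FF5A876D33AA8 [4c4] Scan finish, spend <381> ms
2003/04/03 21:38:48 GMT-08:00 11111111-2222-3333-4444-555555555555 [4c5] Scan finish, spend <12> ms
"""

# timestamp, optional message ID, optional [thread ID], free text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} GMT[+-]\d{2}:\d{2}) "
    r"(?:(?P<msgid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]+){3,}) )?"
    r"(?:\[(?P<tid>[0-9A-Fa-f]+)\] )?"
    r"(?P<text>.*)$"
)
FINAL_RE = re.compile(r"Final action is (\w+)")
FROM_RE = re.compile(r"Message from: <([^>]*)>")
TO_RE = re.compile(r"Message to: <([^>]*)>")


def parse_line(line):
    """Split one log line into its fields; None if the line is not in ISNT5 format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = m.groupdict()
    if entry["msgid"]:
        entry["msgid"] = entry["msgid"].upper()  # the scanner logs the ID in lower case
    return entry


def group_by_message(lines):
    """Map message ID -> entries in file order; lines without an ID go under None."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            groups[entry["msgid"]].append(entry)
    return groups


def summarize(lines):
    """Per message ID: sender, recipients, final action, last event and entry count."""
    summary = {}
    for msgid, entries in group_by_message(lines).items():
        if msgid is None:
            continue
        texts = [e["text"] for e in entries]
        final = FINAL_RE.search("\n".join(texts))
        summary[msgid] = {
            "sender": next((m[1] for m in map(FROM_RE.search, texts) if m), None),
            "recipients": [m[1] for m in map(TO_RE.search, texts) if m],
            "final_action": final[1] if final else None,
            "last": texts[-1],       # the last entry is the authoritative outcome
            "entries": len(entries),
        }
    return summary


if __name__ == "__main__":
    # On a gateway: summarize(open(r"...\ISNT5.20030403.0001").read().splitlines())
    for msgid, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(msgid, info["sender"], "->", info["recipients"], info["final_action"], "|", info["last"])
```

Because a message can span two log files when the 10 MB rollover happens mid-message, concatenate consecutive ISNT5.yyyymmdd.xxxx files before calling summarize.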

Appendix E: Interpreting Header Information


The table in this appendix contains email headers. The headers are added to an email as it travels from the senders computer and email server, through the Internet, and to the recipients email server and computer.
Received: from mail.mydomain.com (mail.mydomain.com [124.211.3.78])
    "from mail.mydomain.com" is the name of the sending mail server, as it announced itself. The part in parentheses is the true name and IP address of the sending mail server, as determined by the receiving server.

by mailhost.anotherdomain.com (8.8.5/8.7.2)
    The name of the receiving mail server.
    Note: The numbers refer to the version of the mail program being used by the receiving server.

with ESMTP id LAA20869
    The ID number (LAA20869) assigned to this message by the receiving mail server.
    Note: This ID number is for the server's own use. If necessary, an administrator can use the number to look up the message in the server's log files, but the number has no use for anyone else.

for <Amy@anotherdomain.com>; Fri, 20 Jun 2003 14:39:24 -0800 (PST)
    The intended recipient of this message, followed by the date and time that this mail transfer took place.
    Note: "-0800" (PST) indicates that the message originated in the Pacific Standard Time zone, which is 8 hours behind Greenwich Mean Time.

Line From Header / Explanation

Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11]) by mail.mydomain.com (8.8.5) id 004A21; Fri, 20 Jun 2003 14:36:17 -0800 (PST)
    This line documents that alpha.mydomain.com (Joe's workstation) sent the message to mail.mydomain.com at 14:36:17 Pacific Standard Time. The sending machine called itself alpha.mydomain.com; its true name and IP address, as recorded by the receiving server, are listed inside the parentheses. mydomain.com's mail server is running Sendmail version 8.8.5, and it assigned the ID number 004A21 to this email message for internal processing.

From: Joe@mydomain.com (Joe Smith)
    The sender of this message, whose real name is Joe Smith. Like every header that follows the last Received: line, this one is written by the sender's software and is not verified by any server.

To: Amy@anotherdomain.com
    The intended recipient of this message, as designated by the sender when the message was composed.

Date: Fri, 20 Jun 2003 14:36:14 PST
    The date and time this message was composed.

Message-Id: <rth03189714361400000298@mail.mydomain.com>
    The message ID assigned to this message by the sending mail server.
    Note: This ID is different from the SMTP and ESMTP ID numbers in the Received: headers above because it is permanently attached to this message; the other IDs are associated with specific mail transactions and are only meaningful to the machine that assigns them. Sometimes (as in this example) the Message-ID includes the name of the sending mail server. More frequently, it has no apparent meaning.

X-Mailer: Groovymail v2.01
    The message was sent using a (fictitious) program called Groovymail, version 2.01.

Subject: Lunch today?
    Self-explanatory.
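The table above explains how to read a Received: chain one line at a time. The following Python script is an added example, not part of the textbook or of InterScan MSS: it parses the Received: headers into hops, orders them oldest first (each server prepends its line, so the top line is the newest), and flags the three inconsistencies an administrator checks when tracing a message: the announced name not matching the recorded reverse name and IP, one hop's "by" server not being the next hop's "from" server, and timestamps that run backwards. Both sample messages are constructed for this example; the first is assembled from the table's own headers, the second is a made-up forgery using an RFC 5737 documentation address.

```python
# Trace a message's Received: chain bottom-up, as the header table describes.
# Added example, not textbook or InterScan MSS code; both messages are constructed.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Built from the example headers in the table above (dates written in
# RFC 2822 order so the standard-library date parser accepts them).
TEXTBOOK_MESSAGE = (
    "Received: from mail.mydomain.com (mail.mydomain.com [124.211.3.78])\n"
    "\tby mailhost.anotherdomain.com (8.8.5/8.7.2) with ESMTP id LAA20869\n"
    "\tfor <Amy@anotherdomain.com>; Fri, 20 Jun 2003 14:39:24 -0800 (PST)\n"
    "Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11])\n"
    "\tby mail.mydomain.com (8.8.5) id 004A21; Fri, 20 Jun 2003 14:36:17 -0800 (PST)\n"
    "From: Joe@mydomain.com (Joe Smith)\n"
    "To: Amy@anotherdomain.com\n"
    "Date: Fri, 20 Jun 2003 14:36:14 -0800\n"
    "Message-Id: <rth03189714361400000298@mail.mydomain.com>\n"
    "X-Mailer: Groovymail v2.01\n"
    "Subject: Lunch today?\n"
    "\n"
    "Lunch at noon?\n"
)

# Constructed forgery: the connecting host announced itself as mail.mydomain.com,
# but the receiver recorded another reverse name and IP, and the sender-supplied
# bottom Received: line neither chains to the real hop nor keeps time order.
FORGED_MESSAGE = (
    "Received: from mail.mydomain.com (dsl-77.isp.example [198.51.100.77])\n"
    "\tby mailhost.anotherdomain.com (8.8.5/8.7.2) with ESMTP id LAA20900\n"
    "\tfor <Amy@anotherdomain.com>; Fri, 20 Jun 2003 15:02:10 -0800 (PST)\n"
    "Received: from alpha.mydomain.com (alpha.mydomain.com [124.211.3.11])\n"
    "\tby relay.mydomain.com (8.8.5) id 004A99; Fri, 20 Jun 2003 15:30:00 -0800 (PST)\n"
    "From: Joe@mydomain.com (Joe Smith)\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

# "from <announced name> (<reverse name> [<ip>]) by <receiver> <rest>"
FROM_BY_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^()]*)\))?\s+by\s+(\S+)(.*)", re.I)


def parse_received(value):
    """Split one Received: value into its fields; the date follows the last ';'."""
    text = " ".join(value.split())                 # unfold continuation lines
    clause, sep, date_text = text.rpartition(";")
    m = FROM_BY_RE.match(clause)
    if not sep or not m:
        raise ValueError("unrecognised Received line: " + text)
    announced, comment, receiver, rest = m.groups()
    reverse_name = ip = None
    if comment:                                    # the receiver-recorded part
        ipm = re.search(r"\[([^\]]+)\]", comment)
        ip = ipm.group(1) if ipm else None
        reverse_name = (comment[: ipm.start()] if ipm else comment).strip() or None
    idm = re.search(r"\bid\s+(\S+)", rest)         # receiver's transaction ID
    return {
        "from": announced, "rdns": reverse_name, "ip": ip, "by": receiver,
        "id": idm.group(1) if idm else None,
        "time": parsedate_to_datetime(date_text.strip()),
    }


def trace_path(raw_message):
    """Return hops oldest first: every server prepends, so the top line is newest."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def audit_path(hops):
    """Flag the inconsistencies that betray a forged or broken Received: chain."""
    warnings = []
    for i, hop in enumerate(hops):
        if hop["rdns"] and hop["rdns"].lower() != hop["from"].lower():
            warnings.append(f"hop {i}: announced {hop['from']} but the connection "
                            f"came from {hop['rdns']} [{hop['ip']}]")
        if i == 0:
            continue
        prev = hops[i - 1]
        names = {hop["from"].lower(), (hop["rdns"] or "").lower()}
        if prev["by"].lower() not in names:        # chain continuity
            warnings.append(f"hop {i}: received from {hop['from']}, but the previous "
                            f"hop was stamped by {prev['by']}")
        if hop["time"] < prev["time"]:             # clocks never run backwards
            warnings.append(f"hop {i}: stamped {hop['time'].isoformat()}, earlier "
                            f"than the previous hop")
    return warnings


def transit_seconds(hops):
    """Seconds between the first and the last hop's timestamps."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


if __name__ == "__main__":
    for label, raw in (("textbook", TEXTBOOK_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = trace_path(raw)
        print(f"== {label}: {len(hops)} hops, {transit_seconds(hops)} s in transit")
        for hop in hops:
            print(f"  {hop['from']} -> {hop['by']} at {hop['time']:%H:%M:%S %z} id={hop['id']}")
        for warning in audit_path(hops):
            print("  WARNING:", warning)
```

Only the part inside the parentheses and the "by" server name are written by the receiving server; the announced name and every Received: line below the first one a trusted server added can be anything the sender chose, which is why the audit walks the chain from the trusted top hop downwards rather than taking the bottom line at face value.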


Appendix F: Answers to Review Questions


Chapter 1
1. Which feature allows you to control the level of antivirus and content management that is applied to members of your organization?
   a. Domain-based message routing
   b. Quarantine manager
   c. Policy-based management
   d. Single-server, multiple policy support

2. Which feature can you use to filter unwanted email, such as sexually or racially insensitive material?
   a. Domain-based message routing
   b. Content management
   c. Policy-based management
   d. Single-server, multiple policy support

3. Which feature notifies you when a fault condition threatens to disrupt email flow?
   a. Content management
   b. Enhanced server access control
   c. Quarantine manager
   d. System Monitor


Chapter 2
1. Which of the following are recommended installation configurations for InterScan MSS? (Choose two.)
   a. Behind the firewall
   b. In front of the firewall
   c. In a DMZ
   d. Behind a DMZ

2. Which of the following installation instructions does Trend Micro recommend?
   a. Install InterScan MSS on the existing email server.
   b. Install InterScan MSS on a dedicated server.
   c. Install InterScan MSS on a server with other Trend Micro products.
   d. Install InterScan MSS on the largest server on your network.

3. Which of the following are reasons why it is beneficial to install InterScan MSS on the email server? (Choose two.)
   a. Additional servers are not required
   b. Overhead on the email server does not increase
   c. Requires less network bandwidth
   d. Greater efficiency

5. Which four of the following items can you update? (Choose four.)
   a. Virus pattern file
   b. Pattern-Matching engine
   c. Spam database
   d. Scan engine
   e. SPS Heuristic spam rules
   f. TrueScan filter


Chapter 3
1. Why would you want to use a reverse lookup?
   a. To configure a deny access list
   b. To prevent known spam senders from using your SMTP server as a relay
   c. To enable domain-based delivery
   d. To create a masquerade domain

2. What does the hop count limit?
   a. The number of times an email can be forwarded
   b. The number of times InterScan MSS can retry delivering an email
   c. The number of times an email is scanned
   d. The number of times an email can loop between the InterScan MSS and email servers

3. What is the purpose of a masquerade domain?
   a. To block spam coming from specified domains
   b. To block all email from specified domains
   c. To change the domain name in the From: field
   d. All of the above

Chapter 4
1. Which of the following must be installed on your network in order for InterScan MSS to scan POP3 traffic?
   a. VPN
   b. RADIUS server
   c. Firewall
   d. Trend Micro Control Manager


2. Why might you need to set up a dedicated connection to the InterScan MSS server POP3 proxy?
   a. InterScan MSS is installed on a server that has more than one network interface card.
   b. Users need to authenticate to the POP3 server using the APOP command.
   c. You are using the POP3 Client Tool.
   d. You need to configure an email client that is not supported by the POP3 Client Tool ActiveX control.

Chapter 5
1. What is the purpose of the badmail directory?
   a. To hold messages that are undeliverable so they will not be deleted
   b. To hold messages that are infected by a virus
   c. To hold messages that do not have empty subject fields
   d. To hold messages that cannot be scanned

2. Which of the following statements about queue directory locations is true?
   a. UNC paths are supported.
   b. The path must be a local directory path.
   c. It is not necessary to restart InterScan MSS to apply changes to directories.
   d. All of the above

3. How do you use InterScan MSS to prevent zip-of-death attacks on your network?
   a. Specify the maximum allowable file size after decompression
   b. Restrict the number of recursively compressed layers
   c. Reject all compressed files such as ZIP and LZH files
   d. Block all large attachments


Chapter 6
1. Which of the following is not a policy component?
   a. Filter action
   b. Route
   c. Filters
   d. Sub-policy

2. Which eManager filter blocks messages that have the words "Get Rich Quick" in the subject line?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message size filter
   d. Subject line filter

3. Which eManager filter do you use to block large messages during business hours?
   a. Anti-spam filter
   b. Disclaimer manager filter
   c. Message-size filter
   d. Subject line filter

4. Which filter action is executed first?
   a. Deliver
   b. Forward original message
   c. Notification
   d. Forward modified message

5. In which order should you organize sub-policies?
   a. Most general policies first, most specific policies last
   b. Most specific policies first, most general policies last
   c. Incoming policies first, outgoing policies last
   d. Outgoing policies first, incoming policies last

Chapter 7
1. Which is not a good reason to exclude graphics files such as TIFF and BMP files from scanning?
   a. Graphics files are resource-intensive to scan.
   b. Graphics files are not known to carry viruses.
   c. Your messaging system frequently transfers graphics files.
   d. Graphics files, by default, always produce false positives.

2. Why is it resource-intensive to scan compressed files?
   a. Compressed files are the most common type of attachment.
   b. Compressed files often contain empty spaces that slow most scan engines.
   c. Compressed files must be decompressed before scanning.
   d. Compressed files require complicated algorithms to scan them.

3. How does InterScan MSS record one virus-infected message that is sent to three recipients in three domains?
   a. One message processed, one virus detected
   b. One message processed, three viruses detected
   c. Three messages processed, three viruses detected
   d. Three messages processed, one virus detected

4. How do you search for a phrase that contains a semicolon (;)?
   a. Enter the phrase as it is: I like dogs; I adore cats.
   b. Enter a backslash before the semicolon: I like dogs\; I adore cats.
   c. Enclose the semicolon between parentheses: I like dogs (;) I adore cats.
   d. Enclose the phrase between quotation marks: "I like dogs; I adore cats."


5. How does the SPS heuristic scan engine detect spam?
   a. Compares email to a spam database
   b. Compares email to the search criteria that you define, based on Trend Micro recommendations
   c. Compares email to previous spam that you have saved in the SPS SpamBank
   d. Compares characteristics of the email against predefined rules or common characteristics of spam

Chapter 8
1. For which event can you configure the System Monitor to notify you?
   a. An undeliverable message
   b. Slow performance
   c. An attempt to bypass security
   d. The result of a scheduled-update attempt

2. When configuring the level of detail that logs will record, which three of the following options can you choose? (Choose three.)
   a. High
   b. Low
   c. Medium
   d. Diagnostic
   e. Normal
   f. Advanced
   g. Detailed

3. What happens when the total size of the log files exceeds the designated amount?
   a. InterScan MSS reserves a new block of space for log files.
   b. The oldest files are deleted.
   c. The newest files are deleted.
   d. InterScan MSS sends a notification.
