Installation manual
6
1.3 Methods used
Two independent methods are used to scan email messages:
Mailbox scanning via VSAPI
Message filtering on the SMTP server level
1.3.1 Mailbox scanning via VSAPI
The mailbox scanning process is triggered and controlled by the Microsoft Exchange Server. Emails in the Microsoft
Exchange Server store database are scanned continuously. Depending on the version of Microsoft Exchange Server,
the VSAPI interface version and the user-defined settings, the scanning process can be triggered in any of the
following situations:
When the user accesses email, e.g. in an email client (email is always scanned with the latest virus signature
database)
In the background, when use of the Microsoft Exchange Server is low
Proactively (based on the Microsoft Exchange Server’s inner algorithm)
The VSAPI interface is currently used for antivirus scanning and rule-based protection.
1.3.2 Message filtering on the SMTP server level
SMTP server-level filtering is provided by a specialized plugin. In Microsoft Exchange Server 2000 and 2003, the
plugin in question (Event Sink) is registered on the SMTP server as a part of Internet Information Services (IIS). In
Microsoft Exchange Server 2007/2010, the plugin is registered as a transport agent on the Edge or the Hub roles of
the Microsoft Exchange Server.
SMTP server-level filtering by a transport agent provides protection in the form of antivirus, antispam and
user-defined rules. Unlike VSAPI scanning, SMTP server-level filtering is performed before the scanned email
arrives in the Microsoft Exchange Server mailbox.
1.4 Types of protection
There are three types of protection:
1.4.1 Antivirus protection
Antivirus protection is one of the basic functions of the ESET Mail Security product. Antivirus protection guards
against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious
code is detected, the Antivirus module can eliminate it by blocking it and then cleaning, deleting or moving it to
quarantine.
1.4.2 Antispam protection
Antispam protection integrates several technologies (RBL, DNSBL, Fingerprinting, Reputation checking, Content
analysis, Bayesian filtering, Rules, Manual whitelisting/blacklisting, etc.) to achieve maximum detection of email
threats. The antispam scanning engine’s output is the spam probability value of the given email message expressed
as a percentage (0 to 100).
Another component of the antispam protection module is the Greylisting technique (disabled by default). The
technique relies on the RFC 821 specification, which states that since SMTP is considered an unreliable transport,
every message transfer agent (MTA) should repeatedly attempt to deliver an email after encountering a temporary
delivery failure. A substantial part of spam consists of one-time deliveries (using specialized tools) to a bulk list of
email addresses generated automatically. A server employing Greylisting calculates a control value (hash) for the
envelope sender address, the envelope recipient address and the IP address of the sending MTA. If the server cannot
find the control value for the triplet within its own database, it refuses to accept the message, returning a
temporary failure code (for example, 451). A legitimate server will attempt a redelivery of the
message after a variable time period. On the second attempt the triplet's control value is stored in the database of
verified connections, allowing any email with the same triplet to be delivered from then on.