GFI MailSecurity 2011 for Exchange/SMTP Administration & Configuration Manual
http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document.
Contents

1 Introduction
  1.1 Introduction to GFI MailSecurity
2 About GFI MailSecurity
  2.1 GFI MailSecurity components
3 Monitoring the GFI MailSecurity status
  3.1 Introduction
  3.2 Status and statistical information
  3.3 Email processing logs
  3.4 Virus scanning engine updates
4 General settings
5 Configuring Virus Scanning Engines
  5.4 BitDefender configuration
  5.5 McAfee configuration
  5.6 Norman configuration
  5.7 Virus scanner actions
  5.8 Virus scanner updates
6 Configuring other mail filters
7 Quarantine
  7.1 Introduction
  7.2 The Quarantine Store
8 Reporting
9 Miscellaneous
10 Troubleshooting
  10.1 Introduction
  10.2 Knowledge Base
  10.3 Web Forum
11 Glossary
1 Introduction

1.1 Introduction to GFI MailSecurity
Email is frequently used as a means for distributing harmful content (for example, through email attachments). GFI MailSecurity acts as an email firewall to protect an email system against malicious email attacks. The software uses various methods to block malicious emails, such as multiple virus scanning engines and link scanning technology.
Chapter 8 Reporting - Describes how to configure the reporting database to generate reports using the GFI MailSecurity ReportPack.
Chapter 9 Miscellaneous - Provides information on how to use and configure other features of the product.
Chapter 10 Troubleshooting - Contains information on how to deal with any problems encountered while using GFI MailSecurity. Also provides extensive support information.
Chapter 11 Glossary - Defines technical terms used within GFI MailSecurity.
2 About GFI MailSecurity

2.1 GFI MailSecurity components
GFI MailSecurity scan engine
The GFI MailSecurity scan engine analyzes the content of all inbound and outbound email. If you install GFI MailSecurity on the Microsoft Exchange Server, it also scans the Microsoft Exchange Information Store and internal emails. When GFI MailSecurity quarantines an email, it informs the appropriate supervisor/administrator via email or RSS feed, depending on the options configured.
Incoming email is relayed to the GFI MailSecurity machine. Email is scanned by GFI MailSecurity using the email scanning engines and filters configured to scan inbound emails.

EMAIL SCANNING ENGINE - DESCRIPTION
Virus Scanning Engines - Scan emails for viruses and malicious code. Some engines also include other features, such as macro checking, link scanning and Sandbox technology.
Content and attachment filtering - Block emails that match any rules containing pre-configured conditions within the email body or attachments.
Trojan & executable scanner - Analyzes the function of executable files for malicious code.
Email exploit engine - Checks if attachments contain any exploits.
3 Monitoring the GFI MailSecurity status

3.1 Introduction
The GFI MailSecurity Dashboard node provides important information in real time that enables you to monitor the functionality of GFI MailSecurity. This includes:
- Important statistical information about blocked emails
- Status of GFI MailSecurity services
- Graphical presentation of email activity
- List of emails processed
- Status of virus scanning engine updates
NOTE: Configure the refresh settings from the top of the page.
3.2 Status and statistical information Screenshot 3 - The GFI MailSecurity Dashboard Navigate to GFI MailSecurity ► Dashboard to open the Dashboard page. This page displays GFI MailSecurity statistics, status of services and a graphical presentation of email activity. More details on these sections are provided below.
Services
Screenshot 4 - The GFI MailSecurity Services
The Services area displays the status of the GFI MailSecurity services. A status icon next to each service indicates whether that service is started or stopped.
NOTE: Start or stop services from the Microsoft Windows Services console. To launch the Services console, navigate to Start ► Run, key in services.msc and click OK.
Email Statistics
The Email Statistics area shows global counters:
- Total emails processed
- Total quarantined emails
- Unprocessed emails in this period
These include the total number of emails scanned and quarantined by GFI MailSecurity since installation, and the number of unprocessed emails in the last 24 hours.

Charts
Screenshot 6 - The GFI MailSecurity Charts
The Charts area displays graphical information about emails processed by GFI MailSecurity. Select the time period from the drop-down list to display information for that period in the charts.

3.3 Email processing logs
Screenshot 7 - Email processing logs
From GFI MailSecurity, you can monitor all processed emails in real time. Navigate to GFI MailSecurity ► Dashboard and select the Logs tab to display the list of processed emails. The following details are displayed for each email processed: Date/Time, Sender, Recipient(s), Subject, Scan Result. The Scan Result column shows the action taken on the email.
NOTE: The email cannot be previewed in quarantine if it was manually deleted or if it was blocked by a rule configured to save emails to a folder on disk.
Deleted - The email was blocked by an engine or filter whose action is set to delete detected emails.
Failed - The email could not be scanned by GFI MailSecurity. The email is moved to the following folder: \GFI\Content Security\MailSecurity\FailedMails. For more information about failed emails refer to http://kbase.gfi.com/showarticle.
3.4 Virus scanning engine updates
Screenshot 9 - Virus scanning engines updates
The updates of virus scanning engines can be monitored from a central configuration page. Navigate to GFI MailSecurity ► Dashboard and select the Updates tab to review the following update information:
Engine - The virus scanning engine.
Last Update - Displays the date and time of the last successful update.
Status - Shows the current status of the updating process.
4 General settings

4.1 Introduction
The Settings node enables you to configure a number of options:
- Administrator's email address
- Proxy settings for automatic updates
- The list of Local Domains
- SMTP server bindings
- The list of local users

4.2 Configuring the administrator's email address
GFI MailSecurity sends important notifications to the administrator via email. To set up the administrator's email address:
1.
4.3 Configuring proxy server settings for automatic updates
GFI MailSecurity automatically searches for and downloads updates (for example, virus definition updates and Trojan & Executable Scanner definitions) from the GFI update servers. If the server on which GFI MailSecurity is installed connects to the internet through a proxy server, configure the proxy server settings as follows: 1. From the GFI MailSecurity Configuration navigate to GFI MailSecurity ► General ► Settings and select the Updates tab.
6. Click Apply. 4.4 Adding Local Domains Screenshot 12 - Local Domains list GFI MailSecurity requires the list of local domains to enable it to distinguish between inbound, outbound or internal emails. During installation, GFI MailSecurity automatically imports local domains from the IIS SMTP service. If, however, you wish to add or remove local domains after installation, follow these steps: 1.
4.5 SMTP server bindings
NOTE: The SMTP Server bindings tab is not available when GFI MailSecurity is installed on a Microsoft Exchange Server 2007/2010 machine.
Screenshot 13 - Binding GFI MailSecurity to a different SMTP Server
GFI MailSecurity relies on the IIS SMTP service to send and receive emails. By default, it binds to your default SMTP virtual server. If, however, you have multiple SMTP virtual servers installed on your machine, select the one to which you want to bind GFI MailSecurity.
4.6 Managing local users
GFI MailSecurity uses three ways to retrieve users, depending on the installation environment.
NOTE: The number of users retrieved is also used for licensing purposes.
4.6.1 GFI MailSecurity installed in Active Directory mode
When GFI MailSecurity is not installed on the same machine as your mail server and Active Directory is present, GFI MailSecurity retrieves mail-enabled users from the Active Directory domain of which the GFI MailSecurity machine forms part.
NOTE: GFI MailSecurity automatically populates the list of local users using the sender's email address in outbound emails. Because the number of local users is also used for licensing (see the note above), review this list periodically and remove any addresses that are not real local mailboxes.
To add a new local user: 1. Enter the email address in the Email address box. 2. Click Add. 3. Repeat to add more local users and click Apply.
To remove a local user: 1. Select the local user you want to remove from the Local Users list and click Remove. 2. Repeat to remove more local users and click Apply.
5 Configuring Virus Scanning Engines

5.1 Introduction
GFI MailSecurity uses multiple Virus Scanning Engines to scan all emails for the presence of viruses. As part of its standard package, GFI MailSecurity ships with the Norman and BitDefender Virus Scanning Engines. You can also acquire a license for the following antivirus engines:
- AVG
- Kaspersky
- McAfee
This chapter describes how to configure Virus Scanning Engines, updates, actions and the scanning sequence.
5.2 AVG configuration
Screenshot 15 - Anti-virus Scanning Engines: AVG configuration page (General Tab)
1. Navigate to GFI MailSecurity ► Virus Scanning Engines ► AVG Anti-Virus. NOTE: On this page, you can also review the anti-virus engine licensing and version information. 2. Select the Enable Gateway Scanning (SMTP) check box to scan SMTP traffic using this Virus Scanning Engine. 3. Select whether to scan inbound and/or outbound emails using this Virus Scanning Engine.
4. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine. To scan the Information Store select the Enable Information Store Virus Scanning (VSAPI) check box. NOTE: To be able to use the Information Store Virus Scanning feature, you must enable the option from Information Store Protection node.
Screenshot 16 - AVG LinkScanner options
1. Navigate to GFI MailSecurity ► Virus Scanning Engines ► AVG Anti-Virus ► AVG LinkScanner. 2. Select Scan inbound SMTP emails to scan incoming emails using AVG LinkScanner. 3. Select Scan links destination pages for exploits to check the content of the links' destination pages for exploits. This feature requires outbound HTTP access from the GFI MailSecurity server; if outbound web access from the mail server is blocked at the firewall, the destination pages cannot be inspected. Click Test http access to verify that AVG LinkScanner can reach the links' destination pages.
5.3 Kaspersky configuration
Screenshot 17 - Anti-virus Scanning Engines: Kaspersky configuration page (General Tab)
1. Navigate to GFI MailSecurity ► Virus Scanning Engines ► Kaspersky Anti-Virus. NOTE: On this page you can also review the anti-virus engine licensing and version information. 2. Select the Enable Gateway Scanning (SMTP) check box to scan SMTP traffic using this Virus Scanning Engine. 3. Select whether to scan inbound and/or outbound emails using this Virus Scanning Engine.
NOTE: To be able to use the Information Store Virus Scanning feature, you must enable the option from Information Store Protection node. For more information about Information Store Protection, refer to Configuring Information Store Scanning section in this chapter. 5. Select Actions tab to configure the actions to take when this anti-virus engine finds malicious emails. Refer to the Virus scanner actions section in this chapter. 6.
5.4 BitDefender configuration
Screenshot 18 - Virus Scanning Engines: BitDefender configuration page (General Tab)
1. Navigate to GFI MailSecurity ► Virus Scanning Engines ► BitDefender Anti-Virus. NOTE: On this page you can also review the anti-virus engine licensing and version information. 2. Select the Enable Gateway Scanning (SMTP) check box to scan SMTP traffic using this Virus Scanning Engine. 3. Select whether to scan inbound and/or outbound emails using this Virus Scanning Engine.
Scan outbound SMTP email Select this option to scan outgoing emails 4. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine. To scan the Information Store select the Enable Information Store Virus Scanning (VSAPI) check box. NOTE: To be able to use the Information Store Virus Scanning feature, you must enable the option from Information Store Protection node.
5.5 McAfee configuration
Screenshot 19 - Virus Scanning Engines: McAfee configuration page (General Tab)
1. Navigate to GFI MailSecurity ► Virus Scanning Engines ► McAfee Anti-Virus. NOTE: On this page you can also review the anti-virus engine licensing and version information. 2. Select the Enable Gateway Scanning (SMTP) check box to scan SMTP traffic using this Virus Scanning Engine. 3. Select whether to scan inbound and/or outbound emails using this Virus Scanning Engine.
4. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine. To scan the Information Store select the Enable Information Store Virus Scanning (VSAPI) check box. NOTE: To be able to use the Information Store Virus Scanning feature, you must enable the option from Information Store Protection node.
5.6 Norman configuration
Screenshot 20 - Virus Scanning Engines: Norman configuration page
1. Navigate to GFI MailSecurity ► Virus Scanning Engines ► Norman Anti-Virus. NOTE: On this page you can also review the anti-virus engine licensing and version information. 2. Select the Enable Gateway Scanning (SMTP) check box to scan SMTP traffic using this Virus Scanning Engine. 3. Select whether to scan inbound and/or outbound emails using this Virus Scanning Engine.
Scan inbound SMTP email - Select this option to scan incoming emails.
Scan outbound SMTP email - Select this option to scan outgoing emails.
4. Select Enable Sandbox to use the Norman Anti-Virus Sandbox feature. This executes email attachments in a virtual environment and monitors all actions and effects on a system. If an attachment exhibits viral behavior, the email is marked as malicious and all appropriate actions are taken.
5.7 Virus scanner actions Screenshot 21 - Virus Scanning Engine: Configuration page (Actions Tab) In GFI MailSecurity, you can configure what each of the installed Virus Scanning Engines should do whenever an infected email is detected. NOTE: When GFI MailSecurity is installed on same machine as Microsoft Exchange 2003, GFI MailSecurity may not be able to block outbound emails, but instead replaces the blocked content (e.g. the attachment) with a threat report. 1.
NOTE: This feature is not applicable to emails scanned using the Information Store Virus Scanning feature.
4. GFI MailSecurity can send email notifications whenever an infected inbound email is detected. To enable this feature, select any of the following options:
Notify administrator - Notify the administrator whenever the virus scanner detects an infected email. To configure the administrator's email address refer to the chapter Configuring the administrator's email address.
5.8 Virus scanner updates
Screenshot 22 - Virus Scanning Engines: Configuration page (Updates Tab)
You can configure GFI MailSecurity to download virus scanner updates automatically or to notify the administrator whenever new updates are available. 1. Select the virus scanner to configure and select the Updates tab. 2. Select the Automatically check for updates check box to enable anti-virus engine auto-update. 3.
Check for updates and download Select this option if you want GFI MailSecurity to check for and automatically download any updates available for the virus scanner. 4. Specify how often you want GFI MailSecurity to check/download updates for this Virus Scanning Engine, by specifying an interval value in hours. 5. In the Update options area, select Enable email notifications upon successful updates to send an email notification to the administrator whenever the virus scanning engine updates successfully.
5.10 Configuring Virus Scanning optimizations From the GFI MailSecurity ► Virus Scanning Engines node you can instruct GFI MailSecurity to stop scanning an item if a particular number of virus scanning engines detect a virus in that item. Screenshot 24 - Configure virus scanning optimizations To enable this option, select the Stop virus scanning the current item, if viruses are detected by check box, and specify the number of virus scanners that need to detect a virus to stop virus scanning, in the box.
Screenshot 25 - Information Store Protection node 2. In the Information Store Virus Scanning tab, check Enable Information Store Virus Scanning and click Apply. The status of the Virus Scanning Engines used to scan the Information Store is displayed in the table. You can also disable a particular anti-virus engine from Information Store Scanning. To do this, navigate to the Virus Scanning Engines page, select the anti-virus engine and disable Enable Information Store Virus Scanning (VSAPI). 5.11.
Screenshot 26 - VSAPI scan settings
2. Select the VSAPI Settings tab. 3. (Optional) Select Enable background scanning to run Information Store Scanning in the background. Background scanning causes all the contents of the Information Store to be scanned. This can result in a high processing load on the Microsoft Exchange server, depending on the number of items stored in the Information Store. It is recommended to enable this option only during periods of low server activity, such as during the night. 4.
This is the default and recommended mode of operation, since in general the delay associated with on-access scanning is avoided. NOTE: In the event that an email client tries to access an item that is still in the queue, it will be allocated a higher scanning priority so that it is scanned immediately. 5. Click Apply.
6 Configuring other mail filters Apart from virus scanning engines, GFI MailSecurity also includes a number of other mail filtering mechanisms as described in this chapter. 6.1 Content Filtering 6.1.1 Introduction The Content Filtering feature allows you to set up rules to filter emails containing particular keywords or a combination of keywords in an email.
6.1.2 Creating a Content Filtering rule Step 1: Configuring basic rule settings 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Content Filtering node and click Add Rule…. Screenshot 28 - Content Filtering: General Tab 2. Specify a name for the rule in the Rule name text box. 3. Select which emails to scan.
4. To block emails encrypted using PGP technology, select Block PGP encrypted emails. NOTE: PGP is a public-key encryption system often used to encrypt emails. Content filtering cannot inspect an encrypted body, so blocking PGP-encrypted emails is the only way to make a keyword rule apply to them.
Step 2: Configuring terms to block
1. Select the Body tab to specify the keywords in the email body to block. 2. Select the Block emails if content is found matching these conditions check box to enable scanning of the body for keywords.
Screenshot 29 - Content Filtering: Body Tab - setting conditions
3.
Screenshot 30 - Content Filtering: Body Tab - configuring other options
5. From the Options area, configure other settings:
Match whole words only - Block emails only when the specified keywords match whole words.
Apply above conditions to attachments - Select this option to apply this rule also to text in attachments. In the Attachment filtering area, specify the attachments to apply or exclude from this rule.
6. Select the Subject tab to specify keywords to block in the email subject.
Screenshot 31 - Content Filtering: Subject Tab 7. Select Enable subject content filtering to enable scanning for keywords in the email subject. 8. In the Enter phrase text box, specify keywords to block, and click Add. NOTE: To remove an added keyword, select it from the Phrases box and click Remove Selected. 9. From the Options area, configure how keywords are matched. Select Match whole words only to block emails where the keywords specified match whole words in the subject.
Quarantine email - Stores emails containing the keyword(s) in the Quarantine Store. You can subsequently review (approve/delete) all the quarantined emails. For more information about Quarantine refer to the Quarantine chapter in this manual.
Delete email - Deletes emails containing the blocked keyword(s).
Move to folder - Moves the email to a folder on disk. Key in the full folder path where blocked emails are to be stored.
Screenshot 32 - Content Filtering: Users/Folders Tab 2. Specify the users to apply this rule to. Only this list Apply this rule to a custom list of email users, groups or public folders. All except this list Apply this rule to all email users except for the users, groups or public folders specified in the list. 3. To add email users, user groups and/or public folders to the list, click Add. Screenshot 33 - Add users to a Content Filtering rule 4.
NOTE: You do not need to input the full name of the users, groups or public folder. It is enough to enter part of the name. GFI MailSecurity will list all the names that contain the specified characters. For example, if you input 'sco', GFI MailSecurity will return names like 'Scott Adams' and 'Freeman Prescott', if they are available. 5. Select the check box next to the name(s) that you want to add to the list and click OK.
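The following is an added example of how a keyword rule like the one configured above can be evaluated; it is not GFI code, and the rule fields, action labels and sample messages are assumptions chosen to illustrate the body/subject phrase lists, the "Match whole words only" option and the "Apply above conditions to attachments" option. It goes slightly beyond the text in one respect: it shows why a plain `\b` word boundary is the wrong tool for whole-word matching of phrases that end in punctuation.

```python
"""Keyword-rule evaluation modelled on a Content Filtering rule.
Added example, not GFI code; field names and actions are illustrative."""
import re
from dataclasses import dataclass, field


@dataclass
class ContentRule:
    name: str
    body_phrases: list = field(default_factory=list)
    subject_phrases: list = field(default_factory=list)
    whole_words_only: bool = True       # "Match whole words only"
    scan_attachments: bool = False      # "Apply above conditions to attachments"
    action: str = "quarantine"          # quarantine | delete | move (hypothetical labels)

    def _pattern(self, phrase):
        # Lookarounds instead of \b: \b needs a word character on the phrase's own
        # side, so r"\bC\+\+\b" never matches "C++ here" while (?<!\w)C\+\+(?!\w) does.
        esc = re.escape(phrase)
        if self.whole_words_only:
            esc = rf"(?<!\w){esc}(?!\w)"
        return re.compile(esc, re.IGNORECASE)

    def matches(self, subject, body, attachments=()):
        """Return the hits as "where: phrase"; an empty list means the rule did not fire."""
        texts = [("body", body)]
        if self.scan_attachments:
            texts += [("attachment", text) for text in attachments]
        hits = []
        for phrase in self.body_phrases:
            pattern = self._pattern(phrase)
            hits += [f"{where}: {phrase}" for where, text in texts if pattern.search(text)]
        for phrase in self.subject_phrases:
            if self._pattern(phrase).search(subject):
                hits.append(f"subject: {phrase}")
        return hits


def first_action(rules, subject, body, attachments=()):
    """Rules are evaluated in list order; the first one that fires decides the action."""
    for rule in rules:
        hits = rule.matches(subject, body, attachments)
        if hits:
            return rule.name, rule.action, hits
    return None, "deliver", []


if __name__ == "__main__":
    # Constructed sample rules and messages, not real traffic.
    rules = [
        ContentRule("payment-fraud", subject_phrases=["urgent"],
                    body_phrases=["wire transfer"], scan_attachments=True),
        ContentRule("profanity", body_phrases=["sex"], action="delete"),
    ]
    print(first_action(rules, "URGENT: invoice", "see attached",
                       ["please do the wire transfer today"]))
    print(first_action(rules, "Office move", "The Essex office opens Monday"))
```

The second sample message is the reason the whole-word option exists: with it enabled, "sex" does not fire on "Essex", while substring matching would block a legitimate email.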
Deleted rules are not recoverable. 1. Navigate to the GFI MailSecurity ► Scanning & Filtering ► Content Filtering node. 2. From the Content Filtering page, select the checkbox of the rule(s) that you want to remove. 3. Click Remove Selected. 6.1.5 Modifying an existing rule 1. Click the GFI MailSecurity ► Scanning & Filtering ► Content Filtering node. 2. From the Content Filtering page, click the name of the rule to modify. 3.
Screenshot 35 - Attachment Filtering page To configure attachment rules, navigate to GFI MailSecurity ► Scanning & Filtering ► Attachment Filtering. This page allows you to view, create, enable, disable or delete rules.
6.2.2 Creating an Attachment Filtering rule 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Attachment Filtering node. 2. Click Add Rule…. Screenshot 36 - Attachment Filtering: General Tab 3. Specify a name for the rule in the Rule name text box.
4. Select whether to scan inbound and/or outbound emails.
Check inbound emails - Select this option to scan incoming emails.
Check outbound emails - Select this option to scan outgoing emails.
Check internal emails - Select this option to scan internal emails. NOTE: This option is only available when GFI MailSecurity is installed on the Microsoft Exchange server.
5. In the Attachment Blocking area, specify the types of attachments to block:
Block all - Block all email attachments of any type.
Screenshot 37 - Attachment Filtering: Actions Tab 7. Click the Actions tab to configure what happens when this rule is triggered. 8. To block an email that matches the rule conditions from being delivered to recipients, select Block attachment and perform this action and select one of the following options: Quarantine email Stores emails containing blocked attachments in the Quarantine Store. You can subsequently review (approve/delete) all the quarantined emails.
NOTE: When GFI MailSecurity is installed on same machine as Microsoft Exchange 2003, GFI MailSecurity may not be able to block outbound emails, but instead replaces the blocked content (e.g. the attachment) with a threat report. 9. Select Send a sanitized copy of the original email to recipient(s) to choose whether to forward a copy of the blocked email to the recipients but with the malicious content removed. 10.
14. To add email users, user groups and/or public folders to the list, click Add. Screenshot 39 - Add users to an attachment Filtering rule 15. In the User Lookups window, specify the name of the email user/user group or public folder that you wish to add to the list and click Check Names. Matching users, groups or public folders are listed below. NOTE: You do not need to input the full name of the users, groups or public folder. It is enough to enter part of the name.
6.2.4 Removing attachment rules Screenshot 40 - Selecting an attachment Filtering rule for removal Deleted rules are not recoverable. 1. Navigate to the GFI MailSecurity ► Scanning & Filtering ► Attachment Filtering node. 2. From the Attachment Filtering page, select the checkbox of the rule(s) that you want to remove. 3. Click Remove Selected to delete the selected rules. 6.2.5 Modifying an existing rule 1. Click the GFI MailSecurity ► Scanning & Filtering ► Attachment Filtering node. 2.
6.2.6 Changing the rule priority
Attachment Filtering rules are applied in the same order, from top to bottom, as they are listed in the Attachment Filtering page (that is, the rule with priority value 1 is checked first). To change the sequence/priority of rules: 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Attachment Filtering. 2. From the Attachment Filtering page, click the (up) or (down) arrows to respectively increase or decrease the priority of the rule. 3.
6.3.2 Configuring the decompression engine filters To configure any decompression engine filter: 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Decompression. 2. Click the decompression filter to configure. Check password protected archives Screenshot 42 - Configuring password protected archives options This filter allows you to quarantine or delete emails that contain password-protected archives. To configure this filter: 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Decompression.
Notify administrator - Notify the administrator whenever this engine blocks an email. To configure the administrator's email address refer to the chapter Configuring the administrator's email address.
Notify local user - Notify the local recipients of the email about the blocked email.
8. To log the occurrence of this activity to a log file, select the Log occurrence to this file check box. In the text box specify either:
- Path and file name (including .txt extension) to a custom location on disk where to store the log file, or
- The file name only (including .txt extension). The log file will be stored in the following default location: \ContentSecurity\MailSecurity\Logs\.txt
9. Click Apply.

Check for recursive archives
Screenshot 43 - Configuring recursive archives options
This filter allows you to quarantine or delete emails that contain recursive archives.
NOTE: When GFI MailSecurity is installed on same machine as Microsoft Exchange 2003, GFI MailSecurity may not be able to block outbound emails, but instead replaces the blocked content with a threat report. 3. Select Send a sanitized copy of the original email to recipient(s) to choose whether to forward a copy of the blocked email to the recipients but with the malicious content removed. 7. Click the Actions tab to configure further actions. 8.
This filter allows you to block or delete emails with archives that exceed the specified physical size when uncompressed. Attackers sometimes use this technique, commonly called a decompression bomb or zip bomb, in a DoS (Denial of Service) attack: a small archive is sent that uncompresses to a very large file, exhausting the disk or memory of content security or anti-virus software that tries to extract it. To configure this filter: 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Decompression. 2. From the list of available filters, click Check size of uncompressed files in archives. 3.
Screenshot 45 - Configuring the amount of files in archive check
This filter allows you to quarantine or delete emails that contain an excessive number of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter. To configure this filter: 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Decompression. 2. From the list of available filters, click Check for amount of files in archives. 3.
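The decompression filters above (password-protected archives, recursive archives, uncompressed size, and number of files in an archive) all come down to inspecting an archive before anything is extracted. The following is an added example of such a pre-extraction check for ZIP attachments; it is not GFI's implementation, the limits are illustrative defaults, and the sample archives are constructed in the code. It goes beyond the text in one respect: because the sizes recorded in a ZIP's central directory can be forged, the nested-archive path inflates with a hard byte cap instead of trusting those headers.

```python
"""Pre-extraction checks on a ZIP attachment: password-protected members,
nested (recursive) archives, declared uncompressed size and compression
ratio, and member count. Added example, not GFI code."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in the local and central headers


def inspect_zip(data, max_uncompressed=10 * 1024 * 1024, max_files=100,
                max_ratio=100, max_depth=1, _depth=0):
    """Return the reasons to block the archive; an empty list means it passed."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    infos = zf.infolist()
    if len(infos) > max_files:
        reasons.append(f"{len(infos)} members exceeds limit of {max_files}")
    declared = sum(i.file_size for i in infos)    # sizes claimed by the central directory
    stored = sum(i.compress_size for i in infos)
    if declared > max_uncompressed:
        reasons.append(f"declared uncompressed size {declared} exceeds {max_uncompressed}")
    if stored and declared / stored > max_ratio:
        reasons.append(f"compression ratio {declared // stored}:1 exceeds {max_ratio}:1")
    for info in infos:
        if info.flag_bits & FLAG_ENCRYPTED:
            # Never try to read it: zipfile raises without a password, and the
            # content cannot be scanned anyway, which is the point of the filter.
            reasons.append(f"password-protected member: {info.filename}")
            continue
        if info.is_dir():
            continue
        with zf.open(info) as member:
            head = member.read(len(ZIP_MAGIC))
            if head != ZIP_MAGIC:
                continue
            # Header sizes can be forged: inflate the nested archive with a hard
            # cap instead of trusting file_size.
            body = head + member.read(max_uncompressed + 1)
        if len(body) > max_uncompressed:
            reasons.append(f"{info.filename} inflates past {max_uncompressed} bytes")
        elif _depth + 1 > max_depth:
            reasons.append(f"nested archive deeper than {max_depth}: {info.filename}")
        else:
            reasons += [f"{info.filename}: {r}" for r in inspect_zip(
                body, max_uncompressed, max_files, max_ratio, max_depth, _depth + 1)]
    return reasons


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(data):
    """Set the encrypted flag on a single-member archive. The payload is not
    really encrypted; this only fakes the flag that a password-protected
    archive carries, which is all inspect_zip looks at."""
    buf = bytearray(data)
    buf[buf.index(b"PK\x03\x04") + 6] |= FLAG_ENCRYPTED   # local header: flags at +6
    buf[buf.index(b"PK\x01\x02") + 8] |= FLAG_ENCRYPTED   # central directory: flags at +8
    return bytes(buf)


def sample_archives():
    """Constructed samples, one per filter described in the text."""
    return {
        "plain": _zip({"report.txt": b"quarterly numbers\n" * 20}),
        "bomb": _zip({"zeros.bin": b"\x00" * (2 * 1024 * 1024)}),  # a few KiB -> 2 MiB
        "nested": _zip({"inner.zip": _zip({"a.txt": b"x"})}),
        "many": _zip({f"f{i}.txt": b"x" for i in range(150)}),
        "locked": _mark_encrypted(_zip({"invoice.txt": b"secret"})),
    }


if __name__ == "__main__":
    for label, archive in sample_archives().items():
        print(label, inspect_zip(archive, max_depth=0) or "ok")
```

With the default `max_depth=1` the nested sample is allowed and its inner archive is checked recursively; with `max_depth=0` any archive inside an archive is reported, which is the behaviour of the recursive-archive filter. The ratio check catches the constructed bomb even though its declared size is under the byte limit.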
address. Notify local user Notify the email local recipients about the blocked email. 9. To log the occurrence of this activity to a log file select the Log occurrence to this file check box. In the text box specify: Path and file name (including .txt extension) to a custom location on disk where to store the log file, or The file name only (including .txt extension).
6.3.3 Enable/disable decompression filters Screenshot 46 -Disabling Decompression tool filters To enable or disable decompression filters: 1. Navigate to GFI MailSecurity ► Scanning & Filtering ► Decompression. 2. From the Decompression engine page, select the checkbox of the filters to enable or disable. 3. Click Enable Selected or Disable Selected accordingly. 6.4 The Trojan & Executable Scanner 6.4.
of the executable to a database of malicious actions and rates the risk level of the file. With the Trojan & Executable scanner, you can detect and block potentially dangerous, unknown or one-off Trojans before they compromise your network. 6.4.2 Configuring the Trojan & Executable Scanner This section describes how to customize the GFI MailSecurity Trojan & Executable Scanner. Screenshot 47 - Trojan and Executable Scanner: General Tab 1.
Check outbound emails - Scan outgoing emails for Trojans and malicious executable files.
4. From the Security settings area, choose the required level of security:
High Security - Blocks all executables that contain any known malicious signatures.
Medium Security - Blocks suspicious executables. Emails are blocked if an executable contains one high-risk signature or a combination of high-risk and low-risk signatures.
Low Security - Blocks only malicious executables.
Path and file name (including .txt extension) to a custom location on disk where to store the log file, or The file name only (including .txt extension). The log file will be stored in the following default location: \ContentSecurity\MailSecurity\Logs\.txt 8. Select Updates tab to configure GFI MailSecurity to download Trojan & Executable Scanner updates automatically or to notify the administrator whenever new updates are available.
11. In Download/check after the specified number of hours text box, specify how often you want GFI MailSecurity to check for updates, by typing an hourly interval. 12. In the Update options area, select Enable email notifications upon successful updates to send an email notification to the administrator whenever Trojan & Executable Scanner is updated successfully. NOTE: An email notification is always sent when an update fails. 13. To check for and download updates immediately, click Download updates. 14.
Screenshot 50 - Email Exploit Engine: General Tab
3. From the General tab, select whether to scan inbound and/or outbound emails.
Check inbound emails - Select this option to scan incoming emails.
Check outbound emails - Select this option to scan outgoing emails.
3. Click the Actions tab to configure what should be done when an email is blocked by the Email Exploit Engine.
Screenshot 51 - Email Exploit Engine: Actions Tab
4. In the Actions area, select one of the following options:
Quarantine email - Stores blocked emails in the Quarantine Store.
Delete email - Deletes blocked emails.
NOTE: Actions always affect the whole email containing the blocked attachment, even if there are other attachments that do not contain exploits.
5. When an email exploit is detected, you can also inform the administrator and/or user by sending email notifications.
7. You can configure GFI MailSecurity to download Email Exploit Engine updates automatically or to notify the administrator whenever new updates are available. To configure updates, click the Updates tab.
Screenshot 52 - Email Exploit Engine: Updates Tab
8. To enable the automatic updating of the Email Exploit Engine, select the Automatically check for updates check box.
9.
10. In the Download/check after the specified number of hours text box, specify how often you want GFI MailSecurity to check for updates by typing an hourly interval.
11. In the Update options area, select Enable email notifications upon successful updates to send an email notification to the administrator whenever the Email Exploit Engine is updated successfully.
NOTE: An email notification is always sent when an update fails.
12. To check for and download updates immediately, click Download updates.
13.
Screenshot 53 - Email Exploit list
2. Select the check box of the exploit(s) that you want to enable or disable.
3. Click Enable Selected or Disable Selected accordingly.
6.6 The HTML Sanitizer
6.6.1 Introduction
The HTML Sanitizer scans and removes scripting code within:
the email body of emails that have the MIME type set to "text/html"
all attachments of type ".htm" or ".html".
Why remove HTML scripts?
The introduction of HTML email has allowed senders to include scripts in email that can be triggered automatically upon opening an email. HTML scripts are used both in a number of common viruses and in one-off attacks directed towards particular users/companies. In addition, HTML scripts are rarely used in legitimate emails.
6.6.2 Configuring the HTML Sanitizer
1. Navigate to GFI MailSecurity ► Scanning & Filtering ► HTML Sanitizer.
Screenshot 55 - HTML Sanitizer Whitelist page
The list of whitelisted senders is displayed in the Whitelist area.
Adding an HTML Sanitizer Whitelist entry
1. In the Whitelist entry text box, key in an email address, an email domain (for example, *@domain.com) or an email sub-domain (for example, *@*.domain.com) and click Add.
2. Click Apply.
Deleting an HTML Sanitizer Whitelist entry
1. Select the entry to delete from the Whitelist area and click Remove.
2. Click Apply.
7 Quarantine
7.1 Introduction
The GFI MailSecurity Quarantine is a central repository where all emails that fail any of the content policy or content security checks are stored. This ensures that users do not receive malicious email in their mailbox and that no email is lost.
This chapter describes the three methods by which administrators can manage quarantined emails:
Via the GFI MailSecurity web interface - for more information refer to The Quarantine Store.
Screenshot 56 - Quarantine Store status page
Content search
From the Quick Search area of the Quarantine page, specify any of the following search criteria and click Search to display matching quarantined emails:
SEARCH CRITERIA - DESCRIPTION
Search in sender/recipients - Specify a name or email address of a sender or recipient to find quarantined emails sent from or addressed to that user. You can also specify part of the name or email address and GFI MailSecurity returns all matching senders/recipients.
text in the subject.
Search in quarantine reason - Specify a keyword or phrase to find quarantined emails that contain that specific text in the quarantine reason.
Search by date - From the Quarantined Items area of the Quarantine page, select one of the preconfigured folders that return quarantined emails depending on the date when the email was quarantined.
NOTE: These folders can also be accessed from the GFI MailSecurity tree as sub-nodes of the Quarantine node.
Screenshot 58 - New Search Folder - selecting the source
4. If GFI MailSecurity is installed on the Microsoft Exchange Server machine, you can limit the emails in this search folder to those blocked from a particular source. From the Item source area, select one of the following sources:
Information Store (VSAPI) - Quarantined items forming part of the Information Store.
Information Store (Transport) - Quarantined items forming part of the Information Store that were scanned through the Hub Transport Agent.
Screenshot 60 - New Search Folder - searching by keywords
6. In the Keywords search area, specify the search criteria that will determine the contents of this folder. You can select any of the following options:
Quarantine reason - Search for emails containing specific text in the quarantine reason.
Item subject - Search for emails containing specific text in the email subject.
Sender - Search for emails sent from a particular email address.
Recipient - Search for emails sent to a particular email address.
Screenshot 62 - New Search Folder - filtering by date
8. A search folder can also filter emails by date. From the Date filter area, select the Date checkbox and specify:
Specific date - Filters emails by a specific date. Key in or select a date in the Day text box. You can also search by a specific email time. To do this, select the Time check box and input a time value.
Date Range - Filters emails by a range of dates. Specify a start date in the Day from box and an end date in the Day to box.
2. Click Edit search folder and make the required changes to the search folder properties.
3. Click Save folder to apply the changes.
Deleting Search Folders
1. Navigate to GFI MailSecurity ► Quarantine ► Search Folders ► .
2. Click Delete search folder.
3. Click OK to confirm deletion of the folder.
NOTE: When deleting a search folder, no emails are deleted from the quarantine store.
7.2.
Screenshot 64 - List of Quarantined Emails in Search Folder
2. Select the checkbox next to the quarantined email(s) to approve and click Approve.
NOTE: Alternatively, click Approve all to approve all emails in the list.
Sanitize and Approve
GFI MailSecurity also allows you to remove malicious HTML scripts in the email body or in HTML attachments before approving.
NOTE: Emails quarantined by the Information Store (VSAPI) source cannot be sanitized.
To sanitize and approve a quarantined email:
1.
Screenshot 65 - List of Quarantined Emails in selected Search Folder
2. Select the checkbox next to the quarantined email(s) to delete and click Delete items.
NOTE: Alternatively, click Delete all to delete all emails in the list.
Delete and Notify
You can also notify the intended recipients when you delete an email from quarantine.
1. Use the search features described in the previous sections to return a list of quarantined emails.
2. Click on the email to view the email contents.
3.
7.2.6 Viewing the full security threat report of an email
To view the full security threat report of a quarantined email:
1. Use the search features described in the previous sections to return a list of quarantined emails.
2. Click on the email to view the full security threat report.
Screenshot 66 - Viewing the full security threat report of a quarantined email
3. Click Back to return to the list of quarantined emails.
7.2.7 Downloading quarantined email
Emails in the Quarantine Store may contain malicious content. Use this feature with caution.
1. Use the search features described in the previous sections to return a list of quarantined emails.
2. Click on the email to download.
3. Click Download Item.
4. Click OK in the confirmation dialog.
5. Select to open or save the email in .eml format.
7.
Screenshot 67 - Quarantine Options configuration page
2. In the Quarantine mode page, select the Send quarantine approval forms by email checkbox to enable the sending of Quarantine Action Forms.
3. From the Select recipient area, specify the recipient of the Quarantine Action Forms:
Send to administrator - Sends Quarantine Action Forms to the administrator. To configure the administrator's email address, refer to the chapter Configuring the administrator's email address.
Screenshot 68 - The Quarantine Action Form
When a Quarantine Action Form is received, review it and select one of the following actions directly from the Quarantine Action Form's body:
More details - Launches the Quarantine Store page containing further information about this email.
Approve - Releases the email from the Quarantine Store and delivers it to its intended recipients.
7.3.3 Logging quarantine actions
GFI MailSecurity provides the option to store a log of actions taken on quarantined emails. Use this feature, for example, in environments where multiple administrators are assigned the task of reviewing quarantined emails. Each quarantine action is displayed in the following format:
Date, Time, User, Operation, Sender, Recipients, Subject
For example:
"2010-09-28", "9:25:05", "Administrator", "Approve", "malicious@external.com", "bob.jones@mydomain.
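As an added example that is not part of the manual, the following Python script parses this quarantine action log format and reports which administrator released which externally-sent emails, which is the review a multi-administrator environment would want. The sample records, user names and domain names are constructed for the example; the Recipients field is kept as one string because the manual does not state how several recipients are separated.

```python
"""Audit a GFI MailSecurity quarantine action log (example, not GFI code).

Record format as described in the manual, one record per line, quoted CSV:
    Date, Time, User, Operation, Sender, Recipients, Subject
"""
import csv
import io
from collections import Counter
from datetime import datetime

FIELDS = ("date", "time", "user", "operation", "sender", "recipients", "subject")

# Constructed sample log. The first record mirrors the manual's own example
# (completed with a placeholder domain); the others are invented for the demo.
SAMPLE_LOG = '''"2010-09-28", "9:25:05", "Administrator", "Approve", "malicious@external.com", "bob.jones@mydomain.com", "Invoice attached"
"2010-09-28", "9:26:10", "helpdesk", "Delete", "spam@example.org", "alice@mydomain.com", "You won"
"2010-09-28", "9:30:42", "helpdesk", "Approve", "partner@example.net", "alice@mydomain.com", "Contract.zip"
"2010-09-28", "9:31:00", "Administrator", "Approve", "ceo@mydomain.com", "bob.jones@mydomain.com", "Internal memo"
'''


def parse_quarantine_log(text):
    """Return one dict per record; adds a parsed 'when' datetime to each."""
    records = []
    # skipinitialspace handles the ", " separator before each quoted field
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue  # blank or malformed line: skip rather than abort the audit
        rec = dict(zip(FIELDS, row))
        rec["when"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def releases_from_external(records, internal_domain):
    """Approve actions whose sender is outside internal_domain.

    An Approve re-delivers mail that a filter had already blocked, so releases
    of externally-sent mail are the actions that merit a second reviewer's look.
    """
    suffix = "@" + internal_domain.lower()
    return [r for r in records
            if r["operation"] == "Approve"
            and not r["sender"].lower().endswith(suffix)]


def approvals_per_user(records):
    """Count Approve actions per administrator account."""
    return Counter(r["user"] for r in records if r["operation"] == "Approve")


if __name__ == "__main__":
    recs = parse_quarantine_log(SAMPLE_LOG)
    for r in releases_from_external(recs, "mydomain.com"):
        print(f"{r['when']:%Y-%m-%d %H:%M:%S} {r['user']} released "
              f"{r['sender']} -> {r['recipients']} ({r['subject']})")
    print("approvals per user:", dict(approvals_per_user(recs)))
```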
7.4.1 Enabling Quarantine RSS Feeds
1. Navigate to GFI MailSecurity ► Quarantine ► Quarantine RSS Feeds.
Screenshot 70 - Quarantine RSS feeds
2. Select the Enable Quarantine RSS Feeds checkbox.
3. From the RSS Feeds area, click Edit to the right of the quarantine search folder for which to enable RSS feeds.
Screenshot 71 - Quarantine folder RSS feed
4. Select the Enable Quarantine RSS feeds on this folder checkbox.
5. Specify the refresh interval in minutes in the Refresh feed content every text box. The default value is 10 minutes.
6. Specify the maximum number of items you want the feed to include in the Feed should contain at most text box. The default value is 100 items.
NOTE: You can change the URL of an RSS feed by clicking Reset Feed URL.
Subscribing to a search folder Quarantine RSS feed
To subscribe to an RSS feed of a default or custom search folder:
1. Navigate to GFI MailSecurity ► Quarantine ► Quarantine RSS Feeds.
2. In the RSS Feeds area, right-click the icon next to the search folder to subscribe to and click Copy Shortcut to copy the RSS feed URL.
3. Use the copied URL in your RSS Feed Reader application to create a new RSS feed subscription.
7.4.
Screenshot 73 - Quarantine RSS feeds Access Control Lists
3. In the IIS mode access control list dialog box, you can configure who can subscribe to the quarantine RSS feeds. Click the Add or Remove buttons to add or remove users or groups from the list. For each entry, select the Allow or Deny checkboxes to allow or deny access.
4. Click OK to finalize access permissions.
5. Click OK and wait while the new settings are applied.
6. When the process completes, click OK.
7.
Screenshot 74 - Directory Harvesting filter
3. Select the Enable directory harvesting protection checkbox.
4. Select the user lookup method to use:
Use native Active Directory lookups - Select this option if GFI MailSecurity is installed in Active Directory mode and has access to ALL users on Active Directory. Skip to step 9.
NOTE 1: When GFI MailSecurity is installed in Active Directory user mode on a DMZ, the AD of a DMZ usually does not include all the network users (email recipients).
NOTE 2: When GFI MailSecurity is behind a firewall, the Directory Harvesting feature might not be able to connect directly to the internal Active Directory because of firewall settings. Use LDAP lookups to connect to the internal Active Directory of your network and ensure that the default port 389 is open on your firewall.
Use LDAP lookups - Select this option when GFI MailSecurity is installed in SMTP mode and/or when GFI MailSecurity does not have direct access to the full list of users.
5.
8 Reporting
8.1 Introduction
Use the GFI MailSecurity Reporting option to configure logging of statistical data, such as the number of emails being processed and quarantined, into a database. You can then install the GFI MailSecurity ReportPack add-on to generate reports based on the data collected in the database. For more information about the GFI MailSecurity ReportPack, navigate to GFI MailSecurity ► Reporting ► GFI MailSecurity ReportPack.
NOTE: Reporting is enabled by default.
8.
Configuring a Microsoft Access database backend
Screenshot 76 - Configuring a Microsoft Access database backend
1. Navigate to GFI MailSecurity ► Reporting ► Configure Database.
2. Select MS Access.
3. Key in the complete path including the filename (and .mdb extension) of the database file. If you only specify a filename, the database file is created in the following default path: \ContentSecurity\MailSecurity\data\
4. Click Apply.
8.3.
NOTE 2: For information on how to create a new database in Microsoft SQL Server, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003379.
2. Navigate to GFI MailSecurity ► Reporting ► Configure Database.
Screenshot 77 - Configuring SQL Server Database backend
3. Select SQL Server.
4. Select Detected server and select the automatically detected SQL Server from the list. If the server is not detected, select Manually specified server and key in the IP address or server name of the Microsoft SQL Server.
5.
9 Miscellaneous
9.1 Patch Checking
The Patch Checking feature verifies whether any software patches are available for your version of GFI MailSecurity by connecting directly to the GFI Update Servers.
NOTE: It is highly recommended to check for patches periodically to keep GFI MailSecurity running efficiently.
1. Navigate to GFI MailSecurity ► General ► Patch Checking.
Screenshot 78 - List of available patches
2.
9.2 Version Information
Screenshot 79 - Version Information page
To view the GFI MailSecurity version information, navigate to GFI MailSecurity ► General ► Version Information. The version information page displays the GFI MailSecurity installation version number and the build information. To check whether you have the latest build of GFI MailSecurity installed on your machine, click Check if newer build exists.
Screenshot 80 - Tracing settings
2. Select Enabled next to the feature to enable logging for, or Disable to disable logging.
GFI ContentSecurity Attendant - Log files related to the viewer application when GFI MailSecurity is loaded in local mode.
GFI MailSecurity Scan Engine - Log files for the scanning engines and filters.
GFI MailSecurity Attendant - Log files for all the components (except scanning functions) of GFI MailSecurity, such as the Quarantine Store.
9.4.1 Reprocessing legitimate emails that fail
If a large number of legitimate emails are being moved to the failedmails folder, it is recommended to contact GFI Support to resolve the issue. When the issue is resolved, emails can be re-scanned by GFI MailSecurity as explained in the following sections, to determine if they are safe to be delivered.
NOTE: Files with the extension .PROP in the failedmails folder are used for troubleshooting purposes. When reprocessing failed emails, these files can be deleted.
Screenshot 81 - Failed emails notification
2. Select the Other tab.
3. Select Send Notifications on Failed Mail.
4. Click Apply.
9.5 Notification templates
Notifications
GFI MailSecurity sends notification emails to the administrator/user whenever an event that needs attention occurs.
when an email gets quarantined or modified.
Templates
There are two types of templates:
Tag-based templates - Use tags (in the form "[TAGNAME]") to indicate fields which need to be replaced with dynamic data.
XSL-based templates - An XSL style sheet, used in conjunction with dynamically created XML data to generate the notification message.
Notification email messages are generated from templates stored in: \ContentSecurity\MailSecurity\Templates.
VARIABLE - DESCRIPTION
"itemsenderemailaddress" - The sender's email address.
"itemsubject" - The quarantined email subject.
"itemdeliverytime" - The date and time the message was delivered.
"itemrecipients/recipient" - The message recipients. Use xsl:for-each to enumerate.
"action" - Action taken on the message by GFI MailSecurity.
"shortdate" - Date when the email was processed, in short date format.
"longdate" - Date when the email was processed, in long date format.
"time24" - Time when the email was processed.
Screenshot 82 - Adding VSAPI performance monitor counters
5. From the Performance object dropdown list, select MSExchangeIS.
6. Click Select counters from list.
7. Select any Virus Scan counter you need to add, as listed in the Performance monitor counters section below.
8. Click Add.
9. Repeat steps 7 and 8 to add all the performance counters needed.
10. Click Close.
The added counters are now displayed in the Performance Monitor.
9.6.
Screenshot 83 - Adding VSAPI performance monitor counters in Windows 2008 Server
4. From the Select counters from computer dropdown list, select the computer to monitor.
5. From the list of available counters, expand MSExchangeIS.
6. Select any Virus Scan counter you need to add, as listed in the Performance monitor counters section below, and click Add.
7. Repeat step 6 for each counter to monitor.
8. Click Ok to apply the changes.
The added counters are now displayed in the Performance Monitor.
Screenshot 84 - Monitoring Virus Scan Files Scanned in Windows Server 2008 Performance Monitor
9.6.3 Performance monitor counters
The following VSAPI Performance Monitor counters are available:
Virus Scan Messages Processed - A cumulative value of the total number of top-level messages that are processed by the virus scanner.
Virus Scan Files Scanned - The total number of separate files that are processed by the virus scanner.
Virus Scan Files Scanned/sec - The rate at which separate files are processed by the virus scanner.
Virus Scan Files Cleaned - The total number of separate files that are cleaned by the virus scanner.
Virus Scan Files Cleaned/sec - The rate at which separate files are cleaned by the virus scanner.
10 Troubleshooting
10.1 Introduction
The troubleshooting chapter explains how to go about resolving any issues that you might encounter. The main sources of information available to users are:
The manual - most issues can be solved by reading this manual.
GFI Knowledge Base articles
Web forum
Contacting GFI Technical Support
10.2 Knowledge Base
GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, consult the Knowledge Base first.
an attachment in category . The file was detected to belong to the category .” http://kbase.gfi.com/showarticle.asp?id=KBID001922. NOTE: The solution to this issue requires changes in the Windows Registry. It is important to follow the steps described in the solution with attention as incorrect configuration can cause serious, system-wide problems. 10.
11 Glossary
Active Directory - A technology that provides a variety of network services, including LDAP directory services.
AD - See Active Directory.
Anti-virus software - Software that detects malware such as Trojan horses in emails, files and applications.
Botnet - A network of infected computers that run autonomously and are controlled by a hacker/cracker.
Decompression engine - A scanning module that decompresses and analyzes archives attached to an email.
Mail Exchange - The DNS record used to identify the IP addresses of the domain's mail servers.
Malware - All malicious types of software that are designed to compromise computer security and which usually spread through malicious methods.
Microsoft Message Queuing Services - A message queue implementation for Windows Server operating systems.