background image

352

F.5.2

 Scenario 2: F-Secure Anti-Virus for Internet Mail as 
Interim Mail Transfer Agent

Figure F-9  F-Secure Anti-Virus for Internet Mail deployed as an Interim Mail 
Transfer Agent

Summary of Contents for INTERNET GATEKEEPER WINDOWS 2000-2003 SERVER 6.61...

Page 1: ...F Secure Internet Gatekeeper Windows 2000 2003 Server Administrator s Guide...

Page 2: ...d or transmitted in any form or by any means electronic or mechanical for any purpose without the express written permission of F Secure Corporation Copyright 1993 2006 F Secure Corporation All rights...

Page 3: ...for Internet Mail 19 1 2 3 F Secure Content Scanner Server 21 1 3 Features 21 1 4 F Secure Anti Virus Mail Server and Gateway Products 24 Chapter 2 Deployment 26 2 1 Overview 27 2 2 Network Requireme...

Page 4: ...sing F Secure Policy Manager 79 4 2 1 F Secure Anti Virus for Internet Gateways Settings 80 4 2 2 F Secure Anti Virus for Internet Mail Settings 80 4 2 3 F Secure Content Scanner Server Settings 80 4...

Page 5: ...Administering F Secure Anti Virus for Internet Mail 140 6 1 Overview SMTP Scanning 141 6 2 Configuring F Secure Anti Virus for Internet Mail 142 6 2 1 SMTP Settings 143 6 2 2 SMTP Connections 146 6 2...

Page 6: ...atistics 226 7 4 1 Configuring Virus Statistics 226 7 4 2 Viewing Virus and Spam Statistics with F Secure Internet Gatekeeper Web Console227 7 4 3 Viewing Virus and Spam Statistics with F Secure Polic...

Page 7: ...y and Performance 275 11 1 Introduction 276 11 2 Optimizing Security 276 11 2 1 Virus Scanning 276 11 2 2 Access Control 277 11 2 3 Data Trickling 277 11 3 Optimizing Performance 277 11 3 1 Virus Scan...

Page 8: ...reak Notification Messages 299 Appendix B Specifying Hosts 300 B 1 Introduction 301 B 2 Domain 301 B 3 Subnet 301 B 4 IP Address 302 B 5 Hostname 302 Appendix C Access Log Variables 304 C 1 List of Ac...

Page 9: ...g Up Network Load Balancing Services 340 F 5 Deployment Scenarios for Environments with Multiple Sub domains 349 F 5 1 Scenario 1 F Secure Anti Virus for Internet Mail as an Upstream Mail Transfer Age...

Page 10: ...10 ABOUT THIS GUIDE How This Guide is Organized 11 Conventions Used in F Secure Guides 13...

Page 11: ...s for Internet Gateways Instructions on how to configure F Secure Anti Virus for Internet Gateways general settings before you start using it It also contains instructions how to configure HTTP and FT...

Page 12: ...g Hosts Instructions on how to specify hosts in F Secure Anti Virus for Internet Gateways Appendix C Access Log Variables Lists variables that can be used in the access log Appendix D Mail Log Variabl...

Page 13: ...s black is used for file and folder names for figure and table captions and for directory tree names Courier New is used for messages on your computer screen WARNING The warning symbol indicates a sit...

Page 14: ...used for online viewing and printing using Adobe Acrobat Reader When printing the manual please print the entire manual including the copyright and disclaimer statements For More Information Visit F...

Page 15: ...15 1 INTRODUCTION Overview 16 How the Product Works 17 Features 21 F Secure Anti Virus Mail Server and Gateway Products 24...

Page 16: ...re Anti Virus Mail Server and Gateway products are designed to protect your company s mail and groupware servers and to shield the company network from any malicious code that travels in HTTP FTP over...

Page 17: ...Secure Anti Virus for Internet Gateways is an HTTP proxy server which acts as a gateway between the corporate network and the Internet If a client computer requests a file from a Web server it asks t...

Page 18: ...owing Deny access to specified Web sites Block files by content types filenames and extensions Block files that exceed a specified file size Scan files by content types filenames and extensions and Au...

Page 19: ...attachments can be stripped from e mail messages by their filenames or extensions and messages that contain malformed or suspicious headers can be blocked After F Secure Anti Virus for Internet Mail h...

Page 20: ...s for Internet Mail finds an infected attachment or other malicious content it can do any of the following Block the whole e mail message Strip the infected attachment Send a customizable virus warnin...

Page 21: ...Secure Internet Gatekeeper has found Powerful and Always Up to date F Secure Internet Gatekeeper uses the award winning F Secure Anti Virus scanners to ensure the highest possible detection rate and d...

Page 22: ...sts Superior detection rate with multiple scanning engines Unparalleled malicious code detection and disinfection F Secure Internet Gatekeeper detects all known viruses worms and Trojans including Jav...

Page 23: ...configure Can be administered centrally with F Secure Policy Manager Can be monitored with the convenient F Secure Internet Gatekeeper Web Console Contains new quarantine management features you can m...

Page 24: ...s transparently and scans files in the Exchange Server Information Store in real time Manual and scheduled scanning of user mailboxes and Public Folders is also supported F Secure Anti Virus for MIMEs...

Page 25: ...the installation and configuration of the product F Secure Messaging Security Gateway delivers the industry s most complete and effective security for e mail It combines a robust enterprise class mess...

Page 26: ...26 2 DEPLOYMENT Overview 27 Deployment Scenarios 29...

Page 27: ...ure Internet Gatekeeper in the corporate network use the one that best fits your needs and your own network design strategy Although the scenarios are given separately for web traffic and e mail scann...

Page 28: ...ontent Scanner Server ProgramFiles F Secure Content Scanner Server fsavsd exe 18971 TCP 1024 65536 TCP only with F Secure Anti Virus for Internet Mail on a separate host DNS 53 UDP TCP HTTP 80 or othe...

Page 29: ...ifferent deployment scenarios for F Secure Anti Virus for Internet Gateways Scenario 1 On a Dedicated Machine Figure 2 1 F Secure Anti Virus for Internet Gateways deployed on a dedicated machine Advan...

Page 30: ...nfiguration No changes are required Scenario 2 As a Downstream Proxy Figure 2 2 F Secure Anti Virus for Internet Gateways deployed as a downstream proxy Advantages End users do not have to change the...

Page 31: ...more information see Proxy Chaining 98 HTTP Proxy or Cache Server Configuration Configure the HTTP proxy or cache server to accept incoming requests only from F Secure Anti Virus for Internet Gateways...

Page 32: ...e is a risk of malicious code getting to the cache server and HTTP clients accessing it there Configuration on End User Workstations Web browser proxy settings do not have to be changed F Secure Anti...

Page 33: ...ernet Gateways DNS Configuration No changes are required Scenario 4 Transparent Deployment with a Firewall or a Router Figure 2 4 F Secure Anti Virus for Internet Gateways deployed transparently with...

Page 34: ...ts which are allowed to connect to F Secure Anti Virus for Internet Gateways For more information see Connections to F Secure Anti Virus for Internet Gateways 123 Internal Firewall or Router Configura...

Page 35: ...ails are scanned The overall performance is better as the virus scanning is performed on a dedicated machine Disadvantages The network configuration has to be changed DNS Configuration If the mail ser...

Page 36: ...tranet Hosts list are treated as outbound For more information see Intranet Hosts 164 Specify the existing mail server address as the inbound and outbound mail server for F Secure Anti Virus for Inter...

Page 37: ...n additional server E mail clients DNS and firewall configurations do not have to be changed Disadvantages This type of deployment may cause extra load on the server The mail server port needs to be c...

Page 38: ...tion see Intranet Hosts 164 Specify localhost and the new port number of the mail server as the inbound and outbound mail server for F Secure Anti Virus for Internet Mail For more information see Mail...

Page 39: ...ternal mail server F Secure Anti Virus for Internet Mail Configuration Configure F Secure Anti Virus for Internet Mail to send inbound mails to the internal mail server For more information see Mail D...

Page 40: ...of F Secure Anti Virus for Internet Mail deployed with centralized quarantine management SQL Server Used for the Centralized Quarantine Database There is a common SQL server where the quarantine data...

Page 41: ...antine configuration for all F Secure Internet Gatekeeper instances Advanced Deployment Scenarios in Environments with Multiple Sub domains For information on advanced deployment scenarios see Deploym...

Page 42: ...LATION Recommended System Requirements 43 Centrally Administered or Stand alone Installation 47 Installation Instructions 50 After the Installation 69 Upgrading F Secure Internet Gatekeeper 72 Uninsta...

Page 43: ...3 Standard Edition with latest service pack Microsoft Windows Server 2003 Enterprise Edition with latest service pack Microsoft Windows Server 2003 R2 Standard Edition Microsoft Windows Server 2003 R2...

Page 44: ...for processing 10 GB or more Network 100Mbps Fast Ethernet NIC switched network connection SQL server for quarantine database Microsoft SQL Server 2000 Enterprise Standard or Workgroup edition with S...

Page 45: ...tabase size is limited to 2 GB MSDE includes a concurrent workload governor that limits the scalability of MSDE For more information see http msdn microsoft com library url library en us architec 8_ar...

Page 46: ...antine database should be configured to use Mixed Mode authentication 3 1 2 Web Browser Software Requirements In order to administer the product with F Secure Internet Gatekeeper Web Console one of th...

Page 47: ...ny potentially conflicting products such as anti virus file encryption and disk encryption software that employ low level device drivers Close all Windows applications before starting the installation...

Page 48: ...ee the chapter Installing F Secure Policy Manager Console in F Secure Policy Manager Administrator s Guide For instructions on how to create the policy domain see section Managing Domains and Hosts in...

Page 49: ...stalled in stand alone mode some of the screens included in these installation instructions will not be displayed 2 Check and configure settings for F Secure Content Scanner Server F Secure Anti Virus...

Page 50: ...dministration mode you are going to use The administration modes are explained in Centrally Administered or Stand alone Installation 47 Step 1 Download and execute the installation package If you have...

Page 51: ...CHAPTER3 51 Installation Step 3 Read the License Agreement If you accept the agreement select the I accept this agreement check box and click Next to continue...

Page 52: ...52 Step 4 Enter the product keycode and click Next to continue If you are installing the evaluation version this screen is not displayed...

Page 53: ...may vary depending on the keycode you entered in the previous step Select the components to install and click Next to continue If you are installing only F Secure Anti Virus for Internet Gateways or...

Page 54: ...54 Step 6 Select the destination folder where you want to install F Secure Internet Gatekeeper components Click Next to continue...

Page 55: ...Centralized administration through network to use F Secure Policy Manager Console to remotely manage all F Secure Internet Gatekeeper components For more information see Basics of Using F Secure Inter...

Page 56: ...56 Step 8 Enter the path or click Browse to locate the management key This is the key that you created during the F Secure Policy Manager Console Setup Click Next to continue...

Page 57: ...R3 57 Installation Step 9 Select the network communication method If you are using F Secure Policy Manager to manage F Secure Internet Gatekeeper select F Secure Policy Manager Server Click Next to co...

Page 58: ...58 Step 10 Enter the IP address of the F Secure Policy Manager Server Click Next to continue...

Page 59: ...The administration port is used because the Setup program needs to upload new MIB files to F Secure Policy Manager Server Click Next to continue If the product MIB files cannot be uploaded to F Secur...

Page 60: ...select the default option Local quarantine management If you have multiple installations and you want to manage quarantined e mails centrally select Centralized quarantine management Centralized quara...

Page 61: ...you select this option the MSDE Installation Directory page will be displayed next If you already have Microsoft SQL Server or Microsoft SQL Server Desktop Engine MSDE installed select the second opt...

Page 62: ...am and data files will be installed Then enter a password for the database server administrator account Do not leave the password empty Re enter the password in the Confirm password field F Secure Int...

Page 63: ...where the quarantine database will reside Step 15 If you selected to install Microsoft SQL Server Desktop Engine MSDE in Step 13 61 the Setup installs it now Wait until the installation is complete I...

Page 64: ...64 Step 16 The setup wizard displays a list of components to be installed Click Start to install the components to your computer...

Page 65: ...CHAPTER3 65 Installation Step 17 The setup wizard displays the progress of the installation Wait until the installation is ready...

Page 66: ...66 Step 18 The setup wizard displays the installation result for each component after the installation is completed Click Next to continue...

Page 67: ...tion Step 19 Click Finish to complete the installation If you were doing an upgrade installation and are prompted to restart your computer select Restart now The new software version will be operation...

Page 68: ...after the installation F Secure Spam Control database updates are always downloaded directly from F Secure s update servers even in centrally administered installations The product connects to the thr...

Page 69: ...en them blocking access to Policy Manager s administrative port 8080 F Secure Policy Manager Server has been configured so that administrative connections from anywhere else than the localhost are blo...

Page 70: ...information see SMTP Connections 146 3 Configure the virus scanning to specify the type of traffic you want to scan For mail traffic scanning see Configuring SMTP Traffic Scanning 166 Make sure that y...

Page 71: ...107 Make sure that you specify which hosts are allowed to connect to F Secure Anti Virus for Internet Gateways For more information see Connections to F Secure Anti Virus for Internet Gateways 123 F...

Page 72: ...s that are installed on the system already the setup suggests upgrading several or all components Select the components you want to upgrade 3 Specify how the inbound mail routing is to be handled The...

Page 73: ...other setting defined during the installation needs to be changed later on the setting must be defined as Final in the F Secure Policy Manager Console before distributing the policies This applies onl...

Page 74: ...omain IP address and port number information read from the previous version s configuration see the example in the figure below You can also add the information for a new outbound mail server Figure 3...

Page 75: ...r Servers where F Secure Anti Virus for Internet Mail sends files to be scanned when it cannot connect to primary servers 7 After the components have been upgraded select Restart now to restart the co...

Page 76: ...e Quarantine 151 Notification settings and messages for virus scanning and stripped and suspicious attachments see Blocking 172 and Virus Scanning 177 Spam Control settings see Spam Control Settings 2...

Page 77: ...F Secure Anti Virus for Internet Gateways F Secure Spam Control if it was installed F Secure Automatic Update Agent if it was installed F Secure Content Scanner Server Microsoft SQL Server Desktop En...

Page 78: ...78 4 BASICS OF USING F SECURE INTERNET GATEKEEPER Introduction 79 Using F Secure Policy Manager 79 Using F Secure Internet Gatekeeper Web Console 82...

Page 79: ...used to change settings and view statistics of the F Secure Internet Gatekeeper In the centralized administration mode you can open F Secure Internet Gatekeeper components from the Windows Start menu...

Page 80: ...define settings for the F Secure Anti Virus for Internet Gateways For detailed descriptions of F Secure Anti Virus for Internet Gateways settings see Configuring F Secure Anti Virus for Internet Gate...

Page 81: ...during installation or upgrade you need to mark the setting as Final in the restriction editor The settings descriptions in this manual indicate the settings for which you need to use the Final restri...

Page 82: ...Policy Manager for this instead 4 3 1 Logging in the F Secure Internet Gatekeeper Web Console for the First Time Before you log in the F Secure Internet Gatekeeper Web Console for the first time chec...

Page 83: ...that will be issued to all local IP addresses and restarts the F Secure Internet Gatekeeper Web Console service to take the certificate into use Wait until the utility completes and the window closes...

Page 84: ...Certificate Import Wizard If you are using Internet Explorer 7 in the Place all certificates in the following store selection select the Trusted Root Certification Authorities store If you are using...

Page 85: ...page opens enter the user name and the password Note that you must have administrator rights to the host Then click Log In Figure 4 1 F Secure Internet Gatekeeper Web Console Login page 8 You will be...

Page 86: ...rall product status on the Home page The Home page displays a summary of the component statuses and most important statistics From the Home page you can also open the product logs and proceed to confi...

Page 87: ...Configuring F Secure Anti Virus for Internet Mail 142 Click Show Mail Log to view the mail log F Secure Anti Virus for Internet Gateways The Home page displays the status the F Secure Anti Virus for...

Page 88: ...atus of F Secure Content Scanner Server Last time virus definition databases updated Shows the date and time when the virus signature databases were last updated Database update version Shows the vers...

Page 89: ...us of F Secure Automatic Update Agent Last update check Shows the last date and time when F Secure Automatic Update Agent polled the F Secure Update Server for new updates Next update check Shows the...

Page 90: ...n specify settings for connections to the server You can also open the F Secure Internet Gatekeeper Web Console access log from this page Click Show Access Log to view the F Secure Internet Gatekeeper...

Page 91: ...CHAPTER4 91 Basics of Using F Secure Internet Gatekeeper To add a new host in the list click Add to add new a new line in the table and then enter the IP address of the host...

Page 92: ...NTI VIRUS FOR INTERNET GATEWAYS Overview HTTP Scanning 93 Configuring F Secure Anti Virus for Internet Gateways 94 Configuring Web Traffic Scanning 107 Monitoring Logs 127 Viewing Statistics 130 Examp...

Page 93: ...ure Anti Virus for Internet Gateways works properly You should modify the general settings when your network infrastructure changes or when you want to optimize the security or the performance of F Se...

Page 94: ...m 5 2 1 Network Configuration You can configure the network settings in F Secure Anti Virus for Internet Gateways Settings Network Configuration Binding You can define how F Secure Anti Virus for Inte...

Page 95: ...ers must have this port configured in the web browser proxy settings By default the listen port is 3128 If the product is running on a multi homed host you can also specify the IP address it should li...

Page 96: ...proxy CONNECT method is used when a web browser requests an HTTPS connection through an HTTP proxy By default the CONNECT method is allowed to port 443 HTTPS port For more detailed information about...

Page 97: ...responses Keep alive Specify whether persistent connections are allowed or not If you allow persistent connections connections from clients to F Secure Anti Virus for Internet Gateways are not automa...

Page 98: ...r performance Max connections per host Specify the maximum number of simultaneous connections that F Secure Anti Virus for Internet Gateways accepts from a particular host Should there be more incomin...

Page 99: ...P addresses subnets hosts and domains A request to a host which matches one or more of these is always served directly without forwarding to the configured remote proxy server For more information see...

Page 100: ...Gateways unchanged On For each reply and request that passes through F Secure Anti Virus for Internet Gateways via information is appended to the Via header line Full For each reply and request that p...

Page 101: ...nload may timeout the web browser if the file is scanned completely before it is sent to the requesting client You can configure the Data Trickling settings from F Secure Anti Virus for Internet Gatew...

Page 102: ...ed before it has been downloaded to F Secure Gatekeeper completely It may be unsafe to keep the packet size large as potential malware may trickle through byte by byte before it is detected by F Secur...

Page 103: ...r Internet Gateways Connection timeout Specify the time in seconds that F Secure Anti Virus for Internet Gateways waits for response from F Secure Content Scanner Server before timing out Restore conn...

Page 104: ...he logging directory in the field Path to the logging directory Specify the logging directory Enter the complete path to the field or click Browse to browse to the path you want to set as the new logg...

Page 105: ...conditions Warning Warning conditions Notice Normal but significant messages Informational Informational messages Debug Debug level messages everything is logged For more information and examples of w...

Page 106: ...Clear table to clear all except the default Access log format Restoring default log formats deletes all other log formats from the table Rotate logs every Specify how often F Secure Anti Virus for Int...

Page 107: ...and FTP over HTTP should be scanned or blocked and what to do with the infected content 5 3 1 Content Control You can configure the Content Control settings from F Secure Anti Virus for Internet Gate...

Page 108: ...Select whether FTP over HTTP traffic should be excluded from virus scanning FTP over HTTP traffic includes all FTP transfers initiated through web browsers when the FTP proxy setting in the browser ha...

Page 109: ...want to edit and click Edit Enter a new MIME type to Content type field and filename extensions to the Extension s field and click Add to add the new type to the list A content type includes both the...

Page 110: ...nfect the infected file If the disinfection succeeds F Secure Anti Virus for Internet Gateways sends the disinfected file to the requesting client instead of the original infected file If the disinfec...

Page 111: ...r Internet Gateways cannot scan Pass Let all files that F Secure Anti Virus for Internet Gateways cannot scan pass through to the requesting client Using this option is not recommended WARNING Letting...

Page 112: ...nt types Select the content types to be blocked on the gateway The options available are Disabled Content is not blocked based on the content type All Content Types All content types are blocked Only...

Page 113: ...content in both HTTP and FTP over HTTP downloads will be blocked according to content blocking rules Included content types and Excluded content types lists Define the content types which will be bloc...

Page 114: ...l File Type Recognition Figure 5 9 Content Control File Type Recognition settings Allow content ranges The HTTP 1 1 protocol allows a client to request only a part a range of the content from the serv...

Page 115: ...ontent types the File Type Recognition analyzes the content which could reveal the real content type to be application octet stream and so the file will be scanned File Type Recognition does not check...

Page 116: ...gure 5 10 Notifications settings Send virus alerts to administrator Specify whether the product should send virus warning messages to the administrator if it finds malicious code in the downloaded con...

Page 117: ...ock warning messages to the administrator if it blocks any downloaded content Disabled Do not send block warning messages Enabled Send a block warning message every time F Secure Anti Virus for Intern...

Page 118: ...e 2 Virus warning message Enter the virus warning message that is shown to users when they try to download a file that contains malicious code The warning message should be in HTML format For more inf...

Page 119: ...not cache scanned files it just stores a unique identifier for each file The content is verified with a cryptographic hash function MD5 to ensure that only exactly the same files may pass without sca...

Page 120: ...net Gateways uses one thread to serve one HTTP request so the number of threads affects the number of requests that can be served at the same time For more information see Threads Per Child Process 27...

Page 121: ...automatically reset when any F Secure Anti Virus for Internet Gateways or F Secure Content Scanner Server settings are changed or when virus definition databases are updated F Secure Anti Virus for In...

Page 122: ...on Figure 5 12 Administration settings Working directory Specify the Working Directory Enter the complete path in the field If the path does not begin with a slash then it is assumed to be relative to...

Page 123: ...r Internet Gateways Furthermore you can specify hosts and sites which are never scanned for viruses and sites which the users are not allowed to access Connections to F Secure Anti Virus for Internet...

Page 124: ...ions or to deny specific hosts from connecting and allow all other connections Allow Deny By default the access is denied F Secure Anti Virus for Internet Gateways accepts connections only from hosts...

Page 125: ...information see Specifying Hosts 300 Denied hosts Specify hosts and subnets that cannot connect to F Secure Anti Virus for Internet Gateways For more information see Specifying Hosts 300 By default o...

Page 126: ...sts 300 Trusted sites The content of trusted sites is never scanned for viruses and downloads from trusted sites are never blocked Click Add to add a new trusted site in the table To modify an existin...

Page 127: ...rror messages Access Log logs HTTP requests that have passed through F Secure Anti Virus for Internet Gateways For more information see Logging 104 F Secure Management Agent maintains a log called Log...

Page 128: ...etting You can open the error log from the F Secure Internet Gatekeeper Web Console by selecting the Anti Virus for Internet Gateways tab and clicking the Show Error Log button Level Examples Emergenc...

Page 129: ...Secure Internet Gatekeeper Web Console by selecting the Anti Virus for Internet Gateways tab and clicking the Show Access Log button For more information on the Logging settings see Logging 104 5 4 3...

Page 130: ...installed in centralized administration mode For instructions on how to log in the F Secure Internet Gatekeeper Web Console see Logging in the F Secure Internet Gatekeeper Web Console for the First T...

Page 131: ...statistics the number of scanned files the last virus found and the last time a virus was found Figure 5 15 HTTP scanning statistics in F Secure Internet Gatekeeper Web Console Status Status Displays...

Page 132: ...umber of infected files that have been found Blocked files Displays the total number of files that have been blocked Disinfected files Displays the total number of files that have been disinfected Las...

Page 133: ...f files and kilobytes processed and the number of blocked infected and disinfected files Figure 5 16 Content Control statistics in F Secure Internet Gatekeeper Web Console Processed files Displays the...

Page 134: ...y have been delivered to the requesting client Disinfected files Displays the total number of infected files that have been disinfected Last time infection found Displays the date and time the last vi...

Page 135: ...Secure Policy Manager Console select the Status tab in the Properties pane and then select the F Secure Anti Virus for Internet Gateways Statistics Status and F Secure Anti Virus for Internet Gateway...

Page 136: ...sages in the Notifications page For more information see Notifications 115 Copy all images and other page elements that you want to use to the htdocs directory located under the F Secure Anti Virus fo...

Page 137: ...Secure Anti Virus for Internet Gateways 5 6 1 Virus Warning Message The virus warning message is displayed to users when they try to download a file that contains malicious code Figure 5 18 An exampl...

Page 138: ...138 5 6 2 Block Warning Message The block warning message is displayed to users when they try to download a file that has been blocked Figure 5 19 An example of a block warning message...

Page 139: ...Virus for Internet Gateways 5 6 3 Banned Site Warning Message The banned site warning message is displayed to users when they try to access a site which they are not allowed to access Figure 5 20 An...

Page 140: ...NISTERING F SECURE ANTI VIRUS FOR INTERNET MAIL Overview SMTP Scanning 141 Configuring F Secure Anti Virus for Internet Mail 142 Configuring SMTP Traffic Scanning 166 Monitoring Logs 195 Viewing Stati...

Page 141: ...SMTP server for further processing and delivery Change the F Secure Anti Virus for Internet Mail settings to set up the e mail quarantine spool and logging directories connection settings alerting an...

Page 142: ...ner settings also have an effect on how the SMTP traffic is scanned The default settings apply in most system configurations but it might be a good idea to check that they are valid for your system Af...

Page 143: ...addresses that F Secure Anti Virus for Internet Mail should listen to for incoming connections Separate each address with a comma or a space You can leave the field empty if you want the agent to list...

Page 144: ...ecure Anti Virus for Internet Mail and the mail server are installed on the same host they must use different port numbers for incoming SMTP connections In these cases F Secure Anti Virus for Internet...

Page 145: ...dded to the received header field of the messages which are scanned Select No to add the following received field to the header Received from xxx xxx xxx xxx xxxx EHLO mail example com by fsavim examp...

Page 146: ...hen sending bounce and non delivery notification messages This address will be visible to the receiver of the notification message as the sender of the e mail If left empty default the address set in...

Page 147: ...ous connections that are accepted from a particular host The excess connections are temporarily rejected If there is only one mail server in use in the company network use a high value for this settin...

Page 148: ...72 16 4 4 172 16 1 172 16 4 10 110 100 120 1 240 For more information see Specifying Hosts 300 You can import a list of host addresses to the Allowed Hosts and Denied Hosts tables from a CSV file When...

Page 149: ...F Secure Anti Virus for Internet Mail Settings Common Content Scanner Servers Figure 6 3 Common Content Scanner Servers settings Addresses Primary servers Specify the F Secure Content Scanner Servers...

Page 150: ...es are distributed Otherwise the setting will not be changed in the product Connection timeout Specify how long F Secure Anti Virus for Internet Mail waits for a response from F Secure Content Scanner...

Page 151: ...ntine related settings are configured through F Secure Policy Manager and the quarantined files are managed through F Secure Internet Gatekeeper Web Console Enabled Data is transferred via local tempo...

Page 152: ...nt as separate files into the Quarantine Storage a directory specified in the Quarantine settings and inserts an entry to the Quarantine Database with information about the quarantined content For mor...

Page 153: ...i Virus for Internet Mail For information on how to manage and search quarantined content see Quarantine Management 258 Figure 6 5 Common Quarantine settings that are used for configuring the quaranti...

Page 154: ...154 Figure 6 6 Quarantine Options settings in the Web Console that are used for configuring the quarantining in stand alone installations...

Page 155: ...distributed Otherwise the setting will not be changed in the product Retain items in quarantine Specify how long quarantined items should be retained in the quarantine before they are deleted Use the...

Page 156: ...interval for the selected quarantine category Quarantine size threshold Specify the critical size in megabytes of the quarantine folder If the specified value is reached the product sends an alert The...

Page 157: ...o alert is sent if both thresholds are set to zero 0 The options available are Send informational alert Send warning alert Send error alert Send security alert Quarantine worms Specify whether the pro...

Page 158: ...if the message is retained in the quarantine after the maximum attempts Final Action on Unsafe Messages Specify the action to unsafe messages after the maximum number of reprocesses have been attepte...

Page 159: ...ke sure that the spool directory is on a local hard disk to ensure the best possible performance of F Secure Anti Virus for Internet Mail WARNING During the setup access rights are adjusted so that on...

Page 160: ...the messages are scanned and sent at once Low spool warning threshold Specify the amount of free disk space in megabytes that the disk where the Spool Directory is should have The default value is 50...

Page 161: ...Notify when mails in spool above threshold Specify whether an alert is sent to the administrator when the total number of mails in the spool exceeds the threshold specified in the Total Number of Spo...

Page 162: ...keep log of all the e mails that pass through it The Logging settings are located under the F Secure Anti Virus for Internet Mail Settings Common Logging branch For more information on the content of...

Page 163: ...ging Directory If you make changes to the Logging Directory settings make sure that the new Logging Directory has the same rights Logging type Specify how F Secure Anti Virus for Internet Mail creates...

Page 164: ...from hosts outside of your network are considered inbound mail Scanning settings for these e mail messages are under the Inbound branch The Intranet Hosts table is located under F Secure Anti Virus fo...

Page 165: ...e following entries are valid 172 16 4 4 172 16 1 172 16 4 0 16 172 16 250 255 For more information see Specifying Hosts 300 You can import a list of host addresses to the Intranet Hosts table from a...

Page 166: ...ion in both the Inbound Mail and Outbound Mail branches An exception to this is the Spam Control feature which exists only in the Inbound Mail branch if you have F Secure Spam Control installed 6 3 1...

Page 167: ...the SMTP reply code 521 which instructs the sending mail server to stop trying to send the message again E mail messages which were accepted before changing this setting are processed normally Reject...

Page 168: ...and sends them when the connection is restored Max message size Specify the maximum size in kilobytes of the e mail message that the product accepts Set the value to zero 0 to have no limit on the mes...

Page 169: ...ses Denied recipients Specify recipients who are specifically denied from receiving any e mail messages By default F Secure Anti Virus for Internet Mail is set to verify recipients and no Allowed Reci...

Page 170: ...pients per message Verify senders Specify if senders of inbound mail messages are checked against the Allowed Senders and Denied Senders tables on receiving Enabled Inbound mail messages are accepted...

Page 171: ...line If you want to include a comment for an address use a delimiter character for example a semi colon to separate the data to be entered in the different columns Leave the Active field empty as in t...

Page 172: ...log opens you can change the delimiter character by clicking the Options button 6 3 3 Spam Control For information on configuring Spam Control see Administering F Secure Spam Control 240 6 3 4 Blockin...

Page 173: ...example txt pdf vcf Disallowed attachments Specify a comma separated list of file names and or file extensions which are not allowed For example vb i love you kiss_me The default disallowed attachment...

Page 174: ...he stripped attachment Stop the Whole Message The message is stopped If sender notification is enabled the sender is notified about the message being stopped If sender notification is disabled no noti...

Page 175: ...icious code in multipart messages Due to security reasons multipart messages are blocked by default Enabled The multipart message is blocked and bounced back to the sender Disabled The multipart messa...

Page 176: ...suspicious attachment has been found Recipient notification message Specify the body of the notification message that is sent to the recipient when a disallowed or suspicious attachment has been foun...

Page 177: ...e body of the notification message that is sent to the sender when a disallowed or suspicious attachment has been found Do not notify on these attachments Specify a comma separated list of file names...

Page 178: ...These extensions are listed in the Included Extensions setting Scan all attachments except excluded extensions All attachments are scanned except for the ones with specified extensions These extension...

Page 179: ...ntain malicious code Drop Attachment Remove the infected attachment from the message If the Quarantine Infected Attachments setting is enabled the infected attachment is placed into the Quarantine fol...

Page 180: ...fication message is sent to the recipient when a virus or other malicious code has been found The notification message text is added to the original message Recipient virus notification subject Specif...

Page 181: ...virus and worm names If the product finds an e mail message infected with a virus worm matching one of these keywords the whole e mail message is blocked and no virus warning message is sent to the s...

Page 182: ...ages 157 When proactive virus threat detection is disabled inbound mails are only scanned by antivirus engines Send Virus Outbreak Notification Specify whether a notification message is sent to Virus...

Page 183: ...a picture file with a DOC extension The File Type Recognition setting has no effect and it is not used when the Scan for Viruses and the Strip Attachments settings are set to All Attachments Figure 6...

Page 184: ...recognition is enabled or disabled Enabled The product attempts to determine the real file type of the attachment and use the correct extension while processing the file Disabled The product does not...

Page 185: ...disclaimer should be added to e mail messages that have been processed and found clean Since malware and virus writers often use spoofing techniques to forge e mail disclaimers it is not recommended t...

Page 186: ...This e mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed If you have received this e mail in error please...

Page 187: ...Specify how the traffic for certain domains will be routed When delivering mail the product will first look up the domain mail server in the mail routing table If no domain mail server is found it wi...

Page 188: ...ails addressed to this domain will be delivered directly to the specified relay mail server Wildcards and can be used when specifying the domain Primary mail server Specify the primary mail server whe...

Page 189: ...f the product will find the domain mail server for inbound mail in DNS MX records To resolve the IP address of the domain mail server the product will use the DNS server s defined in the TCP IP option...

Page 190: ...r Internet Mail attempts to deliver inbound mail before giving up When the time is over undeliverable mail is bounced back to the sender and removed from the Spool directory The default value is 5 day...

Page 191: ...s incorrect format arrives Because of the malformed structure the product cannot reliably parse the e mail message and thus there is a risk that malicious code will pass undetected Drop The malformed...

Page 192: ...of Nested Messages setting Drop E mail messages with exceeding nesting levels are not delivered to the recipient s The nested message is moved to the the quarantine folder if Quarantine Problematic M...

Page 193: ...ontent Transfer Encoding quoted printable Content Disposition attachment filename ghost exe Action on mails with long lines Select the action to take if an e mail message contains lines exceeding the...

Page 194: ...ferent attachments name This is a multi part message in MIME format _NextPart_000_007B_01C19931 61582B60 Content Type application octet stream Content Transfer Encoding base64 Content Disposition atta...

Page 195: ...onsole by selecting the F Secure Anti Virus for Internet Mail tab and clicking Show Mail Log button on the Summary page The mail log contains information about received scanned sent trashed rejected a...

Page 196: ...1 58 45 scanned job smtp40BC454400 msg id example eml localhost result clean size 696 msize n a Sent Entry The Sent Entry is added to the log when the mail has been successfully sent to another mail t...

Page 197: ...the to field from SMTP envelope An example of a Trashed Entry 2007 06 01 11 59 56 trashed job smtp40BC458C00 msg id example eml localhost from sender example com to recipient example com Rejected Entr...

Page 198: ...f the spool file the message ID and the reason for the error 2007 06 01 14 48 06 error job smtp40BC6CE300 msg id example eml localhost reason Scan failed due to unrecoverable error giving up For infor...

Page 199: ...b Console for the First Time 82 6 5 1 Viewing Statistics with F Secure Internet Gatekeeper Web Console In F Secure Internet Gatekeeper Web Console the statistics are displayed on the Summary Inbound M...

Page 200: ...200 Figure 6 17 Summary of SMTP scanning statistics in F Secure Internet Gatekeeper Web Console...

Page 201: ...rder Processed messages Displays the total number of messages that have been processed Infected messages Displays the total number of infected messages High Medium virus risk messages Displays the num...

Page 202: ...MTP traffic scanning statistics The Outbound Mail Statistics page displays the outbound SMTP traffic statistics The Statistics pages show the following the number of messages that have been processed...

Page 203: ...CHAPTER6 203 Administering F Secure Anti Virus for Internet Mail Figure 6 18 Inbound Mail statistics in F Secure Internet Gatekeeper Web Console...

Page 204: ...otal size of messages that have been scanned for viruses Infected messages Displays the amount of messages that have been infected with viruses Size of infected messages Displays the total size of mes...

Page 205: ...rus for Internet Mail Size of spam messages Displays the total size of spam messages received Last infection found Displays the name of the last infection in inbound mail Last infection found on Displ...

Page 206: ...sole you can see the F Secure Anti Virus for Internet Mail statistics on the Status tab under the F Secure Anti Virus for Internet Mail Statistics Total branch For explanations see above Figure 6 19 T...

Page 207: ...Mail Inbound mail statistics on the Status tab under the F Secure Anti Virus for Internet Mail Statistics Inbound Mail branch and the Outbound mail statistics under the F Secure Anti Virus for Intern...

Page 208: ...rmore F Secure Anti Virus for Internet Mail can add a disclaimer to mail messages that have been processed and found clean You can change the virus notification settings from F Secure Anti Virus for I...

Page 209: ...7 ADMINISTERING F SECURE CONTENT SCANNER SERVER Overview 210 Configuring F Secure Content Scanner Server 211 Configuring Scanning Settings 216 Configuring and Viewing Statistics 226 Monitoring Logs 2...

Page 210: ...nner Server settings to set up the working directory set the virus definition database update notifications and scan engines In centrally managed mode you can configure F Secure Content Scanner Server...

Page 211: ...erver This section explains how you can configure the 7 2 1 Service Connections You can specify how F Secure Content Scanner Server should interact with F Secure for Internet Gateways and F Secure for...

Page 212: ...r Internet Mail uses the same configuration To change F Secure Anti Virus for Internet Mail settings see Content Scanner Servers 149 Accept connections Specify a comma separated list of F Secure Anti...

Page 213: ...anner Server accepts If you do not want to limit the number of connections per host set the value to zero 0 However using 0 or a very high value might increase the risk of a denial of service attack S...

Page 214: ...cations Protocols X Incoming Packages Polling Interval where X is File Sharing or HTTP This setting is used in the centrally managed installations only Verify integrity of downloaded databases Specify...

Page 215: ...Send security alert Notify when databases become older than Specify the number of days after which the databases are considered outdated An alert will be sent to the administrator when the latest dat...

Page 216: ...how password protected archives are handled 7 3 1 Virus Scanning Go to F Secure Content Scanner Server Settings Virus Scanning and to change the archive scanning and scanning engine settings These set...

Page 217: ...s inside the archives for possible infections The supported archive formats are ARJ BZ2 CAB GZ JAR LZH MSI RAR TAR TGZ Z and ZIP The archive itself is scanned if that is configured with the other scan...

Page 218: ...Password protected archives cannot be scanned Select whether to treat them as safe or unsafe As password protected archives cannot be inspected without knowing the password the user who receives a pas...

Page 219: ...ked size of an archive file exceeds this threshold the server will consider the archive suspicious and corresponding action will be taken Scan extensions inside archives Specify a list of files separa...

Page 220: ...ure 7 4 Spam Filtering settings Number of spam scanner instances Specify the number of Spam Scanner instances to be created and used for spam analysis As one instance of the spam scanner is capable of...

Page 221: ...imizing F Secure Spam Control Performance 250 The server must be restarted after this setting has been changed For instructions see Starting and Stopping F Secure Internet Gatekeeper Components 294 IM...

Page 222: ...patterns to cache for spam detection service By default the cache size is 10000 cached patterns Increasing cache sizes may increase the threat detection performance but it requires more disk space and...

Page 223: ...can be trusted not to be operated by spammers and do not have open relays or open proxies Define the network as a network netmask pair 10 1 0 0 255 255 0 0 with the network nnn CIDR specification 10...

Page 224: ...ettings Advanced Figure 7 5 Advanced settings Working directory Specify the path to the working directory where the product will create temporary files IMPORTANT This setting must be defined as Final...

Page 225: ...fy how often the Working Directory is cleaned of all files that may be left there By default files are cleaned every 30 minutes Free space threshold Set the free space threshold in megabytes for the d...

Page 226: ...s for storing this information as well as the maximum number of viruses to be displayed on the list Figure 7 6 Virus Statistics settings In F Secure Policy Manager you can see the list of most active...

Page 227: ...et Gatekeeper Web Console For instructions on how to log in the F Secure Internet Gatekeeper Web Console see Logging in the F Secure Internet Gatekeeper Web Console for the First Time 82 Summary The F...

Page 228: ...er Server is currently running or not Start time Displays the start date and time of F Secure Content Scanner Server Scanned files Shows the number of files the server has scanned for viruses Note tha...

Page 229: ...splayed on this page Database update version Displays the version of the virus definition database update The version is shown in YYYY MM DD_NN format where YYYY MM DD is the release date of the updat...

Page 230: ...e Summary Virus Statistics page in F Secure Internet Gatekeeper Web Console Figure 7 8 Virus Statistics in F Secure Internet Gatekeeper Web Console Most active viruses Top 10 Displays a Top 10 listing...

Page 231: ...Spam Scanner Statistics On the Summary Spam Scanner Statistics page in F Secure Internet Gatekeeper Web Console you can see the Spam Control status database update information spam scanning results a...

Page 232: ...You can see the status of all scan engines on the Scan Engines Properties page of F Secure Internet Gatekeeper Web Console Figure 7 10 Scan engine statuses and statistics in F Secure Internet Gatekee...

Page 233: ...scan engine should be disabled for troubleshooting purposes only because disabling one of the scan engines significantly reduces the chances of finding malware Not loaded This status is displayed when...

Page 234: ...ion found Displays the name of the latest infection that was found with the selected scan engine Last time infection found Displays the date and time of the last infection Engine excluded extensions S...

Page 235: ...Console Total Scanning Statistics In F Secure Policy Manager you can see a summary of the scanning statistics under F Secure Content Scanner Server Statistics Server branch For explanations see above...

Page 236: ...n see the list of most active viruses under the F Secure Content Scanner Server Statistics Virus Statistics Most Active Viruses branch Figure 7 12 Virus Statistics in F Secure Policy Manager Console F...

Page 237: ...In F Secure Policy Manager Console you can see the spam statistics under the F Secure Content Scanner Server Statistics Spam Control branch Figure 7 13 Spam Control statistics in F Secure Policy Mana...

Page 238: ...can see the status of the scan engines under the F Secure Content Scanner Server Statistics Scan Engines branch Figure 7 14 Scan engine statuses and statistics in F Secure Policy Manager Console For...

Page 239: ...is maintained by F Secure Management Agent and it contains all the alerts generated by the F Secure components installed on the host Logfile log can be found on all hosts running F Secure Management A...

Page 240: ...240 8 ADMINISTERING F SECURE SPAM CONTROL Introduction 241 Spam Control Settings 242 Realtime Blackhole List Configuration 248...

Page 241: ...spam flag header into a junk mail folder F Secure Spam Control spam definition databases can be updated with F Secure Automatic Update Agent In order to update the spam definition databases F Secure A...

Page 242: ...h the product Otherwise they will be ignored Figure 8 1 Common Spam Control settings Spam filtering Specify whether inbound mails should be scanned for spam Realtime Blackhole List RBL spam filtering...

Page 243: ...l allows more spam to pass but a smaller number of regular e mail messages will be falsely identified as spam For example if the spam filtering level is set to 3 more spam is filtered but also more re...

Page 244: ...l Address setting instead of being delivered to the original recipient s The messages are marked as specified by the Add X Header and Modify Spam Message Subject settings Delete messages with this lev...

Page 245: ...lowing format X Spam Status flag hits scr required sfl tests tests where flag is Yes or No scr is the spam confidence rating returned by the spam scanner sfl is the current spam filtering level tests...

Page 246: ...eeds the specified maximum size the message will not be scanned for spam The bigger the maximum size of mails to be scanned for spam is the more resources the product will use Since all spam messages...

Page 247: ...nts whose incoming messages are always treated as spam When specifying sender and recipient addresses use the username example com format You can use wildcards The match is not case sensitive The prod...

Page 248: ...queries DNS protocol is used to make the DNSBL RBL queries 2 Make sure you do not have a firewall preventing DNS access from the host where F Secure Spam Control is running 3 Test the DNS functionali...

Page 249: ...g correctly you should see this kind of headers in messages classified as spam X Spam Status YES database version 2005 04 06_1 hits 9 required 5 tests RCVD_IN_DSBL RCVD_IN_NJABL_PROXY RCVD_IN_SORBS_DU...

Page 250: ...ses when DNS queries are made If needed the performance can be improved by increasing the number of mails being processed concurrently by F Secure Spam Control By default the product processes a maxim...

Page 251: ...251 9 ADMINISTERING F SECURE MANAGEMENT AGENT F Secure Management Agent Settings 252 Configuring Alert Forwarding 254...

Page 252: ...s are at least sometimes connected through a network or a temporary link Active protocol Sets the active protocol Protocols A subdirectory containing the settings for the File Sharing and the HTTP pro...

Page 253: ...es such as Base Policy files or virus definition databases from the F Secure Policy Manager Server Outgoing packages update interval Defines how often the host tries to transmit periodically updated i...

Page 254: ...y Manager Console Incoming packages polling interval Defines how often the host tries to fetch incoming packages such as Base Policy files or new virus definition databases from the F Secure Managemen...

Page 255: ...ou can further configure the alert target by setting the policy variables under target specific branches For example F Secure Management Agent Settings Alerting F Secure Policy Manager Retry Send Inte...

Page 256: ...ings and Statistics icon in the Windows system tray Select F Secure Management Agent and click Properties Go to the Alerting tab to configure the alert forwarding Figure 9 3 Alert Forwarding table in...

Page 257: ...you choose to forward alerts to an e mail address SMTP you have to specify the e mail address of the recipient and the mail server you want to use Select E Mail SMTP and click Properties to specify SM...

Page 258: ...Query Results Page 265 Viewing Details of a Quarantined Message 267 Reprocessing the Quarantined Content 268 Releasing the Quarantined Content 269 Removing the Quarantined Content 271 Deleting Old Qu...

Page 259: ...installations with Centralized Quarantine Management 40 and Scenario 3 F Secure Anti Virus for Internet Mail for each Sub domain 356 The quarantine consists of quarantine database quarantine storage...

Page 260: ...10 2 Configuring Quarantine Options In stand alone installations all the quarantine settings can be configured on the Quarantine page in F Secure Internet Gatekeeper Web Console For more information o...

Page 261: ...CHAPTER10 261 Quarantine Management Figure 10 1 Quarantine Query page...

Page 262: ...and malformed messages Disallowed content Includes blocked messages Spam Includes messages considered spam Scan failure A scan failure can occur for example if the file is severely corrupted Unsafe In...

Page 263: ...teria Host IP address Enter the host IP address to be used as search criteria Show only You can use this option to view the current status of messages that you have set to be reprocessed released or d...

Page 264: ...Exact start and end dates to specify the date and time year month day hour minute when the data has been quarantined Sort Results Specify how the search results are sorted by selecting one of the opti...

Page 265: ...ne Query Results Page The Quarantine Query Results page displays a list of e mails that were found in the query To view detailed information about a quarantined e mail click the View link in the Detai...

Page 266: ...ined Content 271 The Query Results page also displays status icons of the e mails that were found in the search If there are reprocessing release or delete operations that have not completed yet the i...

Page 267: ...e View link in the details column 2 The Quarantined Content Details page opens Figure 10 3 Quarantined Content Details page This is a quarantined e mail that the administrator has set to be deleted Th...

Page 268: ...d details The message status icon near the upper right corner of the page For a complete list of the icons see Query Results Page 265 The Download link can be used to download the quarantined attachme...

Page 269: ...have been reprocessed and found clean are delivered to the intended recipients They are also automatically deleted from the quarantine The progress of the reprocessing operation is displayed in the W...

Page 270: ...e Release Quarantined Content dialog opens 5 Specify whether you want to release the content to the original recipient or specify an address where the content is to be forwarded 6 Specify what happens...

Page 271: ...ssages that have been classified as spam Click the Delete All button to delete all the displayed quarantined content 5 You are prompted to confirm the deletion Click OK The content is now removed from...

Page 272: ...enu 4 Specify a retention period that is shorter than the default value for example 1 day in the Retention Period column 5 Specify a cleanup interval that is shorter than the default value for example...

Page 273: ...or Internet Mail tab in the Web Console and go to the Quarantine page Then click the Show Log File button 10 12 Quarantine Statistics The Quarantine statistics page displays the number of quarantined...

Page 274: ...attachments are stored and counted as separate items in the quarantine storage For example if a message has three attachments and only one of them has been found infected two items will be created in...

Page 275: ...275 11 SECURITY AND PERFORMANCE Introduction 276 Optimizing Security 276 Optimizing Performance 277...

Page 276: ...ss them If you make changes to file locations and directories make sure that the new directory has the same rights as the old one 11 2 1 Virus Scanning Make sure that F Secure Internet Gatekeeper is c...

Page 277: ...values for optimized security For more information see Data Trickling 101 11 3 Optimizing Performance For the best performance you should keep all working directories on a local hard disk and make sur...

Page 278: ...can Result Cache does not weaken the security as F Secure Internet Gatekeeper verifies that only exactly the same files may pass without scanning that have been scanned already For more information se...

Page 279: ...transactions For more information see Service Connections 211 Number of Ports in Use If necessary you can enhance the performance of F Secure Anti Virus for Internet Gateways by increasing the number...

Page 280: ...280 12 UPDATING VIRUS AND SPAM DEFINITION DATABASES Overview 281 Automatic Updates 281 Configuring Automatic Updates 282...

Page 281: ...irus is found F Secure provides a new virus definition database update F Secure Internet Gatekeeper uses an intelligent UDP based polite protocol BWTP or HTTP protocol to fetch this update F Secure s...

Page 282: ...ccess the F Secure Automatic Update Agent user interface open the F Secure Internet Gatekeeper Web Console and select the Automatic Update Agent tab In centrally managed installations you can use the...

Page 283: ...CHAPTER12 283 Updating Virus and Spam Definition Databases 12 3 1 Summary Figure 12 1 Automatic Update Agent summary in F Secure Internet Gatekeeper Web Console...

Page 284: ...version and name of the latest installed update Last check time The date and time when the last update check was done Last check result The result of the last update check Next check time The date an...

Page 285: ...Updating Virus and Spam Definition Databases Downloads Figure 12 2 Automatic Update Agent downloads in F Secure Internet Gatekeeper Web Console The Downloads page displays downloaded and installed up...

Page 286: ...286 12 3 2 Automatic Updates Figure 12 3 Automatic update settings in F Secure Internet Gatekeeper Web Console Specify the how the product connects to F Secure Update Server...

Page 287: ...for a usable Internet connection before trying to connect to the Update Server Use HTTP Proxy Select whether HTTP proxy should be used No HTTP proxy is not used From browser settings Use the same HTT...

Page 288: ...product cannot connect to any user specified update server during the failover time it retrieves the latest virus definition updates from F Secure Update Server if Allow fetching updates from F Secure...

Page 289: ...ure Internet Gatekeeper Web Console Edit the list of virus definition database update sources and F Secure Policy Manager proxies If no update servers are configured the product retrieves the latest v...

Page 290: ...host tries to connect servers Virus definition updates are downloaded from the primary sources first secondary update sources can be used as a backup The product connects to the source with the smalle...

Page 291: ...291 13 TROUBLESHOOTING Testing the Connections 292 Starting and Stopping F Secure Internet Gatekeeper Components 294 Frequently Asked Questions 295...

Page 292: ...the connection to F Secure Anti Virus for Internet Gateways is working For more information see Network Configuration 94 13 1 2 Checking that F Secure Anti Virus for Internet Mail is Up and Running Y...

Page 293: ...essage or if the cursor does not appear in the upper left corner it means that the connection was unsuccessful To test the network connection at the same time it is recommended to run telnet from the...

Page 294: ...cure Internet Gatekeeper Web Console and select the Anti Virus for Internet Mail tab Click Stop to stop F Secure Anti Virus for Internet Mail and click Start to start the service or Open Windows Contr...

Page 295: ...ubleshooting 13 3 Frequently Asked Questions All support issues frequently asked questions and hotfixes can be found under the support pages at http support f secure com For more information see Techn...

Page 296: ...296 A APPENDIX Warning Messages HTTP Warning Messages 297 SMTP Warning Messages 298...

Page 297: ...iable is replaced with Unknown Variable Description DATE The date and time METHOD The HTTP request method GET POST CONNECT etc URL The requested URL CONTENT TYPE The HTTP Content Type header in the re...

Page 298: ...ng variable is replaced with Unknown Variable Description NAME OF SENDER The sender of the mail message NAME OF RECIPIENT The recipient s of the mail message SUBJECT The subject of the mail message AN...

Page 299: ...e Description AFFECTED FILENAME The name of the original file or attachment AFFECTED FILESIZE The size of the original file or attachment THREAT The name of the threat that was found in the content TA...

Page 300: ...300 B APPENDIX Specifying Hosts Introduction 301 Domain 301 Subnet 301 IP Address 302 Hostname 302...

Page 301: ...et is a partially qualified Internet address in numeric dotted quad form optionally followed by a slash and the netmask which is specified as the number of significant bits in the subnet It is used to...

Page 302: ...qualified internet address in numeric dotted quad form Usually this address represents a host but the address does not necessarily have to have a DNS domain name Example 192 168 123 7 B 5 Hostname A h...

Page 303: ...re always assumed to be anchored in the root of the DNS tree Therefore hosts WWW example com and www example com note the trailing period are considered to be equal Usually it is more effective to spe...

Page 304: ...304 C APPENDIX Access Log Variables List of Access Log Variables 305...

Page 305: ...mat excluding HTTP headers When no bytes are sent the value is Example C The contents of cookie Example in the request sent to the server D The time taken to serve the request in microseconds EXAMPLE...

Page 306: ...se an empty string is used r The first line of the request s The status of the request For internally redirected requests the value is the status of the original request t The time in standard English...

Page 307: ...ontent is safe or not Cured The file was disinfected by the scanner Replaced The content was infected and the server replaced the original content Block The content was blocked Error An error occurred...

Page 308: ...the file is clean or not scanned the value is FSFILTER scansrc The value displays whether the Scan Result Cache was used Scan The file was scanned Cache The scan result for the file was found from the...

Page 309: ...309 D APPENDIX Mail Log Variables List of Mail Log Variables 310...

Page 310: ...address of the host that the mail message was received from FROM Received Scanned Sent Trashed The complete mail sender address as given in the mail envelope i e SMTP MAIL FROM command TO Received Sc...

Page 311: ...ct dns space name ip address RECVTIME Received The time in milliseconds taken to receive the mail message SCANTIME Scanned The time in milliseconds taken to scan the mail message SENDTIME Sent The tim...

Page 312: ...312 E APPENDIX Configuring Mail Servers Configuring the Network 313 Configuring Mail Servers 314...

Page 313: ...Server Configuration Inbound e mail must be routed to F Secure Internet Gatekeeper E mail Client Configuration Mail clients must send outgoing SMTP e mail to F Secure Internet Gatekeeper No settings...

Page 314: ...elay features enabled enable and configure anti relay on F Secure Anti Virus for Internet Mail as well Receiving 166 E 2 Configuring Mail Servers E 2 1 Lotus Domino If you are installing F Secure Inte...

Page 315: ...ange the SMTP port number of Microsoft Exchange 5 5 and use the standard SMTP TCP port number 25 for F Secure Internet Gatekeeper To change the SMTP port number in MS Exchange 5 5 1 On the MS Exchange...

Page 316: ...316 To change the SMTP port number in MS Exchange 2000 1 Start the Exchange System Manager from the Start Menu 2 Open the Servers Current Server Protocols SMTP branch...

Page 317: ...APPENDIX E 317 Configuring Mail Servers 3 Open the Properties window of Default SMTP Virtual Server 4 Click Advanced 5 Select the line that has SMTP port number 25 and click Edit...

Page 318: ...318 6 Change the TCP port to some other unused port for example 26 7 Click OK for all the windows and reboot the server...

Page 319: ...anced Deployment Options Introduction 320 Transparent Proxy 320 HTTP Load Balancing 329 Load Balancing With Windows Network Load Balancing Service 339 Deployment Scenarios for Environments with Multip...

Page 320: ...a cluster communicate among themselves and provide high availability load balancing and scalability The service is included in any version of Windows 2003 server If you want to deploy F Secure Intern...

Page 321: ...ing a transparent proxy is the best way to provide a reliable and easy HTTP scanning service with F Secure Internet Gatekeeper However configuring a transparent proxy may require some modifications in...

Page 322: ...ddress 192 168 0 1 port 3128 For information on how to configure F Secure Internet Gatekeeper see sections Configuring F Secure Anti Virus for Internet Gateways 94 Configuring F Secure Anti Virus for...

Page 323: ...ick OK Step 2 1 Open the ISA Management console 2 Open Servers and Arrays Extensions Application Filters 3 Right click HTTP Redirector Filter and select Properties 4 Select Options and make sure that...

Page 324: ...Click OK Step 3 1 Open the ISA Management console 2 Open Servers and Arrays Network Configuration Routing 3 Right click Default rule and select Action 4 Enable Routing them to a specified upstream se...

Page 325: ...ent Options 5 For the Primary route set the IP address and the port number that F Secure Internet Gatekeeper is configured to listen for incoming connections For the Backup route select the one which...

Page 326: ...e Web Chaining tab 4 Right click the Last Default rule and select Properties 5 Select the Action tab Enable the Redirecting them to a specified upstream server option F Secure Internet Gatekeeper requ...

Page 327: ...figuration setting is deselected 8 Click OK Additional information http www microsoft com isaserver http www isaserver org http www toolzz com F 2 2 Transparent Proxy with Linux and Unix Based Systems...

Page 328: ...ables t nat A PREROUTING p tcp d 0 0 0 0 0 dport 80 j DNAT to 192 168 0 1 3128 An example using ipfilter FreeBSD 2 2 or later NetBSD 1 2 or later OpenBSD IPF 3 1 echo rdr ed0 0 0 0 0 0 port 80 192 168...

Page 329: ...co com http www nortelnetworks com http www lucent com F 3 HTTP Load Balancing If you want to ensure that the speed of the communication does not slow down and is not interrupted when scanning the tra...

Page 330: ...HTTP proxy A Domain Name Server DNS server resolves the name of the proxy server to its IP address so that clients know how to connect to it When a client connects to a proxy server site that has mult...

Page 331: ...ince all servers are treated equally proper load balancing is not possible The requested content type is not taken into consideration F 3 2 Load Balancing with Proxy Auto Configuration PAC or Web Prox...

Page 332: ...auto configuration scripts you can distribute the load between different caching proxies http naragw sharp co jp sps Benefits Easy and inexpensive to implement Drawbacks Automatic proxy configuration...

Page 333: ...n Using round robin or some other load sharing model the upstream proxy redirects requests to proxy peers specified in its configuration file Benefits Fairly easy to implement If a company already has...

Page 334: ...3 5 http wp netscape com proxy v3 5 evalguide advantages html Check Point FireWall 1 and Check Point NG Check Point FireWall 1 and Check Point NG have connect control modules which can be used to bala...

Page 335: ...are Load balancing Solutions Network Address Translation NAT Figure F 5 F Secure Anti Virus for Internet Gateways deployed with Network Address Translation NAT Direct Path Routing Figure F 6 F Secure...

Page 336: ...ing servers which offer various services such as e mail service Web service FTP service and DNS service Each of these services and their corresponding servers can be grouped and managed separately Lay...

Page 337: ...or Internet Gateways deployed with clustering Clients access a cluster a virtual server Nodes in a cluster communicate among themselves and provide high availability load balancing and scalability Sys...

Page 338: ...ure and deploy For detailed information on how to deploy a cluster for load balancing see Load Balancing With Windows Network Load Balancing Service 339 Windows 2000 Server Windows 2000 Server Cluster...

Page 339: ...er we set up network load balancing for 500 users in the local network with 4 MB connection You should use at least two servers with the following hardware configuration Both servers do not have to be...

Page 340: ...led and configured before it can be used Configuring TCP IP and Network Load Balancing Settings All settings should be identical for all servers in the cluster except the IP address which should be un...

Page 341: ...168 0 231 Netmask 255 255 255 0 Gateway 192 168 0 1 DNS server 192 168 0 10 All other computers connected to the local area network connect to the cluster with address 192 168 0 233 In networks that...

Page 342: ...342 4 Add the cluster address as the second IP address in the Advanced options In our case 192 168 0 233 5 Use the following settings in Network Load Balancing...

Page 343: ...t Options Use the multicast communication mode 6 The remote control is not necessary and it can be disabled 7 Use an individual IP address for each different server Each server should have a different...

Page 344: ...erwise the default settings are fine 9 You can use different settings just make sure that all settings are identical on all servers 10 After you have configured TCP IP and Network Load Balancing setti...

Page 345: ...ment Options Checking The Status of the Cluster 1 Open the Network Load Balancing Manager from the Administrative tools to administer the cluster and individual nodes 2 Select Cluster Connect to Exist...

Page 346: ...or s Guide Install F Secure Internet Gatekeeper on all servers on same paths and with same initial settings 2 After you have installed F Secure Internet Gatekeeper you should change the HTML error and...

Page 347: ...ow which server in the cluster sent the page to the browser For example Change files on other servers in the same way but use a different IP address Checking The Status Of The Cluster After you have i...

Page 348: ...e proxy address of the web browser n 2 Enter http 192 168 0 233 3128 in the web browser and open the page 3 Refresh the page several times and if everything is working properly you can see that each s...

Page 349: ...Deployment Scenarios for Environments with Multiple Sub domains F 5 1 Scenario 1 F Secure Anti Virus for Internet Mail as an Upstream Mail Transfer Agent Figure F 8 F Secure Anti Virus for Internet Ma...

Page 350: ...rewall Incoming and outgoing SMTP connections are allowed to from smtp my intranet host No changes are needed on mail servers and end user workstations in sub domain networks F Secure Anti Virus for I...

Page 351: ...sed to scan all inbound and outbound e mail traffic for viruses and malicious code Inbound messages to all sub domains are scanned for spam No changes on firewall mail servers and end user workstation...

Page 352: ...352 F 5 2 Scenario 2 F Secure Anti Virus for Internet Mail as Interim Mail Transfer Agent Figure F 9 F Secure Anti Virus for Internet Mail deployed as an Interim Mail Transfer Agent...

Page 353: ...domain to the smtp my intranet host All inbound mails come to the Mail Transfer Agent running on the mx my intranet host Firewall rules are changed to enable incoming and outgoing SMTP connections to...

Page 354: ...very is disabled The Mail Routing Table contains the following entries Benefits One F Secure Anti Virus for Internet Mail installation is used to scan all inbound and outbound e mail traffic for virus...

Page 355: ...on virus scanning and spam filtering policies for all sub domains It is possible to install F Secure Anti Virus for Internet Mail on the same host that runs upstream Mail Transfer Agent provided that...

Page 356: ...356 F 5 3 Scenario 3 F Secure Anti Virus for Internet Mail for each Sub domain Figure F 10 F Secure Anti Virus for Internet Mail installed on a separate computer for each sub domain...

Page 357: ...ains remain on the original machines DNS configuration for sub domains is changed so that F Secure Anti Virus for Internet Mail host is resolved as smtp my sub intranet and the mail server host is res...

Page 358: ...d as outbound In both inbound and outbound mail delivery settings disable the Use DNS MX records setting and specify the Mail Routing Table as follows Benefits No changes needed in firewall and the or...

Page 359: ...ole Configuration of sub domain mail servers needs to be changed It is possible to install F Secure Anti Virus for Internet Mail to the same host running the sub domain mail server provided that they...

Page 360: ...360 G APPENDIX Services and Processes List of Services and Processes 361...

Page 361: ...gent starts and controls the service automatically httpscan exe The process acts as a HTTP proxy and processes files downloaded through the proxy via HTTP 1 0 and HTTP 1 1 protocols rotatelogs exe The...

Page 362: ...The Database Update Handler process verifies and checks the integrity of virus definition and spam control database updates Service Process Description F Secure Quarantine Manager fqm exe The service...

Page 363: ...ss communication interface for integrated services and applications fch32 exe F Secure Configuration Handler that works with F Secure Policy Manager driver and enables other components to read base po...

Page 364: ...364 F Secure Automatic Update Agent Service Process Description F Secure Automatic Update Agent fsaua exe The service retrieves updates from F Secure Policy Manager or F Secure Update server...

Page 365: ...365 H APPENDIX Error Codes Introduction 366 F Secure Anti Virus for Internet Gateways 366 F Secure Anti Virus for Internet Mail 374 F Secure Content Scanner Server 391...

Page 366: ...duct operation The Log or installation directory can t be accessed Make sure that the product has sufficient rights to access the folder in question Check free disk space Consider restoring the defaul...

Page 367: ...If the problem persists contact F Secure Technical Support 106 Error Stopping Module Failed Module 1 could not be stopped The alert is not used in this version The alert is not used in this version 1...

Page 368: ...ssage Pump Quit Quit the message pump with error 1 Unexpected problem during product operation Normally the alert can be ignored However if the alert is continuously reported try to restart the produc...

Page 369: ...and act accordingly 123 Error Unable to Remove File The file 1 cannot be removed due to error 2 If the product cannot remove the file in question The alert contains the reason for the failure Check th...

Page 370: ...error description Restarting the product or rebooting the system might help solve this problem If the problem persists consider re installing the product 133 Warning Invalid Setting The entry 1 in th...

Page 371: ...t is not used in this version The alert is not used in this version 301 Security Virus Alert Infected Malicious code has been found in the following file page Request 1 Source 2 Destination 3 File siz...

Page 372: ...virus No actions are required If you do not want to receive scan summary reports you can disable it by setting 0 zero in the Send scan summary interval setting 400 Security Evaluation license expired...

Page 373: ...partner for purchasing the product or renew your license online If you wish to stop using the product you need to uninstall it 600 Error Unhandled Exception An unhandled exception occurred in 1 A sys...

Page 374: ...pool quarantine or installation directory cannot be accessed Make sure that the product has sufficient rights to access the directory in question Check that there is enough free disk space and conside...

Page 375: ...rt can be ignored if it happens only occasionally at the product or system shutdown However if the failure is reported often please contact F Secure Technical support for assistance 108 Error Unexpect...

Page 376: ...nt Agent is up and running Restarting the product or rebooting the system might solve this problem 125 Error Policy Read Failed Reading the policy variable 1 was unsuccessful due to 2 The product fail...

Page 377: ...Database The magic database file 1 is invalid or corrupted Intelligent File Type Recognition is disabled The magic database signature check failed Either the file has been forged or it has been change...

Page 378: ...its threshold The current number of items in the quarantine database is 1 The total number of quarantined items has reached its threshold Increase the threshold value or adjust the quarantine retenti...

Page 379: ...eck IP address and port number that F Secure Anti Virus for Internet Mail and Content Scanner Server use to communicate to each other 214 Error No Servers Available The agent cannot connect to any of...

Page 380: ...il to it No actions are required 240 Error Mail Server Unreachable Cannot connect to the Mail Server on 1 2 Mail messages will be spooled F Secure Anti Virus for Internet Mail has failed to contact th...

Page 381: ...ed e mail 244 Warning Mail Exceeds Max Size Mail message exceeds the specified maximum message size and was rejected Sender host 1 Sender 2 Recipient 3 Subject 4 Message ID 5 Mail size 6 Max size 7 F...

Page 382: ...pool ID 5 Scan result 6 Reason 7 The message in question was bounced The reason for the bounce is included in the alert Check the reason for the failure and act accordingly 249 Security Message Blocke...

Page 383: ...1 Error Cannot Send Content Sending content to the 1 F Secure Content Scanner Server on 2 was unsuccessful while processing spool job 3 attachment 4 Error occurred 5 F Secure Anti Virus for Internet M...

Page 384: ...270 Warning Low Spool Warning The size of the spool directory has reached its warning level threshold Volume containing the spool directory has 1 megabytes available at the moment The disk is getting...

Page 385: ...tachment could not be extracted from the mail Sender 1 Recipient 2 Subject 3 Message ID 4 Spool ID 5 Attachment name 6 Attachment size 7 Action 8 Quarantined 9 The attachment in question is apparently...

Page 386: ...File name 5 File size 6 bytes Scan result 7 Action Disinfected When a file is found infected and successfully disinfected on scanning See below 320 Security Virus Alert Malicious code found in the mai...

Page 387: ...hanging e mail blocking settings if the attachment in question should not have been blocked 360 Security Unable to Scan Attachment cannot be scanned Sender 1 Recipient 2 Subject 3 Message ID 4 Spool I...

Page 388: ...ity Evaluation License Expires Soon The evaluation license will expire in 1 days Your network remains protected against viruses and other malicious code The evaluation period will end soon To continue...

Page 389: ...e For example if there is not enough disk space free some etc 481 Error Cannot Quarantine Mail The e mail message cannot be quarantined due to error 1 Check the quarantine log for more details The mes...

Page 390: ...eption was caught Check the log files to find out which mail caused an exception Restarting the product or rebooting the system might solve the problem Contact F Secure Technical Support if the produc...

Page 391: ...nfo Settings Changed The following settings have been changed 1 Product settings changed from F Secure Policy Manager Console or Web Console No actions required 70 Error Cannot Read Settings Cannot re...

Page 392: ...and stop the product again If the alert appears again reboot the system 141 Warning Module Not Running Attempted to stop the module 1 that is not running On shutdown No actions required 142 Error Modu...

Page 393: ...em 210 Error Process Scan Request Failed Cannot process scan request Failed to connect F Secure Anti Virus due to error 1 Alert not used in this version Alert not used in this version 220 Error Scan R...

Page 394: ...that holds the quarantine directory is low on disk space Free some disk space You might consider deleting old quarantined files 300 Warning Missing Database File Virus definition database file 1 is mi...

Page 395: ...sion Alert not used in this version 307 Info Database Files Updated The following virus definition databases have been successfully updated 1 Virus definition databases have been manually or automatic...

Page 396: ...tection secure database files need to be updated Alert not used in this version Alert not used in this version 345 Error System Clock Changed The system time was apparently changed and the program can...

Page 397: ...re 402 Error Database Rejected The database update 1 was rejected New virus definition or spam scanner databases have been rejected as they did not pass integrity verification Check the alerts that pr...

Page 398: ...m F Secure Make sure that only authorized personnel have access rights to F Secure Policy Manager product installation and database update files directories 413 Error Database Verification No Manifest...

Page 399: ...or missing database publisher s certificate 1 The publisher s certificate is invalid or missing from the database update package Check that the product downloads database updates from F Secure Make su...

Page 400: ...rror Database Verification No Revocation File Bad or missing revocation file 1 The revocation file is missing or invalid See above 450 Fatal error Database Verification Not Enough Memory There was not...

Page 401: ...ed by any component if there are problems with F Secure Configuration Handler a component of F Secure Management Agent Reboot the system If the problem persists after reboot contact F Secure Technical...

Page 402: ...e 1 cannot be removed due to error 2 If a component cannot remove the file in question The alert contans the reason for the failure Check the reason for the failure and act accordingly 575 Error Unabl...

Page 403: ...ion mode work properly See the manual for detailed instructions 1002 Info Started Listening Authenticated Mode 1 has started listening for incoming connections on address 2 port 3 Authenticated mode w...

Page 404: ...and the protocol version it is supposed to communicate over Consider updating the product and applying all latest service packs and hotfixes 1203 Warning Undefined Request The received data is not a r...

Page 405: ...agent See above ID 1206 1208 Error Unable to Send Content Cannot send content to the agent due to error 1 If the content provider cannot send the content processed data back to the agent See above ID...

Page 406: ...ion does not respond and or cannot process the content within the timeout period Make sure the content processor is up and running Restart the product if the problem persists 1213 Error Processor Inte...

Page 407: ...on 1 Protocol 2 Source 3 Destination 4 File name 5 File size 6 bytes Scan result 7Action Disinfected When a file is found infected and successfully disinfected on scanning See above ID 2001 2004 Error...

Page 408: ...2 Source 3 Destination 4 File name 5 File size 6 bytes When the product fails to disassemble a file to be scanned The format of the file question may be invalid or malformed Get the file from the qua...

Page 409: ...409 Technical Support Introduction 410 F Secure Online Support Resources 410 Web Club 412 Virus Descriptions on the Web 412...

Page 410: ...f secure com Example Anti Virus Norway f secure com If there is no authorized F Secure Anti Virus Business Partner in your country you can submit a support request directly to F Secure There is an onl...

Page 411: ...for File Servers if it is installed on the same computer and possibly the version numbers of F Secure Policy Manager Server and F Secure Policy Manager Console if you use centralized administration I...

Page 412: ...age Alternatively right click on the F Secure icon in the Window taskbar and choose the Web Club command To connect to the Web Club directly from within your Web browser go to http www f secure com sm...

Page 413: ...all with intrusion prevention antispam and antispyware solutions Founded in 1988 F Secure has been listed on the Helsinki Exchanges since 1999 and has been consistently growing faster than all its pub...

Page 414: ...414...

Reviews: