Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Review the Microsoft Forefront Server Security Privacy Statement at the Microsoft Forefront Server Security Web site.
Contents
Microsoft Forefront Security for Exchange Server Quick Start Guide
Contents
Introduction to Forefront Security for Exchange Server
Third-party file-level antivirus programs
Installing Forefront Security for Exchange Server 2007
Forefront Security for Exchange Server system requirements
Minimum server requirements
Minimum workstation requirements
Installing Forefront Security on a local server
Procedures
Other installations
Services
FSCController
Securing the service from unauthorized use
Procedures
Using the Forefront Server Security Administrator
Starting the Forefront Server Security Administrator
Connecting to a local server
Forefront Server Security Administration user interface
Shuttle Navigator
Forefront Security for Exchange Server General Options
Forefront Security file scanner updating
Configuring the Transport Scan Job
Procedures
Configuring antivirus settings for the Transport Scan Job
Procedures
Controlling the Transport Scan Job
Configuring the Realtime Scan Job - QS
Procedures
Configuring the antivirus settings for the Realtime Scan Job
Controlling the Realtime Scan Job
Configuring and running the Manual Scan Job
Configuring the Manual Scan Job
Configuring antivirus settings for the Manual Scan Job
Running the Manual Scan Job
Scheduled background and on-access scanning
Scheduled background scanning
Procedures
On-access scanning
Heightened security on-access scanning
Procedures
Background scanning on engine update
Filtering files
Mechanics of file filtering
Filtering by file type
Filtering by extension
Filtering by name
Filtering by file size
Configuring the file filter
Procedures
File filtering action
Filtering content
Sender-domains filtering
Procedures
Subject line filtering
Procedures
Content filtering action
Filtering keywords
Creating new keyword lists
Procedures
Enabling keyword filtering
Procedures
Keyword filtering action
Allowed senders lists
Procedures
Filter lists
Sending e-mail notifications
Configuring e-mail notifications
Procedures
Reporting and statistics features
Incidents database
Quarantine
Other database tasks
Distributed protection on all storage and transport Exchange server roles, including Edge Transport, Hub Transport, and Mailbox or Public Folder servers.
File filtering by file name, extension, or size.
Comprehensive notifications for the administrator and the message sender and recipient.
Forefront Security for Exchange Server provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2007 environments. This Quick Start Guide will help you install and start using Microsoft Forefront Security for Exchange Server in a basic environment. For more detailed information about the included topics and for additional topics not covered in this guide, see the "Microsoft Forefront Security for Exchange Server User Guide."
(or whatever folder in which you installed FSE) <Drive:>\Program Files\Microsoft\Exchange Server
The file-level antivirus scan can also cause a conflict when FSE tries to scan e-mail messages.
Intel Xeon or Intel Pentium Family processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
AMD Opteron or AMD Athlon 64 processor that supports AMD64 platform
Server software:
Microsoft Windows Server® 2003, Windows Small Business Server 2003, or Microsoft Windows Server "Longhorn"
Microsoft Exchange Server 2007 (Standard or Enterprise)
1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended).
Note: With each additional licensed scan engine, more memory is needed per scanning process.
2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.
1 gigahertz (GHz) Intel processor.
Procedures
To install Forefront Security for Exchange Server on a local server
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. The initial setup screen is Welcome. Click Next to continue.
3. Read the license at the License Agreement screen and click Yes to accept it.
4. On the Customer Information screen, enter User Name and Company Name, if needed.
5. On the Installation Location screen, select Local Installation.
6. On the Installation Type screen, select Full Installation.
7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.
8. On the Quarantine Security Settings screen, select the desired setting.
   Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
   Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.
9. On the Engine Updates Required screen, read the warning about engine updates.
10. If you use a proxy server for scanner updates, select Use Proxy Settings and enter its name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
    Note: If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.
11. If the server you are installing to is an Edge or Transport server, you may be asked if you want FSE to enable Anti-Spam Updates. If you have never made any change to the Anti-Spam Updates setting on the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have made a change to that setting, you do not see this option. If you do not enable Anti-Spam Updates during FSE installation, you can turn on updates by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.
    Note: If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, updates will be disabled.
12. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.
    Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server
13. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.
    Default: Microsoft Forefront Server Security\Exchange Server
14. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
15. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started or restarted, FSE cannot scan mail being sent or received.
16. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started, before clicking Next to continue.
17. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.
18. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started, before clicking Next to continue.
19. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.
Other installations
If you are installing on a remote server or performing an Administrator-only installation, follow the instructions in the "Microsoft Forefront Security for Exchange Server User Guide." If you are installing Forefront Security for Exchange Server in a clustered Exchange environment, see the "Microsoft Forefront Security for Exchange Server Cluster Installation Guide".
Services
The Microsoft® Forefront™ Security for Exchange Server services are the components that run on the Exchange server and control all back-end functionality of FSE. They service requests from the Microsoft Forefront Server Security Administrator, control the scanning processes, generate e-mail notifications, and store virus incident data to disk (which can be viewed using the Forefront Server Security Administrator). An Administrator-only installation does not install the Forefront Security for Exchange Server services.
FSCController
FSCController acts as the server component that Forefront Server Security Administrator connects to for configuration and monitoring. FSCController coordinates all Realtime, Manual, and Transport scanning activities. The FSCController startup type defaults to manual.
Note: Changing the startup type to anything other than "manual" may cause FSE to not scan properly.
Note: When you install Forefront Security for Exchange Server, it is configured to permit everyone access to FSCController. To change the security settings to restrict access to FSCController, you must use DCOMCNFG to modify the security settings.
Procedures
To build an access list of authorized users
1. Open a command prompt window.
2. Type DCOMCNFG and press ENTER. The Component Services dialog box appears.
3. In the Console Root section, expand Component Services.
4. Expand Computers.
5. Expand My Computer.
6. Expand DCOM Config.
7. In the Applications list, right-click FSCController, and then select Properties. The FSCController property dialog appears.
8. Click the Identity tab and configure your user accounts.
9. Click the Security tab and use the permissions lists to control which user accounts have rights to launch and activate the FSCController, access the FSCController, or change the DCOM configuration.
10. Click OK to close the Properties dialog.
To learn more about services, including information about FSCMonitor, FSEIMC, FSCRealtimeScanner, FSCTransportScanner, and FSCStatisticsService, see the Forefront Security for Exchange Server Services chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
Shuttle Navigator
The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:
SETTINGS
The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, and general options.
FILTERING
The FILTERING area enables you to configure content filtering, keyword filtering, file filtering, allowed senders lists, and filter lists.
OPERATE
The OPERATE area enables you to control virus scanning and filter options, schedule and run scan jobs, and perform quick scans.
REPORT
The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.
For detailed information about the areas of the Shuttle Navigator and their various configuration settings, see the "Microsoft Forefront Security for Exchange Server User Guide."
Indicates the e-mail addresses of administrators and others who should be notified in the event that the Exchange store starts and Forefront Security for Exchange Server is not hooked in or if the Forefront Security store shuts down. Multiple e-mail addresses are separated by semicolons. For example: admin@microsoft.com;admin2@microsoft.com.
Redistribution Server: Indicates that this server is acting as the central hub to distribute scanner updates to other servers.
Indicates that proxy settings are to be used when retrieving antivirus scanner updates. (For more information, see the "Updating the File Scanner Through a Proxy" section in "File Scanner Updating" in the User Guide.)
Indicates that Universal Naming Convention (UNC) credentials are needed when retrieving scanner updates from a file share. (For more information, see "File Scanner Updating" in the User Guide.) Credentials are not supported if you are using the Microsoft Forefront Server Security Management Console (FSSMC) for redistribution. Therefore, be sure to clear this setting if you are using FSSMC to manage antivirus engine updates.
The name or IP address of the proxy server. Required, if using proxy settings.
Indicates the port number of the proxy server. Required, if using proxy settings. The default is port 80.
Proxy Username: The name of a user with access rights to the proxy server, if necessary. Optional field.
The appropriate password for the proxy user name, if necessary. Optional field.
The name of a user with access rights to the UNC path, if necessary. Optional field.
The appropriate password for the UNC user name, if necessary. Optional field.
Procedures
To configure the Transport Scan Job
1. In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.
2. In the job list in the upper pane, select the Transport Scan Job.
3. In the Transport Messages section of the work pane, indicate the combination of Inbound, Outbound, and Internal messages to be scanned:
   Selecting the Inbound check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all e-mail messages entering the Edge Transport server or Hub Transport server. Messages are designated as inbound if the message originated from or was relayed through an external server. If the external server is not running FSE, this is an effective way to protect your installation from infected e-mail messages coming from the Internet.
   Selecting the Outbound check box within the Scan Job Settings work pane configures FSE to scan all outgoing e-mail messages that leave your Exchange site or Exchange organization via the Edge Transport server or Hub Transport server. Messages are designated as outbound if at least one recipient has an external address.
   Selecting the Internal check box within the Scan Job Settings work pane configures FSE to scan all mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.
4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.
5. Optionally, you can specify Tag Text. This text is used by Forefront Security for Exchange Server to “tag” the subject line or MIME header of messages that meet filter criteria so that they can be identified later for routing into specific user inboxes or for other purposes identified by the Forefront Server Security Administrator. The action for a filter must be set to Identify: Tag Message in order for the tag to be used. To modify the text, click the Tag Text button on the Scan Job Settings work pane. The Tag Text dialog box appears. There are two fields, each of which has a default that can be changed. The subject line tag text defaults to “SUSPECT:” and the message header tag text (which cannot have any spaces) defaults to “Junk-Mail”. Click OK.
6. Click the Save button to save your Transport Scan Job settings.
Note: When editing the Transport Scan Job, if no changes are made to the Transport Scan Job configuration, the Save and Cancel buttons are inactive. Making any change to the configuration activates these buttons. If you make a change to the Transport Scan Job and try moving to another scan job or shuttle icon, you are prompted to save or discard your changes.
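Added example (not from the Microsoft guide and not FSE code): a small Python model of the Inbound, Outbound and Internal designations described in the procedure above, showing which messages a given combination of check boxes leaves unscanned by the Transport Scan Job. The domain contoso.example, the Message fields and all function names are assumptions made for the illustration; the guide does not describe how FSE decides that a server or address is external.

```python
"""Model of the Transport Scan Job message designations (added example).

Not FSE code: the guide does not show how FSE decides that a server or
address is external, so the fields and helpers below are assumptions.
"""
from dataclasses import dataclass

# Assumption: "inside your domain" means the address domain is in this set.
INTERNAL_DOMAINS = {"contoso.example"}


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple
    # True when the message originated from or was relayed through an
    # external server (the guide's condition for "inbound").
    via_external_server: bool


def is_internal(address):
    """True when the address belongs to one of the internal domains."""
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def designations(msg):
    """Return every designation the guide's three rules give to msg.

    The guide does not say the designations are mutually exclusive,
    so the result is a set.
    """
    found = set()
    all_rcpts_internal = all(is_internal(r) for r in msg.recipients)
    if msg.via_external_server:
        found.add("Inbound")
    if not all_rcpts_internal:
        found.add("Outbound")  # at least one recipient has an external address
    # Assumption: "originates from inside your domain" is modelled as an
    # internal sender address with no external server in the path.
    if (is_internal(msg.sender) and not msg.via_external_server
            and all_rcpts_internal):
        found.add("Internal")
    return found


def is_scanned(msg, selected):
    """True when at least one selected check box matches the message."""
    return bool(designations(msg) & set(selected))


def unscanned(messages, selected):
    """Messages that none of the selected check boxes cover."""
    return [m for m in messages if not is_scanned(m, selected)]


# Constructed sample traffic (not taken from any real system).
SAMPLES = [
    Message("sales@partner.example", ("bob@contoso.example",), True),
    Message("bob@contoso.example",
            ("alice@contoso.example", "sales@partner.example"), False),
    Message("bob@contoso.example", ("alice@contoso.example",), False),
    # Internal-looking sender address, but delivered by an external server.
    Message("ceo@contoso.example", ("bob@contoso.example",), True),
]

if __name__ == "__main__":
    for selected in ({"Inbound", "Outbound"}, {"Internal"},
                     {"Inbound", "Outbound", "Internal"}):
        gaps = unscanned(SAMPLES, selected)
        print(sorted(selected), "leaves", len(gaps), "sample(s) unscanned")
        for m in gaps:
            print("   ", m.sender, "->", ", ".join(m.recipients))
```

With only Inbound and Outbound selected, the internal-to-internal sample is the one message the Transport Scan Job never sees in this model.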
Procedures
To configure antivirus settings
1. In the SETTINGS section of the Shuttle Navigator, click Antivirus. The Antivirus Settings work pane appears.
2. From the list in the upper pane, select the Transport Scan Job.
3. From the list of available third-party scanners in the File Scanners section, choose the file scanning engines. The five engines you chose at installation are initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To disable virus scanning while retaining the ability to run File Filtering and Keyword Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Transport Scan Job.
   Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
4. In the Bias field, select a bias setting for the scan job. Bias controls how many engines to use to provide you with an acceptable probability that your system is protected. The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.
   Note: Because the Transport Scan Job is your first line of defense against unwanted and malicious messages and attachments, consider setting the Bias to Max Certainty or Favor Certainty. Favor Certainty is the default setting. For more information about Bias settings, see the Multiple Scan Engines chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
5. In the Action field, select the action that you want Forefront Security for Exchange Server to perform when a virus is detected:
   Skip: detect only
      Make no attempt to clean or delete the infection. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
   Clean: repair attachment
      Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text. This is the default setting.
   Delete: remove infection
      Delete the attachment or message body without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place. By default, the text file contains the following string when viewed: Microsoft Forefront Security for Exchange Server removed %File% since it was found to be infected with %Virus% virus.
6. Enable e-mail notifications by using the Send Notifications field. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Sending e-mail notifications). Notifications are disabled by default.
7. Enable or disable saving infected attachments detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
8. Click the Save button to save your antivirus settings.
Select the Transport Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job. With the Transport Scan Job selected, the Enable and Bypass buttons control the operation of the job.
The Transport Scan Job can scan for viruses, perform file filtering or keyword filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Keyword Filtering check boxes to make the appropriate selections. Any change to these settings is immediate, even if the job is currently running.
The lower portion of the Run Job work pane shows the detection results of the currently selected scan job.
*rocedures
To configure the 1ea"ti#e Scan 8o0 5% In the SETTI'GS section of the 1huttle =a)igator, select Scan 8o0% 7he Scan 8o0 Settings $or, pane appears% 2% In the top portion of the $or, pane, select the 1ea"ti#e Scan 8o0% 6% In the Scan portion of the $or, pane, select the mailbo&es and public folders to be protected% 7here are three options for ma,ing mailbo& or public folders selections: -"" 1can all e&isting and ne$ly created mailbo&es or public folders% 'one Fo not scan any mailbo&es or public folders%
25
Se"ected 1can specific mailbo&es or public folders% "hen you choose Se"ected, the icon underneath the options becomes acti)e% Clic, this icon to change to the listing of mailbo&es or public folders on the ser)er% Mou can choose each mailbo& or public folder to be scanned by clic,ing its name% Mou can use the accompanying buttons to select all or none of the mailbo&es or public folders% 7he 97 button in)erts the current selection% 'ote( Choosing all mailbo&es or public folders in the selection $indo$ is not the same as choosing the -"" option in the pre)ious $indo$% 0n inclusion list is built from the selections made in this $indo$% =e$ mailbo&es or public folders added after ma,ing this selection are not automatically included% 7o return to the main scan selection $indo$, clic, the arro$ in the upper(right corner of the mailbo& or public folder selection $indo$% ;% :ptionally, you can specify 3e"etion Text, $hich is used to replace the contents of an infected file during a delete operation% 7he default deletion te&t informs you that an infected file $as remo)ed, along $ith the name of the file and the name of the )irus found% 7o create your o$n custom message, clic, 3e"etion Text% <% Clic, the Save button to sa)e your scan #ob settings%
work pane of the OPERATE section of the Shuttle Navigator for the Realtime Scan Job.
Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
4. In the Bias field, select a bias setting for the scan job. Bias controls how many engines to use to provide you with an acceptable probability that your system is protected. The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.
   Note: Consider setting the Bias to Favor Certainty. For more information about Bias settings, see the Multiple Scan Engines chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
5. In the Action field, select the action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:
   Skip: detect only. Make no attempt to clean or delete the infection. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.
   Clean: repair attachment. Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text. This is the default setting.
   Delete: remove infection. Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
6. Enable e-mail notifications by using the Send Notifications field. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see Sending e-mail notifications). Notifications are disabled by default.
7. Enable or disable the saving of attachments detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
8. Click Save.
The lower portion of the work pane permits you to select the mailboxes and public folders to be protected and edit the deletion text that is used when the contents of an infected file are deleted. To configure Manual Scan Job settings for scanning mailboxes and public folders, and to specify deletion text, you can follow the procedures in the Configuring the Realtime Scan Job - QS chapter.
Procedures
To schedule background scanning
1. Select the date, time, and frequency of your scheduled background scan.
2. If the job is disabled, click Enable to enable it.
3. Click Save. The Schedule Job work pane displays the status of the background scan.
To stop or disable background scanning
1. Click REPORT in the Shuttle Navigator, and then click Schedule Job.
2. At the top of the Schedule Job work pane, select the Background Scan Job.
3. Click the Stop button on the Schedule Job work pane.
Note: After a Background Scan Job has been stopped, it restarts after the next signature update if the General Options settings Scan on Scanner Update and Enable Background Scan if 'Scan on Scanner Update' Enabled are selected (both are disabled by default). If you do not want the Background Scan Job to start after the next signature update, you can disable the schedule scan in two ways:
   Clear the General Options settings Scan on Scanner Update and Enable Background Scan if 'Scan on Scanner Update' Enabled.
   Click the Disable button on the Schedule Job work pane.
On access scanning
By default, Exchange 2007 on-access scanning ensures that all files being accessed have been scanned at least once by Forefront Security for Exchange Server.
Procedures
To enable heightened security on access scanning
Heightened security on-access scanning is controlled by the General Options setting: Scan on Scanner Update. Following a scanner update, previously scanned files are re-scanned when accessed if this option is enabled.
information about enabling background scanning on engine update, see the Background Scanning and On Access Scanning chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
Filtering files
The Forefront Security for Exchange Server file filter feature gives administrators the ability to search for attachments with a specific name, type, extension, and size within an e-mail message. If it finds a match, the file filter can be configured to perform actions on the attachment such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).
Filtering by extension
If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive. For example: Create the filter *.exe* and set the File Types selection to All Types. This ensures that all files with an .exe extension are filtered.
Filtering by name
If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive. For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc is filtered no matter what the file type.
Procedures
To configure the file filter
1. In the Shuttle Navigator, click FILTERING.
2. Click the File icon. The File Filtering pane appears.
3. Select the scan job for which you want to add a file filter.
4. Create the file filter by clicking the Add button and entering the proper syntax. There are a number of ways you can enter a file filter. File filters work by a combination of file name and file type. You must select both elements to complete the filter.
5. Use the File Filter field to set the filter to Enabled.
6. In the Action field, indicate the action that should be taken when a file filter is matched. The options are described in File filtering action.
7. Select if you would like to send notifications when a file is detected. In addition, you must also configure the notifications (see Sending e-mail notifications).
8. Select if you would like detected files quarantined. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
9. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.
10. Click the Save button to save the new file filter.
Note: You can also put your filters in Filter lists.
Identify: tag message. The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. This tag is used for all filters associated with the particular scan job.
For more information about setting file filters, including using wildcard characters and creating filters only for inbound or outbound messages, see the File Filtering chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
Filtering content
Content filtering permits administrators to filter messages using a variety of filtering tools, including sender-domains filtering and subject line filtering. Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream.
Note: Content filtering is only available for Realtime and Manual Scan Jobs. You can only select the Skip: detect only action for Manual Scan Jobs.
Procedures
To configure sender domains filtering
1. In the Shuttle Navigator, click FILTERING.
2. Select the Content icon. The Content Filtering pane appears.
3. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job.
4. In the Content Fields pane in the lower-left corner, select Sender-Domains, and then click the Add button in the Content Filters pane.
5. A text box appears. Type the sender or domain to filter. If you want to use a generic domain name filter, you must use an asterisk (*) wildcard character before the domain name. For example: *@domain.com
6. Press ENTER when you have typed the sender or domain. You may add as many entries as you like.
7. Enable the filter with the Filter field.
8. In the Action field, indicate the action that should be taken when the filter is matched. The options are described in Content filtering action.
9. Indicate if you would like to send notifications when a file is detected. In addition, you must also configure the notifications (see Sending e-mail notifications).
10. Indicate if you would like detected files quarantined. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Click the Save button to save the new file filter.
The scan job looks at both the display name and the e-mail address of the sender to match against sender-domains filters. If either matches, the filter action will be taken.
Note: You can also have Allowed senders lists.
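The matching rules described above for file filters (a name or extension pattern with File Types set to All Types, not case-sensitive) and for sender-domains filters (display name or address, either one triggers the action) can be modelled as follows. This is an added example, not product code: it assumes the asterisk is the only wildcard, applies the same case-insensitivity to sender filters, and uses made-up function names and constructed sample data.

```python
import re
from email.utils import parseaddr


def wildcard_match(pattern, value):
    """Case-insensitive match where '*' stands for any run of characters.

    Assumption: only the asterisk is a wildcard here; the product's full
    filter syntax is in its User Guide, not on this page.
    """
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def file_filter_hits(filters, attachment_names):
    """Return (filter, attachment) pairs for every filter that matches.

    Models a name/extension filter with File Types set to All Types, so the
    file's actual content type plays no part in the decision.
    """
    return [(f, name) for name in attachment_names
            for f in filters if wildcard_match(f, name)]


def sender_filter_hit(filters, from_header):
    """Check the address and the display name of a From header.

    Returns (filter, field) for the first match, or None when nothing matches.
    """
    display_name, address = parseaddr(from_header)
    for f in filters:
        if address and wildcard_match(f, address):
            return (f, "address")
        if display_name and wildcard_match(f, display_name):
            return (f, "display name")
    return None


# Constructed sample data for illustration only.
FILE_FILTERS = ["*.exe*", "payload.doc"]
ATTACHMENTS = ["Report.pdf", "Setup.EXE", "Payload.doc", "payload.docx"]
SENDER_FILTERS = ["*@domain.com"]
FROM_HEADERS = [
    "Alice <alice@domain.com>",                  # address matches
    '"billing@domain.com" <x@other.example>',    # only the display name matches
    "Bob <bob@sub.domain.com>",                  # subdomain is not covered
]

if __name__ == "__main__":
    for hit in file_filter_hits(FILE_FILTERS, ATTACHMENTS):
        print("file filter hit:", hit)
    for header in FROM_HEADERS:
        print(header, "->", sender_filter_hit(SENDER_FILTERS, header))
```

The third header shows why a generic filter written for one domain should be reviewed against the subdomains you also expect to cover.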
Procedures
To configure subject line filtering
1. In the Shuttle Navigator, click FILTERING.
2. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job.
3. Select the Content icon. The Content Filtering pane appears.
4. In the Content Fields pane in the lower-left corner select Subject Lines, and then click the Add button in the Content Filters pane.
5. A text box appears. Type the content you would like to filter.
6. Press ENTER after you have typed the content. You may add as many entries as you like. If you are entering a partial subject line as a filter, it is recommended that you use asterisk (*) wildcard characters at the beginning and the end of the phrase to ensure proper detection.
7. Enable the filter with the Filter field.
8. In the Action field, indicate the action that should be taken when the filter is matched. The options are described in Content filtering action.
9. Indicate if you would like to send notifications when a file is detected. In addition, you must also configure the notifications (see Sending e-mail notifications).
10. Indicate if you would like detected files quarantined. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Click the Save button to save the new file filter.
Purge: eliminate message. This setting deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.
Filtering keywords
Keyword filtering is intended to identify unwanted e-mail messages by analyzing the contents of the message body as messages are transported by the Transport Scan Job. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences. Additionally, keyword filter lists help you to organize your keyword filters.
Procedures
To create a new keyword list
1. In the Shuttle Navigator, click FILTERING, and then click the Filter Lists icon.
2. Select Keywords in the List Type pane.
3. In the List Names section, click the Add button.
4. Type a name for the new list, and then press Enter. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add content to your filter list.
6. In the Include In Filter section, click the Add button.
7. Type a word or phrase to be included in the filter list. Press Enter when you are finished typing. You may have as many words or phrases as you want, but each must be entered separately. The Exclude from Import field is used to enter keywords or phrases that should never be included in the keyword list. This prevents these words and phrases from accidentally being added when importing a list from a text file. For information about importing new items into a filter list and for detailed information about keyword filter syntax, see the "Keyword Lists" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
8. When you are finished adding items, click OK.
9. Click Save.
Procedures
To enable keyword filtering
1. In the Shuttle Navigator, click FILTERING.
2. Click the Keyword icon. The Keyword Filtering work pane appears.
3. Select the Transport Scan Job. (Keyword filtering only works with the Transport Scan Job.)
4. In the Keyword Fields section, select Message Body.
5. Select one of the filter lists you have created.
6. Using the Filter field, set the filter to Enabled.
7. Set the Keyword filtering action.
8. Indicate whether you would like to send notifications (for the procedures to configure notifications, see Sending e-mail notifications), quarantine identified files, and scan inbound, outbound, or internal mail.
9. Indicate if you would like to Quarantine identified files. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
10. Indicate what combination of Inbound, Outbound, and Internal mail should be scanned.
11. Indicate the Minimum Unique Keyword Hits. This setting enables you to specify how many unique keywords must be matched for the action to be taken. The default is 1. For example, you have set the minimum unique keyword hits value to 3. The word "wonderful", which is in the list, appears three times in the message. However, no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched.
Note: Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it reports two detections in the Virus Incidents log and the Quarantine database.
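The Minimum Unique Keyword Hits rule and the note about plain-text and HTML bodies, worked through as an added Python example (not product code). Assumptions: keywords match case-insensitively as whole words or phrases, each body part is evaluated on its own, and all names and sample data are constructed.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects the visible text of an HTML body, dropping the tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def html_to_text(html_body):
    parser = _TextExtractor()
    parser.feed(html_body)
    parser.close()
    # Joined without separators so inline tags inside a word do not split it.
    return "".join(parser.chunks)


def unique_hits(text, keywords):
    """Return the set of list entries that occur at least once in text.

    Assumption: case-insensitive whole-word/phrase matching; the product's
    real keyword syntax is in its User Guide, not on this page.
    """
    hits = set()
    for kw in keywords:
        pattern = r"(?<!\w)" + re.escape(kw) + r"(?!\w)"
        if re.search(pattern, text, re.IGNORECASE):
            hits.add(kw.lower())
    return hits


def evaluate(bodies, keywords, min_unique_hits=1):
    """bodies: dict with optional 'plain' and 'html' keys.

    Returns one detection record per body part that reaches the threshold,
    so a message matching in both parts yields two records.
    """
    detections = []
    for part in ("plain", "html"):
        raw = bodies.get(part)
        if raw is None:
            continue
        text = html_to_text(raw) if part == "html" else raw
        hits = unique_hits(text, keywords)
        if len(hits) >= min_unique_hits:
            detections.append({"part": part, "keywords": sorted(hits)})
    return detections


# Constructed sample data for illustration only.
KEYWORDS = ["wonderful", "free offer", "act now"]
MESSAGE = {
    "plain": "A wonderful day, a wonderful deal, simply wonderful.",
    "html": "<p>A <b>wonderful</b> day, a wonderful deal, simply wonderful.</p>",
}

if __name__ == "__main__":
    # Three occurrences of one keyword are still one unique hit.
    print("threshold 3:", evaluate(MESSAGE, KEYWORDS, min_unique_hits=3))
    # With the default threshold both body parts produce a detection.
    print("threshold 1:", evaluate(MESSAGE, KEYWORDS, min_unique_hits=1))
```

When sizing the Incidents log and quarantine, expect a multipart message to count twice per keyword match under this behaviour.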
Procedures
To create an allowed senders list
1. In the FILTERING section of the Shuttle Navigator, select Filter Lists.
2. In the List Type section, select Allowed Senders.
3. In the List Names section, click the Add button, type a name for the new list in the text box provided, and then press ENTER to save the list.
4. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to enter e-mail addresses or e-mail domains to include in the allowed sender list.
5. In the Include In Filter section, click the Add button. Type the e-mail address or domain in the text box, and press Enter. User addresses should be entered in the format: user@domain. E-mail domain names should be entered in the format: *domain.
6. Enter each address or domain individually.
7. When you are finished adding items, click OK.
8. Click Save to save the list.
9. To enable the list, click Allowed Senders in the FILTERING section of the Shuttle Navigator, select the Transport Scan Job, select the list name in the Sender Lists work pane, and set the List State to Enabled.
10. In the Skip Scanning for section, indicate if the allowed senders list should apply to Keyword Filtering, File Filtering, or both. You can click All Types to have all the choices selected. If you make no choice, the filter is effectively disabled.
11. Click Save.
Filter lists
The Filter list functionality in Forefront Security for Exchange Server also permits you to create filter lists for use with content and file filtering. By using filter lists for File Filters, Subject Lines Filters, or Sender-Domains Filters, you can maintain individual lists of filters for use by different scan jobs or simply organize your filters.
To create a new file or content filter list, select Files, Keywords, Subject Lines, Sender Domains, or Allowed Senders in the List Types pane of the Filter Lists view (of the FILTERING section of the Shuttle Navigator) and click the Add button. Type a name for the filter list and then press Enter. The new filter list now appears in the List Names section.
After you create a new list, click the Edit button. The window described in Allowed senders lists appears to permit you to add items to the list (or to edit it). Click the Add button to add file names and types, words and phrases, or domain names. The type of items you add depends on the type of filter list you selected: Files (add file names), Keywords (add words that might appear in the message), Subject Lines (add text that might appear in the subject line of a message), Sender Domains (add specific senders or generalized domains), or Allowed Senders (add safe addresses or domains).
The Exclude from Import field is used to enter file names, words and phrases, or domain names that should never be included on the relevant list. This prevents these entries from accidentally being added when importing a list from a text file. For information about importing new items into a filter list, see the "Keyword Filtering" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
Note: You can change the name of a list by selecting the list in the List Names box and pressing F2.
administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.
Procedures
To configure notifications
1. In the REPORT section of the Shuttle Navigator, select Notification. The Notification Setup work pane appears. The top pane of the Notification Setup work pane lists the default notification roles. Each role can be customized, as well as enabled or disabled. For details about each of the default notification roles, see the "E-Mail Notifications" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
2. Enable the notifications that are to be in effect. The Enable and Disable buttons in the Notification Setup work pane permit you to selectively enable or disable any selected notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save.
   Note: Scan job configurations control whether a scan job sends any enabled notifications.
3. Make the desired changes to the notifications that are enabled.
4. Click Save to save your work.
Incidents database
The Incidents database (Incidents.mdb) stores all virus detections or filter operations for a Microsoft® Exchange Server, regardless of the scan job that caught the infection or performed the filtering. The results are stored to disk in the Incidents database by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. To view the Incidents database, select Incidents in the REPORT section of the Shuttle Navigator. The Incidents work pane appears. For details about the information that Forefront Security for Exchange Server reports for each incident, see the "Reporting and Statistics" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
Quarantine
Forefront Security for Exchange Server, by default, creates a copy of every detected file before a clean, delete, or skip action occurs. These files are stored in an encoded format in the Quarantine folder under the Forefront Security for Exchange Server DatabasePath folder (which defaults to the Installation folder). Forefront Security for Exchange Server performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled. An administrator can access the Quarantine pane to delete or extract stored detected file attachments.
To view the Quarantine log, click REPORT in the Shuttle Navigator, and then click the Quarantine icon. The Quarantine pane appears. The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as virus or filter match), the name of the infecting virus or the filter name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.