Chapter 8 - Configuring SMTP Scan Jobs
Applies to: Microsoft Antigen
The Antigen SMTP Scan Job (also known as the Internet Scan Job) runs on a Microsoft® Exchange server that is running the SMTP stack of Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003. It can scan, in real time, all MIME and uuencode-based e-mail that is inbound or outbound via the SMTP stack of an Exchange site or organization. The SMTP scanner scans for viruses in attachments and for embedded and HTML viruses in the message body.
Antigen scans mail on all SMTP virtual servers when the SMTP Scan Job is enabled (it is enabled by default). If you do not want Antigen to scan every enabled SMTP virtual server, create a string registry value named DisableSMTPVS and populate it with a comma-delimited list of numbers 1 through 10 representing the virtual servers that Antigen should skip during scanning.
Example: If you have four virtual servers and want to scan only on Virtual Server 1 (VS1) and VS3, the string value would be: 2,4 (Do not use any spaces in the string.)
Do not place anything other than the numbers 1 through 10 in the string or it will cause unpredictable results. The SMTP service must be recycled for the registry changes to take effect.
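Because anything other than comma-delimited numbers 1 through 10 produces unpredictable results, it is worth validating the string before it is written to the registry. The following Python script is added here as an illustration; it is not part of the Antigen product or of this manual. It checks a candidate DisableSMTPVS string against the rules above, reports which virtual servers would still be scanned, and builds a correctly formed string from a set of virtual server numbers. The registry path for the value is documented in Appendix B and is not assumed here; the rejection of leading zeros and of numbers above the count of existing virtual servers are this script's conservative choices, not statements from the manual.

```python
import re

# The value name comes from this chapter; where it lives in the registry is
# documented in Appendix B of the Antigen manual and is not reproduced here.
DISABLE_SMTPVS_VALUE_NAME = "DisableSMTPVS"
VS_MIN, VS_MAX = 1, 10  # Antigen numbers SMTP virtual servers 1 through 10


def parse_disable_smtpvs(value: str, vs_count: int) -> set:
    """Validate a DisableSMTPVS string and return the set of virtual server
    numbers Antigen will skip.

    Rejects everything the chapter says must not be in the string: spaces,
    anything other than the numbers 1 through 10, and malformed delimiting
    such as "2,,4" or a trailing comma. Numbers above vs_count are within
    Antigen's 1..10 range but name a virtual server that does not exist on
    this server, so they are rejected too (this script's choice, so that a
    stale entry is not left behind after a virtual server is removed).
    """
    if not VS_MIN <= vs_count <= VS_MAX:
        raise ValueError("vs_count must be between 1 and 10")
    if " " in value:
        raise ValueError("DisableSMTPVS must not contain spaces")
    if not re.fullmatch(r"[0-9]+(,[0-9]+)*", value):
        raise ValueError("DisableSMTPVS must be comma-delimited numbers only")
    skipped = set()
    for token in value.split(","):
        if token.startswith("0"):
            # "02" is not one of the numbers 1 through 10 as written; reject it.
            raise ValueError(f"leading zero or zero not allowed: {token}")
        n = int(token)
        if not VS_MIN <= n <= VS_MAX:
            raise ValueError(f"virtual server number out of range: {n}")
        if n > vs_count:
            raise ValueError(f"virtual server {n} does not exist (only {vs_count} configured)")
        if n in skipped:
            raise ValueError(f"duplicate virtual server number: {n}")
        skipped.add(n)
    return skipped


def is_valid_disable_smtpvs(value: str, vs_count: int) -> bool:
    """True when parse_disable_smtpvs() accepts the string."""
    try:
        parse_disable_smtpvs(value, vs_count)
    except ValueError:
        return False
    return True


def scanned_virtual_servers(value: str, vs_count: int) -> set:
    """Virtual servers that remain scanned after DisableSMTPVS is applied."""
    return set(range(1, vs_count + 1)) - parse_disable_smtpvs(value, vs_count)


def build_disable_smtpvs(skip) -> str:
    """Render a set of virtual server numbers in the exact form the chapter
    requires: ascending, comma-delimited, no spaces."""
    skip = set(skip)
    if not skip:
        raise ValueError("nothing to skip; delete the DisableSMTPVS value instead")
    if any(not VS_MIN <= n <= VS_MAX for n in skip):
        raise ValueError("virtual server numbers must be 1 through 10")
    return ",".join(str(n) for n in sorted(skip))


if __name__ == "__main__":
    # The chapter's example: four virtual servers, scan only VS1 and VS3.
    print(build_disable_smtpvs({2, 4}))                # 2,4
    print(sorted(scanned_virtual_servers("2,4", 4)))   # [1, 3]
```

Run the validator on the string before you create the value, then recycle the SMTP service as described above; the script itself does not touch the registry.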
When running Microsoft Exchange 2000 Server pre-SP3, outgoing messages may not be scanned because outgoing messages waiting to be scanned are not blocked from being accessed by transports such as X.400, SMTP, and the Lotus Notes Connector. This is a known limitation of the Microsoft VSAPI2 in pre-SP3 builds.
About multiple Internet processes
Two Internet Scan Jobs (processes) are created during installation, but administrators can create additional Internet Scan Jobs by changing the value of the General Option setting Internet Process Count to represent the number of Antigen Internet Scan Jobs that they want running on the SMTP stack. The maximum is 10.
When you run multiple Internet processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file will be scanned by the third process. Whenever possible, Antigen delivers files to the first process, if it is available. Multiple processes increase the load on the server at startup when they are being loaded and whenever they are called upon to scan a file. More than two Internet processes should not be necessary, except in high-volume environments that need the additional redundancy provided by three or four processes. As a general rule, it is recommended to enable only two Internet processes per processor on each server.
Configuring the SMTP Scan Job
When configuring the SMTP Scan Job settings, select the SMTP messages (Inbound, Outbound, or Internal) and optional features, such as Deletion Text and Tag Text.
To configure the SMTP Scan Job
Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.
Click SMTP Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.
Select the type of message that you would like to scan: Inbound, Outbound, or Internal messages.
- Selecting the Inbound check box configures Antigen to scan all e-mail messages entering the Internet Mail Service or the Internet Mail Connector (IMS or IMC). Messages are designated as inbound if the message originated from, or was relayed through, an external server. If the Exchange servers within that site or organization are not running Antigen, this is an effective way to protect them from infected e-mail messages coming from the Internet.
- Selecting the Outbound check box configures Antigen to scan all outgoing e-mail that leaves your Exchange site or Exchange organization via the IMS/IMC. Messages are designated as Outbound if at least one recipient has an external address.
- Selecting the Internal check box configures Antigen to scan all e-mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.
Optionally, if you are installing both Microsoft Antigen for Exchange and the Microsoft Antigen Spam Manager on a server running Exchange Server 2003, you can set the Store Action Threshold. The Store Action Threshold designates when Exchange 2003 will divert a suspected spam e-mail message to a Junk Mail folder based on the spam confidence level (SCL) rating of the message.
For this feature to function properly, administrators must use the Identify: Tag Message Action to configure the Antigen Spam Manager to include the SCL rating. (For more information, see Chapter 17 - Antigen Spam Manager overview.) By default, the Store Action Threshold is set to 8 so that any message with an SCL rating higher than 8 will be diverted to the Junk Mail folder. When Antigen identifies a message as spam, it sets the SCL rating to 9.
Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.
Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.
Optionally, if the Advanced Spam Manager is installed, you can specify Tag Text. When you click the Tag Text button, a text box appears. This text is used by Antigen for Exchange to tag the subject line or MIME header of a message when the Action for a filter is set to Identify: Tag Message. (For more information about this Action, see Chapter 17 - Antigen Spam Manager overview.) A custom message can be used by modifying this text box.
Optionally, if you would like to append a disclaimer to all outbound messages, select the Add Outbound Disclaimer check box. For more information about this feature, see Adding outbound disclaimers.
Adding outbound disclaimers
The Add Disclaimer feature of Antigen enables administrators to append a disclaimer to outbound messages flowing through the SMTP stack. If the Add Outbound Disclaimer button is selected during configuration of the SMTP Scan Job, the Disclaimer Text button is enabled.
Click the Disclaimer Text button to display a text input dialog box. The default disclaimer text appears.
You may customize the disclaimer text by entering the message you would like to include in all outgoing messages. When enabled, the disclaimer text will be appended to the message body of all outbound messages.
The disclaimer text can also be entered by using HTML tags to format the text. For example, you can create a disclaimer such as: <DIV><FONT size="4">This is a test disclaimer</FONT></DIV>
If the e-mail message is sent in HTML form, the HTML formatted disclaimer is appended and is displayed properly provided the recipient is using an e-mail client that supports HTML formatted messages. If the recipient's e-mail client supports only plain text, the recipient will see the entire HTML formatted disclaimer text, which includes the HTML tags. This is also the case if the sender is sending the message in plain text.
The disclaimer setting, along with the disclaimer text, is saved in the SMTP Scan Job, and is disabled by default.
When upgrading from previous versions of Antigen, the SMTP Scan Job will be updated to include this setting.
To avoid having disclaimers appended to mail destined for addresses within your internal domain, you must enter your e-mail domains into the General Option setting Internal Address. Enter your local domain name (DomainName.com). You can also enter multiple domain names by separating each name with a semicolon (;)—no space is required. For more information about the Internal Address General Option, see Chapter 4 - Using the Antigen Administrator.
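The following Python model is added here to make the Inbound/Outbound/Internal rules from the SMTP Scan Job settings and the Internal Address rule for disclaimers concrete; it is not Antigen's code and not part of this manual. It parses a semicolon-separated Internal Address setting, classifies a message by the three rules above, reports whether the message falls inside the selected scan directions, and appends the disclaimer only when at least one recipient lies outside the internal domains. Two simplifications are assumed and labelled in the code: the sender address stands in for "originated from, or was relayed through, an external server" (the product sees the SMTP stack, which this model does not), and a domain matches only exactly, because the manual does not say whether subdomains of a listed domain count as internal.

```python
from dataclasses import dataclass

INBOUND, OUTBOUND, INTERNAL = "Inbound", "Outbound", "Internal"


def parse_internal_address(setting: str) -> frozenset:
    """Parse the Internal Address General Option: domain names separated by
    semicolons, e.g. "DomainName.com;Subsidiary.org" (no spaces required)."""
    return frozenset(d.strip().lower() for d in setting.split(";") if d.strip())


def is_internal_address(address: str, internal_domains: frozenset) -> bool:
    """Assumption: an address is internal when its domain exactly matches a
    listed domain (case-insensitive). The chapter does not say whether
    subdomains of a listed domain count, so here they are treated as external."""
    _, at, domain = address.rpartition("@")
    return bool(at) and domain.lower() in internal_domains


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


def classify(msg: Message, internal_domains: frozenset) -> str:
    """Apply the chapter's three rules in order. Assumption: the sender
    address stands in for "originated from, or was relayed through, an
    external server"; the real product sees which SMTP connector the message
    arrived on, which this model does not."""
    if not is_internal_address(msg.sender, internal_domains):
        return INBOUND                       # came from outside
    if any(not is_internal_address(r, internal_domains) for r in msg.recipients):
        return OUTBOUND                      # at least one external recipient
    return INTERNAL                          # inside to inside only


def selected_for_scan(msg: Message, internal_domains: frozenset, enabled: set) -> bool:
    """`enabled` mirrors the Inbound/Outbound/Internal check boxes."""
    return classify(msg, internal_domains) in enabled


def append_outbound_disclaimer(msg: Message, internal_domains: frozenset,
                               disclaimer: str, add_outbound_disclaimer: bool) -> str:
    """Return the body as it leaves the server. The disclaimer goes on mail
    that has at least one recipient outside the Internal Address domains.
    With an empty Internal Address setting every recipient looks external,
    so purely internal mail gets the disclaimer too, which is the pitfall the
    chapter warns about. The text is appended verbatim, so a plain-text
    message shows any HTML tags literally."""
    if not add_outbound_disclaimer:
        return msg.body
    if all(is_internal_address(r, internal_domains) for r in msg.recipients):
        return msg.body
    return msg.body + "\n" + disclaimer


if __name__ == "__main__":
    # Constructed sample traffic, not captured mail.
    domains = parse_internal_address("DomainName.com;Subsidiary.org")
    samples = [
        Message("partner@example.net", ["alice@domainname.com"], "hello"),
        Message("alice@DomainName.com", ["bob@subsidiary.org", "partner@example.net"], "hello"),
        Message("alice@domainname.com", ["bob@Subsidiary.org"], "hello"),
    ]
    for m in samples:
        print(classify(m, domains), "scanned:", selected_for_scan(m, domains, {INBOUND, OUTBOUND}))
```

The last sample shows the effect of the Internal Address setting directly: with "DomainName.com;Subsidiary.org" configured the message is Internal and leaves without a disclaimer; with the setting empty, append_outbound_disclaimer() treats both recipients as external and appends it.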
Antigen supports multiple SMTP disclaimers for outgoing e-mail messages. For more information about this feature, see Appendix F - Using multiple disclaimers.
Configuring the antivirus scanners and job action
After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.
To configure antivirus settings
Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.
Select the SMTP Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.
In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the SMTP Scan Job.
Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.
Select the Action that you want Antigen for Exchange to perform when a virus is detected:
- Skip: detect only – Make no attempt to clean or delete. Viruses are reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
- Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
- Delete: remove infection – Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. By default, the text file contains the following string: "Microsoft Antigen for Exchange removed %File% since it was found to be infected with %Virus% virus."
Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. You must also configure the notifications themselves. (For more information about configuring notifications, see Chapter 18 - Using e-mail notifications.) Notifications are disabled by default.
Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, enabling you to recover them. However, worm-purged messages are not recoverable.
Controlling the SMTP Scan Job
After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the SMTP Scan Job.
To control the SMTP Scan Job
Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right.
The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether they are performing scanning or filtering operations.
Select the SMTP Scan Job.
If the State for the scan job is not set to Enabled, click the Enable button to enable the scan job.
Select or clear the check boxes that determine whether you can perform Virus Scanning, File Filtering, Content Filtering, Keyword Filtering, and Mailhost Filtering. If the Antigen Spam Manager is installed, you can also select or clear Spam Scanning. Any change to these settings is performed immediately, even if the scan job is currently running.
Checking results and status
The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored on disk in the virus log file by the AntigenService service and do not depend on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log.
A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.
If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.
Use the Export button to save the results in formatted text or delimited text format.
About SMTP Scan recovery
If the SMTP Scan Job takes longer than a specified amount of time to scan a message (the default is 5 minutes or 300,000 milliseconds), the process is terminated and Antigen attempts to restart the service. If successful, SMTP scanning resumes and a notification is sent to the administrator stating that the SMTP Scan Job stopped and recovered.
When the new Internet scan process starts, the message that caused it to terminate is reprocessed according to the Action set in the General Option setting Internet Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the SMTP Scan Job, logs the information, and quarantines and archives the file. (For more information on General Options, see Chapter 4 - Using the Antigen Administrator.)
If the process cannot be restarted, a notification is sent to the administrator stating that the SMTP Scan job stopped. In this event, SMTP scanning will not function and the mail stream will not be scanned.
If you continue to have time-out problems, you can try increasing the time specified in the InternetTimeout registry value. Because this is a hidden registry value, you will have to create a new DWORD registry value called InternetTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Antigen services for the change to take effect. For more information on registry values, see Appendix B - Setting registry values.
Scanning nested compressed files
Deeply nested compressed files can slow the performance of Antigen and the Exchange server. Deep nesting is also a known denial-of-service technique against antivirus products. To minimize the potential impact on server performance and guard against denial-of-service attacks, the General Option Max Nested Compressed Files is set to 5 by default. This setting enables Antigen to search into five nested, compressed attachments to scan for viruses. Attachments with more than five nestings are marked for deletion.
You may change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Using the Antigen Administrator.
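The following Python script is added here as an illustration of the nesting limit described above; it is not Antigen's code and not part of this manual. It opens a zip attachment layer by layer, stops as soon as an archive sits deeper than the configured limit and marks the attachment for deletion rather than continuing to unpack, and also marks corrupted archives for deletion in the way the Delete Corrupted Compressed option does. The depth counting (the outermost attachment is level 1, so a zip wrapped five times is allowed and six times is not) and the zip-only handling are this script's assumptions; Antigen handles other compression formats too. The sample input is constructed in the script and contains no malware, only the nesting pattern.

```python
import io
import zipfile

MAX_NESTED_COMPRESSED_FILES = 5   # Antigen General Option default


class NestingLimitExceeded(Exception):
    """Raised when an archive sits deeper than the configured nesting limit."""


def _is_zip(data: bytes) -> bool:
    # Header check, not extension check: local-file header or empty-archive marker.
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def _leaf_members(data: bytes, max_nested: int, depth: int):
    """Return [(path, payload)] for every non-archive file reachable inside
    `data`, recursing into archives within archives. `depth` is the number
    of archive layers opened so far, counting `data` itself. The limit is
    checked before an archive is opened, so an over-deep archive is never
    decompressed at all."""
    if depth > max_nested:
        raise NestingLimitExceeded(f"archive nested {depth} levels deep, limit is {max_nested}")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            if _is_zip(payload):
                for path, blob in _leaf_members(payload, max_nested, depth + 1):
                    leaves.append((f"{info.filename}/{path}", blob))
            else:
                leaves.append((info.filename, payload))
    return leaves


def scan_attachment(data: bytes, max_nested: int = MAX_NESTED_COMPRESSED_FILES):
    """Returns ("scan", leaves) when every member is reachable within the
    nesting limit, or ("delete", reason) when the attachment is to be marked
    for deletion: past the nesting limit, as the chapter describes, or
    corrupted, as the Delete Corrupted Compressed option does."""
    if not _is_zip(data):
        return "scan", [("<attachment>", data)]
    try:
        return "scan", _leaf_members(data, max_nested, 1)
    except NestingLimitExceeded as exc:
        return "delete", str(exc)
    except zipfile.BadZipFile as exc:
        return "delete", f"corrupted compressed file: {exc}"


def build_nested_zip(levels: int, inner_name: str = "payload.txt",
                     inner_data: bytes = b"constructed harmless test payload") -> bytes:
    """Constructed test input: a zip wrapped in a zip `levels` times.
    No malware here, only the nesting pattern the limit defends against."""
    data, name = inner_data, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


if __name__ == "__main__":
    for levels in (5, 6):
        verdict, detail = scan_attachment(build_nested_zip(levels))
        print(levels, "levels ->", verdict,
              detail if verdict == "delete" else [p for p, _ in detail])
```

Only nesting depth is enforced here; a decompressed-size or compression-ratio limit, which guards against the other classic archive denial-of-service, is outside what this chapter describes and is not modelled.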
Scanning files by type
By default, Antigen is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen can be configured to scan only file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Antigen performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Antigen to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry value ScanAllAttachments to 0. (ScanAllAttachments is a "silent" value, that is, if it is not present, its value defaults to 1.)
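The following Python script is added here to show header-based typing in practice; it is not Antigen's code, and its signature table is a short list of well-known magic numbers, not the product's internal list. It identifies an attachment from its first bytes, ignores the file name for that decision, applies the ScanAllAttachments choice (1: scan everything; 0: skip only types the table marks as not commonly infectable; unknown headers are always scanned), and adds a check the chapter does not describe but a practitioner will want: a report when the extension contradicts the header, such as a Windows executable named invoice.txt. Which types count as "not commonly known to be capable of carrying a virus" is this script's policy, not the manual's; image parsers have had exploitable bugs, so ScanAllAttachments=0 trades coverage for speed and the default of 1 is the safe setting.

```python
import os

# Well-known magic numbers (this example's table, not Antigen's). The third
# field is this example's policy for "commonly known to be capable of carrying
# a virus"; unknown headers are treated as infectable so nothing slips by.
SIGNATURES = [
    (b"MZ",                               "pe-executable",  True),
    (b"\x7fELF",                          "elf-executable", True),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound",   True),   # legacy .doc/.xls, macros
    (b"PK\x03\x04",                       "zip",            True),   # also .docx, .jar
    (b"%PDF-",                            "pdf",            True),
    (b"\x89PNG\r\n\x1a\n",                "png",            False),
    (b"\xff\xd8\xff",                     "jpeg",           False),
    (b"GIF87a",                           "gif",            False),
    (b"GIF89a",                           "gif",            False),
]

# Extensions one would expect for each detected type; used only to report spoofs.
EXPECTED_EXTENSIONS = {
    "pe-executable":  {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx"},
    "elf-executable": {".elf", ".so", ".bin"},
    "ole-compound":   {".doc", ".xls", ".ppt", ".msg", ".msi"},
    "zip":            {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "pdf":            {".pdf"},
    "png":            {".png"},
    "jpeg":           {".jpg", ".jpeg"},
    "gif":            {".gif"},
}


def detect_type(data: bytes):
    """Identify the attachment from its header bytes, never from its name.
    Returns (type_name, infectable)."""
    for magic, name, infectable in SIGNATURES:
        if data.startswith(magic):
            return name, infectable
    return "unknown", True


def should_scan(filename: str, data: bytes, scan_all_attachments: bool = True) -> bool:
    """ScanAllAttachments=1 (the silent default): scan everything.
    ScanAllAttachments=0: skip only what the header says is not infectable.
    The file name is deliberately unused; it is accepted only to make the
    point that the decision does not depend on it."""
    if scan_all_attachments:
        return True
    _, infectable = detect_type(data)
    return infectable


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header-derived type contradicts the file extension,
    e.g. a PE executable delivered as "invoice.txt". Not behaviour the chapter
    attributes to Antigen; it is an extra check on top of header-based typing.
    Unknown types cannot be judged and are never reported as a mismatch."""
    kind, _ = detect_type(data)
    expected = EXPECTED_EXTENSIONS.get(kind)
    if expected is None:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext not in expected


if __name__ == "__main__":
    # Constructed samples: a PE header named like a text file, a PNG header named like a program.
    samples = [("invoice.txt", b"MZ\x90\x00" + bytes(60)),
               ("notes.exe", b"\x89PNG\r\n\x1a\n" + bytes(16))]
    for name, blob in samples:
        print(name, detect_type(blob), "scan:", should_scan(name, blob, scan_all_attachments=False),
              "spoofed extension:", extension_mismatch(name, blob))
```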