Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, Outlook, Visual Basic, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Review the Microsoft Antigen Privacy Statement at the Microsoft Antigen Web site.
Contents
Microsoft Antigen for Exchange Best Practices  1
Contents  3
Introduction to Microsoft Antigen for Exchange best practices  4
Deployment considerations  4
During a virus outbreak  5
General Options  5
  General Options - Important Settings  6
Microsoft Exchange Best Practices Analyzer  9
Scanning considerations  10
  Scan on Scanner Update General Option  10
Store scanning effects  10
  Store scanning when using default settings  11
Updating engines  12
Antivirus settings  12
  Bias setting  12
  Action  13
  Quarantine files  14
Filtering files by type and by extension  14
  Filtering by file type  14
  Filtering by file extension  15
  Recommended methods for configuring a file filter  16
  Additional topics  16
Filtering on the SMTP Scan Job  17
Deployment considerations
For global protection throughout the enterprise, it is recommended that Antigen for Exchange be deployed on all Gateway and Mailbox servers. For optimal performance, all Gateway servers should have identical protection settings. Before installing Antigen on a Mailbox server, conduct careful capacity planning and performance assessments to ensure that the server has enough spare processing capacity to tolerate the extra load imposed by antivirus scanning.

The Antigen multiple-engine architecture helps to maximize antivirus protection through diversity. Studies have shown that scanning with five engines decreases the window of vulnerability between the time a new threat is encountered and the time at least one engine vendor has released a protective signature. By default, Antigen scans each message only once. However, it is a best practice to schedule background scanning on the Mailbox server to periodically rescan messages using the latest available signatures.

Note: Because such a configuration is likely to negatively affect system performance, it is recommended that you do not use more than five scan engines for any given scan job.
To enable background scanning on engine update
1. Enable the Realtime Scan Job for the Storage Groups that you would like scanned by the Background Scanner.
2. In the Schedule Job pane, enable the Background Scan Job and schedule it to run at a selected date, time, and frequency.
General Options
General Options, which is accessed from the SETTINGS shuttle of the Antigen Administrator, provides access to a variety of system-level settings for Antigen for Exchange. This eliminates the need to directly access the registry to change the settings. Although there are many options that can be controlled through the General Options pane, each of them has a default setting (Enabled, Disabled, or a value) that is probably the correct one for your enterprise. These settings rarely need to be changed.
General Options - Important Settings

Delete Corrupted Compressed Files
Delete Corrupted Uuencode Files
Delete Encrypted Compressed Files

Scan on Scanner Update
It is recommended that you turn on this option during an outbreak scenario, so that e-mail is rescanned each time an engine is updated. This gives the best protection because scanning is always done with the latest signatures. When the outbreak passes, turn this option off again, because it can negatively affect system performance.

Realtime Process Count
To enhance performance, Antigen allows additional processes to be created for the Realtime Scan Job. If the first process is busy scanning a file, the second process begins to scan, and so on. By changing this value, the number of processes can be increased up to ten. The Antigen service must be restarted for the change to take effect. Be cautious when increasing the number of processes, because each additional process consumes more server resources; it is best to add processes one at a time and evaluate performance at each step. It is recommended that you set the number of processes to twice the number of effective processors on the server. For example, a two-processor server or a single-processor dual-core server should have the Realtime Process Count set to four (the default). If the server contains two processors, each of which is dual core, the recommended setting is eight.

Internet Process Count
The same guidelines as for the Realtime Process Count apply to the Internet Process Count.

Secure Mode and Compatibility Mode
Although the default value, Secure Mode, is more secure than the other option, Compatibility Mode, Secure Mode can involve considerable administrative overhead. For example, if you have a quarantined file that needs to be released, you must stop the file filter completely before you can release it, and then enable the filter again. Therefore, you may find that Compatibility Mode is more suitable.

It is recommended that you change this value to match your e-mail policy concerning the largest allowable file attachment size. If a filter match or a virus is detected, attachments larger than this value are automatically deleted. By default, this setting is 26,214,400 bytes (25 MB).

Internal Address
Antigen can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field to indicate who should be sent internal notifications. Domains should be entered as a semicolon-delimited list (for example, microsoft.com;microsoft.net;company.com), with no spaces. Any change to this value is immediately reflected in virus notifications. When entering a domain name in the Internal Address field, be aware that subdomains are covered by the entry. For example, domain.com includes subdomain.domain.com and subdomain2.domain.com. Alternate domains, such as domain.net or domain.org, must be entered individually. If you have a large number of domains to be used as internal addresses, you can enter them in an external text file (leaving the Internal Address field blank), one domain per line. Be aware that in the external file all subdomains must be entered individually. To use the external file, you must manually create the registry key DomainDatFilename and set its value to the full path of the external text file. For more about this key, see the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library.

Enable Background Scan if 'Scan on Scanner Update' Enabled
Initiates a background scan every time a scan engine is updated, if the General Option Scan on Scanner Update is enabled. This setting can be left enabled even when Scan on Scanner Update is disabled. Background scanning applies only to Mailbox servers that have Antigen installed.
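The two Internal Address conventions above (the semicolon-delimited field, where an entry also covers its subdomains, and the external file, where only exact entries match) are easy to get wrong when deciding who receives an internal notification. The following is an added example, not Antigen's own code: it implements the rules as the text states them. The function names, the sample addresses and the exact-or-dot-suffix comparison are this example's assumptions; the page does not say how Antigen compares addresses internally.

```python
"""Classify addresses as internal or external under the Internal Address
field rules and the external-file rules described in the text.

Added example; not Antigen's own implementation.
"""
from __future__ import annotations


def parse_internal_field(field_value: str) -> list[str]:
    """Split the Internal Address field: 'a.com;b.net' -> ['a.com', 'b.net']."""
    return [d.strip().lower() for d in field_value.split(";") if d.strip()]


def parse_domain_file(file_text: str) -> set[str]:
    """Parse the external text file: one domain per line, exact entries only."""
    return {line.strip().lower() for line in file_text.splitlines() if line.strip()}


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_internal_by_field(address: str, field_value: str) -> bool:
    """Field semantics: an entry covers itself and any of its subdomains.

    The suffix test requires a '.' boundary, so 'evildomain.com' is not
    treated as a subdomain of 'domain.com' (a plain endswith() would).
    """
    domain = domain_of(address)
    return any(domain == entry or domain.endswith("." + entry)
               for entry in parse_internal_field(field_value))


def is_internal_by_file(address: str, file_text: str) -> bool:
    """File semantics: exact match only; subdomains must be listed explicitly."""
    return domain_of(address) in parse_domain_file(file_text)


def split_audience(addresses, *, field_value: str = "", file_text: str | None = None):
    """Partition addresses into (internal, external) notification recipients.

    When the external file is configured (field left blank), it is used
    instead of the field, as the text describes.
    """
    internal, external = [], []
    for addr in addresses:
        if file_text is not None:
            is_int = is_internal_by_file(addr, file_text)
        else:
            is_int = is_internal_by_field(addr, field_value)
        (internal if is_int else external).append(addr)
    return internal, external


if __name__ == "__main__":
    # Constructed sample data for this example.
    field = "domain.com;domain.net"
    addrs = ["alice@domain.com", "bob@subdomain.domain.com",
             "carol@domain.org", "mallory@evildomain.com"]
    print("field:", split_audience(addrs, field_value=field))
    # Same addresses, but with an external file listing only the apex domains:
    # bob is now external because subdomain.domain.com is not listed.
    print("file: ", split_audience(addrs, file_text="domain.com\ndomain.net\n"))
```

The point to check in your own deployment is the second run: moving the list from the field to the external file silently changes which senders count as internal unless every subdomain is added to the file.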
Scanning considerations
This section discusses the effects of different scanning options on SMTP scanning (SMTP Scan Job) and Store scanning (Realtime or Manual Scan Job). Store scanning includes two General Options that can be enabled as desired: Scan on Scanner Update, and Enable Background Scan if 'Scan on Scanner Update' Enabled. Each option affects Store scanning behavior. Generally speaking, as each additional option is enabled, the amount of Store scanning increases, as does the level of protection. Increased scanning, however, potentially affects performance.
The following tables show the deviations from the normal mode that occur as you enable the options.
Updating engines
It is recommended that you use the UNC method of updating your engines. That is, have one server receive updates from the Microsoft HTTP server, and then share those updates among the other servers in your environment. After one server receives an engine update, it can share that update with any other server whose network update path points to it. This can save significantly on Internet bandwidth and make your updates quicker and more efficient. To use the UNC updating method, see the File scanner updating overview chapter in the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library.

Updates should be staggered across an environment so that the Gateway layer updates its engines first, with the back-end servers updating their engines later in the hour. Then, if an update causes unexpected behavior, you have whatever time interval you have specified (for example, 30 minutes) to ensure that the problematic update does not reach the back-end servers.

Be aware of the specifics of the engines that you are using. Some virus labs routinely release signatures more frequently than others, although all labs respond to a major outbreak with more frequent updates. The update schedule for any engine that updates more frequently than others should be set accordingly. Even if you are not using a particular engine, you should update the engine once a day, so that if you need to activate it, the signatures will be up-to-date.
Antivirus settings
Configure the scan job with your engine, bias setting, action, and quarantine selections.
Bias setting
The bias setting controls how many engines are used to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be detected. However, the more engines you use, the greater the impact on your system's performance. While Antigen for Exchange uses a very efficient in-memory scanning process, each additional engine adds to scanning time and resource usage. Therefore, at one extreme is the number of engines to use for maximum certainty; at the other is the number of engines that allows maximum performance. Generally, it is recommended that you use all available scan engines.

You can use a different bias setting on different servers, depending on your needs. For example, you might use only a single engine on your Gateway server to maximize its performance, and several engines on your other servers where performance is not as critical. It is recommended that you use the same engines and bias settings on all Gateway servers. This ensures the same degree of scanning on inbound, outbound, and internal mail, and also helps to prevent unnecessary duplicate scanning.

When using Maximum Certainty, mail flow is held up whenever a scan engine is being updated, because Maximum Certainty requires that every message be scanned by every selected engine. To provide complete scan-engine coverage, mail is queued until the engine update finishes (typically, less than 30 seconds). To avoid this, select Favor Certainty, in which case scanning and mail flow continue using all other selected engines while an engine is being updated.
Action
It is recommended that you set the action setting to Delete: Remove Contents. Attempting to clean and repair an attachment was more useful years ago, when cleanable viruses were more common and valid documents were often infected. The virus world has changed over the years, and the vast majority of viruses today are not cleanable. Also, a valid infected file is much less common: most of the time, the entire attachment is a virus and has no valid content. Because the attempt to clean the virus requires additional processing resources (which, in most cases, are wasted), the Delete option is a better choice.
Quarantine files
The Quarantine feature provides an added level of security because you can retrieve a message that has been incorrectly tagged as a virus. However, there is overhead involved in quarantining files, particularly if many viruses are captured each day. Large organizations can block millions of viruses in a month. Many of these, however, might be worm viruses that are never quarantined. Ideally, you want to quarantine detected viruses, but you might determine that the better course is to simply delete them, even at the risk of losing valid e-mail message content. Not quarantining or sending notifications can greatly simplify your virus management, but this includes the risk of losing e-mail communications that users might want to receive.
Filtering files by type and by extension
This section focuses on the difference between filtering by file type and by file extension. The Microsoft Antigen for Exchange User Guide, available at the Microsoft Antigen TechNet Library, goes into detail about the other ways of filtering files, as well as how to configure all the file filtering options.
Note: There is additional information on configuring file type filters for Office 2007 and older files in the Microsoft Antigen for Exchange User Guide.
If you send through an attachment with a .doc extension, for example filename.doc, it will be deleted rather than skipped. The first action listed, Skip: detect only, will not be applied, but the second (Delete: remove contents) will be. Even though Antigen recognizes the file as a Microsoft Word document, the file extension does not match the first extension filter of *.rtf. Even if you set the first filter's file type to All Types instead of DOC, the attached file still will not match the filter because it does not have a .rtf extension. However, if the file extension matches, the File Type is then checked to see if it too matches, and if so, the action is applied, even on renamed files.

Example:
File Filter 1) *.doc  File Type: DOCFILE  Action: Delete: remove contents

If you rename an .exe to a .doc, Antigen will not remove it with this filter. Although the file extension matches, Antigen is able to determine that the file is not a valid DOCFILE; therefore it does not match the file type you configured.
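The evaluation order described above (extension pattern first, then file type, with a filter matching only when both agree) is worth seeing against real bytes, because it is the reason a renamed executable slips past a *.doc/DOCFILE filter. The following is an added example and not Antigen's code: it models a filter list as (extension pattern, file type, action) triples. Its assumptions are that the first matching filter decides the action, that DOCFILE is recognised by the OLE2 compound-document header and EXE by the MZ header (Antigen's real type detection is not shown on the page), and the second filter in the two-filter list, whose pattern the text does not give. The last filter list goes beyond the page's example and shows how a type-based filter with a wildcard name catches the renamed file.

```python
"""Model Antigen-style file filters: extension pattern checked first,
then file type, first match wins. Added example, not Antigen's code."""
import fnmatch

ALL_TYPES = "All Types"

# Assumed mapping from Antigen type names to content signatures.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Word 97-2003 / OLE2 compound document
MZ_MAGIC = b"MZ"                                  # Windows executable header


def detect_type(data: bytes) -> str:
    """Identify the content type from its leading bytes, ignoring the name."""
    if data.startswith(OLE2_MAGIC):
        return "DOCFILE"
    if data.startswith(MZ_MAGIC):
        return "EXE"
    if data.lstrip().startswith(b"{\\rtf"):
        return "RTF"
    return "UNKNOWN"


def apply_filters(filename: str, data: bytes, filters):
    """Return the action of the first filter whose extension AND type match.

    filters: ordered list of (extension_pattern, file_type, action).
    Returns None when no filter matches (the attachment is left alone).
    """
    detected = detect_type(data)
    for pattern, file_type, action in filters:
        # Step 1: the extension pattern must match the attachment name.
        if not fnmatch.fnmatchcase(filename.lower(), pattern.lower()):
            continue
        # Step 2: only then is the configured file type compared.
        if file_type != ALL_TYPES and detected != file_type:
            continue
        return action
    return None


# Constructed sample attachments (headers only; enough for type detection).
WORD_DOC = OLE2_MAGIC + b"\x00" * 24
RENAMED_EXE = MZ_MAGIC + b"\x90\x00" * 16        # an .exe body carried under a .doc name

# The two-filter list from the text; the second filter's pattern is assumed.
TWO_FILTER_EXAMPLE = [
    ("*.rtf", "DOCFILE", "Skip: detect only"),
    ("*.doc", ALL_TYPES, "Delete: remove contents"),
]
# The single filter from the example above.
DOC_ONLY = [("*.doc", "DOCFILE", "Delete: remove contents")]
# Beyond the page's example: match on content type under any file name.
ANY_NAME_EXE = [("*.*", "EXE", "Delete: remove contents")]

if __name__ == "__main__":
    print(apply_filters("filename.doc", WORD_DOC, TWO_FILTER_EXAMPLE))   # second filter applies
    print(apply_filters("payload.doc", RENAMED_EXE, DOC_ONLY))           # None: type mismatch
    print(apply_filters("payload.doc", RENAMED_EXE, ANY_NAME_EXE))       # caught by type
```

The two results at the end are the practical lesson: an extension-plus-type filter is precise but does nothing for a renamed file, so a block list for executables should rely on the content type (or on extension alone, as the SMTP block list later in this document does), not on the extension-and-type pair.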
Additional topics
The Microsoft Antigen for Exchange User Guide, available at the Microsoft Antigen TechNet Library, describes the following additional topics related to file filtering:
- Configuring file filters based on their size.
- Creating filter lists containing multiple file filters.
- Using wildcard characters to have your filter match patterns in the file name, rather than a specific file name.
- Configuring a filter so that it checks only inbound or outbound messages.
- Filtering container files.
- Excluding the contents of a container file from being scanned for filter matches.
- Using file filtering to block some file types and permit others.
- Importing and exporting items into/from a file filter list.
- Creating a filter set template, which can contain a combination of file filters and content filters.
- Disabling file filtering for specific scan jobs.
Filtering on the SMTP Scan Job
Extension   Type of file
*.cla       Java class file
*.class     Java class file
*.com       Microsoft MS-DOS program
*.cpl       Control Panel extension
*.crt       Security certificate
*.csc       Corel script file
*.css       Cascading style sheet file
*.dll       DLL file
*.drv       Driver file
*.exe       Program
*.email     Microsoft Office Outlook Express e-mail message
*.fon       Font file
*.hlp       Help file
*.hta       HTML program
*.htm*      HTML file
*.inf       Setup information
*.ins       Internet Naming Service
*.isp       Internet Communication settings
*.je        JScript file
*.js        JScript file
*.jse       JScript Encoded Script file
*.lib       Program Library Common Object file format
*.lnk       Shortcut
*.mdb       Access database file
*.mde       MDE database
*.mht       Archived Web page
*.mhtml     Archived Web page
*.mhtm      Archived Web page
*.msc       Microsoft Common Console document
*.msi       Microsoft Windows Installer package
*.mso       Math script object file
*.msp       Microsoft Windows Installer patch
*.mst       Microsoft Visual Test source file
*.obj       Relocatable object code
*.ocx       Object linking and embedding control executable
*.ov?       OrgViewer file
*.pcd       Photo CD image, Microsoft Visual compiled script
*.pgm       CGI program
*.pif       Shortcut to MS-DOS program
*.prc       Palm Pilot resource file
*.rar       Archive file
*.reg       Registration entries
*.scr       Screen saver
*.sct       Windows Script component
*.shb       Shortcut into a document
*.shs       Shell Scrap object
*.smm       AMI Pro macro
*.swf       Macromedia file
*.sys       System device driver
*.tar       Archive file
*.url       Internet shortcut
*.vb        VBScript file
*.vbe       VBScript encoded script file
*.vbs       VBScript file
*.vxd       Virtual device driver
*.wsc       Windows Script component
*.wsf       Windows Script file
*.wsh       Windows Script Host Settings file
*}          CLSID filter

2. Filter these files in any container file.
3. Ensure that Delete Corrupted Compressed Files is selected in General Options.
4. Ensure that Delete Encrypted Compressed Files is selected in General Options.
5. Enable the filter.
6. Save the filter.
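Steps 2 to 4 together close the usual ways round an extension block list: a blocked file nested inside an archive, a file hidden behind a trailing {CLSID} (which the *} pattern catches; Explorer hides such an "extension", so the name appears to end in .doc), and an archive that is corrupted or encrypted and therefore cannot be inspected at all. The following added example, which is not Antigen's code, applies a subset of the patterns above to an attachment and recursively to the members of any ZIP container it carries, and treats an uninspectable container the way steps 3 and 4 configure Antigen to. ZIP standing in for "any container file", the pattern subset, the sample archive and the made-up GUID in the member name are all this example's assumptions.

```python
"""Apply an extension block list to an attachment and to every member of
any container it carries; delete containers that cannot be inspected.

Added example, not Antigen's code. ZIP is used as the container format.
"""
import fnmatch
import io
import zipfile

# Subset of the extension patterns from the block list above.
BLOCKED_PATTERNS = [
    "*.exe", "*.com", "*.scr", "*.pif", "*.js", "*.jse", "*.vbs", "*.vbe",
    "*.wsf", "*.wsh", "*.hta", "*.lnk", "*.reg", "*.ov?", "*}",
]
CONTAINER_PATTERNS = ["*.zip"]   # assumption: ZIP stands in for "any container file"


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def name_blocked(name: str) -> bool:
    """True if the file name matches any block-list pattern (case-insensitive)."""
    base = _basename(name).lower()
    return any(fnmatch.fnmatchcase(base, p.lower()) for p in BLOCKED_PATTERNS)


def is_container(name: str) -> bool:
    base = _basename(name).lower()
    return any(fnmatch.fnmatchcase(base, p) for p in CONTAINER_PATTERNS)


def scan_attachment(name: str, data: bytes,
                    delete_corrupted: bool = True, delete_encrypted: bool = True):
    """Return a list of (path, reason) findings; an empty list means deliver.

    delete_corrupted / delete_encrypted mirror the two General Options in
    steps 3 and 4: with either set to False, the uninspectable container
    is delivered without any finding, which is the risk those steps remove.
    """
    findings = []
    if name_blocked(name):
        findings.append((name, "blocked extension"))
    if is_container(name):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:            # general-purpose bit 0: encrypted
                        if delete_encrypted:
                            findings.append((member, "encrypted container member"))
                        continue                        # content cannot be inspected
                    # Recurse so nested containers are filtered too (step 2).
                    findings.extend(scan_attachment(member, zf.read(info),
                                                    delete_corrupted, delete_encrypted))
        except zipfile.BadZipFile:
            if delete_corrupted:
                findings.append((name, "corrupted container"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a harmless file, a CLSID-disguised
    file, and a nested ZIP that carries a script."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.js", "WScript.Echo('constructed sample');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("notes.txt", "harmless text")
        zf.writestr("invoice.doc.{12345678-1234-1234-1234-123456789ABC}",
                    "shown as invoice.doc in Explorer")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


# Constructed sample: a ZIP signature with no usable central directory.
CORRUPT_ZIP = b"PK\x03\x04" + b"truncated archive body, no central directory"

if __name__ == "__main__":
    for path, reason in scan_attachment("attach.zip", build_sample_zip()):
        print(f"{path}: {reason}")
    print(scan_attachment("broken.zip", CORRUPT_ZIP))
    print(scan_attachment("broken.zip", CORRUPT_ZIP, delete_corrupted=False))  # [] = delivered
```

The last two lines are the check to make on a live system: with Delete Corrupted Compressed Files off, a deliberately damaged archive produces no finding and is delivered, even though a working copy of the same archive would have been blocked on its members.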