IMSVA 8.5 Administration Guide

March 25, 2018 | Author: artseremis | Category: Email Spam, Computer Virus, Email, Malware, Cloud Computing
Share
Report this link


Comments



Description

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com/en-us/enterprise/interscan-messaging-security.aspx Trend Micro, the Trend Micro t-ball logo, Control Manager, eManager, InterScan, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright © 2013. Trend Micro Incorporated. All rights reserved. Document Part No.: MSEM85911/130322 Release Date: April 2013 Protected by U.S. Patent No.: Patents pending This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp Table of Contents Preface Preface ................................................................................................................. xi What’s New ....................................................................................................... xii Audience ........................................................................................................... xix InterScan Messaging Security Virtual Appliance Documentation ........... xix Document Conventions .................................................................................. xx Part I: Getting Started Chapter 1: Introducing InterScan Messaging Security Virtual Appliance About InterScan Messaging Security Virtual Appliance ........................... 1-2 IMSVA Main Features and Benefits ............................................................ 1-2 About Cloud Pre-Filter ................................................................................ 1-10 About Email Encryption ............................................................................. 1-10 About Spyware/Grayware .......................................................................... 1-10 About Trend Micro Control Manager ...................................................... 1-12 About Trend Micro Smart Protection ....................................................... 1-15 About Command & Control (C&C) Contact Alert Services ................. 1-17 Chapter 2: Opening the IMSVA Management Console .............................................. 2-2 Viewing the Management Console Using Secure Socket Layer .............. 2-3 Setting Up a Child Device ............................................................................. 2-5 Using Smart Search ........................................................................................ 2-7 Changing the Management Console Password .......................................... 2-7 i Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring Proxy Settings ........................................................................... 2-8 IMSVA Services ............................................................................................ 2-10 Selecting a Scan Method .............................................................................. 2-11 Chapter 3: Configuring User Accounts Administrator Account Management .......................................................... 3-2 Adding Administrator Accounts .................................................................. 3-2 Editing or Deleting Administrator Accounts ............................................. 3-5 Chapter 4: Using the Configuration Wizard Configuring IMSVA with the Configuration Wizard ............................... 4-2 Chapter 5: Updating Components Updating Engine and Pattern Files .............................................................. 5-2 Specifying an Update Source ........................................................................ 5-3 Performing a Manual Update ....................................................................... 5-4 Rolling Back a Component Update ............................................................. 5-5 Configuring Scheduled Updates ................................................................... 5-6 Updating the System and Application Files ................................................ 5-8 Chapter 6: Getting Started with Cloud Pre-Filter Understanding Cloud Pre-Filter ................................................................... 6-2 Creating a Cloud Pre-Filter Account ........................................................... 6-5 Chapter 7: Advanced Threat Scan Engine and Deep Discovery Advisor Scan Technology ............................................................................................. 7-2 About Advanced Threat Scan Engine ......................................................... 7-2 About Deep Discovery Advisor ................................................................... 7-4 ii Table of Contents Chapter 8: Getting Started with Email Encryption Understanding Email Encryption ................................................................ 8-2 Using Email Encryption ................................................................................ 8-3 Registering for Email Encryption ................................................................ 8-3 Managing Domains ........................................................................................ 8-4 Registering Domains ...................................................................................... 8-5 Part II: Configuring IMSVA and Cloud Pre-filter Chapter 9: Configuring Cloud Pre-Filter Understanding Cloud Pre-Filter Policies .................................................... 9-2 Creating a Cloud Pre-Filter Policy ............................................................... 9-4 Verifying Cloud Pre-Filter Works .............................................................. 9-14 Configuring DNS MX Records .................................................................. 9-14 Suggested IMSVA Settings When Using Cloud Pre-Filter .................... 9-18 Disabling Cloud Pre-Filter .......................................................................... 9-20 Chapter 10: Configuring IP Filtering Settings IP Filtering Service ....................................................................................... 10-2 Using Email Reputation .............................................................................. 10-2 Configuring IP Filtering .............................................................................. 10-8 Displaying Suspicious IP Addresses and Domains ............................... 10-23 Chapter 11: Scanning SMTP Messages Enabling SMTP Connections ..................................................................... 11-2 Configuring SMTP Routing ........................................................................ 11-2 About Message Delivery ........................................................................... 11-10 iii Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Chapter 12: Configuring Transport Layer Security Settings About Transport Layer Security ................................................................. 12-2 Prerequisites for Using TLS with IMSVA ................................................ 12-3 TLS Settings for Messages Entering IMSVA ........................................... 12-4 TLS Settings for Messages Exiting IMSVA ............................................. 12-7 Deploying IMSVA in TLS Environments ................................................ 12-8 Creating and Deploying Certificates in IMSVA .................................... 12-14 Chapter 13: Configuring POP3 Settings Scanning POP3 Messages ........................................................................... 13-2 Enabling POP3 Scanning ............................................................................ 13-3 Configuring POP3 Settings ......................................................................... 13-4 Configuring POP3 Scan Service ................................................................. 13-5 Part III: IMSVA Policies Chapter 14: Managing Policies About Policies ............................................................................................... 14-2 How the Policy Manager Works ................................................................ 14-2 Chapter 15: Common Policy Objects Configuring Common Policy Objects ....................................................... 15-2 Understanding Address Groups ................................................................ 15-2 Using the Keyword & Expression List ................................................... 15-13 Using Compliance Templates ................................................................... 15-26 Using the Notifications List ...................................................................... 15-37 Using Stamps .............................................................................................. 15-41 Using the DKIM Approved List ............................................................. 15-45 iv Table of Contents Using the Web Reputation Approved List ............................................. 15-46 Chapter 16: Internal Addresses Configuring Internal Addresses ................................................................. 16-2 Adding an Address Group .......................................................................... 16-5 Searching for Users or Groups .................................................................. 16-6 Searching for an LDAP User or Group .................................................... 16-7 Chapter 17: Configuring Policies Adding Policies ............................................................................................. 17-2 Specifying a Route ........................................................................................ 17-2 Specifying Scanning Conditions ................................................................. 17-9 Specifying Actions ...................................................................................... 17-35 Finalizing a Policy ....................................................................................... 17-45 Chapter 18: Encryption Settings Configuring Encryption Settings ................................................................ 18-2 Encrypting Message Traffic ........................................................................ 18-3 Configuring Encryption Policies ................................................................ 18-3 Chapter 19: Scanning Exceptions Setting Scan Exceptions .............................................................................. 19-2 Configuring Exceptions for Security Settings Violations ....................... 19-3 Setting Scan Actions for Security Setting Violations .............................. 19-4 Setting Scan Actions for Malformed Messages ........................................ 19-5 Configuring Exceptions for Encrypted Messages ................................... 19-7 Setting Scan Actions for Encrypted Messages ......................................... 19-7 v Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Chapter 20: Existing Policies Modifying Existing Policies ........................................................................ 20-2 Policy Example 1 .......................................................................................... 20-4 Policy Example 2 .......................................................................................... 20-8 Using the Asterisk Wildcard ..................................................................... 20-13 Part IV: Monitoring the Network Chapter 21: Monitoring the Network Monitoring Your Network .......................................................................... 21-2 Viewing System Status ................................................................................. 21-2 Chapter 22: Working with the Dashboard and Widgets Using the Dashboard ................................................................................... 22-2 Understanding Tabs ..................................................................................... 22-2 Understanding Widgets ............................................................................... 22-6 Chapter 23: Reports Generating Reports ...................................................................................... 23-2 Managing One-time Reports ...................................................................... 23-5 Using Scheduled Reports ............................................................................ 23-8 Chapter 24: Logs About Logs .................................................................................................... 24-2 Configuring Log Settings ............................................................................. 24-2 Querying Logs ............................................................................................... 24-4 Chapter 25: Mail Areas and Queues About Mail Areas and Queues ................................................................... 25-2 vi Table of Contents Configuring Quarantine and Archive Settings ......................................... 25-3 Managing Quarantine Areas ....................................................................... 25-5 Managing Archive Areas ............................................................................. 25-8 Querying Messages ..................................................................................... 25-10 Viewing Quarantined Messages ............................................................... 25-17 Viewing Archived Messages ..................................................................... 25-18 Viewing Postponed Messages .................................................................. 25-20 Viewing Deferred Messages ..................................................................... 25-21 Configuring User Quarantine Access ...................................................... 25-22 Using EUQ .................................................................................................. 25-27 Chapter 26: Notifications Event Notifications ...................................................................................... 26-2 Configuring Delivery Settings ..................................................................... 26-3 Configuring Event Criteria and Notification Message ........................... 26-5 EUQ Digest ................................................................................................... 26-8 Editing Notifications ................................................................................. 26-10 Part V: Administering IMSVA Chapter 27: Backing Up, Restoring, and Replicating Settings Importing/Exporting ................................................................................... 27-2 Backing Up IMSVA ..................................................................................... 27-5 Restoring IMSVA by Importing Settings ................................................. 27-7 Replicating Settings ...................................................................................... 27-9 Chapter 28: Using End-User Quarantine About EUQ ................................................................................................... 28-2 vii Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide EUQ Authentication .................................................................................... 28-2 Configuring End-User Quarantine (EUQ) .............................................. 28-2 Distribution List EUQ Management ...................................................... 28-15 Disabling EUQ ........................................................................................... 28-17 Chapter 29: Performing Administrative Tasks Managing Administrator Accounts ............................................................ 29-2 Configuring Connection Settings ............................................................... 29-6 Configuring Database Maintenance Schedule ....................................... 29-19 Managing Product Licenses ...................................................................... 29-20 Activating Products .................................................................................... 29-24 Configuring Smart Protection Network Settings .................................. 29-26 Chapter 30: Using the Command Line Interface Using the CLI ................................................................................................ 30-2 Entering the CLI .......................................................................................... 30-2 CLI Overview ............................................................................................... 30-3 Entering the OS Shell .................................................................................. 30-3 Command Line Interface Commands ....................................................... 30-4 Chapter 31: Modifying IMSVA Deployment Internal Communication Port .................................................................... 31-2 Adding and Removing Devices .................................................................. 31-2 Changing Device Roles ................................................................................ 31-5 Changing the Deployment .......................................................................... 31-6 Changing IP Addresses ................................................................................ 31-7 viii .................................................................................................................... B-2 Appendix C: Creating a New Virtual Machine Under VMware ESX for IMSVA Creating a New Virtual Machine ........................................ and Support Information Troubleshooting ................................................................................................................................................................................. A-4 Appendix B: IMSVA Scripts Using IMSVA Scripts ........................................................................................ A-4 Notification Pickup Folder ............... 33-19 Troubleshooting Cloud Pre-Filter .................................. 32-2 Rescuing IMSVA ....................................... A-4 Temporary Folder ....................................................................... 33-30 Appendices Appendix A: Default Directory Locations Default Mail Queues ........................... 32-4 Chapter 33: Troubleshooting............................................................................................. FAQ.........Table of Contents Chapter 32: Updating and Rescuing the System and Application Updating the System and Application .................................................................... A-2 eManager........................................................... 33-2 Frequently Asked Questions .. C-2 Appendix D: Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA ix .............................................. 33-29 Support Information ....... Virus and Program Logs ............... ................ D-2 Using Para-Virtualization Mode .......................................................................................................Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Understanding Hyper-V Installation ...... D-21 Index Index .............................................................. D-2 Installing IMSVA on Microsoft Hyper-V ............................... IN-1 x ..................... D-18 Using NTP on IMSVA ........................................................................................................................ xi .Preface Preface Welcome to the Trend Micro™ InterScan™ Messaging Security Virtual Appliance Administrator’s Guide. Refer to the IMSVA 8. This manual contains information on InterScan Messaging Security Virtual Appliance (IMSVA) features. as well as instructions on installation and configuring IMSVA settings.5 Installation Guide for information on how to install and upgrade IMSVA. system requirements. 2 Service Pack 2 New Features The following table provides an overview of new features available in IMSVA Service Pack 8.5. Web Reputation enhancement The Web Reputation filter has been enhanced to enable detection of URLs that have not been rated by Trend Micro. This functionality helps increase protection against advanced threats that leverage short-lived malicious websites.2 Service Pack 2 New Features NEW FEATURE Advanced anti-malware protection xii DESCRIPTION The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and aggressive heuristic scanning to detect document exploits and other threats used in targeted attacks.5 New Features The following table provides an overview of new features available in IMSVA 8. SMTP authentication support for End-User Quarantine SMTP authentication provides users another option for enabling the End-User Quarantine feature.2. IMSVA 8. TABLE 2. TABLE 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide What’s New IMSVA 8. IMSVA 8. .5 New Features NEW FEATURE DESCRIPTION Command & Control (C&C) Contact Alert Services Command & Control (C&C) Contact Alert Services provides IMSVA with enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. IMSVA 8. Smart Scan Smart Scan facilitates a more efficient scanning process by offloading a large number of threat signatures previously stored on the IMSVA server to the cloud. Dashboard and widgets Real-Time summaries have been replaced with a dashboard and widgets. This will provide administrators with more flexibility when viewing IMSVA data.Preface NEW FEATURE DESCRIPTION Integration with Deep Discovery Advisor Trend Micro™ Deep Discovery Advisor is a separately licensed product that provides unique security visibility based on Trend Micro’s proprietary threat analysis and recommendation engines. The System Summary has been renamed "System Status" and appears in the left menu. Distribution list End-User Quarantine (EUQ) management The web-based EUQ service also allows end-users to manage the spam quarantine of distribution lists that they belong to. IMSVA 8.2 New Features The following table provides an overview of new features available in IMSVA 8. Multiple LDAP server support IMSVA supports using more than one LDAP server and has support for more LDAP server types. IMSVA 8. EUQ digest inline action links IMSVA enables users to apply actions to quarantined messages through links in the EUQ digest. IMSVA can also scan encrypted messages for threats.2 New Features NEW FEATURE Email encryption DESCRIPTION Trend Micro Email Encryption integrates with IMSVA to protect sensitive email content by encrypting inbound and outbound email messages according to specific policies.2. xiii . TABLE 3. IMSVA provides reports and notifications to monitor encrypted email traffic. IMSVA integrates with the Virtual Analyzer in Deep Discovery Advisor. . New migration Tools New tools have been provided to help customers migrating from previous product versions. TABLE 4. IMSVA 8.5. EUQ enhancement EUQ now supports single sign-on with Kerberos� and synchronized messages with Cloud Pre-Filter.0 New Features NEW FEATURE xiv DESCRIPTION Cloud Pre-Filter Cloud Pre-Filter is a hosted email security service that can filter all of your email messages before they reach your network. Accounts other than the "admin" account can be granted access to Cloud Pre-Filter Expanded Control Manager support IMSVA now supports registering to Control Manager 5. Smart Search Text Box Allows users to quickly navigate to screens on the web console by typing the name of the screen or feature in the Smart Search text field.0 New Features The following table provides an overview of new features available in IMSVA 8. IMSVA 8. Cloud Pre-Filter enhancements Cloud Pre-Filter now supports protection against directory harvest attacks (DHA).Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide NEW FEATURE DESCRIPTION Regulatory compliance support IMSVA provides support for regulatory compliance in policies. Expanded platform support IMSVA can now be installed on Hyper-V platforms.0. Microsoft Hyper-V support IMSVA now supports installation on Microsoft HyperV. Pre-filtering your email messages can save you time and money. NRS Terminology Change Network Reputation Service (NRS) has been changed to Email reputation. Special actions can be taken on encrypted messages or password protected zip files sent/received by specified users or groups. xv . Detection Capability Enhancement Use DomainKeys Identified Mail (DKIM) enforcement. Scan Exception Enhancement IMSVA now supports configuring custom policy settings for encrypted messages and password protected zip attachments. with the DKIM Approved List. BATV Support Bounce Address Tag Validation (BATV) protects your clients from bounced email message attacks. in policies to assist in phishing protection and to reduce the number of false positives regarding domains. Expanded File Scanning Support IMSVA now supports scanning Microsoft® Office 2007 and Adobe® Acrobat® 8 documents.Preface NEW FEATURE Common Policy Objects DESCRIPTION Several information objects that can be used by policies have been removed from policy creation and given their own areas for configuration: • Address Groups • BATV Keys • Keywords & Expressions • Policy Notifications • Stamps • DKIM Approved List • Web Reputation Approved List Web Reputation Protect your clients from malicious URLs embedded in email messages with Web reputation. X-Header Support Insert X-Headers into email messages to track and catalog the messages. Note IMSVA 8. IMSVA 7. IMSVA 7. . Antispoofing filter With this filter. New hard disks Two 250GB raid hard disks.0 New Features The following table provides an overview of new features available in IMSVA 7.0 New Features NEW FEATURE xvi DESCRIPTION Data port redundancy A second data port to connect to your network if a problem arises with the main data port. The second data port has the same IP address as the main data port. IMSVA takes action on the message. and the message does not come from an internal IP address. EUQ Single Sign-on (SSO) IMSVA now allows users to log in once to their domain and then to EUQ without re-entering their domain name and password. but a different MAC address.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide NEW FEATURE DESCRIPTION EUQ Enhancement IMSVA now allows users to review and delete or approve messages that are quarantined by administrator-created content filters and those quarantined by the Spam Prevention Solution. TABLE 5.0. New Migration Tools New tools have been provided to help customers migrating from previous product versions.0 only supports Internet Explorer and Firefox with Windows Active Directory as the LDAP server. a message that has the sender domain that is the same as the recipient(s) domain. Together with EUQ notification. Windows. troubleshooting functions. xvii . IMSVA’s new CLI interface offers stronger console security by preventing unauthorized access to the OS shell. Scalable Web End-User Quarantine (Web EUQ) Multiple Web EUQ services offer end-users the ability to view quarantined email messages that IMSVA detected as spam. A separate operating system. is not required. IMSVA will help lower the cost of helpdesk administrative tasks. detailed report provides top usage statistics and key mail usage data. debugging. Route Configuration Multiple Antivirus and Malware Policies Multiple IMSVA policies with LDAP support help you configure filtering settings that apply to specific senders and receivers based on different criteria. system administration. or Solaris.Preface NEW FEATURE DESCRIPTION Self-contained Installation IMSVA provides a self-contained installation that provides a purpose-built. such as Linux. Command Line Interface IMSVA provides a native Command Line Interface (CLI) to perform system monitoring. The IMSVA CLI is modeled after industry standard CLI syntax and navigation formats to greatly reduce the learning time. through a secure shell or direct console access. Centralized Archive and Quarantine Management IMSVA provides an easy way to search multiple IMSVA quarantine and archive areas for messages. hardened. This dedicated operating system installs with IMSVA to provide a turnkey solution.5. and performance tuned CentOS Linux operating system. Centralized Logging and Reporting A consolidated. IMSVA is fully supported when running on VMware ESX Server 3. Multiple Network Interfaces Support IMSVA supports multiple network interfaces. and provides a user interface to configure the route for users to deploy IMSVA more conveniently. Bare Metal and VMware ESX Support IMSVA can be installed on bare metal server platforms (servers without an operating system) or on VMware virtual platforms. Delegated Administration LDAP-integrated account management allows users to assign administrative rights for different configuration tasks. IntelliTrap IntelliTrap provides heuristic evaluation of compressed files that helps reduce the risk that a virus in a compressed file will enter your network through email. Easy Deployment with Configuration Wizard An easy-to-use configuration wizard to get IMSVA up and running. in addition to other supported features. and other MTA functions help IMSVA handle email efficiently and securely. Mail Auditing and Tracking IMSVA provides detailed logging for all messages to track and identify message flow related issues. IMSS will convert the message from 8 bit MIME to 7 bit MIME. Integration with Trend Micro Control ManagerTM Perform log queries on Email reputation detections from Control Manager.0 Service Pack 1 supports the transformation of 8 bit to 7 bit-MIME according to the standard defined in RFC 1652 SMTP Service Extension for 8bit-MIME transport. . • IP Profiler helps protect the mail server from attacks with smart profiles (SMTP IDS). domain based delivery. Migration Easy upgrade process ensures that settings will be migrated with minimum effort during setup. Advance MTA Functions Opportunistic TLS. Supports 8 bit to 7 bit-MIME transformation IMSVA 7.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide NEW FEATURE Multiple Spam Prevention Technologies xviii DESCRIPTION Three layers of spam protection: • Email reputation filters spam senders at the connection layer. In the event that the next hop of the SMTP server does not support 8 bit MIME. • Trend Micro Anti-spam engine detects and takes action on spam. and provides instructions on how to deploy and upgrade IMSVA in various network environments. open the web management console. system requirements. then click the help icon.. To access the online help. InterScan Messaging Security Virtual Appliance Documentation The IMSVA documentation consists of the following: Installation Guide Contains introductions to IMSVA features. including details related to the following: • SMTP and POP3 protocols • Message transfer agents (MTAs).Preface Audience The IMSVA documentation is written for IT administrators in medium and large enterprises. The documentation assumes that the reader has in-depth knowledge of email messaging networks. Online Help Provides detailed instructions on each field and how to configure all features through the user interface. Administrator’s Guide Helps you get IMSVA up and running with post-installation instructions on how to configure and administer IMSVA. such as Postfix or Microsoft™ Exchange • LDAP • Database management The documentation does not assume that the reader has any knowledge of antivirus or antispam technology. xix . web URLs.com Document Conventions The documentation uses the following conventions: TABLE 6.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Readme File Contain late-breaking product information that might not be found in the other documentation. known issues. Document Conventions CONVENTION DESCRIPTION UPPER CASE Acronyms. click File and then click Save on the interface Note Tip xx Configuration notes Recommendations or suggestions . and options Italics References to other documents Monospace Sample command lines. installation tips. abbreviations. Topics include a description of features. and program output Navigation > Path The navigation path to reach a particular screen For example. The Installation Guide. file names.trendmicro. tabs. program code. Administrator’s Guide and readme file are available at: http://docs. and names of certain commands and keys on the keyboard Bold Menus and menu commands. File > Save means. command buttons. and product release history. Preface CONVENTION Important WARNING! DESCRIPTION Information regarding required or default configuration settings and product limitations Critical actions and configuration options xxi . . Part I Getting Started . . and provides basic information on other Trend Micro products that will enhance your anti-spam capabilities.Chapter 1 Introducing InterScan™ Messaging Security Virtual Appliance This chapter introduces InterScan™ Messaging Security Virtual Appliance (IMSVA) features. capabilities. Topics include: • About InterScan Messaging Security Virtual Appliance on page 1-2 • IMSVA Main Features and Benefits on page 1-2 • About Cloud Pre-Filter on page 1-10 • About Email Encryption on page 1-10 • About Spyware/Grayware on page 1-10 • About Trend Micro Control Manager on page 1-12 • About Trend Micro Smart Protection on page 1-15 • About Command & Control (C&C) Contact Alert Services on page 1-17 1-1 . and technology. . Optimized for high performance and continuous security. Email encryption Trend Micro Email Encryption integrates with IMSVA to encrypt or decrypt all email traffic entering and leaving your network. TABLE 1-1. IMSVA Main Features and Benefits The following table outlines the main features and benefits that IMSVA can provide to your network. providing easy administration. Cloud Pre-Filter can stop significant amounts of spam and malicious messages (up to 90% of your total message traffic) from ever reaching your network. By encrypting all email messages leaving a network administrators can prevent sensitive data from being leaked.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About InterScan Messaging Security Virtual Appliance InterScan Messaging Security Virtual Appliance (IMSVA) integrates multi-tiered spam prevention and anti-phishing with award-winning antivirus and anti-spyware. Content filtering enforces compliance and prevents data leakage. This easy-to-deploy appliance is delivered on a highly scalable platform with centralized management. Trend Micro Email Encryption provides IMSVA the ability to encrypt all email messages leaving your network. Main Features and Benefits FEATURE DESCRIPTIONS BENEFITS Data and system protection 1-2 Cloud-based pre-filtering of messages Cloud Pre-Filter integrates with IMSVA to scan all email traffic before it reaches your network. the appliance provides comprehensive gateway email security. recipients and reply-to addresses in a message's header. Regulatory compliance Administrators can meet government regulatory requirements using the new default policy scanning conditions Compliance templates. as well as URLs in the message body. C&C Contact Alert Services provides IMSVA with enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. protecting your system from new threats that have yet to be added to patterns. to see if any of them matches known C&C objects. real-time security status lookup capabilities in the cloud • Reduce the time necessary to deliver protection against emerging threats • Lower memory consumption on the server 1-3 .Introducing InterScan Messaging Security Virtual Appliance FEATURE DESCRIPTIONS BENEFITS Advanced antimalware protection The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and aggressive heuristic scanning to detect document exploits and other threats used in targeted attacks. ATSE identifies both known and unknown advanced threats. • GLBA • HIPAA • PCI-DSS • SB-1386 • US PII Smart Scan leverages the Smart Protection Network to: • Enable fast. Command & Control (C&C) Contact Alert Services C&C Contact Alert Services allows IMSVA to inspect the sender. Compliance templates provide administrators with regulatory compliance for the following: Smart Scan Smart Scan facilitates a more efficient scanning process by offloading a large number of threat signatures previously stored on the IMSVA server to the cloud. IntelliTrap is turned on as one of the scanning conditions for an antivirus policy. and is configured to quarantine message attachments that may be classified as security risks. Because there is the possibility that IntelliTrap may identify a non-threat file as a security risk.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FEATURE IntelliTrap DESCRIPTIONS BENEFITS Virus writers often attempt to circumvent virus filtering by using different file compression schemes. Real-time Statistics and Monitor Administrators can monitor the scan performance and IP filtering performance of all IMSVA devices (within a group) on the management console. Detailed logging helps administrators proactively manage issues before they become a problem. you may want to disable this feature. Content management IMSVA analyzes email messages and their attachments. IntelliTrap provides heuristic evaluation of these compressed files. By default. for appropriate content. can be blocked or deferred effectively using IMSVA. IntelliTrap helps reduce the risk that a virus compressed using different file compression schemes will enter your network through email. large attachments. In addition. if your users regularly exchange compressed files. Trend Micro recommends quarantining message attachments that fall into this category when IntelliTrap is enabled. and so on. such as personal communication. traveling to and from your network. Protection against other email threats 1-4 . IMSVA provides administrators with an overview of the system that keeps administrators informed on the first sign of mail processing issues. Content that you deem inappropriate. thus reducing the chances of a DoS attack. or sending messages that contain multiple viruses or recursively compressed files. or ActiveX controls can also perform harmful actions. IMSVA allows you to configure the characteristics of messages that you want to stop at the SMTP gateway. or conduct personal business during working hours. such as executable programs and documents with embedded macros. Java applets. Most companies have acceptable usage policies for their messaging system—IMSVA provides tools to enforce and ensure compliance with existing policies. can harbor viruses. IMSVA provides tools for monitoring and blocking content to help reduce the risk that messages containing inappropriate or confidential material will be allowed through your gateway. Employees may engage in sexual or racial harassment. Spam messages consume network bandwidth and affect employee productivity. IMSVA allows you to configure the types of messages that are allowed to pass through the SMTP gateway.Introducing InterScan Messaging Security Virtual Appliance FEATURE DESCRIPTIONS BENEFITS DoS attacks By flooding a mail server with large attachments. Some employees use company messaging systems to send personal messages. 1-5 . individuals with malicious intent can disrupt mail processing. Inappropriate messages that originate from a company’s mail server damage the company’s reputation. even if the opinions expressed in the message are not those of the company. Messages with HTML script files. HTML links. transfer large multimedia files. Malicious email content Many types of file attachments. or other illegal activity. Dishonest employees can use a company messaging system to leak confidential information. Degradation of services Non-business-related email traffic has become a problem in many organizations. Legal liability and business integrity Improper use of email can also put a company at risk of legal liability. . confidentiality. You can save resources. By auto-deleting messages that contain mass-mailing viruses. you can configure the program to quarantine the message instead of deleting the entire message. avoid help desk calls from concerned employees and eliminate post-outbreak cleanup work by choosing to automatically delete these types of viruses and their email containers. your clients are at risk from potential threats such as spyware. quarantine. Integrated anti-spam features 1-6 IMSVA’s ability to protect your environment against spyware and other types of grayware enables you to significantly reduce security. if IMSVA detects a massmailing virus. the action performed against this virus can be different from the actions against other types of viruses. to ensure that important information will not be lost. For more information. However. For example. if IMSVA detects a macro virus in a Microsoft Office document with important information. adware and dialers.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FEATURE Mass mailing virus containment DESCRIPTIONS BENEFITS Email-borne viruses that may automatically spread bogus messages through a company’s messaging system can be expensive to clean up and cause panic among users. you avoid using server resources to scan. the program can automatically delete the entire message. see About Spyware/Grayware on page 1-10. When IMSVA detects a massmailing virus. or process messages and files that have no redeeming value. and legal risks to your organization. Protection from spyware and other types of grayware Spyware and other types of grayware Other than viruses. The identities of known massmailing viruses are in the Mass Mailing Pattern that is updated using the TrendLabs℠ ActiveUpdate Servers. even as spam senders change their techniques. Administration and integration LDAP and domain-based policies You can configure LDAP settings if you are using LDAP directory services such as Lotus Domino™ or Microsoft™ Active Directory™ for user-group definition and administrator privileges. Note Activate SPS before you configure IP Profiler and Email reputation. based on the sender and recipient addresses. With the integration of IP Filtering. content analysis provides highperformance. real-time detection that is highly adaptable. fully configurable feature that proactively blocks IP addresses of computers that send spam and other types of potential threats. 1-7 . To use SPS. obtain an SPS Activation Code. which includes IP Profiler and Email reputation. The detection technology used by Spam Prevention Solution (SPS) is based on sophisticated content processing and statistical analysis. SPS works by using a built-in spam filter that automatically becomes active when you register and activate the SPS license. IMSVA can block spammers at the IP level. For more information. Using LDAP. you can define multiple rules to enforce your company’s email usage guidelines.Introducing InterScan Messaging Security Virtual Appliance FEATURE DESCRIPTIONS BENEFITS Spam Prevention Solution (SPS) Spam Prevention Solution (SPS) is a licensed product from Trend Micro that provides spam detection services to other Trend Micro products. contact your sales representative. Unlike other approaches to identifying spam. Spam Filtering with IP Profiler and Email reputation IP Profiler is a self-learning. You can define rules for individuals or groups. Email reputation blocks IP addresses of known spam senders that Trend Micro maintains in a central database. End-User Quarantine (EUQ) IMSVA provides web-based EUQ to improve spam management. The management console is SSL-compatible. or approve for delivery. weekly. IMSVA also enables users to apply actions to quarantined messages and to add senders to the Approved Senders list through links in the EUQ digest. Centralized reporting Centralized reporting gives you the flexibility of generating one time (on demand) reports or scheduled reports. you can promote the sharing of administrative duties.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FEATURE BENEFITS Web-based management console The management console allows you to conveniently configure IMSVA policies and settings. Delegated administration IMSVA offers the ability to create different access rights to the management console. delete. Helps you analyze how IMSVA is performing. One time (on demand) reports allow you to specify the type of report content as and when required. Being SSLcompatible means access to IMSVA is more secure. . System availability monitor 1-8 DESCRIPTIONS A built-in agent monitors the health of your IMSVA server and delivers notifications through email or SNMP trap when a fault condition threatens to disrupt the mail flow. By delegating administrative roles to different employees. The EUQ indexes these messages into a database. you can configure IMSVA to automatically generate reports daily. and monthly. IMSVA quarantines messages that it determines are spam. The messages are then available for end-users to review. Alternatively. The web-based EUQ service allows end-users to manage the spam quarantine of their personal accounts and of distribution lists that they belong to. You can choose which sections of the console are accessible for different administrator logon accounts. end-users can manage messages that IMSVA quarantines. With the web-based EUQ management console. Email and SNMP notification on detection of system failure allows you to take immediate corrective actions and minimize downtime. In particular. TrendLabs issues a policy that uses the advanced content filters in IMSVA to block messages by identifying suspicious characteristics in these messages.Introducing InterScan Messaging Security Virtual Appliance FEATURE DESCRIPTIONS BENEFITS POP3 scanning You can choose to enable or disable POP3 scanning from the management console. These rules help minimize the window of opportunity for an infection before the updated pattern file is available. Integration with Trend Micro Control Manager™ Trend Micro Control Manager™ (TMCM) is a software management solution that gives you the ability to control antivirus and content security programs from a central location regardless of the program’s physical location or platform. including attachments. to Virtual Analyzer for further analysis. IMSVA sends suspicious messages. IMSVA integrates with the Virtual Analyzer in Deep Discovery Advisor. When a Trend Micro product detects a new email-borne virus. In addition to SMTP traffic. Integration with Deep Discovery Advisor Trend Micro™ Deep Discovery Advisor is a separately licensed product that provides unique security visibility based on Trend Micro’s proprietary threat analysis and recommendation engines. 1-9 . Virtual Analyzer performs content simulation and analysis in an isolated virtual environment to identify characteristics commonly associated with many types of malware. IMSVA can also scan POP3 messages at the gateway as messaging clients in your network retrieve them. Outbreak Prevention Services delivered through Trend Micro Control Manager™ reduces the risk of outbreaks. This application can simplify the administration of a corporate virus and content security policy. Virtual Analyzer checks if files attached to messages contain exploit code. mail servers or archiving solutions. This enables easy integration with other email server-based products. About Email Encryption Trend Micro Email Encryption provides IMSVA with the ability to perform encryption and decryption of email. confidentiality. No email is stored in the cloud. IMSVA has the ability to encrypt and decrypt email regardless of the email client or platform from which it originated. And local quarantines ensure your email stays private. The encryption and decryption of email on Trend Micro Email Encryption is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters. be them content scanners. and legal risks to your organization. With Cloud Pre-Filter. With Email Encryption. such as sender and recipient email addresses.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About Cloud Pre-Filter Cloud Pre-Filter is a cloud security solution that integrates with IMSVA to provide proactive protection in the cloud with the privacy and control of an on-premise. 1-10 . keywords or where the email (or attachments) contain credit card numbers. virtual appliance. Trend Micro Email Encryption presents itself as a simple mail transfer protocol (SMTP) interface and delivers email out over SMTP to a configured outbound mail transport agent (MTA). About Spyware/Grayware Your clients are at risk from potential threats other than viruses/malware. Cloud Pre-Filter reduces inbound email volume up to 90% by blocking spam and malware outside your network. Cloud Pre-Filter is integrated with IMSVA at the gateway allowing flexible control over sensitive information. you can reduce complexity and overhead to realize significant cost savings. Grayware can negatively affect the performance of the computers on your network and introduce significant security. Types of Grayware TYPE DESCRIPTION Spyware Gathers data. such as user web surfing preferences. Potential Risks and Threats The existence of spyware/grayware on your network has the potential to introduce the following: 1-11 . such as closing and opening the CD-ROM tray and displaying numerous message boxes Hacking Tools Help hackers enter computers Remote Access Tools Help hackers remotely access and control computers Password Cracking Applications Help hackers decipher account user names and passwords Other Other types not covered above How Spyware/Grayware Gets into your Network Spyware/grayware often gets into a corporate network when users download legitimate software that has grayware applications included in the installation package. and transmits them to third parties Adware Displays advertisements and gathers data. Most software programs include an End User License Agreement (EULA). however. Often the EULA does include information about the application and its intended use to collect personal data. to target advertisements at the user through a web browser Dialers Change computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem Joke Programs Cause abnormal computer behavior. such as account user names and passwords.Introducing InterScan Messaging Security Virtual Appliance TABLE 1-2. which the user has to accept before downloading. users often overlook this information or do not understand the legal jargon. they may be able to utilize your client computers to launch attacks or install spyware/grayware on computers outside your network. Spyware/grayware can also collect the user names and passwords users type to access their personal accounts.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide TABLE 1-3. This application can simplify the administration of a corporate virus/malware and content security policy. Degradation of network bandwidth Spyware/grayware applications often regularly transmit the data they collect to other applications running on your network or to locations outside of your network. users can be unnecessarily distracted from their main tasks. are often designed to create pop-up windows or display information in a browser frame or window. Types of Risks TYPE DESCRIPTION Reduced computer performance To perform their tasks. and corporate accounts that access resources on your network. About Trend Micro Control Manager Trend Micro™ Control Manager™ is a software management solution that gives you the ability to control antivirus and content security programs from a central locationregardless of the program’s physical location or platform. such as adware. such as a bank account. Reduced user efficiency By needing to close frequently occurring pop-up advertisements and deal with the negative effects of joke programs. Higher risk of legal liability If hackers gain access to the computer resources on your network. Having your network resources unwillingly participate in these types of activities could leave your organization legally liable to damages incurred by other parties. spyware/grayware applications often require significant CPU and system memory resources. grayware can sometimes cause browsers to crash or freeze and may even require a system reboot. Increased web browser-related crashes Certain types of grayware. Depending on how the code in these applications interacts with system processes. Loss of personal and corporate information Not all data that spyware/grayware applications collect is as innocuous as a list of websites users visit. 1-12 . The web-based Control Manager management console is hosted from this server. and sends them to Control Manager. 1-13 . The agent collects logs from the product. The agent receives commands from the Control Manager server. Control Manager Support The following table shows a list of Control Manager features that IMSVA supports. The Outbreak Prevention Policy (OPP) is a quick response to an outbreak developed by TrendLabs that contains a list of actions IMSVA should perform to reduce the likelihood of the IMSVA server or its clients from becoming infected. and then applies them to the managed product. Yes Only IMSVA can initiate a communication process with Control Manager. TABLE 1-4. • Entity: An entity is a representation of a managed product on the Product Directory link. The directory tree displays all managed entities residing on the Control Manager console. • Agent: The agent is an application installed on a managed product that allows Control Manager to manage the product.Introducing InterScan Messaging Security Virtual Appliance • Control Manager server: The Control Manager server is the machine upon which the Control Manager application is installed. Each entity has an icon in the directory tree. either IMSVA or Control Manager may initiate the communication process. No. Trend Micro ActiveUpdate Server deploys this policy to IMSVA through Control Manager. Supported Control Manager Features FEATURE 2-way communication Outbreak Prevention Policy DESCRIPTION SUPPORTED? Using 2-way communication. and Email reputation logs to Control Manager for query purposes.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FEATURE 1-14 DESCRIPTION SUPPORTED? Log upload for query Uploads IMSVA virus logs. Yes Renew product registration Renew IMSVA product license from Control Manager. Configuration by user interface redirect Configure IMSVA through the IMSVA management console accessible from Control Manager. Yes Pattern update Update pattern files used by IMSVA from Control Manager Yes Engine update Update engines used by IMSVA from Control Manager. Yes You need to first log on to the IMSVA management console before you can manage IMSVA from Control Manager. Yes Product component update Update IMSVA product components such as patches and hot fixes from Control Manager. Content Security logs. Yes Single Sign-on Manage IMSVA from Control Manager directly without first logging on to the IMSVA management console. Refer to the specific patch or hot fix readme file for instructions on how to update the product components. Configuration replication Replicate configuration settings from an existing IMSVA server to a new IMSVA server from Control Manager. . No. No. Yes Customized reporting from Control Manager Control Manager provides customized reporting and log queries for email-related data. To enable/disable the agent. Go to Administration > Connections. Smart protection services include: File Reputation Services File reputation decouples the pattern file from the local scan engine and conducts pattern file lookups to the Trend Micro Smart Protection Network.Introducing InterScan Messaging Security Virtual Appliance FEATURE Control Manager agent installation/ uninstallation DESCRIPTION Install or uninstall IMSVA Control Manager agent from Control Manager. 1-15 . select/clear the check box next to Enable MCP Agent. SUPPORTED? No. By processing threat information in the cloud. Event notification Send IMSVA event notification from Control Manager. Trend Micro smart protection reduces demand on system resources and eliminates time-consuming signature downloads. Yes About Trend Micro Smart Protection Trend Micro provides next-generation content security through smart protection services. 2. do the following from the IMSVA management console: 1. 3. Yes Command tracking for all commands Track the status of commands that Control Manager issues to IMSVA. IMSVA Control Manager agent is automatically installed when you install IMSVA. Click the TMCM Server tab. To enable/disable the agent. and suspicious activity indicators discovered through malware behavior analysis. network bandwidth usage. Web Reputation Services With one of the largest reputation databases in the world. Trend Micro assigns reputation scores to specific pages instead of classifying entire sites to increase accuracy and reduce false positives. While this method works. Trend Micro continually enhances file reputation to improve malware detection. the continued increase in threat volume can impact server and workstation performance. historical location changes.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide High performance content delivery networks ensure minimum latency during the checking process and enable more immediate protection. To address the exponential growth rate of threats. and the overall time it takes to delivery quality protection. Trend Micro pioneered a smart approach that off-loads the storage of malware signatures to the cloud. Smart Feedback allows Trend Micro to use community feedback of files from millions of users to identify pertinent information that helps determine the likelihood that a file is malicious. The technology and architecture used in this effort allows Trend Micro to provide better protection to customers against the volume of emerging malware threats. Trend Micro web reputation tracks the credibility of domains based on factors such as age. Web reputation technology prevents users from: • Accessing compromised or infected sites • Communicating with Command & Control (C&C) servers used in cybercrime The Need for a New Solution The conventional threat handling approach uses malware patterns or definitions that are delivered to a client on a scheduled basis and stored locally. new updates need to be received and reloaded into the malware prevention software regularly. To ensure continued protection. 1-16 . The client correlates a website's reputation with the specific web reputation policy enforced on the computer to determine whether access to the site is allowed or blocked. at home. The Trend Micro Smart Protection Network is a next-generation cloud-client content security infrastructure designed to protect customers from security risks and web threats. 1-17 . The Smart Protection Network uses lighter-weight clients to access its unique in-the-cloud correlation of email. and rated by the Trend Micro Smart Protection Network to detect callback addresses.smartprotectionnetwork.com About Command & Control (C&C) Contact Alert Services Trend Micro Command & Control (C&C) Contact Alert Services provides IMSVA with enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. tested. or on the go. visit: www. A client sends scan queries to the Smart Protection Network if its own pattern definitions cannot determine the risk of a file.Introducing InterScan Messaging Security Virtual Appliance Trend Micro™ Smart Protection Network™ Trend Micro delivers File Reputation Services and Web Reputation Services to IMSVA through the Trend Micro™ Smart Protection Network™. For more information on the Smart Protection Network. Customers' protection is automatically updated and strengthened as more products. creating a real-time neighborhood watch protection service for its users. The Smart Protection Network provides File Reputation Services by hosting the majority of the malware pattern definitions. It leverages the Global Intelligence list compiled. It powers both on-premise and Trend Micro hosted solutions to protect users whether they are on the network. as well as threat databases. web. and file reputation technologies. A client sends web reputation queries to the Smart Protection Network to check the reputation of websites that a user is attempting to access. The Smart Protection Network provides Web Reputation Services by hosting web reputation data previously available only through Trend Micro hosted servers. services and users access the network. 1-18 . to see if any of them matches known C&C objects. recipients and reply-to addresses in a message's header. as well as URLs in the message body.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide With C&C Contact Alert Services. IMSVA logs all detected email with C&C objects and the action taken on these messages. Administrators can configure IMSVA to quarantine such messages and send a notification when a message is flagged. IMSVA sends these logs to Control Manager for query purposes. IMSVA has the ability to inspect the sender. Chapter 2 This chapter explains how to log on to the management console and provides instructions on what to do immediately after installation to get IMSVA up and running. 2-1 . 2-2 . Type the following URL: https://<target server IP address>:8445 Tip An alternative to using the IP address is to use the target server’s fully qualified domain name (FQDN). The default logon credentials are as follows: 3. Add the management console IP address to your Trusted sites list (Internet Options > Security in Internet Explorer) or ignore the message and click Continue to this web site to proceed. Type the logon credentials to open the management console.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Opening the IMSVA Management Console You can view the IMSVA management console using a web browser from the server where you installed the program. Procedure 1. 2. What to do next Trend Micro recommends changing the password regularly. to prevent unauthorized access to the management console. or remotely across the network. • Administrator user name: admin • Password: imsva Click Log On.0 to access the management console. Internet Explorer will block the access and display a popup dialog box indicating that the certificate was issued from a different web address. Note If you are using Internet Explorer 7. using SSL. Help ( To access the table of contents for the Online Help. click the ) icon located at the top right corner of the page. ) icon next to FIGURE 2-1. Trend Micro suggests creating your own certificate to increase security.keystore /opt/trend/imss/UI/apache/conf/ssl.crt /opt/trend/imss/UI/apache/conf/ssl. After installing IMSVA.key/server.crt/server. replace the following: /opt/trend/imss/UI/tomcat/sslkey/. SSL communication should work because the installation contains a default certificate.key 2-3 . click the Help ( the Log Off hyperlink on the right of the page header. Table of Contents Access for Online Help Viewing the Management Console Using Secure Socket Layer The IMSVA management console supports encrypted communication.Using the Online Help The IMSVA management console comes with an Online Help that provides a description of each field on the user interface. If you want to use your own certificate. To access page-specific Online Help from the IMSVA management console. key -days 3652 -sha1 d. Generate a Private Key and Certificate Signing Request (CSR): openssl req -new > new.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Creating an SSL Certificate Procedure 1.key 2-4 .cert.cert.cert. Remove pass-phrase from the key: openssl rsa -in privkey.key /opt/trend/imss/UI/apache/conf/ssl. Generate a Self-Signed Certificate: openssl x509 -in new.0-doc/ssl-howto.cert.cert.crt cp new.cert/opt/trend/imss/UI/apache/conf/ssl. Copy the certificate and key to the Apache path: cp new.cert -req signkey new. as follows: a.apache. Create the Tomcat SSL certificate for the IMSVA management console.org/tomcat-6.csr -out new.html 2.pem -out new.crt/ server. visit: http://tomcat.cert. as follows: $IMSS_HOME/UI/javaJRE/bin/keytool -genkey -alias tomcat keyalg RSA -sigalg SHA1withRSA -keystore with a password value of changeit for both the certificate and the keystore itself $IMSS_HOME/UI/tomcat/sslkey/.keystore -validity 3652 For more details on SSL configuration in Tomcat.cert.key c.csr b.key/ server. Create the Apache SSL certificate for the EUQ management console. Log on to the management console. If your parent device or your child devices have multiple network interface cards (NIC). Make sure that you are logging on to the parent device management console. On the parent device in the CLI: configure network route add <IP address of child device’s Internal Communication Port>/32 <next hop> <Internal Communication Port of parent device> On the child device in the CLI: configure network route add <IP address of parent device’s Internal Communication Port >/32 <next hop> <Internal Communication Port of child device> 2. Determine the Internal Communication Port IP address of the child device. 2-5 . add a host-route entry by Command Line Interface (CLI) following the instructions below.Setting Up a Child Device This section explains how to set up a child device and register it to the parent device. After you set up a parent device (see Viewing the Management Console Using Secure Socket Layer on page 2-3). Make sure the parent device is operational. Procedure 1. see Configuring NTP Settings on page 29-18. b. Tip Trend Micro recommends using an NTP server if you intend to set up child devices. WARNING! Parent and child devices must use their Internal Communication Port to communicate with each other. do the following: a. For more information. Doing so ensures that the time and date of devices in the IMSVA group are synchronized. c. Policy. On the parent device. Note If you enabled EUQ on the parent.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. Click Finish. or EUQ services. add the IP address for the Internal Communication Port of the child device. On the parent device. Navigate to System Status. Under Add IP Address. Navigate to Administration > IMSVA Configuration > Connections > Child IP. d. All IMSVA devices have the same management console logon credentials. c. On the child device. connect a management computer to the child device and log on to the management console. Just as you did for the parent device. b. configure the local system settings and then click Next>. Select Redistribute all or Only redistribute to approved senders. navigate to Administration > End-User Quarantine. 2-6 . 4. Verify that the child device appears under Managed Services and that a green check mark ( ) appears under Connection. On the Deployment Settings screen. select Child Server and add the IP address for the Internal Communication Port of the parent device. In the Setup Wizard. it will also be enabled on the child. redistribute the data across the EUQ databases: a. If you want to use EUQ on the child device. b. You can start or stop Scanner. d. do the following: a. Tip Trend Micro recommends choosing Redistribute all. b. do the following: a. 5. Specify the name of the screen or the name of a feature in the Smart Search text box and then select an entry from the drop-down list that appears. • That the administrator notifies all end users not to add EUQ approved senders list when the administrator is adding a child device and redistributing EUQ. Some of the newly added approved senders might not appear. Procedure 1. Trend Micro recommends the following: • After redistributing EUQ. Go to Administration > Password. the administrator informs all end users to verify that the newly added approved senders are still available. Using Smart Search Smart Search provides a quick way to navigate to screens on the management console. 2-7 . Note If you registered an EUQ-enabled child device to its parent device. and then re-distribute EUQ data. Trend Micro strongly recommends that you change the password immediately. WARNING! If you are still using the default password.c. add senders to the approved senders list. Click Redistribute. Changing the Management Console Password Trend Micro recommends periodically changing the password you use to access the management console. . Specify the current password.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. Note A valid password can contain letters. the new password. configure IMSVA proxy settings. The password must be between 4 and 32 alphanumeric characters. Configuring Proxy Settings If your network uses a proxy server. Proxy settings affect the following: • Component updates (pattern files and scan engines) • Product license registration • Web Reputation queries • Cloud Pre-Filter service and Smart Feedback • Trend Micro Email Encryption Procedure 1. Click Save. and the new password confirmation.= _. numbers and the following characters: `~!@#$ %^&*()[]{}+-|:'<>?/.. 3. 2-8 Go to Administration > Proxy. Web Reputation queries. Specify the port the proxy server uses to connect to the Internet. or SOCKS5. 2. Trend Micro recommends using HTTP or SOCKS5.The Proxy screen appears. licenses. 7. 5. Click Save. 3. Specify the proxy protocol: HTTP. Select Use a proxy server for updates to patterns. Cloud Pre-Filter. SOCKS4. Tip When using Cloud Pre-Filter. Specify the user name you need for administrative access to the proxy server. 8. 2-9 . Specify the host name or IP address of the proxy server. 4. 6. engines. Specify the corresponding password. and Trend Micro Email Encryption. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide IMSVA Services The scanner and policy services must be started to start protecting your network using IMSVA. choose whether to install or start the EUQ service. however. refer to the Installation Guide. For more information on these services. Starting or Stopping Services After you have successfully installed IMSVA and configured the various settings. You can. start the services to begin scanning for malware and other threats. • EUQ Services: Hosts a web-based management console to enable end users to view. . 2-10 Go to System Status. • Scanner Services: Performs scanning of SMTP/POP3 traffic. delete and release spam messages addressed to them. You may need to stop IMSVA services prior to performing an upgrade or backup function. Procedure 1. • Policy Services: Acts as a remote store of rules for the scanner services to enhance rule lookups. Under the Managed Services Settings section. Selecting a Scan Method IMSVA provides two scanning methods for detection of malware and other security threats. Procedure 1.2. Navigate to Policy > Scan Method. 2-11 . click the Start or Stop button for the service(s) that you would like to start or stop. and any time after the discovery of a particularly damaging virus/malware. The Virus Pattern contains information that helps IMSVA identify the latest virus/malware and mixed threat attacks. The Smart Scan Agent Pattern is updated daily by Trend Micro and delivers the same protection provided by conventional antimalware and antispyware patterns. • Smart Scan: Smart scan leverages threat signatures that are stored in the cloud. Note Note: Conventional Scan is the default scan method for fresh installations. 2-12 . If the Smart Scan Agent Pattern cannot determine the reputation of a file. • Conventional Scan: Conventional scan leverages anti-malware and antispyware components stored locally. IMSVA uses the Smart Scan Agent Pattern to check for security risks. IMSVA queries the Smart Protection Network to provide up-to-date protection. Trend Micro creates and releases new versions of the Virus Pattern several times a week.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Scan Method screen displays. Select one of the following malware scanning methods. 2. When in Smart Scan mode. IMSVA does not save your settings. Reselect a scan method and save your settings again. If a connection is not established. • IMSVA reverts to Conventional Scan whenever unable to connect to the Smart Protection Network. Navigate to the Scan Method screen and reselect Smart Scan. For details on configuring notifications. 2-13 . • You can configure IMSVA to send notifications for unsuccessful attempts to connect to the Smart Protection Network. 4. Optional: Use an HTTP proxy server to connect to the Smart Protection Network. Specify the following: • Proxy server address • Proxy server port • User name • Password Click Save. see Notifications on page 26-1. If Smart Scan is selected: • IMSVA attempts to connect to the Smart Protection Network immediately after you click Save.3. Note IMSVA automatically restarts the scanner service (imssd) whenever you change your scan method settings. . Chapter 3 Configuring User Accounts This chapter explains how to add. Topics include: • Administrator Account Management on page 3-2 • Adding Administrator Accounts on page 3-2 • Editing or Deleting Administrator Accounts on page 3-5 3-1 . and manage user accounts. configure. • None: Users will not see the menu item. Procedure 1. . 2. The Admin Accounts screen appears. • Read: Users can view features and settings contained in the menu item. assign the desired permissions to the various areas of the management console. Adding Administrator Accounts Created accounts have three permission settings for IMSVA features: • Full: Users have complete access to the features and settings contained in the menu item. you can delegate administrative tasks to other staff by creating new administrator accounts. 3-2 Click Add. After creating the accounts. preventing them from viewing or configuring any of the settings in the menu item.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Administrator Account Management To reduce bottlenecks in administering IMSVA. The default "admin" account has access to all IMSVA features. Navigate to Administration > Admin Accounts. but cannot modify them. • 4. The password must be between 4 and 32 alphanumeric characters. Specify Authentication settings: a. Click the Permissions tab. LDAP authentication: Specify the LDAP user name. 3-3 . Select an authentication type: • IMSVAAuthentication: Specify the user name. displaying the Authentication tab. 3.Configuring User Accounts The Add Administrator Account screen appears. b. new password. and the new password confirmation. Select Enable account. Specify Permissions settings: a. Read. or None for each of the following access areas that appear on the IMSVA management console menu: • Summary • Cloud Pre-Filter • Policy • IP Filtering • Reports • Logs • Quarantine & Archive • Administration • Command Line Interface . 5.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Permissions screen appears. 3-4 Select Full. Custom administrator accounts cannot do so even if you assign full permission to the Administration area. Editing or Deleting Administrator Accounts You can change or delete the permissions of a custom administrator account whenever there is a revision of roles or other organizational changes. Click Save. 4. Editing Administrator Accounts Procedure 1. 2.Configuring User Accounts b. Click Save. The Admin Accounts screen appears. Navigate to Administration > Admin Accounts. Make the required changes. • Custom administrator accounts with full administration rights can only change their own IMSVA passwords. 3. contact Trend Micro technical support to reset the password. Select the check box next to the account to be removed. Deleting Administrator Accounts Procedure 1. If you forget the default administrator account password. Click the account name hyperlink. 3-5 . Note • Only the default IMSVA administrator account can add new administrator accounts. Click Delete. Note You can only delete custom administrator accounts. not the default IMSVA administrator account.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. 3. Click OK. 3-6 . Topics include: • Configuring IMSVA with the Configuration Wizard on page 4-2 4-1 .Chapter 4 Using the Configuration Wizard This chapter explains how to get IMSVA up and running using the configuration wizard. Type the following default user name and password: • User name: admin • Password: imsva The Configuration Wizard screen appears. 3. Type the following URL (accept the security certificate if necessary): https://<target server IP address>:8445 The Log On screen appears. Select the Open Configuration Wizard check box. Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring IMSVA with the Configuration Wizard IMSVA provides a configuration wizard to help you configure all the settings you need to get IMSVA up and running. 4-2 . On the management computer. 2. open a supported web browser. 4. The Local System Settings screen appears.Using the Configuration Wizard Step 1: Configuring System Settings Procedure 1. Click Next. 4-3 . Also. configure your network settings and set the device system time. The Deployment Settings screen appears. you must select Parent. Step 2: Configuring Deployment Settings Procedure 1. Wait until IMSVA is online and then log on again. clear the gateway deployment check box. If this is the first device you are setting up. and netmask if necessary. IP address. Modify the device host name. You can configure additional child devices at a later time. Select Parent or Child. Click Next. If the IP address or time settings are changed. Note The local system settings take effect immediately when you click the Next > button.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. 2. To deploy the device between upstream and downstream MTAs. internal communication port. IMSVA will restart. 4-4 . Using the Configuration Wizard Also. Step 3: Configuring SMTP Routing Procedure 1. 4-5 . decide if you want to use the NTP service. Click Next. The SMTP Routing screen appears. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4-6 . 4-7 . configure the following: • Recipient: Specify the recipient email addresses. Specify the SMTP root domain and default delivery method. Step 4: Configuring Notification Settings Procedure 1. Click Next.Using the Configuration Wizard 2. • SMTP server address: Specify the Fully Qualified Domain Name (FQDN) or the IP address of the SMTP server that delivers email on the network. Under Email Settings. 2. The Notification Settings screen appears. • Sender's email address: Specify the email address to appear as the sender. • Message header: Specify the text to appear at the top of the notification. configure the following: Note SNMP Trap is the notification message sent to the Simple Network Management Protocol (SNMP) server when events that require administrative attention occur. • Message footer: Specify the text to appear at the bottom of the notification. To send the alert message to all SNMP management stations. 4-8 . Under SNMP Trap. For more information. The Update Source screen appears. specify 'public' as the community name. • Server name: Specify the FQDN or IP address of the SNMP server. Note Community is the group that computers and management stations running SNMP belong to.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. Step 5: Configuring the Update Source Procedure 1. • Preferred charset: IMSVA will use this setting to encode the notification messages. refer to the SNMP documentation. • Community: Specify the SNMP server community name. Click Next. • SMTP server port: Specify the port number that IMSVA uses to connect to the SMTP server. port. Alternatively. server name.Using the Configuration Wizard 2. and Trend Micro Email Encryption check box and configure the proxy type. if applicable. Configure the following update settings. 4-9 . user name. Cloud Pre-Filter. engines. • Proxy Settings: Select the Use a proxy server for updates to patterns. click Other Internet source and specify the URL of the update source that will check the Trend Micro ActiveUpdate server for updates. which will determine from where IMSVA will receive its component updates and through which proxy (if any) IMSVA needs to connect to access the Internet: • Source: Click Trend Micro ActiveUpdate server to receive updates directly from Trend Micro. licenses. Web Reputation queries. You can specify an update source of your choice or type the URL of your Control Manager server http://<CM server address>/ControlManager/download/activeupdate/. and passwords. or End-User Quarantine authentication. The LDAP Settings screen appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Step 6: Configuring LDAP Settings Note Specify LDAP settings only if you will use LDAP for user-group definition. Procedure 1. Click Next. administrator privileges. 4-10 . Complete the following to enable LDAP settings: a. select one of the following: • Domino 4-11 .Using the Configuration Wizard 2. Specify a meaningful description for the LDAP server. 3. For LDAP server type. Under LDAP cache expiration for policy services and EUQ services. and the base-distinguished name. specify a number that represents the time to live next to the Time to Live in minutes field. See the following table for a guide on what to specify for the LDAP admin settings. select the check boxes next to Enable LDAP 1 or Enable LDAP 2. LDAP Server Types LDAP SERVER Active Directory™ LDAP ADMIN ACCOUNT (EXAMPLES) Without Kerberos: user1@domain. To enable one or both LDAP servers. dc=com AUTHENTICATION METHOD Simple Advanced (with Kerberos) . TABLE 4-1.c om (UPN) or domain\user1 With Kerberos: [email protected] om 4-12 BASE DISTINGUISHED NAME (EXAMPLES) dc=domain.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Microsoft Active Directory • Microsoft AD Global Catalog • OpenLDAP • Sun iPlanet Directory b. its corresponding password. e. c. d. Specify the names of the LDAP servers and the port numbers they listen on. Under LDAP admin. specify the administrator account. • If you are configuring a rule for incoming messages. dc=com dc=domain. click Simple or Advanced authentication. Step 7: Configuring Internal Addresses IMSVA uses the internal addresses to determine whether a policy or an event is inbound or outbound. ou=people. dc=com dc=domain1. OpenLDAP cn=manager.dc=c om (if mutiple unique domains exist) AUTHENTICATION METHOD Simple Advanced (with Kerberos) user1@domain. the internal address list applies to the recipients. dc=com Simple For Authentication method. 4-13 . and KDC port number. KDC and admin server. dc=test1.c om (UPN) or domain\user1 With Kerberos: BASE DISTINGUISHED NAME (EXAMPLES) dc=domain. configure the Kerberos authentication default realm. For Active Directory advanced authentication. dc=com Simple Lotus Domino™ user1/domain Not applicable Simple Sun™ iPlanet Directory uid=user1. • If you are configuring a rule for outgoing messages. the internal address list applies to the senders. dc=domain.Using the Configuration Wizard LDAP SERVER Active Directory Global Catalog LDAP ADMIN ACCOUNT (EXAMPLES) Without Kerberos: [email protected] om f. dc=com dc=test1. Default domain. 4-14 To define internal domains and user groups. 2. The search result appears in the list box. To add it to the Selected list. Click Next. and then click >>.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. A screen for selecting the LDAP groups appears. . specify the domain in the text box. The Internal Addresses screen appears. • Select Search for LDAP groups from the drop-down list. click >>. do one of the following: • Select Enter domain from the drop-down list. • Click the Import button to import a text file containing a list of predefined domains. Specify an LDAP group name to search in the text box and click Search. Ensure that the text file contains only one domain per line.Using the Configuration Wizard Note IMSVA can only import a domain list from a text file (. The TMCM Server Settings screen appears. Step 8: Configuring Control Manager Server Settings Procedure 1. *.txt).com or *. 4-15 . For example.com. Click Next. You can also use wildcard characters to specify the domain.example. do the following: a. Select Enable MCP Agent (installed with IMSVA by default). c. specify the user name and password for the web server if it requires authentication. 4-16 Under Web server authentication. and the default port number for HTTPS is 443. b. select HTTP or HTTPS and specify the corresponding port number. Next to Server.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. The default port number for HTTP access is 80. specify the TMCM IP address or FQDN. d. . Next to Communication protocol. If you will use Control Manager to manage IMSVA. 3.Using the Configuration Wizard e. Specify the proxy server port number. After obtaining the applicable Activation Codes. click Register Online and follow the directions at the Trend Micro Registration website. If a proxy server is between IMSVA and Control Manager. and password. The Product Activation screen appears. f. Click Next. user name. Step 9: Activating the Product Procedure 1. To obtain an Activation Code. specify the Activation Code for each product or service to activate. 4-17 . 2. select Enable proxy. 4-18 . 2. click Back and make changes.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Step 10: Verifying Settings Summary Procedure 1. click Finish. A Review Settings screen appears. To modify any specified setting. If the settings are correct. Click Next. Chapter 5 Updating Components This chapter explains how to update IMSVA components. Topics include: • Updating Engine and Pattern Files on page 5-2 • Specifying an Update Source on page 5-3 • Performing a Manual Update on page 5-4 • Rolling Back a Component Update on page 5-5 • Configuring Scheduled Updates on page 5-6 • Updating the System and Application Files on page 5-8 5-1 . spyware. network exploits and viruses in messages and attachments. You can choose to perform manual or scheduled updates. Antispam Pattern The Antispam Pattern helps IMSVA identify the latest spam in messages and attachments. Spyware Pattern The Spyware Pattern identifies spyware/grayware in messages and attachments. Virus Pattern The Virus Pattern contains information that helps IMSVA identify the latest viruses/malware and mixed attacks. The following table provides a list of all IMSVA components.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Updating Engine and Pattern Files To ensure that your network is constantly protected against the latest malware. The URL Filtering Service is a system that rates URLs and provides rating information to IMSVA. Trojans. phishing sites. Antispam Engine The Antispam Engine detects spam in messages and attachments. IMSVA Components COMPONENT 5-2 DESCRIPTION Virus Scan Engine The Virus Scan Engine detects Internet worms. IntelliTrap Exception Pattern The IntelliTrap Exceptions Pattern contains a list of "approved" compression files. TABLE 5-1. . update IMSVA components on a regular basis. URL Filtering Engine The URL Filtering Engine facilitates communication between IMSVA and the Trend Micro URL Filtering Service. mass-mailers. Advanced Threat Scan Engine The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks. IntelliTrap Pattern The IntelliTrap Pattern detects real-time compression files packed as executable files. However.Updating Components COMPONENT DESCRIPTION Smart Scan Agent Pattern The Smart Scan Agent Pattern contains pattern definitions used by IMSVA when in Smart Scan mode. which is the source for up-to-date components. Go to Administration > Updates > Components. Under Source. specify the update source. IMSVA downloads components from the Trend Micro ActiveUpdate server. If you did not specify the update source when configuring IMSVA using the Configuration Wizard. provide the update source and/or any proxy settings. you can update the components from the Control Manager server. The Updates screen appears. Specifying an Update Source Before you can update the IMSVA scan engine and pattern files. IMSVA downloads this pattern from the update source using the same methods for downloading other components. Procedure 1. Click the Source tab. By default. 3. 2. if you are using Trend Micro Control Manager to manage IMSVA. select one of the following: 5-3 . .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. • Other Internet source: Specify the URL or IP address of the Control Manager server or other update source. • Trend Micro ActiveUpdate server: The default source for up-to-date components. click Next. If you are using the Configuration Wizard. 5-4 Go to the System Status screen. Performing a Manual Update Perform a manual update of IMSVA components under the following circumstances: • If you have just deployed or upgraded IMSVA. Click Save. Procedure 1. • If you suspect that your network’s security is compromised by new malware and would like to update the components immediately. 3. Click Update. select the first check box on the column header next to the Name field. select the check box next to the desired component. 5-5 . To update all components. antispyware. and antispam components that IMSVA uses to protect your network. Rolling Back a Component Update If you encounter any system issues after updating IMSVA components.Updating Components 2. Under Components. 4. verify the version numbers of the antivirus. To update specific component(s). you can roll back to the previous version. configure an update schedule. 2. schedule updates during off-peak hours. Click the Rollback button. 3. To roll back specific component(s). 5-6 Go to Administration > Updates > Components. If your network has limited Internet bandwidth. The System tab loads by default. your network will be at risk from Internet threats. Configuring Scheduled Updates If you are unable to regularly download antivirus and antispam components. To roll back all components to the previous versions. To automate the update process. . select the first check box on the column header next to the Name field. Procedure 1. Go to the System Status screen.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. select the check box next to the desired component. Trend Micro recommends updating all components. the update is triggered four times an hour: at 00. 30. 45 minutes. 4. Select the Enable scheduled update check box. Select the minute interval. Under Update Component. Select the number of minutes after the hour. 15.Updating Components The Updates screen appears with the Schedule tab selected by default. select the components to update. select the update frequency: • Minute intervals: Updates every { } minutes per hour. 2. the update will be triggered twice an hour: at 00 and 30 minutes. 5-7 . Under Update Schedule. • Hourly: Updates every hour at { } minutes. 3. For example. If you select 30. if you select 15. upload them to a parent IMSVA device and all of its child devices. Click Upload. Under Upload. click Browse and locate the file. • Deploy the file to selected devices. Updating devices is a two-step process: • Upload the file to the IMSVA parent device. the update is triggered at 15 minutes after the hour. By default. Select the time of day. • Weekly: Updates once a week at the specified day and time. every hour. 5. After the file finishes uploading. Uploading a New System or Application File Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide For example. if you select 15. the package type. Navigate to Administration > Updates > System & Applications. child devices will be updated before the parent device. Updating the System and Application Files When new operating system and application files become available from Trend Micro. • Daily: Updates every day at the time you choose. 3. Click Save. build number. 2. Select a day of the week and the time of day. 5-8 . and title appear under Latest uploaded package. Click Update. A summary screen appears showing the updates and related log information. click the name of the device you want to view. 3. 2. 2. To stop the update. 4. click Cancel. If a device check box is grayed out. Under Host Name. • Has more up-to-date files than the ones you are trying to deploy. WARNING! During the update. You can only roll back the latest application updates.Updating Components Deploying the System or Application File Procedure 1. do not modify any other settings. Accept the license agreement. Select the check boxes next to the devices to which you want to deploy the update. click Rollback. 5-9 . To remove an update. you cannot deploy the update to the device because the device: • Already has the updated files. Viewing Update History for any Device or to Roll Back an Update Procedure 1. Click OK. • Is a child device and you have not yet uploaded the files to the parent device. After the update is complete. a summary page appears. To view details of the patch update.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. 5-10 . click OK. click Download patch log. 4. To go back to the main screen. Chapter 6 Getting Started with Cloud Pre-Filter This chapter deals exclusively with Cloud Pre-Filter and how it is used with IMSVA. This chapter has the following topics: • Understanding Cloud Pre-Filter on page 6-2 • Creating a Cloud Pre-Filter Account on page 6-5 6-1 . and other messaging threats before the threats reach your network. These malicious messages waste network bandwidth and staff resources for the administration effort of handling malicious messages.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Understanding Cloud Pre-Filter Cloud Pre-Filter service is a managed email security service powered by the Trend Micro Email Security SaaS Solutions. viruses. By routing your inbound messages through the service. messages containing viruses. and other malicious threats reach your network directly. Mail Flow With and Without Cloud Pre-Filter Without Cloud Pre-Filter. you can protect your domains against spam. FIGURE 6-1. Mail flow without Cloud Pre-Filter 6-2 . phishing. spam. Getting Started with Cloud Pre-Filter With Cloud Pre-Filter. FIGURE 6-2. 6-3 . you can protect your domains against malicious messages coming from outside your network. Mail flow with Cloud Pre-Filter Cloud Pre-Filter and IMSVA Communication Cloud Pre-Filter uses the SMTP protocol to route messages to IMSVA. Cloud Pre-Filter blocks malicious messages before they reach your network. Cloud Pre-Filter and IMSVA Cloud Pre-Filter Terminology When referring to Cloud Pre-Filter. 6-4 . and retrieving message tracking and report data. managing polices related to an account. such as managing Cloud Pre-Filter policies and retrieving message tracking or report data. You must create one Cloud Pre-Filter account before you use the Cloud Pre-Filter service. the following terminology applies. FIGURE 6-3. such as creating an account. IMSVA stores the account information locally after creating an account. TABLE 6-1. Cloud Pre-Filter Terminology TERM Account DESCRIPTION The Cloud Pre-Filter account is used to manage Cloud Pre-Filter policies.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide IMSVA uses an HTTPS connection to communicate with Cloud Pre-Filter for command requests. IMSVA uses the account information to communicate with Cloud Pre-Filter to complete command requests. Cloud Pre-Filter service stores all policies in the cloud. Cloud Pre-Filter rejects all messages to domains that do not exist in the Cloud Pre-Filter policy list. Procedure 1. You can create only one policy per domain. Creating a Cloud Pre-Filter Account Before you can use Cloud Pre-Filter you must create a Cloud Pre-Filter account.Getting Started with Cloud Pre-Filter TERM Policy DESCRIPTION Cloud Pre-Filter policies apply to your domains. Click Cloud Pre-Filter. Inbound Server Inbound servers of Cloud Pre-Filter are the servers that receive your inbound messages. Cloud Pre-Filter provides the inbound server addresses when you create a domain to change your MX records. 6-5 . When the messages sent to the domain reach Cloud Pre-Filter. Cloud Pre-Filter uses the policy for that domain to determine how to scan the messages and how to route the messages to the domain. 2. 4. 3. Select No next to Do you have a Cloud Pre-Filter account:. Specify your location from the Your location list. 5. Specify an account name and email address for the account.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Create/Authenticate Cloud Pre-Filter Account screen appears. 6-6 . This setting specifies which of the global Trend Micro data centers you use. IMSVA generates a key for the Cloud Pre-Filter account. Click Create. Click Load Cloud Pre-Filter service. Tip Trend Micro recommends saving the key file. click Cloud Pre-Filter Account Information on the Cloud Pre-Filter Policy List screen. To view the account information. and other related settings. 6-7 . 8.Getting Started with Cloud Pre-Filter 6. 7. IMSVA uses the key and the user name to authenticate connection to Cloud Pre-Filter. data center information. The Cloud Pre-Filter Policy List screen appears. The key file contains your account password. Save this key to a secure location. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 6-8 . Topics include: • Scan Technology on page 7-2 • About Advanced Threat Scan Engine on page 7-2 • About Deep Discovery Advisor on page 7-4 7-1 .Chapter 7 Advanced Threat Scan Engine and Deep Discovery Advisor This chapter explains how to enable Advanced Threat Scan Engine and configure Deep Discovery Advisor. Note Deep Discovery Advisor is a separately licensed product. The following table outlines the scanning technology available in IMSVA. By enhancing the features of the Virus Scan Engine. Scan Technology SCAN TECHNOLOGY DESCRIPTION Virus Scan Engine The Virus Scan Engine employs basic pattern matching and heuristic scanning technology to identify threats. IMSVA integrates with the Virtual Analyzer in Deep Discovery Advisor. Advanced Threat Scan Engine (ATSE) ATSE performs aggressive scanning to check for less conventional threats such as document exploits. TABLE 7-1. ATSE detects possible advanced threats that can be sent to Deep Discovery Advisor for further analysis. Major features include: 7-2 • Detection of zero-day threats • Detection of embedded exploit code • Detection rules for known vulnerabilities • Enhanced parsers for handling file deformities .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Scan Technology IMSVA allows you to select the level of malware detection appropriate for your company's security policy by configuring the scan engine. About Advanced Threat Scan Engine The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks. 2. Heuristic scanning can detect advanced threats to mitigate damage to company systems. • Targeted attacks: Targeted attacks refer to computer intrusions staged by threat actors that aggressively pursue and compromise specific targets. Such code is typically incorporated into malware. Trend Micro recommends sending detected files to a controlled virtual environment for further observation and analysis. enabling ATSE may increase the possibility of legitimate files being flagged as malicious. Select Enable Advanced Threat Scan Engine. Enabling ATSE adds another layer of protection to systems against threats that are typically used in targeted attacks. Note Trend Micro recommends enabling ATSE. These attacks seek to maintain a persistent presence within the target's network so that the attackers can move laterally and extract sensitive information. 7-3 . Enabling Advanced Threat Scan Engine Procedure 1. • Zero-day threats: Zero-day threats exploit previously unknown vulnerabilities in software. Navigate to Policy > Scan Engine. Understanding Advanced Threats Advanced threats use less conventional means to attack or infect a system.Advanced Threat Scan Engine and Deep Discovery Advisor Important Because ATSE identifies both known and unknown advanced threats. Some types of advanced threats that ATSE detects include: • Exploits: Exploits are pieces of code purposely created by attackers to take advantage of software vulnerabilities. manage. Deep Discovery Advisor is designed to: • Collect. About Deep Discovery Advisor Trend Micro™ Deep Discovery Advisor is a separately licensed product that provides unique security visibility based on Trend Micro’s proprietary threat analysis and recommendation engines. such as document exploits and other threats used in targeted attacks. see the Deep Discovery Advisor Administrator’s Guide. Click Save. attackers find ways to cause such files to exploit vulnerabilities in programs and operating systems that run them. For more information. In particular. to Virtual Analyzer for further analysis. explore.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. Virtual Analyzer checks if files attached to messages contain exploit code. ATSE provides an additional layer of protection against advanced threats. Virtual Analyzer performs content simulation and analysis in an isolated virtual environment to identify characteristics commonly associated with many types of malware. including attachments. sending malicious files to target users has become an effective way for attackers to compromise systems. ATSE Detections and Deep Discovery Advisor IMSVA leverages ATSE to determine which messages are sent to Deep Discovery Advisor. When enabled. Because of this. The IMSVA daemon is automatically restarted when ATSE is enabled. Although many files include non-executable data. IMSVA sends suspicious messages. and analyze logs into a centralized storage space • Provide advanced visualization and investigation tools that monitor. 7-4 . and diagnose security events within the corporate network IMSVA integrates with the Virtual Analyzer in Deep Discovery Advisor. aggregate. IMSVA logs the detection as a Probable advanced threat. Tip Trend Micro recommends setting the security level to Low. After receiving the risk level. Deep Discovery Advisor assigns a risk level to each analyzed message. IMSVA: • Sends the entire message (including attachments) to Deep Discovery Advisor for further analysis. IMSVA logs the detection as a Probable advanced threat or an Analyzed advanced threat based on the risk level and the security level that you select on the IMSVA management console. The following table contains the security levels and the corresponding Deep Discovery Advisor risk levels that trigger an action from IMSVA.Advanced Threat Scan Engine and Deep Discovery Advisor ATSE detections are identifiable through the prefixes HEUR and EXPL. Deep Discovery Advisor Risk Levels and IMSVA Security Level Settings IMSVA takes action on ATSE-detected messages based on the risk level returned by Deep Discovery Advisor and the security level that you select on the IMSVA management console. Note If IMSVA does not receive a risk level. If the detection name contains one of these prefixes. Note IMSVA does not delete suspicious attachments from messages detected by ATSE. • Logs the detection as a Probable advanced threat. or if the risk level returned is invalid. IMSVA queries this risk level approximately 15 minutes after sending the message to Deep Discovery Advisor. 7-5 . 7-6 Navigate to Administration > IMSVA Configuration > Deep Discovery Advisor Configuration. If you select any other action. IMSVA processes the message according to the rule configuration and logs the Deep Discovery Advisor risk level. . the risk level and security level determine if IMSVA intercepts and reprocesses the message. Configuring Deep Discovery Advisor Settings Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide SECURITY LEVEL High DESCRIPTION Apply action on all messages exhibiting any suspicious behavior Medium Low Apply action on messages with a moderate to high probability if being malicious Apply action only on messages with a high probability of being malicious RISK LEVEL • High risk • Medium risk • Low risk • High risk • Medium risk • High risk Note If you select the Quarantine action in a virus rule and IMSVA receives a valid risk level from Deep Discovery Advisor. Configure the Deep Discovery Advisor server settings. 4. • Server • Server port • API key Configure the Deep Discovery Advisor proxy server settings. Select Send messages to Deep Discovery Advisor for analysis. 7-7 . 2.Advanced Threat Scan Engine and Deep Discovery Advisor The Deep Discovery Advisor Configuration screen appears. 3. 6. Medium. and Low. 5. Configure the Security Level settings for the messages that Deep Discovery Advisor analyzes. see Deep Discovery Advisor Risk Levels and IMSVA Security Level Settings on page 7-5. Trend Micro recommends setting the security level to Low. For more information. Click Save. Note The security level determines the Deep Discovery Advisor risk level that triggers an action from IMSVA.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Proxy server • Proxy server port • User name • Password Note IMSVA supports only HTTP proxies. The available security level settings are: High. For more information. 7-8 . see Configuring Event Criteria and Notification Message on page 26-5. Note IMSVA can notify you if Deep Discovery Advisor is unable to return a valid or complete analysis result. Chapter 8 Getting Started with Email Encryption This chapter deals exclusively with Trend Micro Email Encryption and how it is used with IMSVA. This chapter has the following topics: • Understanding Email Encryption on page 8-2 • Using Email Encryption on page 8-3 • Registering for Email Encryption on page 8-3 • Managing Domains on page 8-4 • Registering Domains on page 8-5 8-1 . A policy rule enables outgoing messages containing private information to be encrypted. IMSVA Email Encryption Tip Before using Trend Micro Email Encryption. IMSVA encrypts the message sent to this [email protected]. For example. FIGURE 8-1.com.com sends a message with private information to user2@b. 8-2 . [email protected] is registered with IMSVA for encryption and decryption. This ensures standard time and date data for IMSVA.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Understanding Email Encryption Trend Micro Email Encryption encrypts messages using Indentity-Based Encryption (IBE). Trend Micro recommends that an NTP server is used with IMSVA. The domain a. The email address is only used for receiving key files and notifications. The Register Trend Micro Email Encryption screen appears. 8-3 . You cannot change your contact information unless you have registered at least one domain successfully.Getting Started with Email Encryption Using Email Encryption Using Trend Micro Email Encryption requires following these steps: • Step 1: Register IMSVA to the encryption service (See Registering for Email Encryption on page 8-3) • Step 2: Register domains to the encryption service (See Registering Domains on page 8-5) • Step 3: Configure policies to encrypt your messages (See Adding Policies on page 17-2) Registering for Email Encryption To encrypt messages with Trend Micro Email Encryption technology. The Trend Micro Email Encryption Server team contacts you using the email address. Key files are sent to the email address you provide. IMSVA needs to be registered to the Trend Micro Email Encryption Server. Upload key files to complete the domain ownership process. The contact email address will not be used for marketing purposes. Provide your contact information. 2. Note The email address you provide in the contact information is very important for registering your domains to the Email Encryption Server. Procedure 1. Go to Policy > Encryption Settings. the owner of the domain name. What to do next To change your contact information. Note The Change button is not enabled until at least one domain has been registered successfully. Note It may take one or two working days before you receive the information to complete domain ownership verification. If you do not receive a message within 3 working days. user02@mycompany. Your contact information is sent to the Trend Micro Email Encryption Server. Therefore. The security processes and checks to authorize an IMSVA domain registration. it is permitted to obtain private keys for email addresses on that domain. When a domain is registered with the encryption service.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. click Change on the Gateway Info tab.org. Managing Domains The Manage Domains tab enables the administrator to register new domains for use with the IMSVA email encryption features. you must be the owner of. 8-4 .org. the person who is the registered owner of the domain will be contacted by the registration team to validate the IMSVA registration. and will include checking publicly available information that might include contacting the domain registrant. Note For security reasons. Click Next. After the registration is authorized and completed on the encryption service. IMSVA will be able to obtain private keys to decrypt messages to user01@mycompany. you want to register mycompany. For example. to register a domain.org. contact your sales representative. and so on. or have the permission of. If a domain has already been registered. 8-5 .Getting Started with Email Encryption You can remove a domain from IMSVA by selecting the [Delete] link next to the domain. This removes the registration information from the encryption service’s database and it will no longer be possible to obtain private keys for email addresses on this domain. it cannot be re-registered. If there is a need to reinstall IMSVA. after a domain is registered. WARNING! One of the following must respond to the verification message: • postmaster@<domain> • webmaster@<domain> • the email address returned from a WHOIS lookup for the domain By design. Registering Domains When registering domains to the Trend Micro Email Encryption Server. subsequent re-registration results in a "domain already registered" error. Trend Micro sends a message to the "Contact Information" email address to verify that the domain exists and that the postmaster@<domain> and webmaster@<domain> accounts exist and are enabled. This is enforced for the purpose of security. messages are sent to the following email addresses to verify ownership of the domains: • postmaster@<domain> • webmaster@<domain> • the email address returned from a WHOIS lookup for the domain WARNING! The postmaster and webmaster accounts must exist and be enabled before domains can be registered. The default sender address for your domains will be postmaster@<domain>. Add the domains you want to protect to the domain list. 2. 5. The default sender address is used when IMSVA tries to encrypt a message. Up to 10 domains can be added at a time. LDAP groups (entries starting with" LDAP") cannot be added to the domain list. Go to the Policy > Encryption Settings screen. You can customize the default sender address from the Encryption Settings screen. Click the Domain tab. 4. 8-6 Click Save. Registering Domains to the Encryption Service Procedure 1. Sub-domains must be added separately to the domain list. Wildcards cannot be used to include sub-domains.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide backup the database prior to re-installation. 3. but whose domain is not in the Domain List. Note IMSVA must be registered to the encryption service before any domains can be registered. This eliminates the need to re-register IMSVA and the same domains after re-installation. and restore it afterwards. Note Domains and their sub-domains are treated as unique entries. Click Add. . IMSVA signs these messages with the default sender address. Domains can be manually typed or selected from a list of existing domains. Read the instructions about what to do once you receive the verification key file. reply to the confirmation message from the Trend Micro Encryption Server. 9. You must reply to the confirmation message to prove that you are the owner of the domain. Click Browse and locate the key. contact your sales representative. The domains appear in the Domain list on the Domain tab and a message about the Domain tab. Click Upload. A key file is sent for each domain that is registered. 10. 8. Once you receive the key file. Click Done. If you do not receive a message within 3 working days. Go to the Encryption Settings screen. If you are the registered owner of the domain. 7. Note It may take one or two working days before you receive the key file to register the domain(s) to the encryption service. 6. A confirmation screen appears that verifies the domain information was received by the Trend Micro Encryption Server. A confirmation message appears when registration completes successfully. save it to a secure location. 12. you receive the domain ownership verification key file. When your domains are approved.Getting Started with Email Encryption A progress bar appears as the domain information is sent to the Trend Micro Email Encryption Server. 11. The message is sent to postmaster@<domain> and webmaster@<domain>. 8-7 . . Part II Configuring IMSVA and Cloud Pre-filter . . Chapter 9 Configuring Cloud Pre-Filter This chapter deals exclusively with Cloud Pre-Filter and how it is used with IMSVA. Topics include: • Understanding Cloud Pre-Filter Policies on page 9-2 • Creating a Cloud Pre-Filter Policy on page 9-4 • Verifying Cloud Pre-Filter Works on page 9-14 • Configuring DNS MX Records on page 9-14 • Suggested IMSVA Settings When Using Cloud Pre-Filter on page 9-18 • Disabling Cloud Pre-Filter on page 9-20 9-1 . These servers receive messages bound for the domain after they are processed by the Cloud Pre-Filter service. all messages to this domain are protected by Cloud Pre-Filter. Valid Recipient This setting works by comparing the list of users on your LDAP servers to a list of your users on Cloud Pre-Filter. and only one policy can be applied to a domain. Cloud Pre-Filter Policies SECTION Domain DESCRIPTION The domain that will be covered by the policy. With the correct routing settings. Use the valid recipient check to block all messages that do not have a recipient on your domain. Each domain must be unique. . what filter actions to perform Destination servers are the inbound mail servers for the domain. TABLE 9-1. how each filtering criterion is applied • For filters that support this option. The following table lists the information that defines each policy. This prevents malicious messages and spam from reaching your network. The policy for a domain regulates how each filter is applied to messages sent to the domain.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Understanding Cloud Pre-Filter Policies The Cloud Pre-Filter service offers policy-based management of your email security. Filter settings Destination servers 9-2 These settings define the following Cloud Pre-Filter filtering options: • Whether a filter is enabled or not • For filters that support this option. The Cloud PreFilter list of your users is generated by synchronizing with your LDAP servers. • A policy comprises of a domain. Without these filters. Considerations • Each policy applies to one domain only and only one policy can be created for each domain. Note Trend Micro recommends that you create Cloud Pre-Filter policies that mirror. 9-3 . • Review each filter type and assess whether you want to apply it to a domain before saving the policy. • Blocked Sender: Messages from blocked senders are blocked immediately and never reach your network. the domain is highly vulnerable to large numbers of unwanted mail and infected messages. but are less aggressive than. and destination servers. on-premise IMSVA policies. filtering settings. approved and blocked sender lists. Using duplicate policies helps protect your business in the unlikely event that Cloud Pre-Filter becomes unavailable.Configuring Cloud Pre-Filter SECTION Approved and blocked senders DESCRIPTION • Approved Sender: Messages from approved senders bypass the Email Reputation service and antispam filters. The following filters are enabled by default: • Email Reputation • Antivirus • Antispam Tip Trend Micro recommends that you have the antivirus and antispam filters enabled and properly configured. create a policy for that domain. 9-4 . verify your proxy settings are correct at Administration > Proxy.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Creating a Cloud Pre-Filter Policy To provide email security services to a domain. Click Cloud Pre-Filter. The Cloud Pre-Filter Policy List screen appears. before creating a Cloud Pre-Filter policy. Creating a Cloud Pre-Filter policy requires the following steps: • Step 1: Domain Settings on page 9-4 • Step 2: Configuring Condition Settings on page 9-7 • Step 3: Configuring Filter Settings on page 9-11 Step 1: Domain Settings Procedure 1. Note If your network uses a proxy server. The Step 1: Specify Domain and Destination Server screen appears. 3.Configuring Cloud Pre-Filter 2. Click Add. Provide the name of the domain to protect. Click Add under Specify Destination Server. 9-5 . 4. 8. Provide an address for IMSVA in the Address field. Select one of the following from the Address Type drop-down list: • IP address: IP address of the MTA or IMSVA that receives messages from Cloud Pre-Filter • A record: Hostname Cloud Pre-Filter uses for DNS lookup • MX record: Mail exchange record Cloud Pre-Filter uses for DNS lookup Note A policy can only contain one address type for a destination server. Provide a port number for communication between IMSVA and Trend Micro Email Security SaaS Solutions.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Destination Server screen appears. Specify the addresses of the domain's actual destination servers to allow Cloud PreFilter to relay messages to these servers after processing. The default value is port 25. 5. 9. An IP address and an A record are considered to be the same type. Provide a value for Priority for the destination server. 6. 9-6 7. . An MX record is considered to be a different type. All messages from addresses that match the addresses in the approved list are not processed by these filters. The Cloud Pre-Filter list of your users is generated by synchronizing with your LDAP servers. Cloud PreFilter service will attempt to route messages to servers with higher priority values first. The lower the number. Note The Approved list from IP Filter or Spam rules can be imported to the Cloud Pre-Filter Approved list.Configuring Cloud Pre-Filter The Priority option specifies routing priority for the destination servers. with IMSVA’s details in the Destination Server list. 9-7 . The Step 1: Specify Domain and Destination Server screen appears. the higher the priority. Note You do not need to specify a priority for an MX record destination server. Valid Recipients This feature works by comparing the list of users on your LDAP servers to a list of your users on Cloud Pre-Filter. Click Add. Step 2: Configuring Condition Settings Approved and Blocked Senders Messages from Approved Senders are able to bypass the Email Reputation service and antispam filters. Specifying an IP address will block or approve all messages from that IP address. the Email Reputation filter. and the antispam filter. The priority for the MX record will be resolved automatically. The approved lists take precedence over the blocked list. while messages from Blocked Senders are prevented from reaching recipients. 10. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Use the valid recipient check to block all messages that do not have a recipient on your domain. Tip Trend Micro recommends enabling scheduled synchronization to ensure all valid messages reach your network. 9-8 Click Next. . This prevents malicious messages and spam from reaching your network. LDAP servers must be configured before enabling the valid recipient check and scheduled synchronization. Procedure 1. 9-9 . Click Add to add an entry to the list. 2.Configuring Cloud Pre-Filter The Step 2: Specify Sender conditions screen appears. Use wildcard characters with caution as they may allow or block messages from a large set of email addresses. To import entries to the approved or blocked senders list: • 9-10 When using the import function. 3. The entry appears in the specified list. use a text file with only one full email or IP address per line.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Add Approved Sender List or Add Blocked Sender List screen appears. . Click Add beside the IP Address and Email Address fields. WARNING! The wildcard character * may be used to specify any string in the local-part (localpart@domain. 4.com) of email addresses. 6. 5. The entry appears in the list. Click Add under the list. Provide an email address or IP address. Click Import. Note Trend Micro recommends enabling scheduled synchronization to ensure all vaild messages reach your network.Configuring Cloud Pre-Filter • 7. Specify the file to import. When importing sender addresses. Step 3: Configuring Filter Settings The Step 3: Select Filter screen contains settings for three filters: 9-11 . 10. 9. Click Import for the specified list. The list displays the imported entries. A dialog box appears. Select Enable valid recipient check. 11. Selecting to replace addresses will delete all existing addresses from the list. ensure that you select the correct import mode. 8. Select Synchronize LDAP server with Cloud Pre-Filter daily. • Spam: This setting is very conservative. Cloud Pre-Filter Filters FILTER Email Reputation DESCRIPTION Email Reputation enables you to take advantage of a dynamic and constantly updated email source rating system to block spam and other unwanted messages. whether this code is contained in an attachment or embedded in the message body. the antivirus filter can stop messages containing known and unknown malware code. Email Reputation Advanced queries the standard reputation database as well as a dynamic database that is updated in real time. • Potential Spam: This setting is more aggressive. Messages found to contain malware code are automatically deleted. The antispam filter uses a Web Reputation and spam prevention filter to stop spam from entering your network. Email Reputation Standard queries the standard reputation database. there may be some messages marked as "spam" that may be legitimate messages. Antispam When enabled. Antivirus When enabled. The filter identifies messages as spam based on the selected catch rate. Quarantine. Email Reputation blocks messages from source IP addresses whose current reputation ratings are poor. 9-12 Click Next. the antispam filter checks messages for spam and phishing characteristics. This setting has the following actions: Delete and Quarantine.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide TABLE 9-2. This setting has the following actions: Delete. . You can choose Email Reputation Advanced or Email Reputation Standard. The antispam filter can use two approaches when detecting spam: Procedure 1. Almost every "spam" detection is truly an unwanted message. and Pass. However. IMSVA then scans the messages. Click Finish. • Reject: Rejects the message without quarantining it • Pass: Cloud Pre-Filter performs no action and sends the messages directly to IMSVA. 2. 9-13 . The status for the filters display along with the domain. Specify the action for the filters. 4. Specify the status for the filters. Cloud Pre-Filter Policy List appears with the domain appearing in the list.Configuring Cloud Pre-Filter The Step 3: Select Filter screen appears. 3. The filters use the following actions: • Delete: Deletes the entire message without quarantining it • Quarantine: Saves a copy of the entire message in the local IMSVA quarantine area. Administrators can delete or deliver the message after assessing the message. eu and prefilter. add the Cloud Pre-Filter "Inbound Server Addresses" to the MX records for your DNS server.in. Wait a few minutes after sending the message and query the message tracking logs using Cloud Pre-Filter + IMSVA data.trendmicro.com.in.com processes your email traffic correctly and that Cloud Pre-Filter directs your messages to your IMSVA. The example Cloud Pre-Filter inbound server addresses for the policy are prefilter. send a message with a specified sender and recipient account (the recipient’s domain should be part of your-domain.emsp.eu02. 9-14 . To verify the policy works correctly. Send the test message to either inbound server address. The Cloud Pre-Filter inbound server addresses for the domain appear on the Domain tab for the policy.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Verifying Cloud Pre-Filter Works You can verify that a policy works correctly before activating the policy. This is final step before using Cloud Pre-Filter to scan your email traffic.eu.com) directly to the Cloud Pre-Filter inbound server for your-domain.emsp. Configuring DNS MX Records After configuring Cloud Pre-Filter settings and verifying that email traffic is delivered from Cloud Pre-Filter to IMSVA. For example: You want to verify that a policy created for the domain your-domain.trendmicro. Note The test message must be sent directly to the Cloud Pre-Filter inbound server for the domain.eu01. eXXXX.com. your messages will be delivered to your local servers. Table 9-3: Inbound Server Address on page 9-15provides an explanation of where you should direct the Inbound Server Addresses for your domains.trendmicro.emailsecurity.. 9-15 .trendmicro.gXXXX.. The Inbound Server Address for your domain could be as follows: example. To support high availability.com example. TABLE 9-3. Inbound Server Address Example Assume that your domain is example.im.com.im.ngXXXX. sgXXXX The address points to your Secondary Site.eXXXX.pgXXXX. Add the Cloud Pre-Filter "Inbound Server Addresses" to the MX records on your DNS server.im. Inbound Server Address ADDRESS CONTAINS POINTS TO.emailsecurity.Configuring Cloud Pre-Filter WARNING! You MUST configure your mail delivery (MX) records to route your email traffic through Cloud Pre-Filter.com.gXXXX.emailsecurity. pgXXXX The address points to your Primary Site. not from the IMSVA management console. and not to Cloud Pre-Filter for scanning. Trend Micro provides Inbound Server Addresses for each domain.eXXXX.com Where XXXX is "0001" to "9999".trendmicro. load balancing and flexibility for Cloud Pre-Filter. Inbound Server Address Cloud Pre-Filter uses the Inbound Server Address to direct email traffic to your IMSVA or your network.com. If this step is not completed.com example.sgXXXX.gXXXX. 1.1.com MX preference = 10.example.. mail exchanger = mail01. . ngXXXX Configuring MX Records Example The following process is provided as an example for you to follow when adding the Cloud Pre-Filter "Inbound Server Addresses" to your DNS server’s MX records. Retrieve the Cloud Pre-Filter "Inbound Server Addresses" from the Domain tab for a policy. mail exchanger = mail02. 9-16 Click the name of an existing policy in the Policy List. a..example.com mail01.example. Click Cloud Pre-Filter. Note Domains that have not had their MX records to include Inbound Server Addresses have an icon beside the domain name. The Cloud Pre-Filter Policy List screen appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide ADDRESS CONTAINS POINTS TO.1 mail02.example.com example.1.com internet address = 1. b. The address points to your Shared Sites. Example Assumptions: Assume the following is the current DNS MX record for example.1.com: example.com internet address = 1. When the MX records for the domain have been configured to include Inbound Server Addresses the icon disappears.com MX preference = 10.2 Procedure 1. The Edit Policy screen appears displaying the Domain tab. trendmic ro. a.com MX preference = 30.pgXXXX.com MX preference = 10. Note The addresses differ depending on your geographic location and the choices you made during the installation process.com MX preference = 10.1.trendmic ro.1.example. Consult the documentation supplied by your DNS provider to make the changes.your-domain.com mail01. mail exchanger = mail02.com example.example. Your existing MX records then act as a backup to Cloud Pre-Filter.com internet address = 1.com example. or your DNS provider.eXXXX. mail exchanger = example. 2. Add the "Inbound Server Addresses" to the Mail Exchanger (MX) records in your DNS server.com MX preference = 30. Configure the MX Records.com.2 9-17 .1. Continuing the example.com.emailsecurity.com your-domain.emailsecurity.1.eXXXX.gXXXX. Tip Trend Micro recommends configuring the MX records for Cloud Pre-Filter with a higher priority (specify a lower number) than your existing MX records.example.gXXXX.1 mail02.ngXXXX.com internet address = 1. The process for making the modification is different depending on the DNS service your company uses. mail exchanger = mail01. configure the MX records on your DNS server as follows: example.im.Configuring Cloud Pre-Filter The addresses display under the Inbound Server Addresses area of the Domain tab. mail exchanger = example.im. b. While Cloud Pre-Filter does not impact the deployment of IMSVA. This port must be open on the firewall for IMSVA to connect to Cloud Pre-Filter. all inbound email traffic is routed to Cloud PreFilter. Suggested IMSVA Settings When Using Cloud Pre-Filter Cloud Pre-Filter uses port 9000 as the web service listening port. test the message route by sending messages from another email service provider (Windows Live Hotmail or Gmail) to a recipient in your domain (for example your-domain. the DNS MX records are configured correctly. Cloud Pre-Filter does impact how you should configure IMSVA.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide After making the modifications to the MX records. Your original DNS record information is saved as a backup route. If you receive the message from the other email service provider. After the modifications take affect. After the DNS record modifications take effect (up to 72 hours).com). Cloud Pre-Filter is the major point of entry for your domain. 9-18 . 9-19 . Configure and use this feature as your network requires. even though Cloud Pre-Filter does filter for viruses. Cloud Pre-Filter does not support content filtering of messages. Using antispam policies on IMSVA will further reduce the spam reaching your email recipients. Trend Micro recommends creating antivirus policies. IMSVA Recommended Settings When Using Cloud Pre-Filter SECURITY SERVICE IP Filtering (both Email Reputation and IP Profiler) RECOMMENDED ACTION When Cloud Pre-Filter filters messages for all your domains: Disable or do not activate IP Filtering Cloud Pre-Filter uses Email Reputation to filter all messages before they reach your network. Content filtering policies must be created in IMSVA. The messages from domains that are not routed through Cloud Pre-Filter may still be malicious. When Cloud Pre-Filter filters messages for some of your domains: Enable and use IP Filtering (both Email Reputation and IP Profiler) Cloud Pre-Filter is not using Email Reputation to scan all messages before they reach your network. Also.Configuring Cloud Pre-Filter TABLE 9-4. DKIM Cloud Pre-Filter has no impact on DKIM. This makes using IP Filtering (both Email Reputation and IP Profiler) redundant. Cloud Pre-Filter does this to lower the risk that a legitimate message is detected as spam. Spam Prevention Solution (SPS) IMSVA should always use SPS. Trend Micro Antivirus and Content Filter IMSVA should always use the Antivirus and Content Filter. which means antispam policies should still be created. Cloud Pre-Filter uses a very conservative approach to detect spam. which means antivirus policies and content filtering policies should still be created. Cloud Pre-Filter delivers the message to the destination server using TLS. When messages reach Cloud Pre-Filter from an inbound server that does not use TLS. Cloud Pre-Filter delivers the message to the destination server over SMTP. Disabling Cloud Pre-Filter There is no way to disable Cloud Pre-Filter from the IMSVA management console. The only way to disable Cloud Pre-Filter is to change the DNS MX record of your domain to point to IMSVA or to an MTA and then to IMSVA. If the destination server does not support TLS. the message is delivered over SMTP. If the MTA sending messages to Cloud Pre-Filter supports TLS. 9-20 . the messages are delivered using TLS.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide SECURITY SERVICE Transport Layer Security (TLS) RECOMMENDED ACTION Cloud Pre-Filter supports TLS. When messages reach Cloud Pre-Filter from an inbound server using TLS. refer to the Online Help accessible from the management console. • IP Filtering Service on page 10-2 • Using Email Reputation on page 10-2 • Configuring IP Filtering on page 10-8 • Displaying Suspicious IP Addresses and Domains on page 10-23 10-1 . For further details.Chapter 10 Configuring IP Filtering Settings This chapter provides general descriptions on the various configuration tasks that you need to perform to get IMSVA up and running. and virus filtering. • Email Reputation filters spam senders at the connection layer. IP Filtering should act as the precursor to any application filtering you might use. • Advanced: Configure the MTA to make two DNS queries. spam filtering. it 10-2 . Tip Trend Micro recommends deploying IP Filtering as the first line of defense in your messaging infrastructure.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide IP Filtering Service The IP Filtering service has two individual components: Email Reputation and IP Profiler. • Standard: Blocks connections with a 550 level error code (“connection refused”). The MTA returns this error code to the server initiating the connection because the IP address is in the Standard Reputation database as a known spammer. Although most email systems have a multi-layer structure that often includes some preexisting IP blocking. Email Reputation filters spam by blocking the IP addresses stored in this database. Using Email Reputation Trend Micro maintains a list of IP addresses belonging to known spam senders in a central database. If the MTA does not receive a response from the first query to the standard reputation database. Trend Micro recommends completely removing other IP blocking techniques from the messaging environment. Preparing Your Message Transfer Agent for Use With Email Reputation Services Configure your MTA to perform the appropriate DNS queries for the type of Email Reputation to which you subscribed. • IP Profiler helps protect the mail server from attacks with smart profiles from the Intrusion Detection Service (IDS). trendmicro. For detailed instructions on configuring the settings for each screen. The MTA should return a temporarily deny connection 450 level error code (“server temporarily unavailable. Legitimate email servers with compromised hosts temporarily sending spam may be listed in the dynamic reputation database. create or manage Email reputation settings. view reports. and perform administrative tasks. This process will cause a short delay in mail delivery until the listing expires but will not permanently block the email. Some servers may have additional options for handling questionable IP connections.com/ These instructions have been provided by the vendor or manufacturer of the product (MTA or firewall). This section includes basic instructions for using the Email reputation management console. Using the Email Reputation Management Console Log on to the Email reputation management console to access global spam information. do not include any dashes. see the Email reputation management console Online Help. please retry”) when a response is received from this database. Refer to your product manuals and/or technical support organization for detailed configuration and setup options. If the connection request is from a legitimate email server. Note Insert your Activation Code to replace the instructional text example. These options include throttling or routing messages for more detailed scanning. it will re-queue and try sending the message later. Click the help icon in the upper right corner of any help screen to access the Online Help.Configuring IP Filtering Settings makes a second query to the dynamic reputation database. 10-3 . You can find instructions for configuring the MTA or firewall on the Trend Micro website: https://ers. ASN The Autonomous System Number (ASN) is a globally unique identifier for a group of IP networks having a single. Rank Last Week Displays the global rank for the previous week in terms of total spam volume. Log on using your Email reputation user name and password. The Global Spam Statistics screen ranks ISPs based on the amount of spam they send. Some ISPs may have multiple ASNs and therefore appear more than once in the table. The networks that are producing the most spam are ranked at the top. The Smart Protection Network portal opens with the Email tab selected and the General screen displaying.trendmicro. The Global Spam Statistics screen appears. The ISP Spam list displays the following: TABLE 10-1. clearly defined routing policy that is run by one or more network operators. Open a web browser and type the following address: https://ers.com/ 2. . ISP Name The registered name for a particular ASN. The ranking of the ISPs changes on a daily basis. ISP Spam List COLUMN 10-4 DESCRIPTION Rank This Week Displays the global rank for this week in terms of total spam volume. The ISP Spam list displays the total spam volume from the top 100 ISPs for a specific week. 3.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. Select Global Spam Statistics from the menu. DESCRIPTION Spam Volume (24 hours) The estimated total spam that has been sent during the previous 24 hours. and what Trend Micro is doing to respond to these new threats. Select Report from the menu. Botnet Activity An indication of how active botnets are for your email servers. Click the following tabs for information: 5. Click one of the following: 10-5 . you must add your email servers to the Valid Mail Servers list. The News screen displays breaking news about new spam and new features available for Email reputation. To view reports that summarize the activity between the MTA and the Email reputation database servers. Botnets are groups of infected computers that are controlled by a spammer from a central location and are the largest source of spam on the Internet today. • Release News: Provides a brief overview of new features available in Email reputation. b. This number indicates the percentage change in the number of bots from the previous hour. Click News. To see botnet activity.Configuring IP Filtering Settings COLUMN 4. It also describes how new tactics are deployed. The News screen appears. how they evade Trend Micro systems. A sub-menu appears. do the following: a. This total is updated every hour. • Spam News: Provides a brief overview and discussion of current spamming tactics and the implications for organizations. which indicates that a sender trying to establish a connection with your email server is a known spammer. The reports are based on connections. Queries per Hour The report shows how many times your email server queried the reputation database. Percentage Queries The report shows the percentage of queries that returned an IP address match. a red robot icon appears. not individual spam messages. Select Policy from the menu. Report Types REPORT 6. b. If there was any spam activity in the last seven days for any of the IP addresses that you specified.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide TABLE 10-2. To manage protection provided by Email reputation settings: a. Botnet Report The report provides a quick summary of the last seven days of spam activity originating from the servers that you listed as valid mail servers. Queries per Day The report shows how many times per day your email server queried the reputation database. 10-6 DESCRIPTION Click one of the following: . A sub-menu appears. New ISP Request • Approved Sender: Allows messages from the approved senders to bypass IP-level filtering. Provide as much information about an ISP as you can. but you can set up additional approved or blocked senders lists or do additional filtering at your MTA. The Approved Sender lists are not applied to your MTA. Policy Settings POLICY Settings DESCRIPTION Configure the Approved and Blocked senders lists. • Blocked Sender: Instructs Email reputation to always block email messages from certain countries. This helps Trend Micro add the ISP to the service. or by ISP. You can define your lists by individual IP address and Classless Inter-Domain Routing (CIDR) by Country. 10-7 . Trend Micro welcomes suggestions from customers regarding other Internet Service Providers (ISPs) to be added to the service. and IP addresses. ISPs.Configuring IP Filtering Settings TABLE 10-3. To change your password. 10-8 Go to IP Filtering > Overview. Step 4: Adding IP Addresses to the Blocked List on page 10-22 4. Step 4: Adding IP Addresses to the Approved List on page 10-21 3. Configuring IP Filtering To configure IP Filtering.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide POLICY Reputation Settings DESCRIPTION Configure Email reputation Standard and Advanced settings. Procedure 1. perform the following steps: 1. . or to add your mail servers to Email reputation. Activation Code. Standard customers will see only the Enable Standard Settings section. Step 1: Enabling Email Reputation and IP Profiler on page 10-8 2. Step 2: Enabling IP Profiler Rules on page 10-10 5. You can enable both or one type of protection. Advanced customers will see both the Dynamic Settings and the Enable Standard Settings sections. click Administration from the menu. 7. Step 3: Configuring Email Reputation on page 10-18 Step 1: Enabling Email Reputation and IP Profiler Enable Email reputation and IP Profiler to begin IP Filtering protection. This will select both the Email reputation and IP Profiler check boxes. Click Save. 3. 2.Configuring IP Filtering Settings The IP Filtering Overview screen appears. Select the Enable IP Filtering check box. 10-9 . 4. Clear the Email reputation or IP Profiler check box if you do not require them. Specifying IP Filtering Spam Settings Procedure 1. To configure the IP Filtering Approved List. add all of your email servers’ IP addresses (that send outgoing messages to IMSVA) to the IP Filtering Approved List. see Step 4: Adding IP Addresses to the Approved List on page 10-21. The Rules screen appears with 4 tabs. one for each type of threat.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Step 2: Enabling IP Profiler Rules Rules are set to monitor the behavior of all IP addresses and block them according to the threshold setting. Go to IP Filtering > Rules. Rules can be set for the following: • Spam • Viruses • DHA attacks • Bounced mail WARNING! Before enabling IP Profiler Rules. 10-10 . Configuring IP Filtering Settings 2. • Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again. • Total mails: Specify the total number of spam messages out of which the threshold percentage is calculated (the denominator). • Total mails: Specify the total number of spam messages out of which the threshold percentage is calculated. Select the Enable check box to enable blocking of spam. 10-11 . The Spam screen appears. • Rate (%): Specify the maximum number of allowable messages with spam threats. 3. Click the Spam tab. • Threshold: The maximum percentage of spam messages that IMSVA will allow during the value you set for Duration to monitor above. select one of the following: • Block temporarily: Block messages from the IP address and allow the upstream MTA to try again. 5. Specify a value for the following: • Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of spam messages exceeds the threshold you set. During each one-hour period that spam blocking is active. Consider the following example: Duration to monitor: 1 hour at a rate of 20 out of 100. The threshold is a fraction with a numerator and denominator: • Rate (%): Specify the maximum number of allowable messages with spam threats (the numerator). Next to Triggering action. 4. IMSVA starts blocking IP addresses when more than 20% of the messages it receives contain spam and the total number of messages exceeds 100. Go to IP Filtering > Rules. The Rules screen appears with 4 tabs.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 6. 3. Configure the following: 10-12 • Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of messages with viruses exceeds the threshold you set. 2. Specifying IP Filtering Virus Settings Procedure 1. 4. Click Save. The Virus screen appears. • Rate (%): Type the maximum number of allowable messages with viruses (the numerator). Select the Enable check box to enable blocking of viruses. • Total mails: Type the total number of infected messages out of which the threshold percentage is calculated (the denominator). Click the Virus tab. . one for each type of threat. Go to IP Filtering > Rules. Consider the following example. select one of the following: • Block temporarily: Block messages from the IP address and allow the upstream MTA to try again. Next to Triggering action. Specifying IP Filtering Directory Harvest Attack (DHA) Settings Procedure 1. 10-13 . • Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again. IMSVA starts blocking IP addresses when more than 20% of the messages it receives contain viruses and the total number of messages exceeds 100. Click Save. 6. 5.Configuring IP Filtering Settings • Threshold: The maximum percentage of messages with virus threats that IMSVA will allow during the value you set for Duration to monitor above. The threshold is a fraction with a numerator and denominator: • Rate (%): Type the maximum number of allowable messages with virus threats (the numerator). Duration to monitor: 1 hour at a rate of 20 out of 100 During each one-hour period that virus blocking is active. • Total mails: Type the total number of virus messages out of which the threshold percentage is calculated (the denominator). . Select the Enable check box to enable blocking of directory harvest attacks. The DHA Attack screen appears. DHA attacks often include randomly generated email addresses in the receiver list. • Non-existing recipients exceeds: Type the maximum number of nonexistent recipients allowed for the threshold value. • Rate (%): Type the maximum number of allowable messages with DHA threats (the numerator). 4. 3. 2. one for each type of threat.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Rules screen appears with 4 tabs. Configure the following: 10-14 • Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of messages signaling a DHA attack exceeds the threshold you set. Click the DHA Attack tab. • Sent to more than: Type the maximum number of recipients allowed for the threshold value. • Total mails: Type the total number of DHA messages out of which the threshold percentage is calculated (the denominator). Consider the following example. IMSVA starts blocking IP addresses when it receives more than 20% of the messages that were sent to more than 10 recipients (with more than five of the recipients not in your organization) and the total number of messages exceeds 100. Note The LDAP service must be running to determine non-existing recipients. 10-15 . Duration to monitor: 1 hour at a rate of 20 out of 100 sent to more than 10 recipients when the number of non-existing recipients exceeds 5. The threshold is a complex expression with the following • Rate (%): Type the maximum number of allowable messages with DHA threats (the numerator). • Total mails: Type the total number of DHA messages out of which the threshold percentage is calculated (the denominator). • Sent to more than: Type the maximum number of recipients allowed for the threshold value. • Non-existing recipients exceeds: Type the maximum number of nonexistent recipients allowed for the threshold value. During each one-hour period that DHA blocking is active. DHA attacks often include randomly generated email addresses in the receiver list. • Threshold: The maximum percentage of messages signalling a DHA attack that IMSVA will allow during the value you set for Duration to monitor above.Configuring IP Filtering Settings Note The LDAP service must be running to determine non-existing recipients. FoxProxy then analyzes the results to determine if they are DHA attacks. The Rules screen appears with 4 tabs. 6. select one of the following • Block temporarily: Block messages from the IP address and allow the upstream MTA to try again. 5. Go to IP Filtering > Rules. 2. LDAP server is only one of the means by which Postfix checks if a user's mailbox exists. Specifying IP Filtering Bounced Mail Settings Procedure 1. 10-16 Click the Bounced Mail tab. which in turn passes these results to FoxProxy through the LDAP server or other means. Click Save.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Tip Technically. The DHA rule of IMSVA can also obtain the DHA results returned from Postfix. one for each type of threat. . the LDAP server is not a must-have. Next to Triggering action. • Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again. • Total mails: Specify the total number of bounced messages out of which the threshold percentage is calculated (the denominator). 10-17 . Consider the following example: Duration to monitor: 1 hour at a rate of 20 out of 100 During each one-hour period that blocking for bounced mail is active. 5. Note The LDAP service must be running to check bounced mail. 3. select one of the following: • Block temporarily: Block messages from the IP address and allow the upstream MTA to try again. The threshold is a fraction with a numerator and denominator: • Rate (%): Specify the maximum number of allowable messages signalling bounced mail (the numerator). • Rate (%): Specify the maximum number of allowable messages signaling bounced mail (the numerator). Next to Triggering action. Configure the following: • Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of messages signaling bounced mail exceeds the threshold you set.Configuring IP Filtering Settings The Bounced Mail screen appears. 4. • Total mails: Specify the total number of bounced messages out of which the threshold percentage is calculated (the denominator). Select the Enable check box to enable blocking of bounced mail. • Threshold: The maximum percentage of messages signalling bounced mail that IMSVA will allow during the value you set for Duration to monitor above. IMSVA starts blocking IP addresses when more than 20% of the messages it receives are bounced messages and the total number of messages exceeds 100. . 10-18 Go to IP Filtering > Email Reputation. Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • 6. Click Save. Procedure 1. Step 3: Configuring Email Reputation Email reputation verifies IP addresses of incoming messages using the Trend Micro Email Reputation database. 3. Select the Enable Email reputation check box. and configure the settings: Standard: 10-19 . Click a radio button next to one of the following. 2.Configuring IP Filtering Settings The Email Reputation screen appears. depending on your level of service. • Pass and log only: Allows and records all connections. • Take customized action for all matches: • SMTP error code: Blocks any connections that have a certain SMTP code. Advanced: • Default intelligent action: Email reputation permanently denies connection (550) for RBL+ matches and temporarily denies connection (450) for Zombie matches. • Pass and log only: Allows and records all connections. Specify an SMTP code. • Delay connection by: Delays all connections by the specified time in seconds. • SMTP error string: Specify the message associated with the SMTP error code. • Take customized action for all matches: • SMTP error code: Blocks any connections that have a certain SMTP code. 10-20 • Delay connection by: Delays all connections by the specified time in seconds. • Connection closed with no returning code: Blocks all connections without providing an associated error code.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Default intelligent action: Email reputation permanently denies connection (550) for RBL+ matches. Specify an SMTP code. such as recording the error code and error string in a log file. . • SMTP error string: Specify the message associated with the SMTP error code. Note The above SMTP error code and error string will be sent to the upstream MTA that will then take the necessary pre-configured actions. 3. 5. 2.Configuring IP Filtering Settings 4. 10-21 . The Add IP/Domain to Approved List screen appears. Click Add. The Approved List screen appears. Go to IP Filtering > Approved List. Select the Enable check box. Step 4: Adding IP Addresses to the Approved List IMSVA does not filter IP addresses or domains that appear in the Approved List. Procedure 1. Click Save. 4. Specify the domain or IP address that you would like to add to the Approved List. Click Save. The Add IP/Domain to Blocked List screen appears. 2.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The domain or IP address appears in the Approved List. Step 4: Adding IP Addresses to the Blocked List IMSVA blocks IP addresses that appear in the Blocked List. Go to IP Filtering > Blocked List. The Blocked List screen appears. . 3. 10-22 Select the Enable check box. Click Add. Procedure 1. Click Display Log. select the date-time range within which IMSVA blocked the sender. Click Save. Specify the domain or IP address. • Next to Logs per page. Go to IP Filtering > Suspicious IP. • To display the corresponding domain names of the IP addresses. • Next to Dates. 3. Choose from any of the following conditions: • Next to Type. Displaying Suspicious IP Addresses and Domains IMSVA creates log entries of the IP addresses or domains that have sent messages violating scanning conditions.Configuring IP Filtering Settings 4. select the Show Domain names check box. Perform any of the additional actions: 10-23 . Select Block temporarily or Block permanently. 5. The domain or IP address is added to the Blocked List. select the number of log entries to display on the screen at a time. select the check boxes next to the type of threat that the IP filter detected. 6. 4. 2. • If you know a specific IP address to query. but are still not blocked because the total number of messages did not exceed the threshold you set for the given time period. specify it next to IP. Procedure 1. select a new display value from the drop-down box on the top of the table. select the corresponding check box in the list. then click Block Permanently. • To change the number of items that appears in the list at a time. click the column title.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 10-24 • To block an IP address temporarily. • To block an IP address permanently. select the corresponding check box in the list. . • To sort the table. then click Block Temporarily. refer to the Online Help accessible from the management console. For further details. • Configuring SMTP Routing on page 11-2 • About Message Delivery on page 11-10 11-1 .Chapter 11 Scanning SMTP Messages This chapter provides general descriptions on the various configuration tasks that you need to perform to get IMSVA up and running. Procedure 1. Procedure 1. where IMSVA saves messages before it scans and delivers them. Configuring SMTP Settings on page 11-2 2. such as the SMTP greeting message and the location of the mail processing queue. 2. Configuring Connections Settings on page 11-3 3. Select the check box next to Accept SMTP connections. enable SMTP connections. Configuring Message Delivery Settings on page 11-11 Configuring SMTP Settings Use the SMTP screen to configure SMTP settings for the MTA. Configuring SMTP Routing Configuring SMTP routing involves the following steps: 1. Click Save. . Choose Summary from the menu. Configuring Message Rule Settings on page 11-7 4.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Enabling SMTP Connections Before IMSS can start scanning incoming and outgoing traffic on your network. The System tab appears by default. 11-2 Go to Administration > IMSVA Configuration > SMTP Routing. 3. Configuring Connections Settings Configure SMTP connection settings for the MTA from the Connection settings screen. 2. Click Save. Click the Connections tab. 2. Procedure 1. Go to Administration > IMSVA Configuration > SMTP Routing. 11-3 .Scanning SMTP Messages The SMTP Routing screen appears. 3. Specify SMTP server Greeting Message (displays when a session is created). Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Connections screen appears. 11-4 Scanning SMTP Messages 3. 4. Specify the SMTP Interface settings. • Port: Specify the listening port of the SMTP server. • Enable Secure SMTP: Specify the SSMTP port number. • Disconnect after { } minutes of inactivity: Specify a time-out value. • Simultaneous connections: Click No limit or Allow up to { } connections and specify the maximum number of connections. Specify the Connection Control settings. a. Select Accept all, except the following list to configure the "deny list" or Deny all, except the following list to configure the "permit list”. b. Configure the list using any of the following options. • Single computer: Specify an IP address, and then click >> to add it to the list. • Group of computers: i. ii. • Select the IP version. IMSVA supports IPv4 and IPv6 addresses. • For IPv4 addresses, specify a subnet address and mask. • For IPv6 addresses, specify a subnet address. Click >> to add the group to the list. Import from file: Click to import an IP list from a file. The following shows sample content of an IP list text file: 192.168.1.1 192.168.2.0:255.255.255.0 192.168.3.1:255.255.255.128 192.168.4.100 192.168.5.32:255.255.255.192 2001:db8:10ff::ae:44f2: 11-5 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2001:db8::/32 5. Specify the Transport Layer Security settings: a. Select Enable Incoming Transport Layer Security. This option allows the IMSVA SMTP Server to provide Transport Layer Security (TLS) support to SMTP clients, but does not require that clients use TLS encryption to establish the connection. b. Select Only accept SMTP connection by TLS for IMSVA to only accept secure incoming connections. This option enables the IMSVA SMTP Server to accept messages only through a TLS connection. c. Click a Browse button next to one of the following: • CA certificate: A CA certificate is usually used for verifying SMTP clients. However, IMSVA does not verify the client and only uses the CA certificate for enabling the TLS connection. Only upload this file if it is provided to you together with the public key. Otherwise, this file is not mandatory for enabling a TLS connection. • Private key: The SMTP client encrypts a random number using IMSVA SMTP server's public key and an encryption key to generate the session keys. IMSVA SMTP server then uses the private key to decrypt the random number in order to establish the secure connection.This key must be uploaded to enable a TLS connection. • SMTP server certification: The IMSVA SMTP server's public key made available to the SMTP clients for generating the session keys. This key must be uploaded to enable a TLS connection. 11-6 d. Click Upload to save the file on the IMSVA server. e. Select Enable Outgoing Transport Layer Security to protect outbound messages, if desired. Scanning SMTP Messages 6. Click Save. Configuring Message Rule Settings To set limits on the messages that IMSVA can handle and to control email relay, configure all settings on the Messages Rules screen. Email Relay To prevent spammers from using the IMSVA MTA as a relay for spam, configure relay control by adding the mail domains on your network to the Incoming Message Settings list. When IMSVA receives a message, it looks at the final destination of the message and compares it to this list. IMSVA discards the message under the following circumstances: • The destination domain is not in this list • The parent domain of the destination domain is not in this list • The host is not on the Permitted Senders of Relayed Mail list Relay domain settings are different from Domain-based delivery settings. Specifying Message Rules Procedure 1. Go to Administration > IMSVA Configuration > SMTP Routing. 2. Click the Message Rule tab. The Message Rule screen appears. 11-7 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 11-8 Scanning SMTP Messages 3. Specify the Message Limits settings: • Maximum message size: Specify the number of megabytes. • Maximum number of recipients: Specify the number of recipients from 1 to 99999. 4. Specify the Relay Control parameters to have IMSVA reject messages matching the selected condition. 5. Specify theIncoming Message Settings. IMSVA relays the messages to the added domains. Tip When importing, import both the exact domain and all sub-domains for best results. 11-9 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The following shows sample content of a domain list text file: • domain.com: Imports the exact domain • *.domain.com: Imports all sub-domains • domain.org: Imports the exact domain Note The import file must be a text file containing one domain per line. You can use wildcards when specifying the domain. 6. 7. Specify the Permitted Senders of Relayed Mail. • Host only • Same subnet as the host • Same IP class as the host • Specified IP addresses Click Save. Tip For security reasons, Trend Micro recommends that you avoid open relay when configuring the message rule settings. For more information on how to avoid open relay, refer to the Online Help and the FAQ section in this manual. About Message Delivery IMSVA maintains a routing table based on the domain names of recipient email addresses. IMSVA then uses this routing table to route messages (with matching recipient email addresses) to specified SMTP servers using domain-based delivery. Messages destined to all other domains are routed based on the records in the Domain Name Server (DNS). 11-10 Scanning SMTP Messages Incoming Message and Message Delivery Domains The domains you configure for incoming message settings are different from the domains you configure for message delivery settings. Incoming message domains IMSVA relays messages that are sent only to the relay domains. For example, if the relay domains list includes only one domain, "domain.com", IMSVA will relay only messages that are sent to "domain.com". Message delivery domains IMSVA delivers messages based on domain-based delivery. For example, if the delivery domains include "domain.com" and the associated SMTP server 10.10.10.10 on port 25, all email messages sent to "domain.com" will be delivered to the SMTP server 10.10.10.10 using port 25. Configuring Message Delivery Settings Specify settings for the next stage of delivery. IMSVA checks the recipient mail domain and sends the message to the next SMTP host for the matched domain. When importing a Message Delivery list, the list must be in a valid XML file. Each entry consists of the following: [domain name],[server name or IP address]:[port number] For example, all of the following are valid entries: • domain1.com,192.168.1.1:2000 • domain2.net,192.168.2.2:1029 • domain3.com,smtp.domain3.com:25 • domain4.com,mail.domain4.com:2000 • domain5.com,[2001:db8:10ff::ae:44f2]:25 Procedure 1. Go to Administration > IMSVA Configuration > SMTP Routing. 11-11 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. Click the Message Delivery tab. The Message Delivery Settings screen appears. 3. 11-12 Click Add. Scanning SMTP Messages The Destination Domain screen appears. 4. Specify the Destination Domain and Delivery Method. 5. Click OK. 6. Click Save. 11-13 Chapter 12 Configuring Transport Layer Security Settings This chapter provides general descriptions on the various configuration tasks that you need to perform to get IMSVA up and running. For further details, refer to the Online Help accessible from the management console. • About Transport Layer Security on page 12-2 • Prerequisites for Using TLS with IMSVA on page 12-3 • TLS Settings for Messages Entering IMSVA on page 12-4 • TLS Settings for Messages Exiting IMSVA on page 12-7 • Deploying IMSVA in TLS Environments on page 12-8 • Creating and Deploying Certificates in IMSVA on page 12-14 12-1 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About Transport Layer Security In IMSVA, Transport Layer Security (TLS) provides a secure communication channel between servers over the Internet, ensuring the privacy and integrity of the data during transmission. Two servers (Server A and Server B) establish a TLS connection through a handshaking procedure as described below: 1. The handshake begins when Server B requests a secure connection with Server A by sending a list of ciphers. 2. Server A then selects one cipher presented by Server B and replies with its digital certificate that may have been signed by a Certificate Authority (CA). 3. Server B verifies Server A's identity with the trusted CA certificate. If the verification fails, Server B may choose to stop the TLS handshake. 4. Upon verifying Server A’s identity, Server B proceeds to generate the session keys by encrypting a message using a public key. 5. This message can only be decrypted using the corresponding private key. Server B’s identity is thus authenticated when Server A is able to decrypt the message successfully using the private key. 6. The handshake completes and the secure connection is established after the servers have created the material required for encryption and decryption. 12-2 Configuring Transport Layer Security Settings IMSVA applies TLS on traffic entering IMSVA and traffic exiting IMSVA, not on incoming or outgoing message traffic. FIGURE 12-1. IMSVA TLS Communication Prerequisites for Using TLS with IMSVA Establishing the TLS infrastructure requires that the organization has its own Certificate Authority key or is able to sign all generated certificate requests by the external Certification Authority. Private keys and certificate requests must be generated for each SMTP server in the network. The certificate requests should be signed by the Certificate Authority. Obtaining a Digital Certificate To obtain a digital certificate, perform one of the following actions: • Use a certificate generator or key generator tool to generate a digital certificate and public/private key pairs. Request a certificate authority to sign the certificate. • Apply for the certificate and public/private key pairs from a certificate authority. Note A default certificate and key file is provided with IMSVA. 12-3 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Ensure that the Certificate Format is Valid • IMSVA only supports the .pem certificate format. • Ensure that the signed certificate contains both the private key and certificate information. Note If your certificate is in PKCS12 format, convert it to the PEM format using the command: [root@imsva85b ~]# openssl pkcs12 -in mycert.pfx -out mycert.pem Uploading the Certificate Procedure 1. Navigate to Administration > IMSVA Configuration > SMTP Routing. 2. Click the Connections tab. 3. Under Transport Layer Security Setting, click the Browse button next to CA certificate. 4. Select the signed certificate. 5. Click Upload. TLS Settings for Messages Entering IMSVA IMSVA applies TLS to messages that enter and exit the server where IMSVA is installed. Message traffic can enter IMSVA from two directions: • Message traffic from the Internet that is to be delivered to your clients. • Message traffic from your clients to the client’s intended recipient 12-4 Configuring Transport Layer Security Settings FIGURE 12-2. TLS: Traffic Entering IMSVA Configuring TLS Settings for Messages Entering IMSVA Procedure 1. Navigate to Administration > IMSVA Configuration > SMTP Routing > Connections. 12-5 12-6 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Connections screen appears. Message traffic can exit IMSVA from two directions: 12-7 . Select Only accept SMTP connection by TLS for IMSVA to only accept secure incoming connections. Click a Browse button next to one of the following: • CA certificate: A CA certificate is usually used for verifying SMTP clients. • SMTP server certification: The IMSVA SMTP server's public key made available to the SMTP clients for generating the session keys. IMSVA does not verify the client and only uses the CA certificate for enabling the TLS connection. 5. This key must be uploaded to enable a TLS connection. TLS Settings for Messages Exiting IMSVA IMSVA applies TLS to messages that enter and exit the server where IMSVA is installed. Click Save. Select Enable Incoming Transport Layer Security. This option allows the IMSVA SMTP Server to provide Transport Layer Security (TLS) support to SMTP clients.Configuring Transport Layer Security Settings 2. However. Only upload this file if it is provided to you together with the public key. This option enables the IMSVA SMTP server to accept messages only through a TLS connection. but does not require that clients use TLS encryption to establish the connection. The IMSVA SMTP server then uses the private key to decrypt the random number in order to establish the secure connection. this file is not mandatory for enabling a TLS connection. • Private key: The SMTP client encrypts a random number using the IMSVA SMTP server's public key and an encryption key to generate the session keys. 4. Otherwise. 3. This key must be uploaded to enable a TLS connection. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Message traffic from the Internet that is to be delivered to your clients. TLS: Traffic Exiting IMSVA Configuring TLS Settings for Messages Exiting IMSVA Procedure 1. • Message traffic from your clients to the client’s intended recipient FIGURE 12-3. 12-8 . enable outgoing TLS. Click Save. With IMSVA acting as the server. Navigate to Administration > IMSVA Configuration > SMTP Routing > Connections. Deploying IMSVA in TLS Environments Use the management console to enable the Transport Layer Security (TLS) settings for messages entering and exiting IMSVA. With IMSVA acting as the client. While the management console provides a convenient means to enable global TLS settings. it does not provide the option to configure specific TLS settings per site. The Connections screen appears. 3. enable incoming TLS. Select Enable Outgoing Transport Layer Security. 2. org/TLS_README. TLS Levels for Messages Entering IMSVA The smtpd_tls_security_level parameter controls the global TLS settings for messages entering IMSVA. the following sections provide examples for your network.html#server_tls TLS Levels for Messages Exiting IMSVA The smtp_tls_security_level parameter controls the global TLS settings for messages exiting IMSVA.Configuring Transport Layer Security Settings Example of General Settings for TLS To configure site-specific TLS settings. TABLE 12-2. Upstream TLS levels SECURITY LEVELS DESCRIPTIONS none No TLS may Opportunistic TLS encrypt Mandatory TLS Table 12-1: Upstream TLS levels on page 12-9 lists the upstream TLS security levels in order of increasing security. TABLE 12-1. visit: http://www.postfix. Downstream TLS levels SECURITY LEVELS LEVELS none No TLS may Opportunistic TLS encrypt Mandatory TLS verify Mandatory TLS 12-9 . For more information on each security level. ini to override existing settings in main.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide SECURITY LEVELS secure LEVELS Secure-channel TLS Table 12-2: Downstream TLS levels on page 12-9 lists the downstream TLS security levels in order of increasing security.ini. detach_key_postfix=smtpd_tls_CAfile:smtpd_tls_cert_file:smt p d_tls_key_file:smtp_tls_CAfile:smtp_tls_cert_file:smtp_tls_ k ey_file:smtpd_tls_security_level:smtp_tls_security_level Note The settings of postfix configured by the management console do not have to apply to all scanners. Save your Certificate Authority (CA).postfix. IMSVA uses the key detach_key_postfix in imss. Here you need to “Enter the IMSVA shell environment”.cf. visit: http://www.cf. $ /opt/trend/imss/script/S99MANAGER restart 3. and IMSVA private key in the /opt/trend/imss/postfix/etc/postfix folder. 4. 2. Restart IMSSMGR Service. Set the value of detach_key_postfix in /opt/trend/imss/config/ imss. 12-10 .html#client_tls Using Site-specific TLS Procedure 1.org/TLS_README. IMSVA public key. For more information on each security level. Configure /opt/trend/imss/postfix/etc/postfix/main. pem smtpd_tls_key_file = /opt/trend/imss/postfix/etc/ postfix/key.pem smtp_tls_policy_maps = hash:/opt/trend/imss/postfix/etc/ postfix/smtp_tls_policy 5.pem smtp_tls_key_file = /opt/trend/imss/postfix/etc/postfix/ key1. • Contents of smtpd_tls_policy: <IP address> encrypt • Contents of smtp_tls_policy: example. Create the two site-specific policy files smtpd_tls_policy and smtp_tls_policy in the /opt/trend/imss/postfix/etc/postfix folder.pem smtpd_tls_policy_maps = hash:/opt/trend/imss/ postfix/etc/postfix/smtpd_tls_policy • For outgoing site-specific TLS settings: smtp_tls_security_level = may smtp_tls_CAfile = /opt/trend/imss/postfix/etc/postfix/ ca1. Generate a database file with the following commands: 12-11 .pem smtp_tls_cert_file = /opt/trend/imss/postfix/etc/ postfix/cert1.Configuring Transport Layer Security Settings • For incoming site-specific TLS settings: smtpd_tls_security_level = may smtpd_tls_CAfile = /opt/trend/imss/postfix/etc/ postfix/ca.pem smtpd_tls_cert_file = /opt/trend/imss/postfix/etc/ postfix/cert.com encrypt 6. cf: smtpd_tls_security_level=none smtpd_tls_policy_maps= hash:/opt/trend/imss/postfix/etc/ postfix/smtpd_tls_policy • smtpd_tls_policy: <IP address> may In this example. IMSVA requires a trusted remote SMTP client certificate to allow TLS connections to proceed. Modify the following: • main.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide postmap smtpd_tls_policy postmap smtp_tls_policy 7. Upstream Site-specific TLS Security Parameters SECURITY PARAMETER req_cert 12-12 DESCRIPTION In mandatory TLS mode. a client whose IP address is not in the smtpd_tls_policy list will communicate with the Postfix server without TLS.cf and smtpd_tls_policy to apply upstream TLS settings to specific IP addresses. TABLE 12-3. The security level can be changed from may to encrypt as required. Reload the postfix configuration using the command postfix reload. this parameter does not work.cf. Security parameters can be customized in the upstream site-specific TLS settings. . This parameter overrides smtpd_tls_req_ccert in main. Configuring Upstream TLS Settings Configure main. In opportunistic TLS mode. The alternative parameters smtp_tls_exclude_ciphers and smtp_tls_mandatory_exclude_ciphers may also be used.cf and smtp_tls_policy to apply TLS settings to specific downstream connections. this parameter overrides smtpd_tls_protocols. exclude Ciphers can be excluded from the IMSVA cipher list.cf for all TLS security levels. In mandatory TLS mode. This parameter overrides smtpd_tls_exclude_ciphers in main. In mandatory TLS mode. This parameter also overrides smtpd_tls_mandatory_exclude_ciphers in mandatory TLS mode. In opportunistic TLS mode. Table 12-3: Upstream Site-specific TLS Security Parameters on page 12-12 lists the upstream sitespecific TLS security parameters in order of increasing security and customization.cf. this parameter overrides smtpd_tls_mandatory_protocols in main.cf.Configuring Transport Layer Security Settings SECURITY PARAMETER DESCRIPTION ciphers The minimum TLS cipher grade that IMSVA uses. this parameter overrides smtpd_tls_mandatory_ciphers. In opportunistic TLS mode. protocols SSL/TLS protocols can be accepted by IMSVA. For example: smtpd_tls_policy: <IP address> encrypt req_cert=yes ciphers=medium protocols=TLSv1 This policy is set to limit communication with IMSVA through a TLS connection to: • a specific IP address (<IP address>) • a trusted certificate • a cypher with at least a medium security level • a connection protocol that is only TLSv1 Configuring Downstream TLS Settings Configure main. this parameter overrides smtpd_tls_ciphers in main. For example: 12-13 . com encrypt In the example above. servers not listed in the smtp_tls_policy will communicate with the Postfix client without TLS. or execute the following procedure to generate their own CA private key and certificate. external service.pem 12-14 . such as VeriSign. visit the following site: http://www. The security level can be changed from may to encrypt or verify as required.postfix.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Modify main. To generate your own CA private key and self-signed certificate.pem –out /tmp/root_req.cf: smtp_tls_security_level=none smtp_tls_policy_maps= hash:/opt/trend/imss/postfix/etc/ postfix/smtp_tls_policy • Modify smtp_tls_policy: [<IP address>]:25 may example.org/TLS_README. For more information on security parameters in the downstream site-specific TLS settings. complete the following: [root@imsva85b ~]# openssl req -x509 -days 365 -newkey rsa:1024 -keyout /tmp/root_key.html#client_tls_policy Creating and Deploying Certificates in IMSVA This section provides you with an introduction on how to create and deploy certificates in IMSVA for Transport Layer Security (TLS) environments Creating the Certificate Authority Key and Certificate Organizations that do not have existing CA infrastructure can obtain a CA private key and certificate through a well-known. ++++++ ....... the field will be left blank.... If you enter '........ the /tmp/root_key.. ----Country Name (2 letter code) [GB]:DE State or Province Name (full name) [Berkshire]:Bavaria Locality Name (eg.pem file contains the self-signed certificate that must be distributed to all clients and servers.com [root@imsva85b ~]# After the completion of this procedure.pem' Enter PEM pass phrase:Trend ----You are about to be asked to enter information that will be incorporated into your certificate request. company) [My Company Ltd]: Trend Micro Organizational Unit Name (eg.... The /tmp/root_req.pem file contains the private key encrypted with the “Trend” password...++++++ writing new private key to '/tmp/root_key.. What you are about to enter is what is called a Distinguished Name or a DN. Both are stored in the PEM-format.Configuring Transport Layer Security Settings Generating a 1024 bit RSA private key .. There are quite a few fields but you can leave some blank For some fields there will be a default value. your name or your server's hostname) []:EF Email Address []:Evgueni_Faddeenkov@trendmicro.. section) []:Global Training Common Name (eg.. 12-15 ... city) [Newbury]:Munich Organization Name (eg..'... After obtaining a CA private key and certificate: • Deploy the CA certificate on all servers.++++++ e is 65537 (0x10001) [root@imsva85b ~]# openssl req -new -key /tmp/imsva_key......... What you are about to enter is what is called a Distinguished Name or a DN. ----- 12-16 . • Have all certificates issued in your organization signed by the CA...++++++ ... complete the following: [root@imsva85b ~]# openssl genrsa -out /tmp/imsva_key.. 1024 bit long modulus .'..Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide WARNING! The Organization (O) field for the CA and key owners must be the same.. There are quite a few fields but you can leave some blank For some fields there will be a default value... To create the IMSVA private key and certificate..pem Generating RSA private key.. Creating the IMSVA Key and Certificate The IMSVA private key and certificate must be created to be used for secure communication.pem You are about to be asked to enter information that will be incorporated into your certificate request. If you enter '...pem out /tmp/imsva_req. the field will be left blank... section) []:Global Training Common Name (eg.course.course. Creating the Keys and Certificates for other Servers Keys and certificates for other communicating servers must be created if they do not exist.test) private key in PEM-format.pem 1024 12-17 .test. the /tmp/imsva_key. company) [My Company Ltd]: Trend Micro Organizational Unit Name (eg. complete the following: [root@imsva85b ~]# openssl genrsa -out /tmp/linux_key. The /tmp/imsva_req. To create IMSVA keys and certificates for other servers.course. The following procedure describes the key and certificate generation for host linux.pem file contains the unsigned certificate (certificate request) in the PEM-format. your name or your server's hostname) []:imsva.pem file contains the IMSVA (imsva. city) [Newbury]:Munich Organization Name (eg. WARNING! The Common Name (CN) field for the key owner must be equal to the FQDN or be the same as the name specified in the domain-based delivery.test Email Address []:<Enter> Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:<Enter> An optional company name []:<Enter> [root@imsva85b ~]# After completing this procedure.Configuring Transport Layer Security Settings Country Name (2 letter code) [GB]:DE State or Province Name (full name) [Berkshire]:Bavaria Locality Name (eg. What you are about to enter is what is called a Distinguished Name or a DN...... city) [Newbury]:Munich Organization Name (eg. the field will be left blank.. company) [My Company Ltd]: Trend Micro Organizational Unit Name (eg... 1024 bit long modulus . your name or your server's hostname) []:linux..pem You are about to be asked to enter information that will be incorporated into your certificate request..'.pem out /tmp/linux_req..... There are quite a few fields but you can leave some blank For some fields there will be a default value If you enter '....++++++ . section) []:Global Training Common Name (eg.....course....++++++ e is 65537 (0x10001) [root@imsva85b ~]# openssl req -new -key /tmp/linux_key....test Email Address []:<Enter> Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:<Enter> An optional company name []:<Enter> 12-18 ......................Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Generating RSA private key... ----Country Name (2 letter code) [GB]:DE State or Province Name (full name) [Berkshire]:Bavaria Locality Name (eg.. you need to sign the IMSVA certificate request by the CA private key (/tmp/root_key.course. Sign the certificate: 12-19 .pem file contains the unsigned certificate (certificate request) in the PEM-format. The /tmp/linux_req. the /tmp/linux_key. To confirm that the IMSVA Certificate (/tmp/imsva_req.cnf.pem) is trusted by the CA. Create the serial file with initial content in the /etc/pki/CA directory: [root@imsva85b ~]# echo "01" > /etc/pki/CA/serial [root@imsva85b ~]# 4. Find the definition of the [ CA_default ]/ dir parameter and change it to /etc/pki/CA: [ CA_default ] dir = /etc/pki/CA # Where everything is kept 2. Update the OpenSSL configuration file /etc/pki/tls/openssl.pem file contains the linux. Signing the IMSVA Certificate Signing the certificate is an optional procedure.txt [root@imsva85b ~]# 3.txt file in the /etc/pki/CA directory: [root@imsva85b ~]# touch /etc/pki/CA/index.Configuring Transport Layer Security Settings [root@imsva85b ~]# After completing this procedure.pem) but before doing this you need to set up the OpenSSL environment for CA: Procedure 1. Create the empty index.test private key in PEM-format. The certificate must be signed if you do not want to distribute all the certificates on systems and only distribute the CA certificate. course.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide [root@imsva85b ~]# openssl ca -days 365 -cert /tmp/ root_req.test X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: X509v3 Subject Key Identifier: 82:15:B8:84:9C:40:8C:AB:33:EE:A4:BA:9C:2E:F6:7E:C0:DC:E8:1C X509v3 12-20 .pem -outdir /tmp Using configuration from /etc/pki/tls/openssl.pem -out /tmp/imsva_cert.cnf Enter pass phrase for /tmp/root_key.pem:Trend Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 22 09:35:52 2010 GMT Not After : Oct 22 09:35:52 2011 GMT Subject: countryName = DE stateOrProvinceName = Bavaria organizationName = Trend Micro organizationalUnitName = Global Training commonName = imsva.pem -in /tmp/ imsva_req.pem –keyfile /tmp/root_key. .Configuring Transport Layer Security Settings Authority Key Identifier: keyid:5B:B4:06:4D:8D:12:D0:B3:36:A7:6B: 3A:FD:F2:C8:83:4A:DD:AA: BD Certificate is to be certified until Oct 22 09:35:52 2011 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified.pem ca_cert. • Individual certificates of all clients and servers communicating with IMSVA. the administrator must copy all individual certificates in one file using the following commands: 1.. You need to distribute this file to all servers and clients communicating with IMSVA.pem + .pem 12-21 . + client_certN. The CA certificate can be one of the following: • The real Certification Authority Certificate used to sign all public keys of all clients and servers communicating with IMSVA. For Windows: copy client_cert1. commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@imsva85b ~]# The /tmp/imsva_cert. In this case. Deploying TLS Certificates Importing Certificates The TLS support provided by IMSVA uses the same set of keys for upstream and downstream directions.pem file contains the IMSVA certificate signed by the Certificate Authority. pem smtpd_tls_key_file = /opt/trend/imss/postfix/etc/postfix/ key.pem .. It downloads the key and certificates in the Postfix configuration directory (/opt/ trend/imss/postfix/etc/postfix) and updates the configuration for the Upstream SMTP Server in the main.pem Configuring Postfix The management console must be used to configure TLS support in IMSVA.cf configuration file: smtpd_tls_security_level = may smtpd_tls_CAfile = /opt/trend/imss/postfix/etc/postfix/ca. Converting Certificates Outlook Express does not recognize the certificates in PEM-format.pem > ca_cert.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. client_certN.. the Manager makes the following configuration changes in the main. so they need to be converted into the PKCS12-format.pem When the administrator enables the downstream TLS from the management console. For Linux: cat client_cert1.cf configuration file that affect the SMTP client: smtp_tls_security_level = may Enabling the TLS Support in Outlook Express To enable TLS support on the Outlook Express Mail clients. follow the procedure described below.pem smtpd_tls_cert_file = /opt/trend/imss/postfix/etc/postfix/ cert. The example below shows how to convert the IMSVA signed certificate needed for the Outlook Express clients that contact IMSVA directly: [root@imsva85b ~]# openssl pkcs12 -export -out 12-22 . Select the This server requires a secure connection (SSL) check box for Downstream mail (SMTP). *. 2.p12 -inkey /tmp/imsva_key. Confirm the certificate import with an empty password to import the certificate. To see the available certificates.pfx. Click Import… 3. 3.p12 file generated in Converting Certificates on page 12-22. Importing Certificates into Outlook Express Procedure 1. Open the Properties of the mail account.pem -in /tmp/imsva_cert.Configuring Transport Layer Security Settings /tmp/imsva_cert. 2. Enabling TLS in Outlook Express To enable TLS support in Outlook Express for one particular account that uses IMSVA. Click Advanced. Select the imsva_cert. Search for files in the Personal Information Exchange format (*. do the following: Procedure 1. 12-23 . 5. go to Menu > Tools > Options > Security > Digital IDs.pem Enter Export Password: <Enter> Verifying .Enter Export Password: <Enter> [root@imsva85b ~]# The /tmp/imsva_cert.p12 file contains the IMSVA certificate in PKCS12-format and must be transferred to the Windows machines running Outlook Express and communicating directly with IMSVA.p12) 4. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. 12-24 Apply changes. . Chapter 13 Configuring POP3 Settings This chapter provides instructions for configuring POP3 settings. • Scanning POP3 Messages on page 13-2 • Enabling POP3 Scanning on page 13-3 • Configuring POP3 Settings on page 13-4 13-1 . This can create points of vulnerability on your network if the messages from those accounts are not scanned. Even if your company does not use POP3 messages. which connects to POP3 servers to retrieve and scan messages. You can set up the following connection types: 13-2 . Scanning POP3 messages To scan POP3 traffic. your employees might access their personal POP3 email accounts using email clients on their computers. IMSVA can scan POP3 messages at the gateway as clients in your network retrieve them. FIGURE 13-1. Understanding POP3 Scanning The IMSVA POP3 scanner acts as a proxy server (positioned between mail clients and POP3 servers) to scan messages as the clients retrieve them. configure your email clients to connect to the IMSVA server POP3 proxy. Hotmail® or Yahoo!® accounts are some examples of POP3 email accounts.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Scanning POP3 Messages In addition to SMTP traffic. typically 110. enable POP3 scanning and configure POP3 settings. Enabling POP3 Scanning Before IMSVA can begin scanning POP3 traffic. 13-3 . • Dedicated: Accesses the POP3 server using a specified port. Use these connections when the POP3 server requires authentication using a secure logon. except the IMSVA server.Configuring POP3 Settings • Generic: Allows you to access different POP3 servers using the same port. a firewall must be installed on the network and configured to block POP3 requests from all the computers on the network. such as APOP or NTLM. the default port for POP3 traffic. Procedure 1. POP3 Requirements For IMSVA to scan POP3 traffic. Go to System Status. This configuration ensures that all POP3 traffic passes to IMSVA through the firewall and that IMSVA scans the POP3 data flow. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. The default POP3 port is 110. . you may also set up a dedicated connection and assign a custom port. However. 13-4 Go to Administration > IMSVA Configuration > Connections. if your users need to access a POP3 server through an authenticated connection (through the APOP command or using NTLM). Select the check box next to Accept POP3 connections. Configuring POP3 Settings You can specify the IMSVA server ports that clients will use to retrieve POP3 traffic. Click Save. Procedure 1. 3. 3. Click the POP3 tab. Configuring POP3 Scan Service Procedure 1. • To access the POP3 server using a specific port for authentication purposes. 2. Enable POP3 connections: 13-5 . click Add to create a new dedicated POP3 connection. Do one of the following: 4. if it is different from the default port 110.Configuring POP3 Settings The Components tab appears by default. specify the incoming IMSVA port number. Provide the required information and click OK. Click Save. • To accept any POP3 server requested by a user. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. a. Go to System Status. 3. Click Save. c. 13-6 . b. see Configuring POP3 Settings on page 13-4. Configure the POP3 settings. Click Accept POP3 connections under Enable Connections. please set the user account format to username#remote_server#remote_POP3_port. Configure the email client. For details. • POP3 server: IP address of IMSVA • POP3 port: Port specified in IMSVA • User account • • If you have specified a generic POP3 server: Username#remote_server • If you have specified a dedicated POP3 server: Username Password: User's password on the remote server Note If you have specified a generic POP3 server and the POP3 port is changed at the remote POP3 server. Part III IMSVA Policies . . modifying. and managing IMSVA policies. Topics include: • How the Policy Manager Works on page 14-2 • Filter Policies that Display in the Policy List on page 14-3 14-1 .Chapter 14 Managing Policies This chapter provides instructions for creating. Create rules to enforce your organization’s antivirus and other security goals. or an LDAP user or group to which the policy is applied. ensure that you have defined the internal addresses. How the Policy Manager Works You can create multiple rules for the following types of policies. You can use the asterisk (*) to create wildcard expressions and simplify route configuration. The antivirus rule does not protect against spam.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About Policies IMSVA policies are rules that are applied to SMTP and POP3 messages. An IMSVA policy has the following components: • Route: A set of sender and recipient email addresses or groups. and activate the IP Filtering product. also known as scanning conditions. Use policies to reduce security and productivity threats to your messaging system: • Antivirus: Scans messages for viruses and other malware such as spyware and worms. • Filter: A rule or set of rules that apply to a specific route. message content. you should always keep it in the first position on the rule list so IMSVA can analyze traffic for virus content first. Because an antivirus rule addresses the most critical and potentially damaging types of messages. By default. For the best protection against spam. • Others: Scans spam or phishing messages. IMSVA contains predefined filters that you can use to combat 14-2 . See Configuring Internal Addresses on page 16-2 for more information. IMSVA includes a Global Antivirus rule to help protect your network from viruses and related Internet threats. and other attachment criteria. Note Before creating a new policy. configure a custom rule that includes spam in the scanning conditions. Managing Policies common virus and other threats. Depending on the filter result. a filter action is performed that determines how the message is finally processed. FIGURE 14-1. see Adding Policies on page 17-2. 14-3 . Go to Policy > Policy List. • Action: The action that IMSVA performs if the filter conditions are met. Filter Policies that Display in the Policy List Procedure 1. Simplified policy manager process flow Note For more information on how to create a policy. The Policy screen appears. You can modify these predefined filters or define your own filters. b. "outgoing". c. Configure the Filter by options: a. 14-4 Specify a route: • All routes: Displays all policies • Incoming: Displays policies that only monitor incoming messages • Outgoing: Displays policies that only monitor outgoing messages • Both directions: Displays policies that monitor "incoming". and "incoming and outgoing" messages • POP3: Displays policies that only monitor POP3 messages Specify the type of protection the policy provides: • All types • Viruses and malware • C&C email • Spam and phishing email • Web Reputation • Attachments • Content • Compliance • Size • Other Specify the users the policy protects: • All Groups • [Find user or group] .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. and managing IMSVA policies. modifying. Topics include: • Configuring Common Policy Objects on page 15-2 • Understanding Address Groups on page 15-2 • Using the Keyword & Expression List on page 15-13 • Using the Notifications List on page 15-37 • Using Stamps on page 15-41 • Using the DKIM Approved List on page 15-45 • Using the Web Reputation Approved List on page 15-46 15-1 .Chapter 15 Common Policy Objects This chapter provides instructions for creating. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring Common Policy Objects Common policy objects are items that can be shared across all policies. making policy creation easier for administrators. Address groups allow you to organize multiple email addresses into a single group and apply the same policy to every address in the group. Common Policy Objects COMMON POLICY OBJECTS DESCRIPTION Address Groups Organize multiple email addresses into a single group. DKIM Approved List Messages from domains with matched DKIM signatures will not be scanned or marked as spam. However. 15-2 . other filters could block messages on the Web Reputation Approved List. Understanding Address Groups An address group is a list of email addresses to which your policy applies. Notifications Create messages to notify a recipient or email administrator that IMSVA took action on a message's attachment or that the message violated IMSVA rule scanning conditions. Stamps Create stamps to notify a recipient that IMSVA took action on a message's attachment or that the message violated scanning conditions for rules. Web Reputation Approved List Domains appearing in the Web Reputation Approved List will not be scanned or blocked by web reputation filters. block spam. or block derogatory messages from entering or moving in your network. Keywords & Expressions Create keywords or expressions to prevent information leaks. Compliance Templates Create compliance templates to prevent sensitive data from leaving your network. TABLE 15-1. Creating Address Groups An address group is a collection of user email addresses in your organization. If you create an address group. and IT developers have legitimate business reasons to send financial information. you have identified three types of content that you do not want transmitted through your company’s email system and have defined three filters (in parentheses) to detect these types of content: • Sensitive company financial data (FINANCIAL) • Job search messages (JOBSEARCH) • VBS script viruses (VBSCRIPT) Consider the following address groups within your company: • All Executives • All HR Department • All IT Development Staff The filters that you use in the policies will be applied to these groups as follows: ADDRESS GROUPS FINANCIAL JOBSEARCH VBSCRIPT All Executives Not applied Applied Applied All HR Department Applied Not applied Applied All IT Development Staff Applied Applied Not applied Executives.Common Policy Objects For example. respectively. HR staff. rather than applying rules to each address individually. so you would not apply some filters to those groups. 15-3 . email addresses identify the different members of your organization and determine the policies that are applied to them. you can apply rules to several email addresses at the same time. job search-related correspondence and VBS files. In IMSVA. Defining accurate and complete address groups ensures that the appropriate policies are applied to the individuals in those groups. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide You can create address groups before creating any policies or when specifying the route during policy creation. The Add Address Group screen appears. You can also add an address group when modifying an existing policy. 2. Tip While address groups can be created during policy creation. Procedure 1. Create address groups manually or import them from a text file that contains one email address per line. Click Add. 15-4 . Trend Micro recommends creating address groups before you begin creating policies. Go to Policy > Address Group. The Address Groups screen appears. 15-5 . Click Import. For example. Import an address list: a. then do any of the following: • Add an individual address: • • Specify an email address and click Add. *@hr.com. Select one of the following: d. Click Save. The Import Address Group screen appears. 4. c. Ensure that the text file contains only one email address per line. The Address Groups screen appears with the new address group appearing in the Address Groups table. Note IMSVA can only import email addresses from a text file. Specify a group name. This can be done by adding email addresses individually or importing them from a text file. You can also use wildcard characters to specify the email address. For example. *@hr.com. Adding an Address Group During Policy Creation You can create an address group when specifying the route during policy creation.Common Policy Objects 3. Specify the file path and file name to import or click Browse and locate the file. You can also use wildcard characters to specify the email address. b. • Merge with current list • Overwrite current list Click Import. 2. 15-6 . Click the Add button. You can also use wildcard characters to specify the email address. 3. 4. Select Antivirus or Other from the drop-down list to create an antivirus rule or a rule against other threats. Procedure 1.com. Go to Policy > Policy List. Click the Recipients or Senders link.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note IMSVA can only import email addresses from a text file. Ensure that the text file contains only one email address per line. The Step 1: Select Recipients and Senders screen appears. For example. *@hr. The Select addresses screen appears. 6. 15-7 . Select Select Address Groups from the drop-down list. Click the Add button. The Add Address Group screen appears.Common Policy Objects 5. The Import Address Group screen appears. Select one of the following: • 15-8 Merge with current list . b. *@hr. c. Specify a group name. For example. Click Import. Specify the file path and file name to import or click Browse and locate the file. Import an address list: a. You can also use wildcard characters to specify the email address.com.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 7. then do one of the following: • Add an individual address: • • Specify an email address and click Add to add email addresses individually. The Address Groups screen appears. To delete an address group: a. Go to Policy > Address Groups. 3. Ensure that the text file contains only one email address per line. 8. Click Save. 2.com. c. You can also use wildcard characters to specify the email address. Click Save. *@hr. 15-9 . For example. Select the check box next to an address group.Common Policy Objects • d. Edit the address group as required. Note IMSVA can only import email addresses from a text file. The Address Group screen appears. The Address Groups screen appears. Overwrite current list Click Import. Editing or Deleting an Address Group You can edit or delete an address group from the Address Groups screen or by editing an existing policy. Procedure 1. Click an existing address group from the Address Group table. To edit an address group: a. b. Click the link for an existing policy. 4. The Select addresses screen appears. Go to Policy > Policy List. Click the Recipients or Senders link. Click the If recipients and senders are link. 2. Editing or Deleting an Address Group from an Existing Policy Procedure 1. 15-10 . 3. Click Delete.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide b. The Address Groups screen appears. Procedure 1. Select Select address groups from the drop-down list. 15-11 . Go to Policy > Address Groups. Select the desired address group and click the Edit or Delete button accordingly. Export from existing policies or from the Address Group list.Common Policy Objects 5. 6. Exporting an Address Group Export address groups to import to other IMSVA servers. 6. Specify the name and location to export the address group. 5. Click Save. Click Save. The File Download screen appears. Click Export. 2. Click the link for an existing policy. Exporting an Address Group from an Existing Policy Procedure 1. 8. The Select addresses screen appears. Select Select address groups from the drop-down list. 6. Click the If recipients and senders are link. 5. Click the address group to export.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. The Save As dialog box appears. 4. 7. 4. 3. The File Download screen appears. Click the Recipients or Senders link. The Address Group screen appears. 15-12 . Click Export. 3. The Address Group screen appears. The Save As dialog box appears. Click Edit. Go to Policy > Policy List. Click Save. 2. see Adding Policies on page 17-2. or header. Add related keywords to a keyword list to identify specific types of data. 3. "vaccination". combine keywords or regular expressions in keyword expression lists. The Keyword Expressions screen appears with two columns: 15-13 . For example. To prevent the transmission of medical certificate files. Click Save. Specify the name and location to export the address group. Under Content. Keywords are special words or phrases. Expressions are data that have a certain structure. • For information on modifying an existing rule. select the check boxes next to the parts of a message to which you want the content conditions to apply. "prognosis". on the Scanning Conditions screen. Create or modify an "Other" (not an Antivirus) policy. see Modifying Existing Policies on page 20-2. credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn". body. • For information on creating a new rule.Common Policy Objects 9. For example. Click the link that specifies the part of the message to which you want to configure content conditions. Selecting Scanning Conditions for Content Procedure 1. making them suitable for expression-based detections. configure IMSVA to block files containing these keywords. To filter messages by content. Using the Keyword & Expression List IMSVA can take action on a message based on the content of its subject. 10. and "physician" are keywords that may appear in a medical certificate. "blood type". click the expression in the selected list. 5. Click Save to continue to the scanning conditions selection screen. The screen for managing keyword expressions appears. To keep an expression list available but temporarily prevent IMSVA from using it. Click Add. 9. and then click <<. Trend Micro recommends creating keywords or expressions before creating policies. select the check boxes next to the header items where the expression will apply. Keywords & Expressions Create keywords or expressions on the Keywords & Expressions screen or during policy creation. Click >>.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Available: Expressions available for use. 8. click the expression list you want to enable. • Selected: Expressions currently in use. but not currently in use. You can create keywords or expressions from the Keywords & Expressions screen or during rule creation. 15-14 . Tip While keywords or expressions can be created during policy creation. 4. The expressions appear in the Selected list. Configure the expressions. In the Available list. If you are configuring expressions for the header. Configuring an Expression Configure keyword and regular expressions to enable IMSVA to scan message content. 6. 7. Trend Micro recommends creating keywords or expressions before you begin creating policies. The Keywords & Expressions screen appears.Common Policy Objects Each keyword list has built-in conditions that determine if the content triggers a detection. 2. When creating expressions: • Note that IMSVA follows the expression formats defined in Perl Compatible Regular Expressions (PCRE). Click Add. Go to Policy > Keywords & Expressions. • Refer to the predefined expressions for guidance on how to define valid expressions. 15-15 .org/. Poorly written expressions can dramatically impact performance. visit http:// www. For more information on PCRE. • Start with simple expressions. Creating Keywords or Expressions Procedure 1. Expressions are a powerful string-matching tool. • There are several criteria that you can choose from when creating expressions. A keyword list must satisfy your chosen criteria before IMSVA subjects it to a policy. Modify the expressions if they are causing false alarms or fine tune them to improve detections. Ensure that you are comfortable with expression syntax before creating expressions. An expression must satisfy your chosen criteria before IMSVA subjects it to a policy.pcre. • All specified: Message content matches all keywords or expressions in the list. its score must be higher than the threshold. When you add an expression.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Add Keyword Expression screen appears. To create a new keyword expression. • Only when combined score exceeds threshold: Message content contains one or more keywords or expressions in the list. specify a descriptive name. 3. Next to List name. Next to Match. 4. select one of the following that specifies when IMSVA takes action: • Any specified: Message content matches any of the keywords or expressions in the list. specify a number that represents the maximum score for allowed keyword expressions. you can set a value for the Score. • Not the specified: Message content does not match any of the keywords or expressions in the list. their combined score must be higher than the threshold. do the following: a. If several keywords or expressions are detected. . Next to Total message score to trigger action. If only one keyword or expression was detected. 15-16 Click Add. 5. Create or modify an "Other" (not an Antivirus) policy.Common Policy Objects The Add Keyword Expression list appears. To specify an exact match. The Keywords & Expressions screen appears with the new keyword or expression appearing in the table. b. Specify the keywords. For a partial match. 7. use "\s" (without the quotes) before and after the keyword. a. see Modifying Existing Policies on page 20-2. Select a value from the Score drop-down box. Specify a threshold in the Total message score to trigger action field. Adding/Editing a Keyword or Expression during Policy Creation/Modification Procedure 1. • For information on modifying an existing rule. To instruct IMSVA to consider the capitalization of message content when it uses the filter. 2. 6. For example: c. click the link that specifies the part of the message to which you want to configure content conditions. Under Content on the Scanning Conditions screen. Click Save. • keyword matches "keywords". "akeyword" • \skeyword\s matches "keyword" only Click Save. see Adding Policies on page 17-2. select the check box under Case sensitive. If you selected Only when combined score exceeds threshold: 8. b. specify the keyword. 15-17 . • For information on creating a new rule. 3. • Only when combined score exceeds threshold: Next to Total message score to trigger action. specify a descriptive name. 7. For a partial match. 15-18 • keyword matches "keywords". use \s before and after the keyword. For example: 8. just specify the keyword. • All specified: Message content must match all the expressions in the list. specify a number that represents the maximum score for allowed keyword expressions. 5. When you add an expression.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Keyword Expressions screen appears with two columns. b. you can set a value for the Score. Select a value from the Score drop-down box. The configuration screen for keyword expression lists appears. click Add. Specify a threshold in the Total message score to trigger action field. select one of the following that specifies when IMSVA takes action: 6. • Not the specified: Message content must not match any of the expressions in the list. Click Add or Edit from the Keyword Expressions screen. Next to Match. "akeyword" • \skeyword\s matches "keyword" only If you selected Only when combined score exceeds threshold: a. Specify the keywords. • Any specified: Message content can match any of the expressions in the list. The Add Keyword Expression list appears. 4. Next to List name. To create an expression. 9. To specify an exact match. Click Save. . About Regular Expressions IMSVA treats all keyword expressions as regular expressions. [\b] or \b 15-19 . Click Save to continue modifying or creating the policy. it will be treated as the backspace character (ASCII 0x08). (dot) Any character (byte) except newline x The character 'x' \\ The character '\' \a The alert (bell) character (ASCII 0x07) \b If this meta-symbol is within square brackets [] or by itself. 11. Characters REGULAR EXPRESSION DESCRIPTION . Trend Micro recommends creating keywords or expressions before you begin creating policies. For example.Common Policy Objects 10. Tip While keywords or expressions can be created during policy creation. select the check box under Case sensitive. IMSVA supports the following regular expressions. To instruct IMSVA to consider the capitalization of message content when it uses the filter. it means any matched string of the regular expression must check whether the left (or right) side of the matched string is a boundary. \f The form-feed character (ASCII 0x0C) \n The newline (line feed) character (ASCII 0x0A) \r The carriage-return character (ASCII 0x0D) \t The normal (horizontal) tab character (ASCII 0x09) \v The vertical tab character (ASCII 0x0B) \n The character with octal value 0n (0 <= n <= 7) \nn The character with octal value 0nn (0 <= n <= 7) \mnn The character with octal value 0mnn (0 <= m <= 3. it will cause a syntax error. for example. \bluck > left side must be the boundary luck\b > right side must be the boundary \bluck\b > both sides must be the boundary If this meta-symbol appears in the middle of a regular expression.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide REGULAR EXPRESSION DESCRIPTION If this meta-symbol is at the beginning (or end) of a regular expression. 0 <= n <= 7) \xhh The character with a hexadecimal value 0xhh. \x20 means the space character 15-20 . For example. For example. Use bracket expressions to match single characters in a list. control characters. CHARACTER CLASS DESCRIPTION [:alpha:] Alphabetic characters [:digit:] Digits [:alnum:] Alphabetic characters and numeric characters [:cntrl:] Control character [:blank:] Space and tab [:space:] All white space characters [:graph:] Non-blank (not spaces. [:alpha:] designates those characters for which isalpha() returns true (example: any alphabetic character). or c [[:alpha:]] Any alphabetic character (see below) Each character class designates a set of characters equivalent to the corresponding standard C isXXX function. If the first character of the list is the carat ^ then it matches characters that are not in the list. or the like) 15-21 . or c [a-z] a through z [^abc] Any character except a.Common Policy Objects Bracket Expression and Character Classes Bracket expressions are a list of characters and/or character classes enclosed in brackets []. b. For example: EXPRESSION MATCHES [abc] a. or a range of characters in a list. b. Character classes must be within bracket expression. } Matches R. 15-22 . at least n times R{n. but includes the space character [:punct:] Punctuation characters [:lower:] Lowercase alphabetic [:upper:] Uppercase alphabetic [:xdigit:] Digits allowed in a hexadecimal number (0-9a-fA-F) For a case-insensitive expression. at least n but no more than m times R is a regular expression. zero or more times R+ Matches R. one or more times R{n} Matches R.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide CHARACTER CLASS DESCRIPTION [:print:] Like [:graph:]. once or not at all R* Matches R. [:lower:] and [:upper:] are equivalent to [:alpha:].m} Matches R. exactly n times R{n. Boundary Matches EXPRESSION DESCRIPTION ^ Beginning of line $ End of line Greedy Quantifiers EXPRESSION DESCRIPTION R? Matches R. the regular expression ". For example: If the content is 123456abc.*" matches any length of letters and the large number of matches may increase memory usage and affect performance.*" in a regular expression. replace ". ". Logical Operators EXPRESSION DESCRIPTION RS R followed by S (concatenation) R|S Either R or S R/S An R but only if it is followed by S (R) Grouping R R and S are regular expressions 15-23 .*abc" match results are: • 12345abc • 23455abc • 3456abc • 456abc • 56abc • 6abc • abc In this example.Common Policy Objects Trend Micro does not recommend using ".*abc" with "abc" to prevent excessive use of resources. \\<>@\[\]:] {NUMBER} [0-9]+ {WORD} [A-Za-z]+ {CR} \r {LF} \n {LWSP} [ \t] {CRLF} (\r\n) {WSP} [ \t\f]+ {ALLC} . {D}+ would be translated to [0-9]+. then IMSVA will not translate that shorthand expression to a regular expression. eManager will pre-process expressions and translate the shorthand into regular expressions. If a shorthand expression is enclosed in brackets (example: {}) or double-quotes. SHORTHAND DESCRIPTION {D} [0-9] {L} [A-Za-z] {SP} [().. The difference between shorthand and meta-symbols is that meta-symbols can be within a bracket expression. eManager also provides the following meta-symbols.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Shorthand and meta-symbol eManager provides the following shorthand for writing complicated regular expressions. For example.\. META-SYMBOL DESCRIPTION \s [[:space:]] \S [^[:space:]] \d [[:digit:]] 15-24 . The following are some examples: EXPRESSION DESCRIPTION "C/C++" Match string C/C++ (does not include double-quotes) "Regular\x20Expression" Match string Regular Expression (does not include double-quotes). to match string C/C++. enclose the string C/C++ in double-quotes (example: .WILD. 15-25 . Characters (except \ which is an escape character) within double-quotes are literal. you need to use the backslash \ escape character. use the expression C\/C\+\+. For example. you have to add many escape characters to your expression (example: C\/C \+\+).NOT. • .AND. In this situation. "[xyz]\"foo" Match the literal string: [xyz]"foo Change the adjacent <space> to "\x20" for the following in a regular expression: • . where \x20 means the space character. • . • . Sometimes.REG "C/C++") then the new expression is equivalent to the old one.OR.Common Policy Objects META-SYMBOL DESCRIPTION \D [^[:digit:]] \w [_[:alnum:]] \W [^_[:alnum:]] Literal string and escape character of regular expressions To match a character that has a special meaning in regular expressions (example: +). Selecting Scanning Conditions for Content Procedure 1. Create or modify an "Other" (not an Antivirus) policy. Click Compliance templates. 15-26 Click Save to continue to the scanning conditions selection screen. • For information on modifying an existing rule. Click >>. 2. Under Compliance. see Modifying Existing Policies on page 20-2. 6. 5. but not currently in use. Select the compliance templates to apply. 4. . 3. • For information on creating a new rule. The compliance templates appear in the Selected list. The Compliance Templates screen appears with two columns: • Available: Templates available for use. social security numbers and credit card numbers) from leaving your company network. on the Scanning Conditions screen.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Using Compliance Templates Compliance templates prevent your digital assets (for example. select the Compliance templates check box. see Adding Policies on page 17-2. They also provide compliance for government regulations regarding privacy. • Selected: Templates currently in use. Tip Trend Micro recommends creating compliance templates before you begin creating policies. 6. Specify a name for the template. Imported compliance templates overwrite existing templates of the same name. Specify a meaningful description for the template. 4. Click +. Adding a Compliance Template Procedure 1. The Add Compliance Template screen appears. 15-27 . 3. You can import or export compliance templates. • Expression: Select Expression. The list under Digital Asset Definition increases by one entry. 2. and the number of times the data asset could appear in a message before IMSVA blocks the message from leaving your network. 5. Click Add. Go to Policy > Policy Objects > Compliance Templates. You can create compliance templates from the Compliance Templates screen. Specify a digital asset definition using keywords and expressions.Common Policy Objects Configuring Compliance Templates Configure compliance templates to enable IMSVA to protect your digital assets. the data asset to protect. • Keyword: Select Keyword and the data that you want IMSVA to prevent leaving your network. The following table lists the predefined expressions and the additional verification tasks that IMSVA performs. exported. Specify the relationship between the new entry and existing entries using And or Or.Credit Card Number 15-28 ADDITIONAL VERIFICATION IMSVA checks the prefix and further verifies it with the Luhn checksum. 8. Predefined Expressions NAME All . Add multiple digital asset definitions if required. Predefined Expressions IMSVA comes with a set of predefined expressions. a widely used algorithm for validating identification numbers. 9. making them suitable for expression-based detections. or deleted IMSVA verifies these expressions using pattern matching and mathematical equations. the data may also undergo additional verification checks. Specify another digital asset. copied. if any. Click Add. 11. 10. credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn". For example. TABLE 15-2. The compliance template appears in the Compliance Template list. . Click Save. After IMSVA matches potentially sensitive data with an expression.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 7. These expressions cannot be modified. The digital asset definition appears in the Compliance Template Definition list. Compliance Template Expressions An expression is data that has a certain structure. IMSVA also verifies the format for the specific country code. Canada and the expression’s own checksum.SSN (Social Insurance Number) IMSVA verifies the prefix and the Luhn checksum.IBAN (International Bank Account Number) IMSVA verifies the International Bank Account Number. Some country codes are not included in the list. and a location code.Swift BIC IMSVA verifies the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Bank Identifier Code (BIC). a country code. The first two letters define the country code. IMSVA verifies the country code against a list of country codes that are considered significant to the business. Swift-BIC is also known as the BIC code. or SWIFT code. Canada . a widely used algorithm for validating identification numbers.SSN (Sozialversicherungsnumm er) IMSVA verifies the social security number used in Austria and the expression’s own checksum. up to the year 1990. Austria . which has several different formats depending on the country of origin.Quebec RAMQ IMSVA verifies the health insurance card number used in Quebec.Email Address None All . Canada . IMSVA checks the birth date embedded in the ID number and the expression’s own checksum. SWIFT ID.Common Policy Objects ADDITIONAL VERIFICATION NAME All . All . It consists of a bank code.Names from US Census Bureau IMSVA verifies first and last names from the US Census Bureau. 15-29 .National ID Number IMSVA verifies the national ID card number used in the People’s Republic of China. All . China .Home Address None All . Personal ID Number IMSVA verifies the personal identification number used in Denmark and the expression’s own checksum.dd • Syy.m.Full (month/day/ year) IMSVA validates dates in the Month-Day-Year format.Full (day/month/ year) IMSVA validates dates in the Day-Month-Year format. Date . 15-30 . IMSVA checks the range of the month and day for the specified month and if the year is earlier than 2051.Full (year/month/ day) IMSVA validates dates in the Year-Month-Day format. Date .Formats used in Japan IMSVA validates dates formats used in Japan: • yyyy/mm/dd • yy/mm/d • yy. Finland . Dominican Republic Personal ID Number IMSVA verifies the personal identification number used in the Dominican Republic and the expression’s own checksum. IMSVA checks the range of the month and day for the specified month and if the year is earlier than 2051.d • yyyy-m-d • 昭和 yy 年 m 月 d 日 Date .mm.Partial (month/year) None Denmark . INSEE identifies various entities and is used as the National Identification Numbers for individuals. Date .Personal ID Number IMSVA verifies the personal identification number used in Finland and the expression’s own checksum. The INSEE code is a numerical indexing code used by the French National Institute for Statistics and Economic Studies (INSEE).INSEE Code IMSVA verifies the INSEE code and the expression’s own checksum. France . IMSVA checks the range of the month and day for the specified month and if the year is earlier than 2051.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide ADDITIONAL VERIFICATION NAME Date . IMSVA also verifies the expression’s checksum.Common Policy Objects ADDITIONAL VERIFICATION NAME France .Registration Number IMSVA verifies the registration number of a citizen from the Republic of Korea and the birth date included in the data and gender digit.SSN (Social Security Number) None Taiwan . Spain . 15-31 .National Identity Card Number None Spain . the gender digit. Poland .VAT None Japan .Fiscal Identification Number IMSVA verifies the Spanish Fiscal Identification Number and the expression’s own checksum.National ID Number IMSVA verifies the PESEL and the expression’s own checksum. PESEL is the national identification number used in Poland. IMSVA also verifies the expression’s two checksums.Electronic Taxpayer ID IMSVA verifies the German Tax ID (eTIN) by checking both the birth month and day defined in the eTIN. Ireland . Japan . South Korea .PPSN IMSVA verifies the Irish Personal Public Service Number and the expression’s checksum.Phone Number None Norway .National Insurance Number None Germany .National ID Number IMSVA verifies the national ID card number used in Taiwan.Birth Number IMSVA verifies the birth date and the 3-digit personal number embedded in the data. Ireland . town and village. and the expression’s own checksum. Spain . city.Address IMSVA verifies the address format used in Japan including: prefecture. Each list has its own built-in conditions that determine if the template should trigger a policy violation. These keyword lists cannot be modified.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide ADDITIONAL VERIFICATION NAME UK . 15-32 . Compliance Template Keyword Lists IMSVA comes with a set of predefined keyword lists.California ID or DL Number None US .S.ABA Routing Number IMSVA verifies the first two digits of the data and the expression’s own checksum.SSN (Social Security Number) IMSVA validates a 9-digit number by checking its area code and group number and then matching it against invalid SSNs identified by the U. The NPI has its own checksum based on the Luhn algorithm. which is widely used for validating identification numbers. exported.HIC (Health Insurance Claim) IMSVA verifies a valid Health Insurance Claim (HIC) suffix letter.Phone Number IMSVA checks the area code against a dictionary of collected US area codes. US . Social Security Administration (SSA). copied. IMSVA also verifies the expression’s checksum.National Insurance Number IMSVA verifies the national health service number used in the United Kingdom and the expression’s own checksum. US . The HIC number has one or two suffix letters.Dollar Amount None US .NPI (National Provider Identifier) IMSVA verifies the National Provider Identifier (NPI). US . or deleted.National Health System Number None UK . US . US . For an example of an entry that would not trigger a violation. Distance Condition Some of the lists contain a distance condition to determine if a violation is present. the number of characters between the "f" in "first name" and the "l" in "last name" is sixty-one (61). His last name is Smith. This exceeds the distance threshold and does not trigger a violation. a violation will trigger as the number of characters between the “F” in First Name and the "L" in Last Name is equal to eighteen (18). In the example above. If there are more keywords in the document than the number specified. In this example.First Name. • Specific number: There must be at least the specified number of keywords in the document. consider the following: The first name of our new employee from Switzerland is John. Last Name list has a distance condition of fifty (50) and the commonly used form fields of "First Name" and "Last Name".Common Policy Objects How Keyword Lists Work Number of Keywords Condition Each keyword list contains a condition that requires a certain number of keywords be present in a document before the list will trigger a violation. Distance refers to the amount of characters between the first character of one keyword and the first character of another keyword. Keyword List Descriptions The following table describes the content that each of the keyword lists detect and the conditions necessary to trigger a policy violation. Consider the following entry: First Name:_John_ Last Name:_Smith_ The Forms . a violation will trigger. • Any: Any one of the keywords in the list must be present in the document. 15-33 . The number of keywords condition contains the following values: • All: All of the keywords in the list must be present in the document. Any Forms .Date of birth list detects documents such as forms that contain private information. Any Forms .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide TABLE 15-3. This list detects the common use of the “Birth Date”. This list detects the common use of the “(First)”. This list detects the common use of terms that state information about when an item (such as a credit card) expires. (Middle).(First).Date of birth The Forms . • All • Distance: 50 Forms . (Middle). Last Name list detects documents such as forms that contain private information. • Specific number: 5 Forms . Name list detects documents such as forms that contain private information. This list detects the common use of terms that state information about a person’s birthplace.Place of birth list detects documents such as forms that contain private information. • Specific number: 4 Common medical terms The Common medical terms list detects a wide variety of terms used by hospitals. Overview of the Keyword Lists LIST NAME DESCRIPTION CONDITIONS Adult The Adult list detects a wide variety of sensitive words commonly associated with the adult entertainment industry and pornographic websites.First Name.(First). Name The Forms . Any 15-34 .Expiration date The Forms . and other health care providers. or “Date of Birth” fields. Last Name The Forms . This list detects the common use of the “First Name” and “Last Name” fields. “Birthdate”.First Name. and “Name” fields. “(Middle)”. • All • Distance: 50 Forms .Place of birth The Forms .Expiration date list detects documents such as labels or contracts that contain a date of expiration. clinics. • Specific number: 50 Japan .Surname in Katakana (match 50) This list detects documents containing Japanese surnames typed in Katakana.Street. The list contains 2000 Japanese surnames. The list contains 2000 Japanese surnames. • Specific number: 50 Japan . The list contains 2000 Japanese surnames. State detects documents such as forms that contain private information. • All • Casesensitive Japan . • Specific number: 50 Japan .Surname in Hiragana (match 50) This list detects documents containing Japanese surnames typed in Hiragana. • Specific number: 50 Forms .Common Policy Objects LIST NAME DESCRIPTION CONDITIONS • All • Distance: 50 This list detects the HCFA-1500 and the CMS-1500 forms. The list contains 1672 Japanese surnames. The list contains 1672 Japanese surnames.Street. This list detects the common use of the “State”. City.Surname in Kanji1 (match 10) This list detects documents containing Japanese surnames typed in Kanji. State The Forms . and “Street” fields. • Specific number: 10 Japan .Surname in Kanji2 (match 50) This list detects documents containing Japanese surnames typed in Kanji.Surname in Kanji3 (match 100) This list detects documents containing Japanese surnames typed in Kanji. The list contains 1672 Japanese surnames. “City”. These are documents used in the United States for health insurance claims. HCFA (CMS) 1500 Form (Health Care Financing Agency) (Centers for Medicare and Medicaid Services) 15-35 .Surname in Katakana 1-byte (match 50) This list detects documents containing Japanese surnames typed in one-byte Katakana. • Specific number: 100 Japan . City. VB The Source code . • Specific number: 4 Source code . • Specific number: 10 • Casesensitive The Source code . • All • Casesensitive 15-36 .Java The Source code . • Specific number: 10 Source code . • Specific number: 10 • Casesensitive The Source code . • Specific number: 10 • Casesensitive Source code .C/C++ The Source code .VB list detects a large number of common source code functions/ commands used in Visual Basic.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide LIST NAME DESCRIPTION CONDITIONS Racism The Racism list detects a wide variety of sensitive words that may be offensive to specific ethnic groups. • Specific number: 10 UB-04 Form (Uniform Bill-04 Form) The UB-04 Form list detects the billing document used in the United States at hospitals.C/C++ list detects a large number of common source code functions/commands used in C/C++. hospices. • Specific number: 10 • Casesensitive Source code COBOL The Source code .COBOL list detects a large number of common source code functions/commands used in COBOL. nursing homes.C# list detects a large number of common source code functions/ commands used in C#.Perl list detects a large number of common source code functions/ commands used in Perl. and other institutional providers. home health agencies.C# Source code .Java list detects a large number of common source code functions/ commands used in Java.Perl Source code . see Adding Policies on page 17-2. Sending Policy Notifications Procedure 1. The Notifications screen appears with two columns: 3. 15-37 . • For information on creating a new rule. on the Select Actions screen during policy modification or creation.Common Policy Objects LIST NAME Weapons DESCRIPTION The Weapons list detects a wide variety of words that describe implements of violence. see Adding or Modifying Policy Notifications on page 15-38. • Available: Notification messages available for use. Create or modify a policy. Although you can create notifications during policy creation. click Send policy notifications. Under Monitor. For details about adding to the policy notifications list. Trend Micro recommends creating notifications before you begin creating policies. CONDITIONS • Specific number: 4 Using the Notifications List To notify a recipient or an email administrator that IMSVA performed action on a message's attachment or that the message violated IMSVA rule scanning conditions. • For information on modifying an existing rule. send a notification. • Selected: Notification messages currently in use. but not currently in use. see Modifying Existing Policies on page 20-2. Add or modify a notification. 2. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. and then click <<. 15-38 . click the notifications you want to enable. Procedure 1. Click Add. 5. The Add/Edit Policy Notification screen appears. Go to Policy > Policy Notifications. Click >>. 2. 6. The notifications appear in the Selected list. Click Save to continue creating or modifying the policy. In the Available list. click the notification in the selected list. The Policy Notifications screen appears. Adding or Modifying Policy Notifications Create policy notifications from the Policy Notifications screen or during policy creation or modification. To keep a notification available but temporarily prevent IMSVA from using it. • Subject: Specify the subject line of the notification. Configure the following: • Name: Specify a descriptive name for the notification. • From: Specify a sender email address.). Separate each address with a semicolon (. • To: Specify the receiver email addresses and select the check boxes next to Original Mail Sender and/or Original Mail Recipient. 15-39 . • Message: Specify the notification message.Common Policy Objects 3. To send an SNMP trap. 6. Adding or Modifying a Policy Notification During Policy Creation or Modification Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. Click Save. 7. see Modifying Existing Policies on page 20-2. • Available: Notification messages available for use. click Variables list. • Third radio button: Specify a custom trap ID. Message: Specify the notification message. • Selected: Notification messages currently in use. To send the original message as an attachment of the notification message. Create or modify a policy. • For information on creating a new rule. Under Monitor on the Select Actions screen. Click Add or Edit. 15-40 . but not currently in use. The Notifications screen appears with two columns: 3. • For information on modifying an existing rule. select the check box next to Attach the message. 5. The configuration screen for the notification appears. click Send policy notifications. Click one of the following: • Disable (first radio button): Avoid sending any trap IDs. • Second radio button: Select one of the default SNMP traps. see Adding Policies on page 17-2. configure the following: a. b. To see the types of variables you can include in the message. 2. • Message: Specify the notification message. select the check box next to Attach the message. To send the original message as an attachment of the notification message. • Third radio button: Specify a custom trap ID. Using Stamps To notify a recipient that IMSVA took action on a message's attachment or that the message violated scanning conditions for rules. • From: Specify a sender email address. configure the following: a.). • Subject: Specify the subject line of the notification.Common Policy Objects 4. To send an SNMP trap. To send an email notification. 7. add a stamp to the beginning or end of the message body. configure the following: • Name: Specify a descriptive name for the notification. 8. Message: Specify the notification message. 6. Click Save. Separate each address with a semicolon (. Click one of the following: • Disable (first radio button): Avoid sending any trap IDs. 15-41 . 5. click Variables list. • Second radio button: Select one of the default SNMP traps. b. • To: Specify the receiver email addresses and select the check boxes next to Original Mail Sender and/or Original Mail Recipient. To see the types of variables you can include in the message. • For information on modifying an existing rule. Create or modify a policy. 2. select the check box next to Insert stamp in body or Insert stamp in clean email messages under Modify. adding a stamp is not necessary. Note While stamps can be created during policy creation. see Adding Policies on page 17-2. Trend Micro recommends creating stamps before you begin creating policies. • For information on creating a new rule. 15-42 . Go to Policy > Stamps. The Stamps screen appears. Procedure 1. see Modifying Existing Policies on page 20-2 While creating or modifying a policy on the Select Actions screen.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Tip Add stamps only for messages that the intended recipients will eventually receive. Using Stamps in a Policy Procedure 1. If you are configuring a rule to delete messages that violate your scanning conditions. Creating Stamps Create stamps from the Stamps screen or during policy creation or modification. Next to Name. 3. 6. specify the message. Next to Insert at. To prevent possible damage to Transport Neutral Encapsulation Format (TNEF)encoded messages or digitally signed messages. specify the name of the stamp 4. The Add/Edit Stamp screen appears. select Do not stamp TNEFencoded messages or digitally signed messages. click Variables list. Under Text. click End of message body or Beginning of message body. 15-43 . 5. Click Add or select a stamp to edit from the Stamp list.Common Policy Objects 2. To see the types of variables you can include in the message. An edit screen appears. Click Done. The Stamps screen appears showing the available stamps. To see the types of variables you can include in the message. To add a new stamp. Creating a Stamp During Policy Creation or Modification Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 7. 4. specify the message. 6. To prevent possible damage to TNEF-encoded messages or digitally signed messages. Next to Name. • For information on creating a new rule. select Do not stamp TNEF-encoded messages or digitally signed messages. Click Save to return to the Stamps screen. 8. Create or modify a policy. click Edit next to Insert stamp in body or Insert stamp in clean email messages. • For information on modifying an existing rule. 15-44 . Click Save to return to the Stamps screen. 9. 5. 7. click Variables list. Under Modify on the Select Actions screen. Next to Insert at. 3. click it in the list box and then click Edit. see Modifying Existing Policies on page 20-2. 2. To modify an existing stamp. click Add. specify the name of the stamp. click End of message body or Beginning of message body. Under Text. see Adding Policies on page 17-2. Enabling the DKIM Approved List Procedure 1. This means false positives are reduced as is the need for scanning messages from a source that is known to be safe.Common Policy Objects Using the DKIM Approved List DomainKeys Identified Mail (DKIM) is a signature/cryptography-based email authentication that provides a method for validating a message during its transfer over the Internet. By validating that the message comes from the source it is claiming. Validated messages are not marked as spam and are not scanned for spam. 3. Populate the list with known safe domains. Select the Enable the DKIM Approved List for use in policies check box. IMSVA provides spam and phishing protection for your network. Go to Policy > DKIM Approved List. 15-45 . 2. The DKIM Approved List screen appears. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Manually: a. 4. b. Click Import. c. Click Add. Specify a domain name. 15-46 . Specify the file path and file name or click Browse and locate the file. Import a list: Note When importing a text file for the DKIM Approved List. Select one of the following: d. only one domain should be on each line. Click Save. • Merge with current list • Overwrite current list Click Import. The Web Reputation Approved List provides administrators with a way to bypass scanning and blocking of URLs which the administrator knows to be safe. a. Using the Web Reputation Approved List Web reputation protects users on your network from malicious URLs in messages. Web reputation does this by scanning URLs in messages and then comparing the URL with known malicious URLs in the Trend Micro Web reputation database. b. The Import DKIM Approved List appears. Only add domains that you know are safe. see Modifying Existing Policies on page 20-2. Under Web Reputation on the Scanning Conditions screen. Click Policy > Web Reputation Approved List. Create or modify an "Other" (not an Antivirus) policy. 15-47 . The Web Reputation Settings screen appears. • For information on modifying an existing rule. 3. The Web Reputation Approved List screen appears. The Step 2: Select Scanning Conditions screen appears. Click Save. • For information on creating a new rule. see Adding Policies on page 17-2. Select the Enable the use of the Web Reputation Approved List check box.Common Policy Objects Enabling the Web Reputation Approved List Procedure 1. 4. Adding to the Web Reputation Approved List Domains added to the Web Reputation Approved List will not be scanned by IMSVA. click Web Reputation settings. Procedure 1. 2. Continue configuring the policy. 5. com. Click Add>>. Select one of the following: d.trendmicro. Import a list: Note When importing a text file for the Web Reputation Approved List. Click Import. b. Specify the file path and file name or click Browse and locate the file. Specify a domain. Populate the Web Reputation Approved List in one of the following ways: Manually: a. 15-48 • Merge with current list • Overwrite current list Click Import. c. a. For example: *. b. The Import Web Reputation Approved List appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. only one domain should be on each line. . 15-49 . Click Save.Common Policy Objects 3. . and managing IMSVA policies. Topics include: • Configuring Internal Addresses on page 16-2 • Adding an Address Group on page 16-5 • Searching for Users or Groups on page 16-6 • Searching for an LDAP User or Group on page 16-7 16-1 .Chapter 16 Internal Addresses This chapter provides instructions for creating. modifying. For example: internal address is imsstest. Go to Policy > Internal Addresses. specify the sender’s address.com. valid senders include [email protected]. The Internal Addresses screen appears. 16-2 . • For outgoing messages. which is in range of the internal addresses. the rule applies to senders or recipients that match the mail address. bob@imsstest. valid recipients include [email protected] Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring Internal Addresses For reporting and rule creation.com. bob@imsstest. IMSVA uses internal addresses to determine which policies and events are Inbound and Outbound: • For incoming messages. For example: internal address is imsstest. which is in range of the internal addresses. Setting Internal Addresses Procedure 1. • For both incoming and outgoing messages.com. specify the recipient’s address. domainname or domainname1.*@domain.com". For more information. select one of the following from the drop-down box: • Enter domain: Specify a domain and click >>.com and user@*. or use the "@" symbol.domainname2 are valid. Do not type the "@" or user name parts of an email address. user@domainname is invalid. For example.domain. For example. However.com to include all sub-domains for "domain. • Search for LDAP group: A screen for searching the LDAP groups appears. click the LDAP group and then click >>. *.* are both invalid. The search result appears in the list box.Internal Addresses 2. To add it to the Selected list. you cannot use two asterisks in the user name or domain name portion of the address. Under Internal Domains and User Groups. use *. Note You can use wildcards for domain names. see Searching for an LDAP User or Group on page 16-7 16-3 . Specify an LDAP group name (not an individual LDAP user) that you want to search in the text box and click Search. com: Imports the exact domain • *.com: Imports all sub-domains • domain. To import domains from a file. 16-4 . click Import from File and select the file. 3. Click Export. Tip Import both the exact domain and all sub-domains for best results.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note When searching an LDAP group for the internal addresses. 2. 4.org: Imports the exact domain Note The import file must be a text file containing one domain per line. Exporting Internal Addresses Procedure 1. The following shows sample content of a domain list text file: • domain.domain. Go to Policy > Internal Addresses. A File Download dialog box appears. you can use wildcards at the beginning and/or at the end of the LDAP group if you have specified Microsoft Active Directory or Sun iPlanet Directory as the LDAP server. You can use wildcards when specifying the domain. The Internal Addresses screen appears. Click Save. Next to Addresses. do the following: a. Specify the location and file name. specify a descriptive name. The address appears in the list. Click Save. rather than applying rules to each address individually. 4. specify an email address to add. To import an address group from a file to the IMSVA server. Click Import. c. 2. Procedure 1. choose Select address groups under Select address. Click Add. When you configure a route or an exception for a route. If you create an address group. Click Save. do the following: a. Click Add. 16-5 . The Address Groups screen appears. To add multiple addresses.Internal Addresses 3. A Save As dialog box appears. b. Create address groups manually or import them from a text file that contains one email address per line. 3. you can apply rules to several email addresses at the same time. 4. Next to Address Group Name. use the asterisk (*) wildcard. 5. To add addresses manually. Adding an Address Group An address group is a collection of user email addresses in your organization. Searching for Users or Groups When you filter the list of rules by user or group. d. A dialog box appears. 5. Select one or both check boxes next to Senders or Recipients. 4. From the drop-down box. select [find user or group] from the last drop-down list. select one of the following: 16-6 • Email address • LDAP user or group . If addresses are already in the list. Click Import. choose whether to merge them or overwrite them with the imported list. 6. The Find Policy or User Group screen appears. Click Save. Go to Policy > Policy List. Next to Filter by. c. Continue configuring the route or configuring the exception for a route. 3.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide b. Click Browse. 2. you can select from the following items: • Email address • LDAP group • Address group Procedure 1. e. Locate the file and click Open. 2. Click Select. specify the key words for which to search. 6.4.4 • OpenLDAP™ 2.23 The following steps provide instructions on adding an LDAP user or group when creating a new policy. Searching for an LDAP User or Group When specifying the route for a policy. 16-7 . IMSVA supports the following types of LDAP servers: • Microsoft™ Active Directory 2003. In the text box. Select Antivirus or Other from the drop-down list to create an antivirus rule or a rule against other threats. Click the Add button. instead of entering an individual email address or address group. 3. 2008 R2. 4. Go to Policy > Policy List. you can also perform a search for a Lightweight Directory Access Protocol (LDAP) user or group.5. respectively. or Global Catalog • IBM™ Lotus™ Domino™ 6. Procedure 1. Click the Recipients or Senders link. 2.5 or above • Sun One iPlanet 5. 8.Internal Addresses • Address group 5. .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Select Addresses screen appears. 16-8 Select Search for LDAP users or groups from the drop-down list. 5. Internal Addresses 6. Note a. b. See . You can use the asterisk wildcard when performing a search. Specify the LDAP user or group that you want to search. 9. You can also search for LDAP groups when adding internal addresses. Click the Search button. IMSVA displays the LDAP user or group if a matching record exists on the LDAP server. 16-9 . 7. 8. Select the user or group and click the Add button to add it to the recipient or sender list. See Configuring Internal Addresses on page 16-2. . modifying. Topics include: • Adding Policies on page 17-2 • Specifying a Route on page 17-2 • Specifying Scanning Conditions on page 17-9 • Specifying Actions on page 17-35 • Finalizing a Policy on page 17-45 17-1 . and managing IMSVA policies.Chapter 17 Configuring Policies This chapter provides instructions for creating. Trend Micro recommends that you maintain at least one antivirus rule that applies to all messages.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Adding Policies Before creating a policy. ensure that you have configured the internal addresses. see Step 7: Configuring Internal Addresses on page 4-13. You can also configure exceptions to a route. Adding a Route Procedure 1. For information. Specifying a Route The first step in adding a rule is configuring the following: Route A specific "To" and "From" combination that includes a recipient's and sender's email addresses. Select all messages from the drop-down list when specifying the route for an antivirus rule. or all traffic. Creating a policy involves the following steps: • Step 1: Specifying a Route on page 17-2 • Step 2: Specifying Scanning Conditions on page 17-9 • Step 3: Specifying Actions on page 17-35 • Step 4: Finalizing a Policy on page 17-45 Tip To prevent a virus leak and ensure that all messages are scanned. LDAP users or groups. or address groups. POP3 traffic. 17-2 Go to Policy > Policy List. . Route type The direction of SMTP traffic. Note The Antivirus rule scans messages for viruses and other malware such as spyware and worms. 3.Configuring Policies The Policy List screen appears. and other attachment criteria. The Other rule scans for spam or phishing messages. regulatory compliance. message content. Select Antivirus or Other from the drop-down list. encrypted messages. The Add Rule screen appears. 2. Click Add. 17-3 . Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. • incoming messages • outgoing messages • both incoming and outgoing messages • POP3 • all messages . 17-4 Select the policy route type from the drop-down list next to This rule will apply to. com. Note 1. 6. 17-5 . specify the recipient’s address.Configuring Policies 5. Select the recipients and senders: • For incoming messages. which is in range of the internal addresses. • For both incoming and outgoing messages. The rule applies to all POP3 routes. The Step 2: Select Scanning Conditions screen appears. Click the name of the policy to edit. valid recipients include jim@imsstest. For more information. • For outgoing messages. Go to Policy > Policy List. If you selected "all messages" for a rule. bob@imsstest. see Using the Asterisk Wildcard on page 20-13. the rule also applies to messages from any sender to any recipient. valid senders include jim@imsstest. You can use the asterisk wildcard when specifying an email address.com.com. If you selected POP3. 3. 2.com. the rule applies to senders or recipients that match the mail address. Editing a Route Procedure 1. specify the sender’s address. 2. For example: internal address is imsstest. you cannot configure the route. Click Next.com. bob@imsstest. For example: internal address is imsstest. The Policy List screen appears.com. which is in range of the internal addresses. valid senders include [email protected]. 3. • 17-6 For both incoming and outgoing messages. • incoming messages • outgoing messages • both incoming and outgoing messages • POP3 • all messages Note The This rule will apply to option cannot be modified in the Global DKIM Enforcement rule.com. Select the policy route type from the drop-down list next to This rule will apply to. specify the sender’s address. specify the recipient’s address. Click Edit for If recipients and senders are. 4.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Summary screen for the policy appears. • For outgoing messages.com. which is in range of the internal addresses. 5. the rule applies to senders or recipients that match the mail address.com. The Recipients and Senders screen for the policy appears. For example: internal address is imsstest. . bob@imsstest. which is in range of the internal addresses.com. bob@imsstest. valid recipients include jim@imsstest. For example: internal address is imsstest. Select the recipients and senders: • For incoming messages.com. 6. Senders and recipients must be on the Internal Addresses list if you select incoming messages or outgoing messages when adding a new rule or modifying an existing rule: • If you are configuring an outgoing message.Configuring Policies Note 1. • *@*: Adds all addresses. 3.company. Use the asterisk wildcard to include a range of email addresses. the Internal Address list applies to the senders.com: Adds only the specific address.com: Adds any user at any subdomain of company. If you selected POP3. You can use the asterisk wildcard when specifying an email address. For example.com: Adds any user at the domain company. If you selected "all messages" for a rule. the Internal Address list applies to the recipients. • *@*. or address groups. The rule applies to all POP3 routes. LDAP users or groups. For example: • user@company. see Using the Asterisk Wildcard on page 20-13. the rule also applies to messages from any sender to any recipient. [email protected]. Route Configuration A route is a specific "To" and "From" combination that includes a recipient’s and sender’s email addresses. You can also configure exceptions to a route. Click Save. 2. 17-7 . • *@company. • If you are configuring an incoming message. For more information.com.com. you cannot configure the route.com would be included. If you are adding an LDAP or address group. Under Select addresses. • Select address groups: All existing address groups appear in the list. 17-8 . click Add>. click the trash can icon. select one of the following: • Anyone: Select this option to remove any restriction on the recipients or senders. 5. click Add to create an address group. 4. and then click Add>. • Enter address: Specify the email address to add. 3. • Search for LDAP users or groups: Specify the LDAP user or group name and click Search. Click Save. • Users: Appears if you selected both incoming and outgoing messages. The results display in the list box. 2. To remove any email address or email address group from the Selected list. click it in the list box. Click one of the following on the Select Recipients and Senders screen: • Recipients or Senders: Appears if you selected incoming messages or outgoing messages. If there are a large number of email addresses that you will reuse for routes in several rules.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring the Route Procedure 1. If you are adding an email address or email address group. Configuring Policies Tip When selecting an LDAP group as the recipients or senders. Trend Micro recommends that you maintain at least one antivirus rule that applies to all messages at all times. configure the rules to filter message traffic based on several conditions. To prevent virus leaks and ensure that all messages are scanned. Procedure 1. The categories of scanning conditions for the Antivirus and the Other rule 17-9 . from the Step 2: Select Scanning Conditions screen. Select the check boxes as desired. you can use wildcards at the beginning and/or at the end of the LDAP group if you have specified Microsoft Active Directory or Sun iPlanet Directory as the LDAP server. The scanning conditions vary depending on whether Antivirus rules or Other rules are being created. Specifying Scanning Conditions After selecting the senders and recipients for a new rule or modifying the senders and recipients for an existing rule. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide types vary as follows: • Antivirus rule a. TABLE 17-1. IntelliScan: uses "true file type" identification Use IntelliScan to identify malicious code that can be disguised by a harmless extension name. . Files to Scan: Set the default method for scanning messages and specific file types containing viruses and other malware. Files to Scan SETTING 17-10 DESCRIPTION All scannable files Attempt to scan all files. • Send the IntelliTrap samples to TrendLabs: IMSVA can automatically send messages with attachments that IntelliTrap catches to TrendLabs. • Specified file extensions: Specify the extension in the text box.) before the extension. Spyware/Grayware Scan: Scan for other types of threats such as spyware and adware. • IntelliTrap: Scan message attachments that contain real-time compressed executable files. • Compressed files: Click the link and select the sub-types to scan. You do not need to type the period (. DESCRIPTION Select the check box next to one of the following types of file extensions to scan: • Application and executables: Click the link and select the sub-types to scan. • Documents: Click the link and select the subtypes to scan. c. IntelliTrap Settings: Scan compressed files for viruses/malware and send samples to TrendLabs for investigation.Configuring Policies SETTING Specific file types b. 17-11 . You can also use an asterisk wildcard for the extension. 17-12 Select one of the following next to Take rule action when. C&C Email: Scans message headers for email addresses known to be used as C&C callback addresses. • any conditions matched (OR): When a message matches any of the conditions. b. which specifies when IMSVA can take action on a message: • all conditions matched (AND): When a message matches all of the conditions. .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Other rule a. • Phishing email d. or megabytes. see Configuring the C&C Email Approved List on page 17-15. image. c. Spam/Phishing Email: Scans messages identified as spam and phishing messages. Phishing messages. or equal to a certain number of bytes. document. such as attachments with specific extensions or belonging to a certain true file type. originate from senders masquerading as trustworthy entities. • Spam detection settings: Click the link to select a level of spam protection and configure lists for approved and blocked senders and text exemptions. For more information. KB. • True file type: Click the link to configure filter settings for common executable. • Name or extension: Click the link to configure filter settings for specific file names or extension names. Note Selecting C&C Email and the filter relation all conditions matched (AND) disables the Spam/Phishing Email and Web Reputation filters. • MIME content type: Click the link to configure filter settings for MIME content types. less than. =} {size} {MB. Attachment: Scans messages for file attachments that match the selected criteria. e. 17-13 . and compressed files. • Size is {>. on the other hand. <. media.Configuring Policies This filter is not triggered if the detected email addresses are found in the C&C Email Approved List. B}: Select to filter attachments of a size that is more than. kilobytes. Specify a number that represents the file size. Web Reputation: Scans URLs in messages to protect against phishing and other malicious websites. Spam messages are generally unsolicited messages containing mainly advertising content. Compliance: Scans messages to protect against data leakage using regulatory compliance templates. or equal to a certain number. Specify a number that represents the total number of attachments for each message. =} {size} {MB. less than. Content: Scans messages containing the keyword expressions that match those expressions specified in the subject. header. less than. <. Sometimes spam messages do not contain subject lines. and other headers that you can specify. 17-14 Message size is {>. or megabytes. • Number is {>. body. KB}: Select to filter messages of a size that is more than. Click Compliance templates to see the list of available templates.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide f. Specify a number that represents the message size. or equal to a certain number of kilobytes. To. CC. • Attachment content keyword expressions: Click the link to manage your expression lists. • Password protected zip files (unscannable files): Select to filter password protected zip files that cannot be scanned by IMSVA. From. • Body keyword expressions: Click the link to manage your expression lists. • Subject keyword expressions: Click the link to manage your expression lists. Headers include Subject. . Size: Scans messages that match the specified message size. or attachment content keyword expressions links. h. <. • Subject is blank: Select to filter messages without a subject. • Header keyword expressions: Click the link to manage your expression lists. • g. =} {number}: Select to filter the number of attachments that is more than. <.000 entries. =} {number}: Select to filter the number of recipients. Regulatory Compliance Templates TEMPLATE i. • Recipient number {>. Specify a number that represents the total number of recipients for each message. Note IMSVA identifies addresses used in the message header and not the SMTP session. DESCRIPTION GLBA Gramm-Leach-Bliley Financial Services Modernization Act of 1999 HIPAA Health Insurance Portability and Accountability Act PCI-DSS The Payment Card Industry Data Security Standard SB-1386 California law regulating the privacy of personal information US PII Personally Identifiable Information Others: Scans messages in which the number of recipients match the specified number. • Spoofed internal messages: Click the link to create or modify a trusted internal IP address list. Also scans messages that are received within the specified time range.Configuring Policies TABLE 17-2. 17-15 . The list can contain a maximum of 5. • Unable to decrypt messages: Select to filter encrypted messages that cannot be decrypted by IMSVA. • Received time range: Click the link to select a day and time within which a message was received. Configuring the C&C Email Approved List IMSVA does not identify messages from senders and recipients in this list as C&C email. 2. Note You can use the asterisk character to add multiple addresses. The C&C Email Settings screen appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. On the Scanning Conditions screen. Click C&C email settings. Select Enable C&C Email Approved List. 17-16 Import email addresses from a text file on a local host to the IMSVA server. 3. Type an email address in the box then click Add. see Using the Asterisk Wildcard on page 20-13. . Add email addresses using any of the following methods: a. The address appears in the list. b. 4. For details. select C&C email settings. Create a new email message with the following information: • Subject line: [IMSVA 8. 7. choose whether to merge the new entries or overwrite the existing ones.5] Potentially misclassified email address • Email body: • • Specify the email address. Take screenshots of the management console. Submitting Potentially Misclassified Email Addresses to Trend Micro Procedure 1. 5. For more information. or any notification you receive from IMSVA. see Submitting Potentially Misclassified Email Addresses to Trend Micro on page 17-17. 6.Configuring Policies Note Each line in the file should contain only one email address that follows any of the valid formats. Optional: Export the address list as a text file. IMSVA does not import incorrectly formatted email addresses. error messages. Click Save. • Explain why it is potentially misclassified. 2. If the list already contains email addresses. Optional: Send a message to [email protected] to notify Trend Micro about email addresses that may have been misclassified. Attachments: • Screenshots that you took in Step 1 • Email message(s) incorrectly identified as malicious 17-17 . however.com.msg or . 4. • High: Catches more spam.eml). send the message as an attachment (. Under Spam/phishing emails on the scanning conditions selection screen for the Other rule type. 17-18 Select one of the following spam catch rates or specify a detection threshold. Selecting Scanning Conditions for Spam Spam criteria includes a spam catch rate/detection threshold setting and configurable lists for approved and blocked senders and for text exemption rules. still take actions on any senders in the Blocked Senders list below. Instead. • Medium: Catches an average amount of spam (the default selection). IMSVA will not label any messages that violate this rule as spam. select the check box next to Spam detection settings. Procedure 1. 3. To enable spam scanning. If you do not select this check box. Send the email to: [email protected] Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Important Do not use the Forward command as it deletes essential information from the message header. 2. . Select a high catch rate if too much spam is getting through to your clients. You can. Select a low catch rate if IMSVA is tagging too many legitimate messages as spam. The Spam Detection Settings screen appears. • Low: Catches less spam. Click Spam detection settings. 3. select the check box next to Select a spam catch rate or specify a detection threshold. Click DKIM approved list to enable or disable use of the DKIM Approved List. but it also results in a lower number of false positives. 6. If IMSVA is letting too much spam through to your clients as legitimate messages. 17-19 . specify a lower threshold value. if the messages come from domains appearing in the DKIM approved list. This increases the spam catch rate. 7. Note A higher threshold value means that a message must be very "spam-like" for IMSVA to consider it spam. This decreases the spam catch rate. 5. see Configuring Approved and Blocked Sender Lists on page 17-20. Select the check boxes next to any of the following lists to enable them: • Approved sender list: Prevents IMSVA from identifying messages from senders in this list as spam.Configuring Policies • Specify a detection threshold: Specify a threshold value (between 3.0 and 10. specify a higher threshold value. If IMSVA is tagging too many legitimate messages as spam (too many false positives). Note For instructions on configuring the lists. A lower threshold value means that a message only needs to be slightly "spam-like" for IMSVA to consider it spam. • Blocked sender list: Forces IMSVA to identify messages from senders in this list as spam. but it also results in a higher number of false positives.0) that represents how critically IMSVA analyzes messages to determine if they are spam. IMSVA does not scan or mark messages as spam. Click Save to continue selecting scanning conditions. • Text exemption list: Prevents IMSVA from identifying messages that contains any of the text in this list as spam. • Blocked sender list: Forces IMSVA to identify messages from senders in this list as spam. Click Open. Click Add. d. To add addresses manually. b. A Save dialog box appears. 4. Click Export. To add multiple addresses. b. Click Browse and locate the file. To import an address group from a file on a local host to the IMSVA server. . If addresses are already in the list. Configure the lists when you select spam scanning conditions. 2. Procedure 1. The address appears in the list. choose whether to merge them or overwrite them with the imported list. do the following: a. Click Import. A dialog box appears. do the following: a. To export an address group as a file on the IMSVA server. e. specify the address. Click Import. c. Click Save.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring Approved and Blocked Sender Lists To provide added flexibility to spam filtering scanning conditions. do the following: 3. b. 17-20 a. Select the check box next to Approved sender list or Blocked sender list. IMSVA provides the following lists: • Approved sender list: Prevents IMSVA from identifying messages from senders in this list as spam. Next to Email address. use the asterisk (*) wildcard. select the Exclude messages matching text exemption rules check box under Text Exemption Rules. Configuring Spam Text Exemption Rules IMSVA does not identify any of the text in the text exemption list as spam. e.? Procedure 1. 17-21 .Configuring Policies 5. Click Close. The file saves to the location and a dialog appears. 3. Click Save. d. To configure an existing rule. 2. When configuring the spam scanning conditions. Specify a name for the file and a location to save the file. Configure rules for this list if you want users to always receive messages that contain specific keywords. To add a new text exemption rule. The Text Exemption Rules screen appears. select a portion of the message. Next to Name. specify a descriptive name for the text exemption rule. click it in the list box. and then click Edit. Next to Scan area. 4. Use regular expressions to define the conditions. click Add. Type a backslash character before any of the following characters: \|(){}[]^$*+. Click Save. c. Next to Items are case sensitive. Example: a. select the check box to consider the text case as well as the content. 7. specify the text strings in the text boxes. provide only the header content for Line beginning. From: test@trendmicro. 17-22 Create or modify an "Other" (not an Antivirus) policy. If you select All Headers as the scan area and use Line beginning to match the header. 6. . To. provide the header name as well. Line beginning means matching regular expressions at the beginning of a line. From. Select All Headers as the scan area. or Reply-to as the scan area and use Line beginning to match the header. Under Strings to match. Click Save. test@trendmicro. provide both the header name and a message string for Line beginning. 5. b. Configuring Web Reputation Settings Enable and configure Web Reputation settings to protect your clients from malicious URLs in messages. For example. Enabling Web Reputation Settings Procedure 1. Example: a. provide a message string for Line beginning. Line end means matching regular expressions at the end of a line. Select From as the scan area. b.com. Under Strings to match.com.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note If you select Subject. For example. Under Strings to match. • For information on modifying an existing rule. Under Web Reputation on the Scanning Conditions screen. Select one of the following security levels. • High: Blocks more websites embedded in messages but also increases the risk of false positives.Configuring Policies • For information on creating a new rule. • Low: Blocks fewer websites embedded in messages and reduces the risk of false positives. • Medium: Blocks an average number of malicious websites. Click Next to continue configuring the policy. select the Web Reputation settings check box. Click Next. Create or modify an "Other" (not an Antivirus) policy. Under Web Reputation on the Scanning Conditions screen. 4. Select High if your users are visiting too many malicious websites. • For information on creating a new rule. see Adding Policies on page 17-2. 2. • For information on modifying an existing rule. Select Low if IMSVA is blocking too many legitimate websites. The Web Reputation Settings screen appears. see Adding Policies on page 17-2. Configuring Web Reputation Settings Procedure 1. see Modifying Existing Policies on page 20-2. Medium is the default setting because it blocks most web threats while keeping the false positive count low. 3. see Modifying Existing Policies on page 20-2. 17-23 . select Web Reputation settings. 2. 3. . • For information on modifying an existing rule. Add up to 5000 addresses by either adding individual addresses or by importing multiple addresses from a text file. Select Enable the use of the Web Reputation Approved List to prevent IMSVA from scanning and blocking domains included in the Web Reputation Approved List. Note Web pages change frequently. The policy takes effect on addresses in the order that they appear in the list. 7. click Marketing Message Scanning settings. and it is difficult to find data or follow a link after the underlying page is modified.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 5. Procedure 1. 17-24 Create or modify an "Other" (not an Antivirus) policy. see Modifying Existing Policies on page 20-2. see Adding Policies on page 17-2. Configuring the Marketing Message Exception List The exception list is a white list of email and IP addresses to ignore when filtering content. 6. • For information on creating a new rule. 2. Under Marketing Message Scanning. Click Save. Optional: Select Enable detection of URLs that have not been rated by Trend Micro to increase protection against short-lived websites. Such websites are usually used as vehicles for transporting malware and carrying out phishing attacks. Configuring Policies The Marketing Message Scanning settings screen appears. b. 3. For details. Click Save. Select Enable Exception List to scan email or IP address for marketing messages. 6. Optional: Export the address list as a text file. 5. Import email addresses from a text file on a local host to the IMSVA server. see Importing Marketing Email Exceptions on page 17-26. Specify an email or IP address and then click Add>>. Add email or IP addresses using the following methods: a. The address appears in the list. 17-25 . 4. 2. Procedure 1.com 17-26 . Examples of valid input: Email addresses user@company. On the right pane of the Market Email Settings rule screen. Click Choose File and then select the import file. click Import.com *@*. If the list already contains an email address or IP address that is in the file. The Import Marketing Message Scanning Exception List screen appears. the address is ignored.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Importing Marketing Email Exceptions Before you begin Complete Configuring the Marketing Message Exception List on page 17-24 Note Each line in the file should contain only one email address or IP address that follows any of the valid formats.company. IMSVA does not import incorrectly formatted addresses. 123. 3.0/24 IPv6 addresses 1050:0:0:0:5:600:300c:326b ff06::c3 3. The Attachment Name or Extension screen appears. Next to Select. select one of the following: 17-27 . 2. Selecting Scanning Conditions for Attachments IMSVA can filter email traffic based on the files attached to messages.36.36. Click Import.1-255 62. Under Attachment on the scanning conditions selection screen. Specifying Scanning Conditions for Attachment Names or Extensions Procedure 1. Click Name or extension. • Select Overwrite current list to replace the existing list with the addresses in the file. Select one of the following merge options: • Select Merge with current list to append the addresses in the file to the existing exceptions list. 4.Configuring Policies IPv4 addresses 123. select the check box next to Name or extension.52.123 62.52.123. Under Attachment on the scanning conditions selection screen. Click Save. 2. Click Import to import from an existing text file. Click Save to continue selecting scanning conditions. 4. 5. Select the check boxes next to the attachments to scan or not scan.) to separate values. • Not the selected attachment names: IMSVA takes action on messages with attachments that are not of the selected names. • Not the selected attachment types: IMSVA takes action on messages with attachments that are not of the selected types. Select the check box next to Attachments named. Use a semicolon (. . 6. select one of the following: • Selected attachment types: IMSVA takes action on messages with attachments of the selected types. Click MIME content type. 3. b. do the following: a. 17-28 Next to Select. You can also use an asterisk wildcard for the extension. c. Another window appears. Select the check boxes next to the MIME content types to filter. Alternatively. 4. specify the names in the text box. Specifying MIME Content Type Scanning Conditions Procedure 1. select the check box next to MIME content type.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Selected attachment names: IMSVA takes action on messages with attachments of the selected names. The Attachment MIME Type screen appears. To add your own attachment name. type them in the text box. Next to Select. select the check box next to Size is {>. • Not the selected attachment types: IMSVA takes action on messages with attachments that are not of the selected types. Click True file type. B}. 6.) to separate values. 5. 3. =). Click Save to continue selecting scanning conditions. Select the check boxes next to the true file types to filter. Under Attachment on the scanning conditions screen.Configuring Policies 5. <. Specifying True File Type Scanning Conditions Procedure 1. Use a semicolon (. =} {size} {MB. 4. 17-29 . You can also use an asterisk wildcard for the MIME type. 2. KB. <. select the check box next to True file type. 2. Select the comparison symbol (>. To add your own MIME types. The Attachment True File Type screen appears. select one of the following: • Selected attachment types: IMSVA takes action on messages with attachments of the selected types. Under Attachment on the scanning conditions selection screen. Specifying Attachment Size Scanning Conditions Procedure 1. Click Save to continue selecting scanning conditions. <. Specify a number to represent the number of attachments. =). 2. Select Megabytes. Choose the comparison symbol (>. select the check box next to Number is {>. KB. =} {number}. Under Attachment on the scanning conditions screen. 2. Blocking Password Protected Zip Files Procedure • Under Attachment on the scanning conditions screen. Kilobytes. select the check box next to Message size is {>. <. =} {size} {MB or KB}. 4. Selecting Scanning Conditions for Message Size IMSVA can take action on a message based on its total size. 17-30 . Select the comparison symbol (>. or Bytes (MB. <. 3. Under Size on the scanning conditions selection screen. 5. Continue selecting scanning conditions. <. Continue selecting scanning conditions. Specifying Attachment Number Scanning Conditions Procedure 1. =). select the check box next to Password protected zip files. Specify a number to represent the size. 4. B). Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. including all attachments. 3. Click the link that specifies the part of the message to which you want to configure content conditions. on the Step 2: Select Scanning Conditions screen. In the Available list. Specify a number to represent the size of the message. Go to Policy > Policy List. The Policy screen appears. but not currently in use. Selecting Scanning Conditions for Message Content IMSVA can take action on a message based on its content and where the content appears. 17-31 .Configuring Policies 3. The screen for managing keyword expressions appears. See Configuring an Expression on page 15-14 for more information on how to specify the content to filter. • Selected: Expressions currently in use. The Keyword Expressions screen appears with two columns: • Available: Expressions available for use. 5. 7. 6. If you are configuring expressions for the header. Click Add. 5. 2. 8. Create or modify an "Other" (not an Antivirus) policy. Configure the expressions. select the check boxes next to the header items where the expression will apply. 4. Procedure 1. Select Megabytes or Kilobytes (MB or KB). click the expression list you want to enable. Under Content. Continue selecting scanning conditions. select the check boxes next to the parts of a message to which you want the content conditions to apply. 4. Select the compliance templates you require from the list. Click Save to continue to the scanning conditions selection screen. Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 9. 5. The Policy screen appears. Under Compliance. click Compliance templates. 4. To keep an expression list available but temporarily prevent IMSVA from using it. Go to Policy > Policy List. 3. 10. Click Save to continue to the scanning conditions selection screen. and then click <<. The expressions appear in the Selected list. click the expression in the selected list. 2. The Compliance Templates screen appears. Click >>. Specifying Compliance Scanning Conditions Regulatory Compliance for IMSVA must be activated before the compliance templates can be used in a policy. Specifying "Other" Scanning Conditions IMSVA can filter email traffic based on the following: • Number of recipients • Message arrival time • Message content is encrypted 17-32 . Create or modify an "Other" (not an Antivirus) policy. 2. Specify a number to represent the number of recipients. Under Other. 3. select the check boxes next to the following: • Number of recipients {>. select the check box next to Number of recipients {>. <. on the Scanning Conditions screen. • Received time range: Blocks messages if they enter your network within the specified time range. =). or is equal to the specified limit. 2. Under Others on the scanning conditions selection screen. =} {number}. 17-33 . <. • Spoofed internal messages: Blocks all messages that do not originate from the trusted IP address list. see Adding Policies on page 17-2. Procedure 1. <.Configuring Policies Procedure 1. • Unable to decrypt messages: Blocks encrypted messages that cannot be decrypted by IMSVA. Select the comparison symbol (>. • For information on creating a new rule. 3. Click Policy > Policy List. =} {number}: Blocks messages if the number of recipients is less than. see Modifying Existing Policies on page 20-2. The Policy screen appears. • For information on modifying an existing rule. exceeds. Selecting Scanning Conditions for Number of Recipients IMSVA can take action on a message based on the number of recipients to which the message is addressed. Create or modify an "Other" (not an Antivirus) policy. Procedure 1. Click Spoofed internal messages. select one of the following: • Anytime within selected ranges • Anytime except selected ranges 4. 2. Under Others on the scanning conditions selection screen. From the time drop-down boxes. Setting Scanning Conditions for Message Arrival Time IMSVA can take action on a message based on the time it arrived. select the check box next to Received time range. Under Others on the scanning conditions selection screen. select the day. Procedure 1. Click Save to continue selecting scanning conditions. This filter triggers only on messages where the sender’s and recipient’s domains are the same. 5.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. start time. Next to Select. Click Add. select the check box next to Spoofed internal messages. 2. 3. Continue selecting scanning conditions. Setting Scanning Conditions for Spoofed Internal Messages IMSVA blocks all messages if they do not originate from the trusted internal IP address list. 6. The Time Range screen appears. 17-34 . Click Received time range. and end time. • Monitor: Instructs IMSVA to send a notification. 4. Click Save. archive or blind copy the messages if you would like to further analyze them. 3. Select the desired action(s) from the following categories: • Intercept: Allows you to choose whether you would like IMSVA to intercept the messages and prevent them from reaching the recipients. The Step 3: Select Actions screen appears. although there are minor differences in the options listed. Choosing the intercept option allows you to specify an action for IMSVA to take on intercepted messages. • Modify: Instructs IMSVA to make some alterations to the messages or the attachments. Add IP addresses to the Trusted Internal IP List.Configuring Policies The Spoofed Internal Messages screen appears. Specifying Actions The main actions for both the Antivirus and Other rules are similar. Click Next from the Step 2: Select Scanning Conditions screen. such as inserting a stamp or tagging the subject. 17-35 . all messages from the edge MTAs that are not added will be blocked. WARNING! All edge MTA IP addresses must be added to this list if the feature is enabled. If the IP addresses are not added to the list. Procedure 1. 17-36 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note The screen that appears in this step depends on the type of rule that you are creating. The antivirus rule contains two tabs that allow you to configure the main actions and the actions for special viruses. Other Rule Actions 17-37 .Configuring Policies Specifying Actions for "Other" Rules FIGURE 17-1. ). . • Delete attachments: Select an action for IMSVA to take: • 17-38 Delete matching attachment: Remove only the attachment that matches the attachment scan condition. Under Intercept. click the radio button next to one of the following: • Do not intercept messages: This specific rule does not intercept messages. If there are no rules. • Change recipient: IMSVA sends the message to another recipient. If there are other rules. • Delete entire message: Deletes the message and all attachments. Under Modify. • Quarantine: IMSVA puts the message and its attachments into the quarantine area that you select from the drop-down box. Note IMSVA can only track a message before it is handed off. Specify the recipient email address and separate multiple recipients with a semicolon (. • Next to Port. • Handoff: IMSVA hands off the message to a specific mail server. select the check boxes next to any of the following: • Insert X-header: Inserts a user-specified message to the header of messages. IMSVA passes the message to your network.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. Select Handoff if you have a secure messaging server on your network that can process or handle the message. For instructions on creating a new quarantine area. the message is not traceable anymore as it is no longer within the control of IMSVA. specify the FQDN or IP address of the mail server. After the handoff. Configure the following: • Next to Host. specify the port number through which the mail server receives email traffic. see Configuring Quarantine and Archive Settings on page 25-3. 2. IMSVA will process the message. Under Monitor. For instructions on creating notifications. select the check boxes next to any of the following: • Send policy notifications: Send a message to one or more recipients. Note If a message is detected by ATSE and if Deep Discovery Advisor is enabled. Click Tag subject to edit the tag. To select a type of notification. select the name of the stamp to insert or click Edit to go to the Stamps screen and manage your stamps. • Encrypt message: Encrypt the message and send the message to the recipient. see Using the Notifications List on page 15-37. Select the hour of the day and minutes from the drop-down boxes. IMSVA performs the specified actions and sends a copy of the message to Deep Discovery Advisor for further analysis. Delete all attachments: Remove all attachments. For instructions on creating a new archive area. • Insert stamp in body: Insert text at the beginning or end of the message. • BCC: Blind carbon copy the message to another recipient. click Send policy notifications.Configuring Policies • 3. From the drop-down box. Specifying Actions for "Virus" Rules Main Actions Main Actions allow you to specify the default actions that IMSVA takes when messages match the scanning conditions specified in Step 2: Scanning Conditions. Select the BCC option to prevent the intended recipients from seeing the new recipient. Specify the recipient's email address and separate multiple addresses with a semicolon (. see Configuring Quarantine and Archive Settings on page 25-3. • Archive modified to: Archive the message to an archive area.). • Postpone delivery to: Delay delivery until a specified hour of the day. 17-39 . • Tag subject: Add text to the subject line of the message. Antivirus Rule Main Actions 17-40 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FIGURE 17-2. Under Modify. If there are other rules. Select Handoff if you have a secure messaging server on your network that can process or handle the message. For instructions on creating a new quarantine area. Intercept Settings SETTING DESCRIPTION Do not intercept messages This specific rule does not intercept messages. • Next to Port. select the check boxes next to any of the following: 17-41 . the message is not traceable anymore as it is no longer within the control of IMSVA.Configuring Policies Procedure 1. specify the port number through which the mail server receives email traffic. Note IMSVA can only track a message before it is handed off. If there are no rules. 2. IMSVA passes the message to your network.). Configure the following: • Next to Host. Change recipient IMSVA sends the message to another recipient. specify the FQDN or IP address of the mail server. Handoff IMSVA hands off the message to a specific mail server. select the radio button next to one of the following: TABLE 17-3. Specify the recipient email address and separate multiple recipients with a semicolon (. IMSVA will process the message. After the handoff. see Configuring Quarantine and Archive Settings on page 25-3. Delete entire message Deletes the message and all attachments. Under Intercept. Quarantine IMSVA puts the message and its attachments into the quarantine area that you select from the drop-down box. • If IMSVA finds a virus : Select the check box to enable actions if IMSVA finds a virus or other malware. From the drop-down box. IMSVA Finds a Virus Settings SETTING Use ActiveAction Enable IMSVA to automatically use pre-configured scan actions for specific types of viruses/malware. Select an action for IMSVA to take: • Delete matching attachment: Remove only the attachment with viruses/malware. . 17-42 • Insert stamp in body: Insert text at the beginning or end of the message. The X-header appears as configured in the last rule. Note If you configure multiple rules to add an x-header. • Delete all attachments: Remove all attachments. and then click one of the following: TABLE 17-4. select the name of the stamp to insert or click Edit to go to the Stamps screen and manage your stamps. Attempt to clean attachments. select the name of the stamp to insert or click Edit to go to the Stamps screen and manage your stamps. From the drop-down box. Insert X-header: Inserts a user-specified message to the header of messages. the X-header appears only once in the message.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note Options under If IMSVA finds a virus are only available for Antivirus rules. • Delete all attachments: Remove all attachments. If unable to clean Select an action for IMSVA to take if it cannot clean the attachment: Delete attachments • DESCRIPTION • Delete matching attachment: Remove only the attachments with viruses/malware. • Insert safe stamp for clean mails: Insert text into clean messages signifying that the message is safe. Specify the recipient's email address and separate multiple addresses with a semicolon (. Select the BCC option to prevent the intended recipients from seeing the new recipient. • Postpone delivery time: Delay delivery until a specified hour of the day. select the check boxes next to any of the following: • Send policy notifications: Send an message to one or more recipients. For instructions on creating a new archive area. 3. • Tag subject: Add text to the subject line of the message. The actions specified on this screen will override the default actions specified on the Main Actions tab. • Archive modified to: Archive the message to an archive area. To select a type of notification. 17-43 . Select the hour of the day and minutes from the drop-down boxes.). see Configuring Quarantine and Archive Settings on page 25-3. Specifying Actions for "Virus" Rules Special Viruses Special Virus settings allow you to specify the actions that IMSVA takes if the messages match any of the following criteria.Configuring Policies Note The Insert safe stamp for clean mails option is not available on the Special Viruses tab. see Using the Notifications List on page 15-37. Click Tag subject to edit the tag. Under Monitor. click Send policy notifications. For instructions on creating notifications. • BCC: Blind carbon copy the message to another recipient. add a brief message to the beginning of 17-44 . Note IMSVA takes the default action for messages matching the IntelliTrap conditions if you do not select alternative actions. it takes the actions that are specified here. Creating a Tag Subject To notify a recipient that IMSVA took action on a message's attachment or that the message violated scanning conditions for a rule. see Specifying Scanning Conditions on page 17-9. For more information. If IMSVA detects spyware/grayware in a message. • Spyware/grayware: Allows you to specify the corresponding actions if you have selected any of the Spyware/Grayware Scanning options on the Scanning Conditions screen in step 2.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Mass mailing: IMSVA takes the actions specified in this section if it detects mass mailing messages. See Specifying Scanning Conditions on page 17-9. Note IMSVA takes the default action for messages matching the Spyware/Grayware Scanning conditions if you do not select alternative actions. • IntelliTrap: Allows you to specify the corresponding actions if you have selected the IntelliTrap Setting options on the Scanning Conditions screen in step 2. 2. If you are configuring a rule to delete messages that violate your scanning conditions.Configuring Policies the subject line. • The red cross mark button indicates that the rule is saved but inactive. When viewing rules. Finalizing a Policy After you select actions for a rule. You can also modify this information for an existing rule. Click Save to continue selecting actions. click Tag subject under Modify actions. Procedure 1. note the following: • The green check mark button indicates that the rule is active. When you select actions. Note You can enable and disable rules by clicking the buttons. select the check box next to Tag subject under Modify. Specify the text to insert in the subject line next to Tag. 17-45 . name and enable the rule. 3. IMSVA allows you to add any notes to the rule that you think are necessary for future reference. Also. select Do not tag digitally signed messages. Add a tag only for messages that the intended recipients will eventually receive. To use a tag. adding a tag is not necessary. To prevent possible damage to digitally signed messages. • The gray cross mark button indicates that the rule and the Activation Code for the product are both inactive. 4. 5. assign an order number that represents its position within the hierarchy of rules. An edit screen appears. The Step 4: Name and Order screen appears. specify the priority in which IMSVA will perform the scan. In the Order Number field. Select the Enable check box to activate the rule. click Next on the Step 3: Select Actions screen.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Finalizing a Rule Procedure 1. 2. Use one of the following methods to open the screen: • When creating a new policy. Specify a name for the rule in the Rule Name field. • When finalizing an existing policy. 3. 4. IMSVA applies the rule to messages according to the order you specify. 17-46 . click the name of the policy in the policy list on the Policy > Policy List screen. 7. Specify a note to distinguish the new rule from other rules. click < Previous and make your changes. If any information about the rule is incorrect.Configuring Policies 5. 8. The Notes screen appears. 17-47 . verify that the information on the screen is correct. Click Finish to complete a new rule or Save to modify an existing rule. If you are creating a new policy. 6. Click the Notes tab. . Topics include: • Configuring Encryption Settings on page 18-2 • Encrypting Message Traffic on page 18-3 • Configuring Encryption Policies on page 18-3 18-1 .Chapter 18 Encryption Settings This chapter provides instructions for configuring encryption settings for IMSVA. nor sold to any other party. When you register a domain. IMSVA can decrypt messages encrypted by IBE. In distributed environments. this email address will be used only for other product related use (example: password resets and registration notifications). Without the key. Encryption Types FEATURE DESCRIPTION Encryption exception This rule triggers when IMSVA cannot decrypt or encrypt messages using an Identity-Based Encryption (IBE) algorithm. You will not receive spam as a result of registering Encryption for Email. Trend Micro Email Encryption cannot encrypt your message. It will not be used for marketing purposes. However.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring Encryption Settings Trend Micro Email Encryption must have your registered domain in order to work. Note In addition to logging in. you must first register a domain to the Trend Micro Email Encryption Server before IMSVA is able to decrypt messages from that domain. 18-2 . Trend Micro Email Encryption acquires an encryption key that is unique to your registered and confirmed domain. Encryption Types There is a difference between the Encryption exception rule and the Unable to decrypt messages policy rule. TABLE 18-1. Unable to decrypt messages This rule is used to detect messages encrypted by Pretty Good Privacy (PGP) encryption or Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption. the ID that appears on the Encryption Settings > IMSVA tab is shared by the parent IMSVA and all child IMSVAs. For encrypted message traffic entering your network.com are not encrypted. registration and support messages from privatepost. See Registering Domains for more information. The message will be delivered to the intended recipient if this action is taken. Messages are re-encrypted after scanning to protect the message content. and Postpone delivery to. Note Encrypting messages is a terminal action. Deliver the message is selected automatically and the following selections are not available: Delete entire message. After configuring encryption settings. 18-3 . IMSVA decrypts the messages automatically and scans the messages according to the policy rules you specify. Change recipient to. If you enable a rule to encrypt incoming messages. IMSVA can decrypt and encrypt the messages to protect the message content. After selecting Encrypt message.Encryption Settings Encrypting Message Traffic Your domains must be registered to the Trend Micro Encryption Email service for email encryption to work. Configuring Encryption Policies IMSVA can encrypt plain text message content when you select Encrypt message when specifying scan actions for policies. . Chapter 19 Scanning Exceptions This chapter provides instructions for managing IMSVA scanning exceptions. 19-1 . For example. IMSVA stops scanning and takes the corresponding actions. IMSVA will stop scanning if it encounters a terminal scan action. The Security Settings Violations screen appears. 19-2 . Additionally. verify that the Global antivirus rule is enabled. That means IMSVA will not trigger any policy rules when a scan exception occurs. For the actions specified in Scan Exceptions to take effect. IMSVA will not stop scanning after the action of the scan exception executes. To set scan exception conditions for messages based on several conditions. Configuring Scan Exceptions Procedure 1. set scan exceptions to bypass scanning and instruct IMSVA to take action on the messages immediately. click the Security settings violations link under Exception. 3. messages with extremely large attachments require significant IMSVA server resources to scan fully. 2. messages addressed to hundreds of recipients are most likely spam or some type of attack. you may want to prevent IMSVA from scanning certain types of messages that could be part of a DoS attack. 2. click the Encryption exceptions link under Exception. The Encryption Exceptions screen appears. IMSVA continues checking other policy rules. Rather than consuming IMSVA resources to scan these types of messages. For malformed messages. To set scan exception conditions for encrypted or decrypted messages. WARNING! 1. when a message triggers the scan exception.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Setting Scan Exceptions Under certain circumstances. Go to Policy > Scanning Exceptions. For security setting violations and encryption exceptions. 2. click the corresponding link under Action: • Setting Scan Actions for Security Setting Violations on page 19-4 • Setting Scan Actions for Malformed Messages on page 19-5 • Setting Scan Actions for Encrypted Messages on page 19-7 Configuring Exceptions for Security Settings Violations The scan exceptions for the security settings violations on this screen apply to all senders and receivers. • Total # files in compressed file exceeds { } files: Specify the maximum number of files. Procedure 1. 3. • Total # recipients exceeds { } recipients: Specify the maximum number of recipients. Click Save. The Security Settings Violations screen appears.Scanning Exceptions 4. • Total # embedded layers in compressed file exceeds { } layers: Select the maximum number of layers. configure the following: • Total message size exceeds { } MB: Specify the maximum number of megabytes. On the Scanning Exceptions screen. To set limits on the types of messages IMSVA can scan. • Total decompressed size of any single file exceeds { } MB: Specify the maximum number of megabytes. click Security settings violations under Exception. To set an action for an exception type. 19-3 . specify the FQDN or IP address of the mail server. • Quarantine to: IMSVA moves the message and its attachments into the quarantine area that you select from the drop-down box. 2. click the radio button next to one of the following: • Do not intercept messages: IMSVA does not take action on the message. The screen for configuring actions appears. • Handoff: IMSVA hands off the message to a specific mail server. specify the port number through which the mail server receives email traffic. click the action name link under Actions for Security settings violations.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Scanning Exceptions screen reappears. Select Handoff if you have a secure messaging server on your network that can process or handle the message. For instructions on creating a new quarantine area. On the Scanning Exceptions screen. see Configuring Quarantine and Archive Settings on page 25-3. • Delete entire message: Deletes the message and all attachments. • Next to Port. Configure the following: • • Next to Host. Setting Scan Actions for Security Setting Violations The scan actions for the security settings violations on this screen apply to all senders and receivers. Procedure 1. IMSVA processes the message using other rules if other rules exist. . 19-4 Under Intercept. 19-5 . Click Save. see Using the Notifications List on page 15-37. On the Scanning Exceptions screen. Specify the recipient's email address and separate multiple addresses with a semicolon (. For instructions on creating notifications. To select a type of notification. click the action name link under Actions for Malformed messages. After the handoff. 3. • BCC: Blind carbon copy the message to another recipient. Under Monitor. Setting Scan Actions for Malformed Messages The scan actions for malformed messages security settings violations on this screen apply to all senders and receivers. click Send policy notifications. IMSVA passes the message on for delivery. • Archive: Archive the message to an archive area. Select the BCC option to prevent the intended recipients from seeing the new recipient. 2. Under Intercept. 4. see Configuring Quarantine and Archive Settings on page 25-3. Procedure 1.). For instructions on creating a new archive area. click the radio button next to one of the following: • Do not intercept messages: IMSVA does not take action on the message. The screen for configuring actions appears.Scanning Exceptions Note IMSVA can only track a message before it is handed off. the message is not traceable anymore as it is no longer within the control of IMSVA. select the check boxes next to any of the following: • Send policy notifications: Send a notification message to one or more recipients. • Handoff: IMSVA hands off the message to a specific mail server. • Delete entire message: Deletes the message and all attachments. Select the BCC option to prevent the intended recipients from seeing the new recipient. Configure the following: • Next to Host. 4. even if other rules exist. see Using the Notifications List on page 15-37. • Quarantine to: IMSVA moves the message and its attachments into the quarantine area that you select from the drop-down box. Note IMSVA can only track a message before it is handed off. . • Archive: Archive the message to an archive area. specify the port number through which the mail server receives email traffic. select the check boxes next to any of the following: • Send policy notifications: Send a message to one or more recipients.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note IMSVA does not scan malformed messages with other rules. Select Handoff if you have a secure messaging server on your network that can process or handle the message. see Configuring Quarantine and Archive Settings on page 25-3. click Send policy notifications. specify the FQDN or IP address of the mail server. For instructions on creating a new quarantine area. To select a type of notification. For instructions on creating notifications. Specify the recipient's email address and separate multiple addresses with a semicolon (. For instructions on creating a new archive area. see Configuring Quarantine and Archive Settings on page 25-3. 19-6 Under Monitor. 3. After the handoff. Click Save. • Next to Port. the message is not traceable as it is no longer within the control ofIMSVA. • BCC: Blind carbon copy the message to another recipient.). • Total # recipients exceeds { } recipients: Specify the maximum number of recipients. • Unable to encrypt outgoing message: Select this option to trigger IMSVA to take action on outgoing messages that IMSVA cannot encrypt.Scanning Exceptions Configuring Exceptions for Encrypted Messages Messages exceeding any of the limits specified on this screen will not be decrypted or encrypted by IMSVA. 2. The Scanning Exceptions screen reappears. Go to Policy > Scanning Exceptions > Encryption Exceptions. • Encrypted message size exceeds { } MB: Specify the maximum number of megabytes. • Decrypted message size exceeds { } MB: Specify the maximum number of megabytes. configure the following: 3. Procedure 1. To set limits on encrypted or decrypted messages IMSVA processes. 19-7 . Navigate to Policy > Scanning Exceptions. Setting Scan Actions for Encrypted Messages Procedure 1. Click Save. • Unable to decrypt outgoing message: Select this option to trigger IMSVA to take action on outgoing messages that IMSVA cannot decrypt. click the radio button next to one of the following: • Do not intercept messages: IMSVA does not process the message. • Archive: Archive the message to an archive area. The screen for configuring actions appears. 19-8 Under Monitor. 3. see Using the Notifications List on page 15-37. see Configuring Quarantine and Archive Settings on page 25-3. Click the Quarantine and Notify link for Encryption exception. For instructions on creating a new quarantine area.). select the check boxes next to any of the following: • Send notification: Send a message to one or more recipients. the message is not traceable any more as it is no longer within the control of IMSVA. After the handoff. • Handoff: IMSVA hands off the message to a specific mail server. • BCC: Blind carbon copy the message to another recipient. For instructions on creating a new archive area. specify the port number through which the mail server receives email traffic. For instructions on creating notifications. Select Handoff if you have a secure messaging server on your network that can process or handle the message.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. specify the FQDN or IP address of the mail server. click Send notifications. Specify the recipient's email address and separate multiple addresses with a semicolon (. Note IMSVA can only track a message before it is handed off. see Configuring Quarantine and Archive Settings on page 25-3. . • Quarantine to: IMSVA puts the message and its attachments into the quarantine area that you select from the drop-down box. • Next to Port. Configure the following: • Next to Host. 4. Select the BCC option to prevent the intended recipients from seeing the new recipient. Under Intercept. • Delete entire message: Deletes the message and all attachments. To select a type of notification. 19-9 . Click Save.Scanning Exceptions 5. . modifying. Topics include: • Modifying Existing Policies on page 20-2 • Policy Example 1 on page 20-4 • Policy Example 2 on page 20-8 • Using the Asterisk Wildcard on page 20-13 20-1 . and managing InterScan Messaging Security Virtual Appliance policies.Chapter 20 Existing Policies This chapter provides instructions for creating. Go to Policy > Policy List. 8. For more information. Configure the route settings. see the following: • For Antivirus and Other rules: Specifying Scanning Conditions on page 17-9 • For the Global DKIM Enforcement rule: Using the Domain List for the Global DKIM Enforcement Rule on page 20-3 7. see Specifying a Route on page 17-2. Click Edit for Then action is. Click the name of the rule to edit. (Global DKIM rule) Configure the scan settings. 3. The Summary screen for the rule appears. 2. Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Modifying Existing Policies Modification of rules follows a different process from rule creation. Click Edit for one of the following: 6. 5. Configure the action settings. • And scanning conditions match (Antivirus and Other rules) • And domains listed here do not pass DKIM verification. For more information. 20-2 . Click Edit for If recipients and senders are. For more information. see Specifying Actions on page 17-35. 9. Click Save. 4. Click Edit in the And domains listed here do not pass DKIM verification row. Click Policy > Policy List. The Scanning Conditions screen appears. Specify a domain name. b. The Policy Summary screen appears. Populate the Domain List in one of the following ways: • • Manually: a. The Policy screen appears. Import a list: Note When importing a text file for the Domain List. 20-3 . 2. Click Add. only one domain should be on each line. 4. 3. Click the Global DKIM Enforcement rule link.Existing Policies Using the Domain List for the Global DKIM Enforcement Rule IMSVA marks incoming messages as spam from domains appearing in the Domain List that: • Do not pass DKIM validation • Do not have a DKIM-Signature Adding Domains to the Domain List in the Global DKIM Enforcement Rule Procedure 1. 2.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide a. The Step 1: Select Recipients and Senders screen appears. Click Import. Go to Policy > Policy List. 20-4 . Click Save. 5. Specify the file path and file name or click Browse and locate the file. 3. Select Other from the drop-down list. c. Policy Example 1 Create a rule to delete attachments with specific file names or extensions and then stamp the affected incoming message with an explanation to the recipients. The Import DKIM Enforcement List appears. • Step 1: Specify the Route on page 20-4 • Step 2: Specify the Scanning Conditions on page 20-5 • Step 3: Specify the Actions on page 20-6 • Step 4: Specify the Priority on page 20-8 Step 1: Specify the Route Procedure 1. b. Select one of the following: d. Click Add. • Merge with current list • Overwrite current list Click Import. • To apply this rule to any recipients. 2. select incoming messages from the drop-down list.Existing Policies 4. 3. Click Save. The Step 1: Select Recipients and Senders screen re-appears. 20-5 . select the check box next to it. To enable the Name or extension condition. Next to Take rule action when. The Step 2: Select Scanning Conditions screen appears. select Any of the selected addresses. Click Next. Step 2: Specify the Scanning Conditions Procedure 1. • To apply this rule to specific recipients. select any condition matched (OR). The Select addresses screen appears. Click the Recipients link. 6. and then specify the target email address or group. Next to This rule will apply to. select Anyone. 5. 20-6 . Click Next. The Step 3: Select Actions screen appears. Click Save. 3. Under Modify. 4. to enable the Delete attachment action. Select the check box next to Insert stamp in body. 6. click Edit. 5. The Attachment Name or Extension screen appears. Click Name or extension. Step 3: Specify the Actions Procedure 1. Select Matching attachment from the drop-down list if it is not already selected. 5. If there is no suitable stamp available from the drop-down list. select the check box next to it. Select the file extensions to block or consider blocking. 2. The Stamps screen appears. The Step 2: Select Scanning Conditions screen re-appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. Click Save. The Select Actions screen re-appears. 9. Click Add to create a new stamp.Existing Policies 6. The New Stamp screen appears. 10. 8. Click Done. 7. Select the newly created stamp from the drop-down list. Specify the required information. The Stamps screen re-appears. 20-7 . Go to Policy > Policy List. Specify the rule name and order number. 3. The Step 4: Name and Order screen appears. 2. • Step 1: Specify the Route on page 20-8 • Step 2: Specify the Scanning Conditions on page 20-10 • Step 3: Specify the Actions on page 20-12 • Step 4: Specify the Priority on page 20-13 Step 1: Specify the Route Procedure 1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Step 4: Specify the Priority Procedure 1. The newly created rule will appear highlighted in the Policy List screen. 2. Click Finish. Select Other from the drop-down list. Click Next. 3. Click Add. 20-8 . The Policy List screen appears. Policy Example 2 Create a rule that quarantines messages containing specific keywords in the subject or body and then apply this rule to all recipients except administrators. 5. To add other administrators or recipients. Under To (recipient). 11. select incoming messages from the drop-down list. Select Anyone. 8. The Select addresses screen appears. 10. 9. The Exceptions screen appears. type *@* to specify any sender. 4. Click the Recipients link. 7. Click Add. The Step 1: Select Recipients and Senders screen re-appears. Click Save. repeat steps 9 to 11. Next to This rule will apply to.Existing Policies The Step 1: Select Recipients and Senders screen appears. specify the administrator’s email address. Click the Sender to Recipient link next to Exceptions. The sender-recipient pair appears in the list. Under From (sender). 12. 6. 20-9 . The Keyword Expressions screen appears. Step 2: Specify the Scanning Conditions Procedure 1. Next to Take rule action when. select the check box next to it. 3. select any condition matched (OR). 20-10 . Click Next. If the desired keywords are not available from the existing list. To enable the Subject Keyword Expressions condition under Content. Click Subject Keyword Expressions. The Step 2: Select Scanning Conditions screen appears. 4.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 13. 5. click Add to create a new keyword list. The Step 1: Select Recipients and Senders screen re-appears. Click Save after you finish adding all the desired recipients. 2. The New Keyword Expression screen appears. After you have added all the required keyword expressions. 9. Select the new list and click >> to insert the list into the Selected box. specify the List name for the new keyword list and click Save. Repeat steps 7 and 8 for additional keyword expressions. The New Keyword Expression screen re-appears. 8. 10. 11. click Add. 12.Existing Policies 6. To add an individual keyword expression. Specify the desired keyword expression and click Save. 7. The Add Keyword Expressions screen appears. The New Keyword Expression screen re-appears. Specify the required information. Click Save. 20-11 . Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Step 2: Select Scanning Conditions screen re-appears. 13. Select the new keyword list and click >> to insert the list into the Selected box. Accept the Default Quarantine area or click the drop-down list to select the desired quarantine area. 3. Click Next. Click Body Keyword Expression. 16. The Step 3: Select Actions screen appears. To enable the Body Keyword Expression condition. 14. Ensure that both the Subject keyword and Body keyword expressions are selected. Step 3: Specify the Actions Procedure 1. 15. The Keyword Expressions screen appears. 2. select the check box next to it. Click Save. select Quarantine to. 20-12 . The Step 2: Select Scanning Conditions screen re-appears. Under Intercept. tld: Valid representation of the whole name or the domain (not the top level domain (TLD)).tld. Wildcards in Email Addresses Wildcards can appear in the name or domain sections of an email address. The following are invalid examples: • name@domain.*. 2. Using the Asterisk Wildcard You can use the asterisk (*) as a wildcard in email addresses when defining routes and in file names. Wildcards cannot appear in a subdomain or the top-level domain. Wildcards also cannot appear with other letters. they must appear alone. • *@domain. name@*. The following are valid examples: • name@*: Valid representation of the whole name.tld: Valid representation of both the name and the domain (not the TLD). Click Next. Specify the rule name and order number.*: Invalid representation of a TLD. • *@*. The newly created rule will appear highlighted in the Policy list screen. 3.Existing Policies Step 4: Specify the Priority Procedure 1.tld: Invalid representation of a subdomain. • name@domain. The Step 4: Name and Order screen appears. 20-13 . Click Finish. • *. • name. The following are valid examples: • *. Use an asterisk in the name or the extension sections of a file name.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • *name@domain. but not in conjunction with a partial name or extension.*: Valid representation of all files. • name. The following are invalid examples: • *name. Wildcards in File Names You can use wildcard characters in file names the same way you can use them in email addresses. 20-14 .*extension: Invalid representation of an extension.tld: Invalid use in conjunction with a name.*: Valid representation of files with a specific name but with any extension.extension: Valid representation of all files of a certain extension.*: Invalid representation of a name. Part IV Monitoring the Network . . For more information on each field on the management console. • Monitoring Your Network on page 21-2 • Viewing System Status on page 21-2 21-1 . refer to the Online Help.Chapter 21 Monitoring the Network This section provides you with general instructions on the tasks that you need to perform for the day-to-day maintenance of InterScan Messaging Security Virtual Appliance. 21-2 Select the check box next to the component to roll back. . Go to the System Status screen. Procedure 1. Click Save. b.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Monitoring Your Network IMSVA provides a set of tools that enable you to monitor network traffic. Viewing System Status The System Status screen provides at-a-glance information about the status of IMSVA components and services. or generate reports that display a breakdown of messages matching various scanning conditions. antispyware. From the screen. To enable or disable connections: • a. Email reputation. Click Update. To roll back to the previous version of the components: a. and antispam components that IMSVA uses to protect your network. Select or clear the check box next to a connection item. You can obtain useful information such as the statistics on the performance of IMSVA components. you can manage the following: • Enable Connections: The connections currently enabled (POP3. Components: The version numbers of the antivirus. b. Select the check box next to the component to update. and IP Profiler). To manually update components: a. To start or stop managed server services: • Click Start or Stop under the service to change. Note A managed service could become disconnected for any of the following reasons: • You removed the scanner. • The scanner server is shut down. To unregister managed server services: • When a managed service is inactive (it is disconnected from the IMSVA server). Click Rollback. To refresh the page: • • Click Refresh to connect to the update source and display the latest component versions in the Availability column. the Unregister button appears in the Connection column next to the specific service. To remove the managed service from this IMSVA server. click Unregister. 21-3 .Monitoring the Network b. • The IMSVA manager service stopped. Managed Services: Other IMSVA services registered to this IMSVA admin database. . Chapter 22 Working with the Dashboard and Widgets This section provides you with general instructions for using the dashboard and widgets with InterScan Messaging Security Virtual Appliance. This section contains the following topics: • Using the Dashboard on page 22-2 • Understanding Tabs on page 22-2 • Understanding Widgets on page 22-6 22-1 . The dashboard is comprised of two components: • Tabs: Allow administrators to create a screen that contains one or more widgets • Widgets: Provide specific information about various security-related events Note When accessing the Dashboard using Internet Explorer 9. Each user account can customize the dashboard. in Internet Explorer click Page > Compatibility View Settings. or widgets for one user account has no effect on the dashboard. The dashboard supports up to 30 tabs per user account. or widgets for a different user account. You can move widgets on tabs by dragging and dropping widgets in various locations on the tab. Tabs provide a container for widgets allowing administrators to create their own customized dashboard. and widgets for the account’s specific needs. When a user logs on to IMSVA for the first time. The layout for a tab determines where you can move the widget. To use Compatibility Mode for the Dashboard when using Internet Explorer 9. Understanding Tabs The IMSVA dashboard uses tabs to provide flexibility for administrators. Each user account has a completely independent dashboard. tabs. Customizing the dashboard. User Accounts and the Dashboard Each user account displays it’s own dashboard. tabs. 22-2 .0. the default tabs and the widgets contained within the tabs appear on the dashboard. and add IMSVA to the list.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Using the Dashboard The IMSVA dashboard provides at-a-glance information for the IMSVA network.0. Compatibility Mode must be used to correctly render the screen. tabs. tabs. and widgets from every other user account. System Overview Tab Widgets WIDGET System Usage DESCRIPTION Displays the system resources used by IMSVA on your network. or widgets for one user account has no effect on the dashboard. The dashboard provides the following default tabs: • System Overview • Message Traffic • IP Filtering • Cloud Pre-Filter Note Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. All information that was available on the IMSVA Real-Time Statistics screen is available through the widgets on the default tabs. tabs. and widgets from every other user account. Default Tabs The default tabs replace the IMSVA Real-Time Statistics screen. tabs. TABLE 22-1. or widgets for a different user account. 22-3 . Deleting a default tab has no impact on the dashboard for other user accounts. tabs. The System Overview tab contains widgets that display system resource usage and queue status information.Working with the Dashboard and Widgets Note Customizing the dashboard. There is no way to recover a deleted tab. Each user account has a completely independent dashboard. System Overview Tab The System Overview tab replaces a portion of the Real-Time Statistics screen. 22-4 . Scanning Conditions Displays the number of messages that triggered each type of filter and the ratio of these messages compared to the total number of detections. The Message Traffic tab contains widgets that display message traffic statistics and violations detected by IMSVA. IMSVA Archive Displays the number of archived messages and the disk space for each archive area. and postponed.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide WIDGET DESCRIPTION Mail Queues Displays the number of messages that are in process. TABLE 22-2. deferred. Message Traffic Tab Widgets WIDGET DESCRIPTION IMSVA Scan Performance Displays the number of messages that triggered each type of filter for a given period. Messages Processed Displays the number of incoming and outgoing email traffic. Message Traffic Tab The Message Traffic tab replaces a portion of the Real-Time Statistics screen. IP Filtering Tab The IP Filtering tab contains widgets that display all the malicious messages and all the spam blocked by IP Filtering components. IMSVA Quarantine Displays the number of quarantined messages and the disk space for each quarantine area. Working with the Dashboard and Widgets TABLE 22-3. 3. Cloud Pre-Filter Tab The Cloud Pre-Filter tab contains widgets that display Cloud Pre-Filter message traffic and threat detections. Click New Tab. Adding Tabs Add tabs to the dashboard to provide a customized information matrix for your IMSVA network needs. IP Filtering Tab Widgets WIDGET DESCRIPTION IP Filtering Performance Displays the number of malicious messages and spam blocked by specific IP Filtering components and the time of blocking. Specify a meaningful title for the tab in the Title field. Procedure 1. Navigate to the Dashboard screen. IP Filtering Type Displays the number of malicious messages and spam blocked by specific IP Filtering components. 2. 4. Cloud Pre-Filter Violation Types Displays the number and type of Cloud Pre-Filter message violations. The New Tab screen appears. Cloud Pre-Filter Tab Widgets WIDGET DESCRIPTION Cloud Pre-Filter Traffic Summary Displays the number of messages processed by Cloud PreFilter. TABLE 22-4. Select a layout for the tab. 22-5 . Specify a meaningful title for the tab in the Title field. Click Save. 5. The Tab Settings screen appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note The number of widgets that you can add to a tab depends on the layout for the tab. Click Save. 22-6 . Procedure 1. you must remove a widget from the tab or create a new tab for the widget. Configuring Tab Settings You can change the default name of a tab using the Tab Settings screen. Tabs provide the layout and widgets provide the actual data for the dashboard. Click Add Widget to populate the tab with widgets. 6. 3. 4. Click Tab Settings. Understanding Widgets Widgets are the core components for the dashboard. The empty tab appears on the dashboard. Navigate to the Dashboard screen. 2. Once the tab contains the maximum number of widgets. tabs. Each user account has a completely independent dashboard. if a message matches more than one scanning condition. once in the total number for spam and a second time in the total number for attachment. and widgets from every other user account. this message will be counted twice. such as spam and attachment. Widget Help WIDGET TOPIC DESCRIPTION Overview Provides a description for the widget and how the widget can be used Widget Data Detailed information about the data that displays in the widget’s table Configure Description of settings that are readily visible on the widget Edit Description of settings that require clicking the edit icon to modify 22-7 . or widgets for a different user account.Working with the Dashboard and Widgets Note Customizing the dashboard. tabs. Using Widgets Each widget provides targeted security-related information. or widgets for one user account has no effect on the dashboard. tabs. In some widgets the total number of messages matching each scanning condition consists of overlaps. For example. Widgets can display this information in one of the following ways: • Bar chart • Pie chart • Table Click the help icon on a widget to view the following types of information: TABLE 22-5. The following table lists some examples of the widget settings administrators can modify. Display Modify how the data displays: • Bar chart • Pie chart • Table Editing Widgets Editing a widget means modifying settings for the widget that are not readily visible on the widget. Configuring Widgets SETTING Range DESCRIPTION Modify the time range for data that displays: • 1 hour • 6 hours • 12 hours • 24 hours Data aggregation Modify the aggregation for the data by specifying all IMSVAor a single IMSVA. Configuring Widgets Configuring a widget means modifying settings for the widget that are readily visible on the widget.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Detailed Widget Information Displaying widget data in a table provides an added benefit to users. TABLE 22-6. Click the edit icon to access these settings. The data in some columns can be clicked to view detailed information. Examples include: 22-8 . Navigate to the Dashboard screen. Click Save. Specify a meaningful title for the widget in the Title field. Specify values for any other settings available on the widget. 5.Working with the Dashboard and Widgets TABLE 22-7. Editing Widgets SETTING DESCRIPTION Title Modify the name that displays for the widget. Click OK. check the Help for that specific widget. 2. 3. 4. 6. The Edit screen appears. 22-9 . you must remove a widget from the tab or create a new tab for the widget. Others Some widgets provide settings to modify the amount of data a widget displays (range of entries) or the type of data that displays (security threat type or component type with the product type). Procedure 1. Note For more information about "other" settings. The widget reloads applying the new settings. Once the tab contains the maximum number of widgets. Adding Widgets The number of widgets that you can add to a tab depends on the layout for the tab. Click the Edit icon on the widget. Navigate to any tab on the dashboard. 3. Click Add and Reload. The Add Widget screen appears. Select one or more widgets to add to a tab. Click Add Widget. 2. 22-10 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. Click one of the following to filter the widgets that display: Category Description All Widgets Displays all widgets available System Displays only system widgets Message Traffic Displays only message traffic widgets IP Filtering Displays only IP Filtering widgets Cloud Pre-Filter Displays only Cloud Pre-Filter widgets 4. 5. Topics include: • Generating Reports on page 23-2 • Managing One-time Reports on page 23-5 • Using Scheduled Reports on page 23-8 23-1 .Chapter 23 Reports This section provides information on generating one time and scheduled reports. TABLE 23-2. IP Profiler. Also shows the number of messages matching specific scanning conditions. InterScan Messaging Security Virtual Appliance Summary Reports REPORT CONTENT 23-2 DESCRIPTIONS Traffic and policy summary Shows the total number and size of incoming and outgoing messages. Spam summary Shows a summary of the total spam message count by antispam engine.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Generating Reports Depending on your needs. you can choose to generate a one-time report on demand or schedule a report to be run at specific intervals. Types of Report Content You can choose from the following types of content to be included in the report: TABLE 23-1. . Also shows the number of messages matching specific scanning conditions. Cloud Pre-Filter Reports REPORT CONTENT Traffic and threat summary DESCRIPTIONS Shows the total number and size of incoming messages. and actions. Email reputation. IMSVA offers you the flexibility of specifying the content for each report and the option of viewing or saving the result in HTML or CSV format. Virus and malicious code summary Shows a summary of the virus message count by actions. InterScan Messaging Security Virtual Appliance Top 10 Reports REPORT CONTENT DESCRIPTIONS Top 10 traffic email addresses Top 10 email addresses ranked by the total sent and received message count. Top 10 virus names Top 10 virus names ranked by their detection count. Deep Discovery Advisor analysis summary Shows the total number of analyzed advanced threats by risk level. Encryption Reports REPORT CONTENT Decryption and encryption summary DESCRIPTIONS Shows the total number and size of encrypted and decrypted messages. The latter shows the total sender connections that reached Email reputation and are blocked by Email reputation. TABLE 23-4. The former shows a summary of the total number of sender connections that reached IP Profiler and are blocked by the different IP Filtering rules. 23-3 . Note Deep Discovery Advisor may not return a risk level if: • A server or connection error occurs • The attachment's file type is unsupported • Analysis has not been completed TABLE 23-3.Reports REPORT CONTENT DESCRIPTIONS Sender IP address blocking summary Includes "IP Profiler Summary" and "Email Reputation IP Blocking Summary". . Top 10 marketing message senders and receivers Top 10 email addresses ranked by their total received and sent marketing message counts. Top 10 compliance recipients and senders Top 10 recipients and senders ranked by regulatory compliance violations. Top 10 blocked IP addresses for viruses or malicious code Top 10 IP addresses ranked by the blocked count for viruses. Top 10 blocked IP addresses for spam Top 10 IP addresses ranked by the blocked count for spam. Top 10 Trend Micro Email Encryption recipients and senders Top 10 recipients and senders ranked by email encryption violations. Top 10 spam recipients Top 10 spam recipient addresses ranked by their total received spam message count.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide REPORT CONTENT 23-4 DESCRIPTIONS Top 10 blocked IP addresses for Directory Harvest Attack (DHA) Top 10 IP addresses ranked by the blocked count for DHA attack. Top 10 blocked IP addresses for bounced mail attack Top 10 IP addresses ranked by the blocked count for bounced mail attack. Top 10 senders of messages with suspicious URLs Top 10 sender addresses ranked by their total received messages that contained suspicious URLs. Top 10 most frequently triggered rules Top 10 rule names ranked by the number of messages that triggered each rule. Top 10 blocked IP addresses by Email reputation Top 10 blocked IP addresses ranked by the number of connections dropped by Email reputation. Top 10 virus recipients and senders Top 10 virus recipients and senders ranked by their total received and sent virus message counts. 23-5 . click any of the column headings that are underlined. select a new display value from the drop-down box at the bottom of the table. click the arrow buttons on top of the list to move to the next page or select a number from the drop-down box that represents which page to view. You can also enable IMSVA to automatically generate daily. To change the display. do any of the following: • To sort the table. weekly. In progress appears in the Output column if the report is still generating. • If too many items appear on the list. Go to Reports > One-time Reports. • CSV: Saves the report to a comma-separated value file that you can open with a spreadsheet application. The report takes several minutes to generate. IMSVA retains all one-time reports on this screen. click Add. 3. To generate a report. or monthly reports. 2. • To change the number of items that appear in the list at a time. Procedure 1. The One-time Reports screen appears with a list of the one-time reports that you previously generated. For future reference.Reports REPORT CONTENT Top 10 C&C email recipients and senders DESCRIPTIONS Top 10 recipients and senders of C&C email based on the addresses used in the SMTP session Managing One-time Reports Generate a one-time report for an at-a-glance summary of IMSVA protection. To view the report. click one of the following formats under Output: • HTML: Opens the report in another browser window. 4. 5. Adding One-time Reports You can generate one-time reports on demand to help monitor the traffic on your network. select the check box next to it and click Delete. For more information on activating them. Click Add.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note Email Encryption and compliance report content is not available unless you activate those products. To delete a report. Go to Reports > One-time Report. Procedure 1. The Add One-time Report screen appears. 23-6 . see Managing Product Licenses on page 29-20. 2. 6. Next to Dates. specify a descriptive name. 23-7 . Next to Name.Reports 3. select the time span that the report will cover. The message In progress appears in the report table. The report takes several minutes to generate. select the content to include in the report. Under Report Content. Click Save. 4. 5. Click CSV to export the report data to a CSV file. Procedure 1. 23-8 Click Reports > Scheduled Reports from the menu.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide After the report generates. Using Scheduled Reports Use scheduled reports to automate report generation. IMSVA provides daily. 8. . Report generation could require as much as five minutes in addition to the time required to aggregate reporting data and make the necessary calculations. 7. Report generation occurs once every five minutes. Click HTML to display the report in HTML format. weekly. and monthly reports. the hyperlinks HTML and CSV display in the report table. To change the display. • HTML: Opens the report in another browser window. Click the Settings link for one of the following report types: 23-9 . click one of the following formats under Output: 4. Click the Weekly or Monthly tab to view the corresponding reports. • CSV: Saves the report to a comma-separated value file that you can open with a spreadsheet application. select the check box next to it and click Delete. Configuring Scheduled Reports Scheduled reports generate automatically according to the schedules you configure. Procedure 1. To view the report. 3. Go to Reports > Settings. 2. To delete a report. • To change the number of items that appears in the list at a time. 2. 5.Reports The Schedule Reports screen appears with the Daily tab displayed. select a new display value from the drop-down box at the bottom of the table. do one of the following: • If too many items appear on the list. The Scheduled Report Settings screen appears. click the arrow buttons on top of the list to move to the next page. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Daily reports • Weekly reports • Monthly reports The Daily Report Settings screen appears. 23-10 . The report status changes. 6. September.Reports 3. or 31st day. if you select 31. 23-11 . For example. IMSVA will generate the report on the 28th (or 29th) in February. Specify your settings for the report. 30th. if you choose to generate the report on the 29th. IMSVA will generate the report on the last day of the month for months with fewer days. The Archived Scheduled Reports screen appears. 4. 7. Click Save. Note When configuring monthly report settings. Click Save. 5. Note The report has not generated yet. Specify the number for each type of report that you would like to retain. and on the 30th in April. June. Go to Reports > Scheduled Reports. and November. you can click HTML or CSV to view the report. 23-12 After the report generates.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 8. . Chapter 24 Logs This chapter provides you with general instructions on the tasks that you need to perform for the day-to-day maintenance of IMSVA. For more information on each field on the management console. refer to the Online Help. Topics include: • About Logs on page 24-2 • Configuring Log Settings on page 24-2 • Querying Logs on page 24-4 24-1 . Under Log Files.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About Logs Logs enable you to monitor various types of events and information flow within IMSVA. To enable logs and benefit from the information. Under Reporting Logs. Procedure 1. Selecting 60 means that IMSVA updates the logs once every hour. do the following: • Step 1: Configuring Log Settings on page 24-2 • Step 2: Querying Logs on page 24-4 Configuring Log Settings You can configure the level of detail that IMSVA writes to the logs and the length of time it stores them. 2. Select one of the following: . Select a number between 1 and 60 for the interval. configure the following: • 24-2 Application log detail level: The level of log detail. configure the following: • Database log update interval: IMSVA updates the logs regularly at every interval. In addition. you can set the update period that controls how frequently the scanner services write their local logs to the IMSVA admin database. The Log Settings screen appears. 3. • Number of days to keep logs for query: Specify a value between 1 and 60 that represents the number of days IMSVA preserves the report logs in the IMSVA admin database. Go to Logs > Settings. They also serve as an important resource for troubleshooting. • Diagnostic: Comprehensive information on each event or action. the policy matched. and the action taken. Debug logs are only recommended when troubleshooting. To remove any size restriction. All IMSVA processes write detailed information to the logs. Note Diagnostic or debug logs might consume excessive IMSVA resources and could reduce system performance. • Debug: The most complete and verbose level of detail. • Maximum log file size for each service: Select the check box and specify a number between 100 and 99999 that represents the size in MB for local log files for each type of process or service. 24-3 . clear the check box. the filter executed. including: POP3 session information. This level provides the basic information needed by an administrator for daily monitoring and maintenance. clear the check box.Logs • Normal: The standard level of detail. Diagnostic level logs include all information from the detailed level. To prevent IMSVA from deleting the log files. and the route match information that determined which policy was applied. plus SMTP routing information. • Number of days to keep log files: Select the check box and specify a number between 1 and 150 that represents the number of days IMSVA keeps the local log files. • Detailed: A high level of detail. • IP filtering: Provides the time when IMSVA started and stopped blocking messages from the queried IP address. • Policy events: Provides details on the policy rules that were triggered. IMSVA will delete the oldest file. 24-4 . Querying Logs You can perform queries on five types of events or information: • Message tracking: Records message details such as the sender. message size. If the log file size exceeds the maximum log file size for each service.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note IMSVA log files are stored in the folder /opt/trend/imss/logs. The <Count> suffix is incremented if there is more than one (1) log file per day. • System events: Tracks the time of system events such as user access. the actions taken. Click Save. • MTA events: Provides connection details of Postfix on the local computer where the central controller is installed.<Count>". changes in the way that users can query logs have been introduced. The query result also indicates the name and type of the policy rule that was triggered. modification of rules. recipient(s). and the message details. IP Profiler log files are stored in the folder /opt/trend/ipprofiler/logs. 4. registration of MCP agent and so on. Log Query Behavior With the inclusion of Cloud Pre-Filter to IMSVA. and the final action that IMSVA or Cloud Pre-Filter has taken. Daily log files for each event type are created at midnight and have the suffix "<Date>. com".com. a@a. This provides detailed information about those messages. General Query Information QUERY a@a. Result: • [email protected]. Result: [email protected] Message Tracking Enhancement IMSVA splits Message tracking logs in to: • IMSVA data only: These message tracking logs only contain data from IMSVA.com • [email protected][email protected] Displays all messages sent to any variant of "a@a. Query Behavior IMSVA provides the following log query behavior: TABLE 24-1.com IMSVA + CLOUD PREFILTER IMSVA ONLY Only the exact match is returned. • Cloud Pre-Filter + IMSVA data: These message tracking logs contain data from the Cloud Pre-Filter and IMSVA.com. IMSVA includes hyperlinks for quarantined. c@a. [email protected][email protected]. archived.com • b@a. including those with multiple recipients. and postponed messages in Message tracking logs.com.com 24-5 . a@a. com 24-6 IMSVA + CLOUD PREFILTER Not supported. Returns all messages Returns approximately 10000 query results Returns all messages Returns approximately 10000 query results All other query conditions left blank * in Message ID field IMSVA + CLOUD PREFILTER All other query conditions left blank TABLE 24-2.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide QUERY Query conditions for Message tracking left blank • Subject • Message ID • Sender • Recipient * in Subject field IMSVA ONLY All query conditions can be left blank User must provide filtering criteria for at least one of the four query conditions. The wildcard "*" is not supported in the Sender field. Valid Sender value in IMSVA. complete or partial email address. "Sender" Query Information QUERY 5!#? *test@example. Not supported. though no results will be returned. User must provide a properly formatted. Returns: All variations ending with [email protected] IMSVA ONLY Valid Sender value in IMSVA. . com Only messages sent from [email protected]" 24-7 . Returns: Not supported.com TABLE 24-3. Valid Recipient value in IMSVA. Valid Sender value in IMSVA.com IMSVA ONLY IMSVA + CLOUD PREFILTER Valid Sender value in IMSVA.com Approximately 10000 results sent to all variations of test@example. Returns: Returns: Only messages sent to [email protected]*" in IMSVA Only data) Valid Recipient value in IMSVA. Returns: Returns: Only messages sent from [email protected]* Valid Recipient value in IMSVA. "Recipient" Query Information QUERY test@example. All variations starting with "[email protected] test@example. Not supported.com IMSVA ONLY IMSVA + CLOUD PREFILTER Valid Recipient value in IMSVA.Logs QUERY test@example. Returns: All variations ending with [email protected] (the same as using "*test@example. The wildcard "*" is not supported in the Recipient field.com *test@example. The wildcard "*" is not supported in the Recipient field. Use "test@example. Returns: All variations of [email protected] Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide QUERY *test@example. Querying Message Tracking Logs Note The data <server name>[127. though no results will be returned. indicates the default DNS server. from returned queries. The wildcard "*" is not supported in the Recipient field.0. Not supported Result: Tip Combined result of querying test@example. indicates the default DNS server.0.0.com* IMSVA ONLY Valid Recipient value in IMSVA.1].com instead.com" or "test2@example. 24-8 . test2@example. Note The data <server name>[127. complete or partial email address. Not supported. Tip Use [email protected] test@example. from returned queries.1].com %^$&^ Valid Recipient value in IMSVA.0.com " Valid Recipient value in IMSVA.com and test2@example. User must provide a properly formatted. IMSVA + CLOUD PREFILTER Not supported. select one of the following: • IMSVA data only: Displays all messages which are directed through IMSVA • Cloud Pre-Filter + IMSVA data: Displays all messages which are directed through Cloud Pre-Filter and IMSVA. select Message tracking. Go to Logs > Query. Specify any of the following additional information: • Subject • Message ID • Sender • Recipient(s) 24-9 . Next to Type. 3.Logs Procedure 1. Next to Dates. The query screen for message event logs appears. In the second drop-down box next to Type. 5. 4. The Log Query screen appears. This includes messages which are deleted by Cloud Pre-Filter. 2. select a date and time range. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note 6. recipient. a. Use the asterisk wildcard for partial searches on any field. Click Display Log. 7. • To print the query results. A timestamp. sender. . click Print current page. select a new display value from the drop-down box on the top of the table. 24-10 Click the timestamp link to see the following information: • Timestamp • Sender • Recipient • Subject • Source IP address • Message size • Message ID • Internal ID • Delivery IP address • Delivery feedback • Scanner that detected the message • Rule that detected the violation • Action details Perform any of the additional actions: • To change the number of items that appears in the list at a time. b. 8. and last known action appear for each event. The Subject and Message ID fields only display when IMSVA data only is selected. subject. and description appear for each event. A timestamp.Logs • To save the query result to a comma-separated value file. select one of the following: • All events: Displays the timestamp and descriptions for all system events. select the server to view. Click Display Log. • Updates: Displays the timestamp of all scan engines and pattern file updates from the ActiveUpdate server to the IMSVA admin database. Next to Type. Perform any of the additional actions: 24-11 . 7. • Errors: Displays the timestamp and descriptions for all errors that IMSVA encountered. click Export to CSV. 6. 2. Next to Description. In the third drop-down box next to Type. select System events. 8. The query screen for system event logs appears. Go to Logs > Query. component. • Service status: Displays the timestamp and descriptions when the scanner service is started or stopped. 5. 4. • Admin activity: Displays the timestamp and descriptions for major admin activities such as changing IMSVA settings. admin account log on and log off. In the second drop-down box next to Type. Querying System Event Logs Procedure 1. • Click the action link to view detailed information about the action. Next to Dates. 3. specify any special words to search for. select a date and time range. IMSVA displays two additional drop-down lists that contain website content categories. Go to Logs > Query. • To sort the table. • To print the query results.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • To change the number of items that appears in the list at a time. select Policy events. click the column title. 2. Select any category name to narrow down your log query. 3. select one of the following items related to the policy and the rules you configured for the policy: • All • Virus or malicious code • Probable advanced threats • Spyware/grayware • Spam/phish • C&C email • Web Reputation Note If you select Web Reputation. In the second drop-down box next to Type. The query screen for policy event logs appears. 24-12 . Viewing Policy Event Logs Procedure 1. click Export to CSV. click Print current page. • To save the query result to a comma-separated value file. Next to Type. select a new display value from the drop-down box on the top of the table. all results for that item appear. • DKIM enforcement • Attachment • Size • Content • Compliance • Others • Scanning exceptions • Spam Tagged by Cloud Pre-Filter Specify any of the following additional information: • Sender • Recipient(s) • Rule • Subject • Attachment(s) • Message ID If you leave any text box blank. and message ID appear for each event. action. 6. 5.Logs 4. Click Display Log. rule. A timestamp. Click the timestamp link to see the following information: • Timestamp • Sender • Recipient • Subject • Original size 24-13 . click the column title. click Print current page. select a new display value from the drop-down box on the top of the table. 24-14 • Rule type: Probable advanced threat or Analyzed advanced threat • Action: Status of Deep Discovery Advisor analysis • Risk rating: Risk level for the entire message (if received from Deep Discovery Advisor) Perform any of the additional actions: • To change the number of items that appears in the list at a time. IMSVA also displays the following information: 7. • To save the query result to a comma-separated value file. click Export to CSV. . IMSVA also displays the following information: • Rule type: Probable advanced threat If both ATSE and Deep Discovery Advisor are enabled. • To sort the table.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Violating attachments • Risk level • Rule type • C&C address • Rule(s) • Action • Message ID • Internal ID • Reason • Scanner If ATSE is enabled. • To print the query results. • To save the query result to a comma-separated value file.Logs Note • "*A*. 24-15 . Go to Logs > Query. 7. On the second drop-down menu next to Type. 5. click Print current page. Click Display Log. Next to Description. click Export to CSV. • "A*. select the IMSVA device to query. select a date and time range. select a new display value from the Results per page drop-down box on the top of the table. Next to Dates. • ". action. A timestamp. and message ID appear for each event.*B*" means a string that has A or B.*B" means a string that starts with A or ends with B. 4. 2. 3. specify the keyword to search for. • To print the query results. rule. 6. Next to Type. Querying MTA Event Logs Procedure 1. select MTA events. The query screen for MTA event logs appears. Perform any of the additional actions: • To change the number of items that appears in the list at a time." represents the OR operation. 2. select a new display value from the drop-down box on the top of the table. click Print current page. Information appears for the time that IMSVA both started and stopped blocking each IP address or domain. Go to Logs > Query. Next to Type. In the second drop-down box next to Type. • To save the query result to a comma-separated value file. Click Display Log. 6. . Perform any of the additional actions: 24-16 • To change the number of items that appears in the list at a time. select one of the following items related to IP Filtering: • Email reputation • DHA attack • Bounced mail • Virus • Spam • Manual: Refers to the IP addresses that you have specified in the blocked list. provide any IP address to search. Next to IP. 5.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Querying IP Filtering Logs Procedure 1. Next to Dates. select IP filtering. • All 4. click Export to CSV. 3. 7. select a date and time range. • To print the query results. 25-1 .Chapter 25 Mail Areas and Queues This chapter provides information about IMSVA and Cloud Pre-Filter quarantine and archive areas and mail queues. TABLE 25-1. • Postponed Queue: Stores messages that will be delivered at a specified time. Deferred Queue Parameters PARAMETER queue_run_delay DESCRIPTION Determines the time between deferred queue scans by the queue manager.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About Mail Areas and Queues IMSVA stores messages matching specific policy rule actions in the following areas and queues: • Quarantine Area: Stores messages that you would like to analyze before deciding whether to delete or release to the intended recipient(s). 25-2 . This time should be less than or equal to the minimal_backoff_time setting. This time should be equal to or greater than the queue_run_delay setting. the value of this setting is what determines when the first attempt to redeliver the message is made. minimal_backoff_time Determines the minimum time between attempts to deliver a deferred message. • Deferred Queue: Stores messages that IMSVA is unable to deliver to the next MTA. When a message is first placed in the deferred queue. • Archive Area: Stores messages for future reference. There are 4 values to control IMSVA (postfix) retries. maximal_queue_lifetime Determines the message life time in the deferred queue. 25-3 . the first retry attempt is after 15 minutes. the second retry is after 30 minutes.Mail Areas and Queues PARAMETER maximal_backoff_time DESCRIPTION Determines the maximum time between attempts to deliver a message. The time between each attempt to deliver a deferred message will grow exponentially until it reaches the value in this setting. the life time is 24 hours. messages in the deferred queue are returned to the sender with an "undelivered" notice. The default value for the parameters: • queue_run_delay = 900s • minimal_backoff_time = 900s • maximal_backoff_time = 3600s • maximal_queue_lifetime = 1d So for one deferred mail. The attempted deliveries are repeated at this value until the maximal_queue_lifetime is reached. Configuring Quarantine and Archive Settings Quarantine and archive settings allow you to manage quarantine and archive areas and allocate the amount of disk space per scanner for storing quarantined or archived messages. and all subsequent retries after 60 minutes. Once the this lifetime expires. That means there are about 25 retries before the maximal_queue_lifetime value is reached. Go to Mail Areas & Queues > Query. 5. and then select MB or GB from the drop-down box. The value is exclusive. to automatically save messages to the EUQ database . To modify the total disk size allowed for all quarantine areas or archive areas for each scanner service. 25-4 . specify the size of the area next to Disk quota (per scanner). specify a descriptive name. Select Synchronize all spam and email messages. 6. to the EUQ database (for this area only). 2.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. Next to Name. Click the Quarantine tab (default) or Archive tab. Next to Delete messages older than. to add a quarantine or archive area. The Quarantine and Archive Settings screen appears. 3. or Web reputation rules. 4. For example. 7. Click Add. that do not violate virus. IMSVA deletes the quarantined messages on the 16th day. specify the number of days after which IMSVA deletes the quarantined or archived messages. The list of areas appears in the table below. to configure a quarantine area or an archive area. phishing. if you specify 15. click the name of the area and configure the settings above. The Quarantine and Archive Settings screen reappears. 10. 8. that do not violate virus. 11.Mail Areas and Queues Note After selecting Synchronize all spam and email messages. a check mark appears under the EUQ column of the table on the Quarantine and Archive Settings screen. such as messages that violate spam scanning conditions or messages that violate message content conditions. For details on managing the quarantine areas. Click Save. Managing Quarantine Areas IMSVA can quarantine messages on the server in the following directory: $IMSVA_HOME/queue/quarantine Tip Trend Micro recommends quarantining messages that you think you might want to analyze and possibly send to the intended recipient later. phishing or Web reputation rules. After modifying any settings. 9. select the check box next to it and click Delete. click Save. Create different types of quarantine areas for different types of messages. to the EUQ database (for this area only). To view or modify a quarantine or archive area. refer to the following: • Managing the Quarantine from the Actions Screen of a Policy Rule on page 25-6 • Managing the Quarantine from Mail Areas & Queues > Settings on page 25-7 25-5 . To delete a quarantine or archive area. Select Synchronize all spam and email messages. To add a new quarantine area. An edit screen appears. or Web reputation rules. 8. to the EUQ database (for this area only) to automatically save messages to the EUQ database. The Quarantines screen appears showing the available quarantine areas. IMSVA deletes the quarantined messages on the 16th day. that do not violate virus. phishing or Web reputation rules. do the following: Procedure 1. 5. click the area name and then click Edit. Next to Name. phishing. 6. Note After selecting Synchronize all spam and email messages. This number represents the number of days after which IMSVA deletes the quarantined messages. 4. if you specify 15. next to Delete messages older than. Click Done to continue selecting actions. To modify an existing quarantine area. Click Save to return to the Quarantines screen. 7. to the EUQ database (for this area only). a check mark appears under the EUQ column of the table on the Quarantine and Archive Settings screen. 25-6 . To quarantine messages.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Managing the Quarantine from the Actions Screen of a Policy Rule If you are configuring the actions for a rule. 2. specify the number of days from 1 to 60. click Add. specify the name of the quarantine area. The value is exclusive. For example. select the radio button next to Quarantine to under Intercept and select the desired quarantine area from the drop-down box. 3. To automatically delete quarantined messages after a certain number of days. Click Edit next to Quarantine to under Intercept actions. that do not violate virus. b. that do not violate virus. 3. or Web reputation rules. This number represents the number of days after which IMSVA deletes the quarantined messages. IMSVA deletes the quarantined messages on the 16th day. 2. To add a new quarantine area. Select MB or GB.Mail Areas and Queues Managing the Quarantine from Mail Areas & Queues > Settings Procedure 1. click Add. 25-7 . 4. next to Delete messages older than. to the EUQ database (for this area only) to automatically save messages to the EUQ database. click the area name. An edit screen appears. phishing. specify the name of the quarantine area. For example. Select Synchronize all spam and email messages. Next to Disk quota per scanner service. if you specify 15. Specify the maximum size for the area. Next to Name. 5. To modify an existing quarantine area. Go to Mail Areas & Queues > Settings. the oldest quarantined messages are deleted first to keep the size under the quota. specify the number of days from 1 to 60. The Quarantine and Archive Settings screen appears with the Quarantine tab displayed by default. Note When the total disk size for all the quarantined messages exceeds the quota on a scanner. 6. To automatically delete quarantined messages after a certain number of days. The value is exclusive. do the following: a. specify the name of the archive area. specify the number of days from 1 to 60. next to Delete messages older than. click the area name and then click Edit. 3. a check mark appears under the EUQ column of the table on the Quarantine and Archive Settings screen. Managing Archive Areas IMSVA can archive messages on the server in the following directory: $IMSVA_HOME/queue/archive For details on modifying archive areas. do the following: Procedure 1. 25-8 . An edit screen appears. 7. Next to Name.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note After selecting Synchronize all spam and email messages. phishing or Web reputation rules. 4. To automatically delete archived messages after a certain number of days. Click Edit next to Archive modified to under Monitor actions. refer to the following: • Managing the Archive from the Actions Screen of a Policy Rule on page 25-8 • Managing the Quarantine from Mail Areas & Queues > Settings on page 25-7 Managing the Archive from the Actions Screen of a Policy Rule If you are configuring the actions for a rule. that do not violate virus. Click Save to return to the Mail Areas & Queues Management screen. 2. To add a new archive area. click Add. To modify an existing archive area. The Archives screen appears showing the available quarantine areas. to the EUQ database (for this area only). click the area name. IMSVA deletes the archived messages on the 16th day. Managing the Archive from Mail Areas & Queues > Settings Procedure 1. Note When the total disk size for all the quarantined messages exceeds the quota on a scanner. The value is exclusive. 5. 5.Mail Areas and Queues This number represents the number of days after which IMSVA deletes the archived messages. Select MB or GB. Specify the maximum size for the area. if you specify 15. specify the name of the archive area. 4. do the following: a. An edit screen appears. To automatically delete archived messages after a certain number of days. For example. Click Save to return to the Archives screen. Click Done to continue selecting actions. b. select the radio button next to Archive modified to under Monitor and select the desired archive area from the drop-down box. Next to Name. 6. the oldest archived messages are deleted first to keep the size under the quota. To add a new archive area. next to Delete messages older than. Click Mail Areas & Queues > Settings. 2. 3. 25-9 . To modify an existing archive area. Next to Disk quota per scanner service. To archive messages. 7. click Add. The Quarantine and Archive Settings screen appears with the Quarantine tab displayed by default. specify the number of days from 1 to 60. . archived. Click Save. The value is exclusive. if you specify 15. IMSVA deletes the archived messages on the 16th day. Quarantine items that could pose a threat to your network. Trend Micro recommends archiving only items that you want to reference later. make sure that it does not pose a threat to your network. Querying the Quarantine Areas Procedure 1. Querying Messages You can perform a query on quarantined. Tip Trend Micro recommends quarantining items that could pose a risk to your network. such as messages and attachments that violated an antivirus rule. or deferred messages before deciding which action to perform.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide This number represents the number of days after which IMSVA deletes the archived messages. After viewing the message details. 25-10 Go to Mail Areas & Queues > Query. you can choose to release or delete archived messages from IMSVA. such as messages and attachments that violate antivirus rules. postponed. For example. 6. Click Save to return to the Mail Areas & Queues Management screen. 7. Before you resend any quarantined message. configure the following: • Search: Select the quarantine area. and the scanner that scanned the message. 5. do any of the following: 25-11 . and reason for quarantining the message. subject. the reason the message was quarantined. 2. If it does not display. • Dates: Select a date and time range. Click Display Log. To change the display. recipient. type *string* (where string is the name of one of the recipients or attachments). The Quarantine tab displays by default. Specify values for the following: • Sender • Subject • Recipient(s) • Attachment(s) • Rule • Message ID Note When querying a message containing multiple recipients or attachments.Mail Areas and Queues The Mail Areas & Queues Management screen appears. The results appear at the bottom of the screen showing the timestamp. sender. click Quarantine. Under Criteria. 4. 3. Doing so could put your network at risk. bypassing all rules except virus scan rules. 25-12 . click the timestamp for the item. • Reprocess: The message only bypasses the current rule. click the check box next to it in the query result table. • Deliver: The message is sent directly to the recipient. the attachment name will not be shown. To view details about any quarantined message. and then click Deliver or Reprocess. and may be quarantined again by other filters. click the arrow buttons on top of the list to move to the next page or select the desired page to view from the dropdown list.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • To sort the table. 7. select a new display value from the drop-down list at the bottom of the table. if the number of attachments in the message exceeds the maximum number specified in condition. 8. The Quarantine Query screen appears showing the message and all of its details. To resend any message. 6. and then click Delete. • If too many items appear on the list. Note IMSVA only records and shows the attachment names if you have specified Attachment as a scanning condition. • To change the number of items that appears in the list at a time. Tip Trend Micro does not recommend resending messages that violated antivirus filters. To delete any message. click the check box next to it in the query result table. click any of the column headings (except reason). However. Specify values for the following: • Sender • Subject • Recipient(s) • Attachment(s) • Rule • Message ID Note When querying a message containing multiple recipients or attachments. • Dates: Select a time range. Click the Archive tab. The Quarantine tab displays by default. recipient. configure the following: 4. click any of the column headings (except reason). and the scanner that scans the message. The results appear at the bottom of the screen showing the timestamp. 6. do any of the following: • To sort the table. the reason the message was archived. 2. sender. 3. • Search: Select the archive area. Click Display Log. 25-13 . Go to Mail Areas & Queues > Query. and reason for archiving the message. subject. 5.Mail Areas and Queues Querying the Archive Areas Procedure 1. type *string* (where string is the name of one of the recipients or attachments). Under Criteria. To change the display. Navigate to Mail Areas & Queues > Query. 3. The Quarantine tab displays by default. • If too many items appear on the list. if the number of attachments in the message exceeds the maximum number specified in condition.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 7. click the timestamp for the item. click the check box next to it in the query result table. • To change the number of items that appears in the list at a time. To view details about any archived message. • Dates: Select a date and time range. and then click Delete. Specify values for the following: • 25-14 Sender . the attachment name will not be shown. 8. • Search: Select the reason and device. 2. click the arrow buttons on top of the list to move to the next page or select the desired page to view from the dropdown list. Click the Postpone tab. The Archive Query screen appears showing the message and all of its details. Note IMSVA only records and shows names of attachments if you have specified Attachment as a scanning condition. configure the following: 4. To delete any message. Under Criteria. Querying Postponed Messages Procedure 1. select a new display value from the drop-down list at the bottom of the table. However. To resend any message. The results appear at the bottom of the screen showing the timestamp. To view details about any postponed message. click any of the column headings (except reason). Querying Deferred Messages Procedure 1.Mail Areas and Queues • Subject • Recipient(s) • Attachment(s) • Rule • Internal ID 5. and then click Delete. sender. The Quarantine tab displays by default. click the arrow buttons on top of the list to move to the next page or select the desired page to view from the dropdown list. 7. To delete any message. 25-15 . Click the Deferred tab. select a new display value from the drop-down list at the bottom of the table. click the check box next to it in the query result table. and then click Release. click the check box next to it in the query result table. 8. • If too many items appear on the list. Navigate to Mail Areas & Queues > Query. • To change the number of items that appears in the list at a time. subject. 2. do any of the following: • To sort the table. Click Display Log. To change the display. and reason for postponing the message. 9. recipient. 6. The message and all of its details appears. click the Timestamp for the item. Under Criteria. • If too many items appear on the list. sender. and the next retry time. click the check box next to it in the query result table. To resend any message. click the check box next to it in the query result table. 25-16 . To view details about any postponed message. size. and then click Release. Click Display Log. To delete any message. and then click Delete. The results appear at the bottom of the screen showing the timestamp. 7. the host (or device). click any of the column headings (except reason). do any of the following: • To sort the table.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. click the arrow buttons on top of the list to move to the next page or select the desired page to view from the dropdown list. Specify values for the following: • Sender • Recipient(s) • Reason 5. • To change the number of items that appears in the list at a time. recipient. The message and all of its details appears. To change the display. select a new display value from the drop-down list at the bottom of the table. click the Timestamp for the item. configure the following: • Search: Select the device. the reason for deferring the message. 9. • Dates: Select a date and time range. 8. 4. 6. Mail Areas and Queues Note If you reconfigure a device as a child device and it has deferred messages in its deferred queue. The Quarantine Query screen appears showing the following information: • Timestamp • Sender • Reason • Recipient • Rules • Subject • Scanner • Original Size • Message ID • Internal ID • Attachments If ATSE is enabled. then you register it to a parent device. IMSVA also displays the following information: 25-17 . Viewing Quarantined Messages All messages that IMSVA quarantines can be queried and viewed. Procedure 1. Handle all deferred messages before changing device roles. you will not be able to view any of the original deferred messages on the child device from the parent device management console. click the timestamp for the quarantined item in the query result table. After you perform a query for quarantined messages. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Reason: Probable advanced threat If both ATSE and Deep Discovery Advisor are enabled. 3. click the timestamp for the archived item in the query result table. • Deliver : Resend the message to its original recipients. • Download : Save the message to your computer. Click any of the following buttons: • Back to List: Return to the query screen. After you perform a query for archived messages. Procedure 1. Viewing Archived Messages All messages that IMSVA archives can be queried and viewed. The Archive Query screen appears showing the following information: • 25-18 Timestamp . • Delete: Delete the message. IMSVA also displays the following information: • Reason: Probable advanced threat or Analyzed advanced threat • Deep Discovery Advisor Status: Status of Deep Discovery Advisor analysis 2. Next to Message view. Tip Trend Micro does not recommend saving messages or attachments that violated an antivirus rule. click either Header or Message. • Reprocess: IMSVA scans the message again and acts accordingly. Next to Message view. 25-19 . IMSVA also displays the following information: • Reason: Probable advanced threat If both ATSE and Deep Discovery Advisor are enabled. click either Header or Message. Click any of the following buttons: • Back to List: Return to the query screen. • Delete: Delete the message.Mail Areas and Queues • Sender • Reason • Recipient • Rules • Subject • Scanner • Original Size • Message ID • Internal ID • Attachments If ATSE is enabled. • Download : Save the message to your computer. IMSVA also displays the following information: • Reason: Probable advanced threat or Analyzed advanced threat • Deep Discovery Advisor Status: Status of Deep Discovery Advisor analysis 2. 3. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Tip Trend Micro does not recommend saving messages or attachments that violated an antivirus rule. The query screen appears showing the following information: • Timestamp • Sender • Reason • Recipient • Rules • Subject • Scanner • Original Size • Message ID • Internal ID • Attachments If ATSE is enabled. IMSVA also displays the following information: • 25-20 Reason: Probable advanced threat . Procedure 1. After you perform a query for postponed messages. click the timestamp for the postponed item in the query result table. Viewing Postponed Messages All messages that IMSVA postpones can be queried and viewed. After you perform a query for deferred messages. Procedure 1. The query screen appears showing the following information: • Arrival Time • Sender • Recipient 25-21 .Mail Areas and Queues If both ATSE and Deep Discovery Advisor are enabled. Next to Message view. Tip Trend Micro does not recommend saving messages or attachments that violated an antivirus rule. click either Header or Message. • Delete: Delete the message. • Release: Resend the message to its original recipients. Viewing Deferred Messages All messages that IMSVA defers can be queried and viewed. IMSVA also displays the following information: • Reason: Probable advanced threat or Analyzed advanced threat • Deep Discovery Advisor Status: Status of Deep Discovery Advisor analysis 2. • Download : Save the message to your computer. click the timestamp for the deferred item in the query result table. Click any of the following buttons: • Back to List: Return to the query screen. 3. Configuring User Quarantine Access You can grant all or selected end users access to the EUQ management console. • Delete: Delete the message. Perform any of the additional actions: • To change the number of items that appears on a page at one time. • Delete with NDR: Delete the message and send a message to the recipient informing them of the deferred message. The End-User Quarantine screen appears. 25-22 Click the User Quarantine Access tab.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Host • Size • Postfix Queue ID Each recipient and corresponding reason appear at the bottom of the screen. • Release: Resend the message to its original recipients. 2. Go to Administration > End-User Quarantine. select a number from the drop-down box to the right. This allows them to manage the spam messages addressed to them by visiting https:// <target server IP address or hostname>:8447. 2. 3. select a new display value from the Display drop-down box on the upper right of the list. Procedure 1. or click one of the arrow icons. • To move to another page. . Click any of the following buttons: • Back to List: Return to the query screen. 25-23 .Mail Areas and Queues The User Quarantine Access screen appears. . 25-24 Select Enable access.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. Select Allow end user to deliver quarantined mail in EUQ directly to allow end users to deliver quarantined messages directly to the recipient. For example. Select Control the "auto add" approved Sender behavior when an end user reprocesses a message to allow or prevent end users from adding a sender automatically when a message is being processed. b. Select Allow end users to retrieve quarantined email messages with alias email addresses to allow end users to retrieve quarantined messages using alias email addresses configured in Microsoft Exchange. 7.exe -out filename -princ HTTP/instance@REALM -mapuser account -ptype KRB5_NT_PRINCIPAL -pass password Where: filename is where the generated keytab file will be stored. REALM is the uppercase name of the realm you want to authenticate with. Select Enable Kerberos to allow end users single sign-on access the EUQ management console using Kerberos authentication protocol. Create a new user account in your domain for the host on which IMSVA is installed. 5. 25-25 . 8. TEST. use the following command to generate a keytab file for IMSVA: C:\>ktpass. instance is the hostname of the computer where IMSVA is installed.com. c.COM. Select Enable NTLM to allow end users single sign-on access the EUQ management console using the NTLM authentication protocol. 6. The message bypasses all rules except virus scanning rules. imsva. 9.keytab. For example. normally the same with the domain name on DNS server. For example. To enable Kerberos single sign-on: a.test. Select Enable management of distribution list EUQ to allow users to manage the EUQ of distribution lists that they belong to. On the Active Directory domain controller.Mail Areas and Queues 4. C: \test. Under Select LDAP groups. For example. Select the maximum number of senders each end-user can approve when sifting through the quarantined messages. select Search LDAP groups. c. 13.com. 11.exe is not found.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide account is the account created for IMSVA. Click Upload to upload the keytab file to IMSVA. e. you can install support tools using the Windows server installation CD/DVD or download the file from the Microsoft website. Note If ktpass. d. select the check box next to Enable all to allow all LDAP group users to access quarantined spam. use the hostname for IMSVA when accessing the EUQ management console. If Kerberos single sign-on is enabled. e. Browse existing groups: . Click >>. The groups appear in the Selected Groups table. Click Browse… to locate the generated keytab file. user@test. Specify the group name. From the drop-down list. Click the LDAP groups to add. Click Search. clear the Enable all check box and do either of the following: • • 25-26 Search for groups: a. 14. Specify a logon page message that appears on the user's browser when he/she starts to access the quarantined messages. To add individual LDAP groups. Select the number of days to keep quarantined spam messages. The groups appear in the table below. b. password is the password of the account. d. 12. 10. 25-27 . select the check box next to Enable EndUser Quarantine. you can redistribute EUQ data across all devices to improve EUQ performance. The groups appear in the table below. Also redistribute data before you use the command line interface to remove a device with an EUQ service. The EUQ Management tab displays by default. Redistribute data after you start or stop an EUQ service on a device or add a new device that has an EUQ service. Procedure 1. b. Click >>. click Remove. Do the following: • Enable EUQ: To enable EUQ. From the drop-down list. 2. Click Save. • Redistribute EUQ data: If there are multiple devices with EUQ enabled on your network. c. Click the LDAP groups to add. • Clear the EUQ database: To remove all data (including spam and approved sender information) from all EUQ services in a group. and then click Save.Mail Areas and Queues a. The groups appear in the Selected Groups table. select Browse LDAP groups. Navigate to Administration > End-User Quarantine. you must enable and configure LDAP. Using EUQ To use EUQ. 15. 2. add senders to the approved senders list. some of the newly added approved senders might not appear. the administrator informs all end users to verify that the newly added approved senders are still available. click one of the following: • Only redistribute approved senders • Redistribute all (approved senders and spam) Click Redistribute. • that the administrator notifies all end users not to add EUQ approved senders list when the administrator is adding a child device and redistributing EUQ. Procedure 1. and then redistribute EUQ data. Under Redistribute EUQ Data.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Redistributing Data Tip Trend Micro recommends the following: • after redistributing EUQ. 25-28 . Note If you register an EUQ-enabled child device to its parent. For more information on each field on the management console.Chapter 26 Notifications This chapter provides you with general instructions on the tasks that you need to perform for the day-to-day maintenance of IMSVA. Topics include: • Event Notifications on page 26-2 • Configuring Delivery Settings on page 26-3 • Configuring Event Criteria and Notification Message on page 26-5 • EUQ Digest on page 26-8 • Editing Notifications on page 26-10 26-1 . refer to the Online Help. • Scanner Update Result: Alerts you when IMSVA is unable to update the engine or pattern files on any scanner. the IMSVA admin database will first check the update source for new engine or pattern files. 2. when a scanner service stops working. For example. IMSVA scanners will then check the admin database at regular intervals for updated components. Note Component update is a two-step process: 26-2 1. or when the number of messages in the delivery queue exceeds the desired quantity. • Scheduled Update Event: Alerts you when IMSVA is able or unable to perform a scheduled update of the scan engine or pattern files from the update source onto the admin database. At the scheduled time. The default interval is three minutes. • Deep Discovery Advisor Settings: Alerts you when Deep Discovery Advisor analysis is incomplete or invalid • Smart Scan Event: Alerts you when IMSVA reverts to Conventional Scan after an unsuccessful attempt to connect to the Smart Protection Network. .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Event Notifications You can configure IMSVA to send an email or SNMP notification to you or specific users upon the occurrence of the following categories of events: • System Status: Informs you when certain IMSVA performances fall below the desired level. The Events tab appears by default. 2. Click the Delivery Settings tab.Notifications FIGURE 26-1. 26-3 . Go to Administration > Notifications. Procedure 1. Scan engine and pattern file updates Configuring Delivery Settings The delivery settings allow you to specify email and SNMP trap settings to deliver system and policy event notification messages. • Message header: Specify the text to appear at the top of the notification. • SMTP server address: Specify the Fully Qualified Domain Name (FQDN) or the IP address of the SMTP server that delivers email on the network. • Sender's email address: Specify the email address to appear as the sender. Under SNMP Trap. configure the following: • Recipient: Specify the recipient email addresses. • Message footer: Specify the text to appear at the bottom of the notification. 4. • Preferred charset: IMSVA will use this setting to encode the notification messages.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. 26-4 Under Email Settings. • SMTP server port: Specify the port number that IMSVA uses to connect to the SMTP server. configure the following: . Procedure 1. Configuring Event Criteria and Notification Message You can set the criteria under which IMSVA will trigger a notification message and also customize the message content for each event. Note Community is the group that computers and management stations running SNMP belong to.Notifications Note SNMP Trap is the notification message sent to the Simple Network Management Protocol (SNMP) server when events that require administrative attention occur. To send the alert message to all SNMP management stations. refer to the SNMP documentation. The Events tab appears by default. 26-5 . specify 'public' as the community name. 5. • Community: Specify the SNMP server community name. click Next. Go to Administration > Notifications. If you are using the Configuration Wizard. For more information. • Server name: Specify the FQDN or IP address of the SNMP server. Click Save. . To edit each of the following notifications. Under System Status.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. • 26-6 Service on any scanner stops for more than: Specify the number of minutes. configure the following: • Notify every { } minutes: Specify the notification frequency for all performance notifications. click the link. This notification describes the breakdown in communication between IMSVA and Deep Discovery Advisor. click the Applying engine or pattern update fails on any scanner link to edit the notification. server. 4. • Delivery queue contains more messages than: Specify the number of messages. Scheduled Update Event is the event in which the latest engine and pattern files from the Update Source are updated onto the IMSVA admin database. Note The notifications Delivery queue contains more messages than and Retry queue folder contains more messages thanonly function when IMSVA runs with Postfix. • Retry queue folder contains more messages than: Specify the number of messages. 5. 3. IMSVA may send this notification because of: • A file or database operation error • A client. Under Scheduled Update Event. or network connection error • An invalid analysis report 26-7 . Under Deep Discovery Advisor Settings. • MTA queue free space on any host is less than: Specify the number of MB. Scanner Update Results are the results of updating the latest engine and pattern files from the IMSVA admin database onto the scanners. click the Unsuccessful and Successful links to edit notifications for component updates. Under Scanner Update Results.Notifications • Data partition free space on any host is less than: Specify the number of MB. click the Message analysis is incomplete or invalid link to edit the notification. Note IMSVA sends EUQ digests only if there are new quarantined messages since the last digest. 8. click Unable to connect to the Smart Protection Network to edit the notification. The EUQ digest provides the following information: • Total spam mail count: Number of new messages in EUQ since the last notification • Message list: Summary of new messages processed as spam 26-8 • Sender: Sender email address • Subject: Subject line • Size: Message size (including attachments) • Received: Date and time the message was received . Under Smart Scan Event. IMSVA does not send EUQ digests for distribution list addresses. To manage the quarantined messages of distribution lists. EUQ Digest The EUQ digest is a notification that IMSVA sends to inform users about messages that were processed as spam and temporarily stored in the EUQ.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 6. Select the Email and/or SNMP check boxes according to how you would like to receive the notification. Click Save. 7. This notification is sent when IMSVA reverts to Conventional Scan after several unsuccessful attempts to connect to the Smart Protection Network. users must log on to the EUQ management console. • Daily: Select the time of day from the drop-down boxes.Notifications • Inline action links: Links that users can click to apply actions to quarantined messages and to add senders to the Approved Senders list Note Inline action links display only if you enable this feature. Under Digest Schedule. Click Save. click the radio button next to one of the following frequencies: 5. To see a list of variables to include in the notification. • Weekly: Select the day and time of day from the drop-down boxes. 26-9 . 6. 7. Inline Action Links IMSVA enables users to apply actions to quarantined messages through links in the EUQ digest. 3. click Variables list. Under Digest Mail Template. Go to Administration > Notifications. 4. 2. Select the check box next to Enable EUQ Digest. Select Enable inline action to allow users to apply actions from the EUQ digest. Configuring EUQ Digest Settings Procedure 1. Users can select any of the following actions by clicking the corresponding link. Click Web EUQ Digest. The Events tab displays by default. specify the subject and notification content. click Variables list. To see a list of variables to include in the notification. 2. IMSVA may scan the message again or deliver it to the original recipients. Inline action links remain active in forwarded messages. or SNMP message. Note If you enabled the Control the ‘auto-add’ approved Sender behavior when end user reprocess a message feature. 3.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Delete: Deletes the message and all attachments. Go to Administration > Notifications. You can also manually delete and release messages from the IMSVA management console. IMSVA automatically deletes messages after a period that you specify. Click the notification to edit. • Add sender to Approved list: Prevents IMSVA from identifying messages from this sender as spam. Editing Notifications Procedure 1. Specify the subject and message. 4. IMSVA automatically adds senders of released messages to the Approved Senders list. . Important Trend Micro does not recommend forwarding notifications. Users cannot select actions for messages that have been deleted or released. • Release: Releases the message from quarantine. The edit screen for that notification appears. 26-10 Click Save. Part V Administering IMSVA . . 27-1 .Chapter 27 Backing Up. If you have deployed multiple IMSVA scanners and are using Trend Micro Control Manager simultaneously. you can also replicate IMSVA settings without having to reconfigure settings for each new scanner. Restoring. and Replicating Settings This chapter provides instructions on how to back up and restore IMSVA configuration settings. 5. Therefore. Importing and Exporting Settings Use the Import/Export screen to create a backup of IMSVA settings. the database will be locked.0 or IMSS 7. You can also replicate a configuration across several IMSVA 8. such as performing a mail trace. all IMSVA actions that depend on database access. export the settings from the management console. 27-2 . Note the following when importing/exporting settings: • You cannot import or export the component list and child device registration information.5 device if you experience any problems that require you to rescue the application. • Perform import/export when IMSVA is idle because importing and exporting affects IMSVA performance. In the event of system failure. you can restore the settings by importing the configuration file that you have backed up previously. will overwrite existing settings in the current IMSVA version.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Importing/Exporting To back up IMSVA settings.1 and subsequently imported into IMSVA 8. in order to recover from mistaken import processes. will not function. Keeping a backup allows you to easily re-apply your settings to an IMSVA 8.5 devices by importing the same configuration file into the desired devices. Trend Micro strongly suggests that you: • Adjust the component list and child device registration information after import if necessary • Back up a copy of the current configuration before each import operation. • SMTP Routing Settings that were exported from IMSVA 8. • When exporting/importing your settings. • Register/unregister any child devices into/from the group to which the device belongs. Click Export. Exporting Device Configuration Files During export. • Start/stop any services on the device or in the group to which the device belongs. Restoring.1 or IMSVA 8. and Replicating Settings To reuse the original configuration settings from IMSS 7. To return to the Import/Export screen. • Perform any database operations. Procedure 1. • Register/unregister any child devices into/from the group to which the device belongs. Go to Administration > Import/Export. 27-3 . • Start other export or import tasks. do not: • Access other management console screens or modify any settings. click Return. When the dialog box appears. import the configuration files that you have backed up previously.0 after upgrading to IMSVA 8.5. click Save and save it to your computer.Backing Up. 3. 4. 2. Importing Device Configuration Files During import. • Start/stop any services on the device or in the group to which the device belongs. • Perform any database operations. do not: • Access other management console screens or modify any settings. such as domain-based delivery settings. Click System Status. the configuration will roll back to the original settings before the import. 2. 3. will be deleted and replaced by the imported settings and rules. During import. Log on to the IMSVA management console. 6. If the import is unsuccessful. and locate the file. If the import is unsuccessful during the import of EUQ approved list settings. do not: 27-4 . Note Only services that were running while the import performs will restart. 5. The original IMSVA settings and rules.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Start other export or import tasks. Under Import Configuration Files. 7. All services on each device in the group restart to apply the imported settings and rules. Click Import. Wait until all services restart. Verify that no services are starting or stopping. Go to Administration > Import/Export. all settings rollback except for the EUQ approved list settings. If services are starting or stopping... click Browse. wait until the operation has completed. 4. you may click Download log file to view details of the import. Procedure 1. If the import is successful. • Start/stop any services on the device or in the group to which the device belongs. • Register/unregister any child devices into/from the group to which the device belongs. Importing your configuration backup will prevent you from having to configure all settings again. all settings rollback except for the EUQ approved list settings. Backing Up IMSVA Trend Micro recommends exporting your settings to: • Keep a backup: In case a problem occurs with the IMSVA application file and you need to rescue the application.Backing Up. • Perform any database operations. the configuration will roll back to the original settings before the import. • Replicate settings across several devices: If you have several devices on your network. If the import is unsuccessful. and Replicating Settings • Access other management console screens or modify any settings. you do not need to configure most settings on each of them separately.� If the import is unsuccessful during the import of EUQ approved list settings. Restoring. • Launch other export or import tasks. do not: • Access other management console screens or modify any settings • Perform any database operations • Start/stop any services on the device or in the group to which the device belongs 27-5 . Exporting Settings During export. 27-6 . 2. Navigate to Administration > Import/Export. 3. click Save to save the configuration file to your computer. When the File Download dialog box appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Register/unregister any child devices into/from the group to which the device belongs • Launch other export or import tasks Procedure 1. Click Export. 27-7 . do not: • Access other management console screens or modify any settings. click Return. Restoring. • Start/stop any services on the device or in the group to which the device belongs. • Register/unregister any child devices into/from the group to which the device belongs.Backing Up. and Replicating Settings 4. • Launch other export or import tasks. • Perform any database operations. Click System Status. Restoring IMSVA by Importing Settings During import. To return to the Import/Export screen. Procedure 1. Under Import Configuration Files. If services are starting or stopping. Settings That Cannot Be Restored • Control Manager Settings • Administrator Accounts & Password • ActiveUpdate server information • IP and network settings • Group member list TABLE 27-1. EUQ settings that do not import EXPORTING IMSVA 27-8 IMPORTING IMSVA EUQ SETTINGS Enabled Enabled All settings import Enabled Disabled/Stopped All settings import except EUQ approved senders Disabled Enabled No settings import Disabled Disabled No settings import . 3. Wait until all services are restarted.. Navigate to Administration > Import/Export.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. 4.. Verify that no services are starting or stopping. such as domain-based delivery settings. wait until they are stable. The original settings and rules. Click Import. will be deleted and replaced by the imported settings and rules. All services on each device in the group will be restarted to apply the imported settings and rules. click Browse. and locate the file. 5. and Replicating Settings Replicating Settings If you have installed multiple IMSVA scanners that do not share the same admin database. Go to Administration > IMSVA Configuration > Connections.Backing Up. • Step 2: Enable the MCP agent. 2. For details. Enabling MCPAgent IMSVA automatically installs the Trend Micro Management Communication Protocol agent during installation. it is not necessary to replicate settings. If the scanners share the same admin database. To integrate with Control Manager. 27-9 . see Backing Up IMSVA on page 27-5. Procedure 1. you can use Trend Micro Control Manager to replicate settings across these scanners without having to configure each scanner separately. Restoring. • Step 3: Replicate settings from the Control Manager management console. provide the Control Manager server details and enable the agent from the management console. The TMCM Server Settings screen appears. Click the TMCM Server tab. The Components tab appears by default. Do the following if you intend to replicate settings using Control Manager: • Step 1: Back up IMSVA settings. 27-10 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. Provide the required information. 5. Select the check box next to Enable MCP Agent. you can start to replicate IMSVA settings by logging on to the Control Manager management console. Replicating Settings from Control Manager After enabling the Management Communication Protocol agent from the IMSVA management console. Click Save. 4. Click Products from the Control Manager menu. 4. A drop-down list appears.Backing Up. 27-11 . and Replicating Settings Procedure 1. 2. Click the Replication button. The Product Directory screen appears. Select the check box next to the target server. 3. Mouseover Configure. 6. Select Configuration Replication from the drop-down list. 5. Restoring. Locate the source IMSVA scanner from the Product Directory tree. . Chapter 28 Using End-User Quarantine This chapter explains how to use End-User Quarantine (EUQ). 28-1 . Deleted messages cannot be recovered.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide About EUQ IMSVA provides web-based EUQ to improve spam management. Messages that are determined to be spam are quarantined. These messages are indexed into a database by the EUQ agent and are then available for end users to review. then click the LDAP tab. IMSVA automatically deletes messages that are not released from quarantine. SMTP authentication: Specify recipient domains and server addresses on the EUQ Management screen during the enabling process. Configuring End-User Quarantine (EUQ) To allow end-users to access quarantined spam items that IMSVA might have misidentified as spam. Enabling EUQ on page 28-3 2. see Step 6: Configuring LDAP Settings on page 4-10. You can specify the period to keep messages in the quarantine. Starting the EUQ Service on page 28-7 28-2 . configure LDAP settings using any of the following ways: • Go to Administration > IMSVA Configuration > Connections. delete. do the following: 1. or approve for delivery. • Go to Administration > IMSVA Configuration > Configuration Wizard. The web-based EUQ service allows end users to manage the spam quarantine of their personal accounts and of distribution lists that they belong to. EUQ Authentication Enabling EUQ requires one of the following authentication methods: • • LDAP authentication: Before enabling EUQ. For details. Select an authentication method. • Use LDAP for EUQ authentication: This option is disabled if LDAP settings are not configured. see Starting the EUQ Service on page 28-7. 28-3 . Select Enable End-User Quarantine. • Use SMTP Server for authentication: When selected. Opening the End-User Quarantine Management Console Remotely on page 28-13 Enabling EUQ Enabling EUQ requires one of the following authentication methods: • LDAP • SMTP For details about EUQ authentication. 2. For more information.Using End-User Quarantine 3. Specify recipient domains and server addresses. Procedure 1. Note After enabling EUQ. 3. see EUQ Authentication on page 28-2. Go to Administration > End-User Quarantine. the EUQ service starts automatically. If LDAP settings are configured. this is the default authentication method. The EUQ Management tab appears. see Configuring SMTP Server Settings on page 28-5. the SMTP settings section appears. Enabling End-User Access on page 28-9 4. To manually start the service. do not navigate away from the page without clicking Save.5 supports only SMTP servers that use the plain and login authentication mechanisms. Click Save. What to do next • The EUQ service automatically starts. see Starting the EUQ Service on page 28-7. To avoid losing your information. 4. • Optional: Redistribute EUQ data after saving your settings. IMSVA 8. Note Your settings will not be saved automatically. 28-4 .5 does not support secure connections when using SMTP servers for authentication. To manually start the service.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note IMSVA 8. On the EUQ Management screen. 2. 28-5 . Go to Administration > End-User Quarantine. select Use SMTP Server for EUQ authentication.Using End-User Quarantine Redistribute data among multiple EUQ-enabled devices in a group to improve EUQ performance. Redistribute data: • After you start or stop an EUQ service on a device • After you add a new EUQ-enabled device • Before you use the command line interface to remove an EUQ-enabled device Tip Trend Micro recommends that you do the following after redistributing EUQ data: • Verify that the newly added approved senders are still available. Configuring SMTP Server Settings Procedure 1. The EUQ Management tab appears. • Instruct end users not to add approved senders to the list while you are adding a child device and redistributing EUQ. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The SMTP settings section appears. . The SMTP Server Configuration screen appears. Specify the following information: • 28-6 Recipient domains to be used in managing quarantined messages: Indicate domains that will be used to access the EUQ console. 3. IMSVA uses the recipient's domain to determine the SMTP server to be used for authentication. 4. Click Add. Starting the EUQ Service After configuring EUQ settings. Procedure 1. However.com • *.company. Only unique domains will be added to the list. more than one domain can be mapped to an SMTP server. Deleted items cannot be recovered. Note Deleting all domain and server information disables EUQ.com • *: Any domain A domain can only be listed once. The information appears in the SMTP settings table. start the EUQ service. Only one SMTP server can be assigned to a domain. • SMTP server address and port to be used in authenticating the specified domain: Indicate the server address and port that will be used to assign the server address for the destination domain. Click OK. Go to System Status. 5.Using End-User Quarantine Note You can use the following formats to specify domains: • company. Note Use the default port 25 or specify a different port. 28-7 .com: Any subdomain of company. 28-8 . After a moment. In the Managed Services table. Select System Status from the menu and verify that the EUQ service is active (or inactive). The EUQ Management tab appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The System Status screen appears. 4. 5. Go to Administration > End-User Quarantine. Click Redistribute to redistribute the EUQ data among the devices in the group. 3. click Start under EUQ Service. 2. the EUQ service starts. The User Quarantine Access screen appears. 2. 28-9 . add their individual and distribution list email addresses to the list of users on your LDAP server. Click the User Quarantine Access tab.Using End-User Quarantine Enabling End-User Access Enable end user access to allow the users to access quarantined spam items that IMSVA might have misidentified as spam. you do not need to configure LDAP settings. The displayed screen depends on the authentication method you selected during the enabling process. The EUQ Management tab appears. When using SMTP authentication. Procedure 1. The clients use LDAP or SMTP authentication to access the IMSVA EUQ service. Go to Administration > End-User Quarantine. Note To allow users to manage messages on the EUQ management console. LDAP authentication 28-10 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FIGURE 28-1. SMTP authentication 3. Select Allow end user to deliver quarantined mail in EUQ directly to allow end users to deliver quarantined messages directly to the recipient. 28-11 .Using End-User Quarantine FIGURE 28-2. Select Control the "auto-add" approved sender behavior when an end user reprocesses a message and select a value from the drop-down list. The message bypasses all rules except virus scanning rules. Select Enable NTLM to allow end users single sign-on access the EUQ management console using the NTLM authentication protocol. Select Enable management of distribution list EUQ to allow users to manage the EUQ of distribution lists that they belong to. 5. 8. Select Allow end users to retrieve quarantined email messages with alias email addresses to allow end users to retrieve quarantined messages using alias email addresses configured in Microsoft Exchange. 7. Select Enable access. 6. 4. account is the account created for IMSVA. imsva.com. REALM is the uppercase name of the realm you want to authenticate with. Create a new user account in your domain for the host on which IMSVA is installed.COM. Select the maximum number of approved senders for each end-user. TEST. 28-12 . If ktpass. c. b. To enable Kerberos single sign-on: a. Select Enable Kerberos to allow end users single sign-on access to the EUQ management console using Kerberos authentication protocol. d.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 9. Click Browse… to locate the generated keytab file.keytab.test.exe is not found. For example. Select the number of days to keep quarantined spam. use the following command to generate a keytab file for IMSVA: C:\>ktpass. For example. 10. user@test. For example. password is the password of the account. use the hostname for IMSVA when accessing the EUQ management console. 11. instance is the hostname of the computer where IMSVA is installed. C: \test. normally the same with the domain name on DNS server. Click Upload to upload the keytab file to IMSVA. If Kerberos single sign-on is enabled.com. On the Active Directory domain controller. you can install support tools using the Windows server installation CD/DVD or download the file from the Microsoft website. e.exe -out filename -princ HTTP/instance@REALM -mapuser account -ptype KRB5_NT_PRINCIPAL -pass password Where: filename is where the generated keytab file will be stored. For example. Using End-User Quarantine 12. 13. Click >>. c. From the drop-down list. 14. Click the LDAP groups to add. Click the LDAP groups to add. The groups appear in the Selected Groups table. Ensure that JavaScript is enabled on your browser. Opening the End-User Quarantine Management Console Remotely You can view the EUQ management console remotely across the network or from the computer where the program was deployed. d. Click Save. select Search LDAP groups. The groups appear in the table below. b. Click >>. Browse existing groups: a. select the check box next to Enable all to allow all LDAP group users to access quarantined spam. c. Under Select LDAP groups. The groups appear in the Selected Groups table. e. clear the Enable all check box and do either of the following: • • Search for groups: a. Primary EUQ service https://<target server IP address>:8447 28-13 . Specify a logon page message that appears on the user's browser when he/she starts to access the quarantined messages. From the drop-down list. b. select Browse LDAP groups. Click Search. Specify the group name. The groups appear in the table below. To add individual LDAP groups. 15. dc=test1. Logon Name Format The format of the logon name used when accessing the EUQ management console depends on the selected authentication type. ou=people.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Secondary EUQ service https://<target server IP address>:8446 WARNING! To successfully access all management consoles on secondary EUQ services.com Microsoft Active Directory Open Catalog • Without Kerberos: user1@domain. dc=com .com (UPN) or domain\user1 • With Kerberos: user1@domain. dc=domain. • Domino: user1/domain • Microsoft Active Directory • 28-14 • Without Kerberos: user1@domain. EUQ Logon Name Formats AUTHENTICATION TYPE LDAP LOGON NAME FORMAT The format of the logon name depends on the type of LDAP server you selected when configuring LDAP settings. dc=com • Sun iPlanet Directory: uid=user1. synchronize the system time of all EUQ services on your network.com • OpenLDAP: cn=manager. TABLE 28-1. Following are examples of valid logon name formats. An alternative to using the IP address is to use the target server’s fully qualified domain name (FQDN).com (UPN) or domain\user1 • With Kerberos: user1@domain. Distribution List EUQ Management IMSVA enables users to manage the EUQ of distribution lists that they belong to. single-use authentication code • Authentication code expiration date Note Authentication codes expire after five minutes by default. To specify a new expiration period. The notification contains the following information: • Requesting user's address • Distribution list address • Unique. add the following section in the imss. Note Note: You can enable distribution list EUQ management only when using LDAP authentication.Using End-User Quarantine AUTHENTICATION TYPE SMTP LOGON NAME FORMAT Use any valid email address for the logon name. IMSVA sends a notification to the distribution list address.ini file: [EUQ] expired_interval=5 28-15 . This feature supports the following LDAP server types: • Domino • Microsoft Active Directory • Microsoft AD Global Catalog When a user requests management rights. . A new screen appears and the system sends a notification to the distribution list. Specify the email address of the distribution list. Log on to your personal Email Quarantine. 28-16 • By the requesting user • Once • Before the specified expiration date Click Log On. 4. and • Chooses to force the current user to log off Managing Distribution List EUQ Provide the following instructions to the user. IMSVA forces the current user to log off if another user: • Requests management rights. The authentication code can be used only: 6. A new screen appears.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Only one user can manage the EUQ at any given time. 5. Specify the authentication code provided in the notification. Note The Distribution List EUQ Management link displays only if you enable this feature. Click Distribution List EUQ Management. 2. Procedure 1. Click Next. 3. The EUQ Management screen appears. click Remove on the EUQ Management tab. To do so. Procedure 1. Optional: Remove all EUQ data from each device to save disk space. Clear the End-User Quarantine check box. Go to Administration > End-User Quarantine. 3.Using End-User Quarantine Disabling EUQ Before disabling EUQ. Click Save. 28-17 . inform your users that they should manage their quarantined spam. 4. 2. . and using the backup data port. such as managing accounts.Chapter 29 Performing Administrative Tasks This chapter explains how to perform important administrative tasks. changing a device IP address. 29-1 . The Admin Accounts screen appears. • Read: Users can view features and settings contained in the menu item. but cannot modify them. Click Add.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Managing Administrator Accounts To reduce bottlenecks in administering IMSVA. • None: Users will not see the menu item. Adding Administrator Accounts Created accounts have three permission settings for IMSVA features: • Full: Users have complete access to the features and settings contained in the menu item. 2. Procedure 1. The Add Administrator Account screen appears with the Authentication tab displaying. 29-2 . you can delegate administrative tasks to other staff by creating new administrator accounts. After creating the accounts. preventing them from viewing or configuring any of the settings in the menu item. assign the desired permissions to the various areas of the management console. The default "admin" account has access to all IMSVA features. Go to Administration > Admin Accounts. and the new password confirmation. and the new password confirmation. • LDAP authentication: Specify the LDAP user name. Specify Authentication settings: a. new password. new password. Select Enable account. Select an authentication type: • IMSVA Authentication: Specify the user name. Click the Permissions tab.Performing Administrative Tasks 3. • IMSA Authentication: Specify the user name. 29-3 . b. The Permissions screen appears. 4. . b. Read. 29-4 Select Full.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 5. or None for each of the following access areas that appear on the IMSVA management console menu: • Summary • Cloud Pre-Filter • Policy • IP Filtering • Reports • Logs • Quarantine & Archive • Administration • Command Line Interface Click Save. Specify Permissions settings: a. contact Trend Micro technical support to reset the password. Make the required changes. The Admin Accounts screen appears. 29-5 . Custom administrator accounts with full administration rights can only change their own IMSVA passwords. 3. If you forget the default administrator account password. Click the account name hyperlink. 2. Go to Administration > Admin Accounts. Select the check box next to the account to be removed. 2. Custom administrator accounts cannot do so even if you assign full permission to the Administration area. 4. Procedure 1. Click Delete. b.Performing Administrative Tasks Note a. Deleting Administrator Accounts You can delete the permissions of a custom administrator account whenever there is a revision of roles or other organizational changes. Editing Administrator Accounts You can change the permissions of a custom administrator account whenever there is a revision of roles or other organizational changes. Only the default IMSVA administrator account can add new administrator accounts. Procedure 1. Click Save. Procedure 1. Note You can only delete custom administrator accounts. The Components tab appears by default. Go to Administration > IMSVA Configuration > Connections. Configuring Connection Settings To enable the scanner to receive messages.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 3. not the default IMSVA administrator account. 29-6 . configure the connection settings. Click OK. • Maximum number of backlogged requests: Specify a number that represents the maximum number of requests IMSVA will preserve until it can process them later. Click Save. If more than one LDAP server is used. the time and date appear in the Last 29-7 . • Keep-alive: Select the check box to enhance policy retrieval by maintaining a constantly active connection between the scanner and policy services. administrator privileges. When synchronization completes. You cannot configure more than one LDAP server from the Configuration Wizard. The time required for synchronization between the servers depends on the number of accounts on your LDAP servers.Performing Administrative Tasks 2. IMSVA synchronizes the account information from the LDAP servers to the IMSVA local cache. or end-user quarantine authentication. Configure multiple and mixed type LDAP servers from the Administration > IMSVA Configuration > Connections | LDAP screen. Under Settings for All Policy Services. About LDAP Settings Configure LDAP settings for user-group definition. configure the following: • Protocol: Select the type of protocol the scanner uses to communicate with the policy service (HTTP or HTTPS). 3. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Synchronized column. 2. The LDAP Settings screen appears. 4. Navigate to one of the following to access the LDAP tab: • Administration > IMSVA Configuration > Connections | LDAP • Administration > IMSVA Configuration > Configuration Wizard | Step 6: LDAP Settings Click Add. End-User Quarantine and EUQ single sign-on cannot be enabled. You can manually trigger synchronization by clicking Save & Synchronize. select the type of LDAP servers on your network: • 29-8 Domino . Note If more than one LDAP server is enabled. If the LDAP settings on the Administration > Connections > LDAP screen are not configured. the following LDAP related features will not work: • Policy > Internal Addresses > [search for LDAP groups] • Policy > [any rule] > [sender or recipient] > [search for LDAP user and groups] • Administration > End-User Quarantine > User Quarantine Access > [select groups from LDAP search below] • Administration > Admin Accounts > Add > [specify LDAP authentication] Adding LDAP Servers Procedure 1. 3. Next to LDAP server type. IMSVA automatically synchronizes the accounts daily. Specify a meaningful description for the LDAP server. the corresponding password and the base distinguished name. 8. Next to Enable LDAP 1. Refer to the table below for assistance on what to specify under this section according to the LDAP server type: TABLE 29-1. 9. However. thus reducing performance. Next to Listening port number. Under LDAP cache expiration for policy services and EUQ services. Configure the settings under LDAP 2 if necessary. Next to LDAP server. specify the port number that the LDAP server uses to listen to access requests.Performing Administrative Tasks • Microsoft Active Directory • Microsoft AD Global Catalog • OpenLDAP • Sun iPlanet Directory 5. A shorter duration means that IMSVA has to perform the LDAP query more often. 7. LDAP Server Types LDAP SERVER Active Directory LDAP ADMIN ACCOUNT (EXAMPLES) Without Kerberos: [email protected] m (UPN) or domain\user1 BASE DISTINGUISHED NAME (EXAMPLES) dc=domain. Time To Live: Determines how long IMSVA retains the LDAP query results in the cache. select the check box. specify the administrator account. specify the server name or IP address. 10.co m 29-9 . dc=com AUTHENTICATION METHOD Simple Advanced (with Kerberos) With Kerberos: user1@domain. specify the Time to live in minutes. Specifying a longer duration enhances LDAP query during policy execution. the policy server will be less responsive to changes in the LDAP server. 6. Under LDAP admin. dc=com dc=domain1.co m BASE DISTINGUISHED NAME (EXAMPLES) dc=domain. the Windows domain name must be upper case (Kerberos is case-sensitive). For Active Directory. dc=com dc=domain. Select an authentication method: • Simple • Advanced: Uses Kerberos authentication for Active Directory.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide LDAP SERVER Active Directory Global Catalog LDAP ADMIN ACCOUNT (EXAMPLES) Without Kerberos: user1@domain. Click Add. For Active Directory use. 29-10 .co m (UPN) or domain\user1 With Kerberos: user1@domain. • KDC port number: The associated port number. dc=com Simple Lotus Domino user1/domain Not applicable Simple Sun iPlanet Directory uid=user1. dc=domain. click Next. dc=test1.dc=co m (if mutiple unique domains exist) AUTHENTICATION METHOD Simple Advanced (with Kerberos) OpenLDAP cn=manager. • KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. dc=com Simple 11. Configure the following: • Kerberos authentication default realm: Default Kerberos realm for the client. If you are using the Configuration Wizard. dc=com dc=test1. 12. ou=people. • Default domain: The Internet domain name equivalent to the realm. it is usually the domain controller. 13. Next to Enable LDAP 1. 6. 3. select the type of LDAP servers on your network: • Domino • Microsoft Active Directory • Microsoft AD Global Catalog • OpenLDAP • Sun iPlanet Directory 5. 4. Click Save & Synchronize. specify the port number that the LDAP server uses to listen to access requests.Performing Administrative Tasks Note Only Active Directory and Active Directory Global Catalog support Kerberos Authentication. Next to LDAP server. 8. 2. Next to LDAP server type. Specifying a longer duration enhances LDAP query during policy 29-11 . 7. Configuring LDAP Settings Procedure 1. Under LDAP cache expiration for policy services and EUQ services. Time To Live: Determines how long IMSVA retains the LDAP query results in the cache. Next to Listening port number. 9. Configure the settings under LDAP 2 if necessary. specify the server name or IP address. specify the Time to live in minutes. Click a server name from the LDAP server table. Specify a meaningful description for the LDAP server. Go to Administration > IMSVA Configuration > Connections > LDAP tab. select the check box. dc=com Simple Advanced (with Kerberos) With Kerberos: user1@domain. the corresponding password and the base distinguished name. dc=com dc=domain. dc=com dc=test1.dc=co m (if mutiple unique domains exist) Simple . dc=domain. dc=test1.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide execution. Refer to the table below for assistance on what to specify under this section according to the LDAP server type: TABLE 29-2. dc=com Simple Lotus Domino user1/domain Not applicable Simple Sun iPlanet Directory uid=user1.co m (UPN) or domain\user1 With Kerberos: user1@domain. dc=com Simple 11. Select an authentication method: • dc=domain1. 10.co m 29-12 Advanced (with Kerberos) OpenLDAP cn=manager. A shorter duration means that IMSVA has to perform the LDAP query more often.co m (UPN) or domain\user1 BASE DISTINGUISHED NAME (EXAMPLES) AUTHENTICATION METHOD dc=domain. dc=com Simple dc=domain. ou=people.co m Active Directory Global Catalog Without Kerberos: user1@domain. specify the administrator account. thus reducing performance. LDAP Server Types LDAP SERVER Active Directory LDAP ADMIN ACCOUNT (EXAMPLES) Without Kerberos: user1@domain. However. the policy server will be less responsive to changes in the LDAP server. Under LDAP admin. ) or ( ) under the Status column in the LDAP The icon changes state. Click Save & Synchronize. Click Add. For Active Directory use. Note Only Active Directory and Active Directory Global Catalog support Kerberos Authentication. 29-13 . Configure the following: • Kerberos authentication default realm: Default Kerberos realm for the client. 2. Go to Administration > IMSVA Configuration > Connections > LDAP to access the LDAP tab.Performing Administrative Tasks • Advanced: Uses Kerberos authentication for Active Directory. • KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. Click the corresponding icon ( server table. For Active Directory. • Default domain: The Internet domain name equivalent to the realm. it is usually the domain controller. the Windows domain name must be upper case (Kerberos is case-sensitive). Procedure 1. Enabling and Disabling LDAP Servers LDAP servers can be enabled or disabled depending on the requirements for your network. • KDC port number: The associated port number. 12. 13. 3. IMSVA can scan POP3 messages at the gateway as your clients retrieve them. 4. 6. c. Click the POP3 tab. To configure a connection from unknown POP3 servers on the Internet. modify the message that IMSVA sends to users if messages that they are trying to receive trigger a filter and are quarantined or deleted. 2. d. specify the port number IMSVA uses for incoming POP3 connections under Generic POP3 Connection. the POP3 server IP address. and the POP3 server port number. Click OK. do the following: a. 29-14 . click the connection name. enable Accept POP3 connection from System Status screen. 5. The Dedicated POP3 Connection window appears. Click Add under Dedicated POP3 Connections. Click Save.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Configuring POP3 Settings In addition to SMTP traffic. Procedure 1. To configure connections from specific POP3 servers. Tip To use the POP3 message filter. b. This option is not selected by default. Under Message Text. To modify an existing connection. Go to Administration > IMSVA Configuration > Connections. The Components tab displays by default. Specify the port IMSVA uses for incoming POP3 connections. 168. IMSVA uses this service for a POP3 logon and for any type of logon using the 29-15 .252. Specify user name test123#192. Example 1: To connect user "User1" to server "Server1". 2. Configuring POP3 generic services For a generic POP3 service.Performing Administrative Tasks Note The incoming port on your scanners must be idle or the IMSVA daemon might not function properly. 3. and the UserServerSeparator character is "#". the POP3 service always connects to a specific POP3 server. Specify the POP3 server address with IMSVA scanner IP 192.147. Set POP3 port to 110. The following example shows how to configure generic POP3 settings for Outlook: Procedure 1.11. the client issues the following USER command: USER User1#Server1 Example 2: To connect to port 2000 on Server1. the following command is used: USER User1#Server1#2000 Note If you do not specify a port number.11. IMSVA uses the default value of 110. Configuring POP3 Dedicated Services For a POP3 dedicated service.168. the POP3 client logs on using the USER command and specifies the actual POP3 server and optional port number along with the user's name using the UserServerSeparator character to separate the values. 3. Go to Administration > IMSVA Configuration > Connections. The following example shows how to configure dedicated POP3 settings in Microsoft Outlook: Procedure 1. Specify the POP3 server address with IMSVA scanner IP 192. For this service. configure proxy settings.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide AUTH command. Set the POP3 port to 1100. Procedure 1. If a firewall is between the Control Manager server and IMSVA.168. The Components tab displays by default. a separate port on the proxy has to be set up for each specific POP3 server that any client might want to connect. 2. Specify user name test123. 3. which is the port that the IMSVA dedicated POP3 service is listening on. Note For additional information about Control Manager. 2. specify the following parameters: 29-16 .147. see the Control Manager documentation. Click the TMCM Server tab. Configuring TMCM Settings To use Trend Micro Control Manager (TMCM) 5. enable the Control Manager/MCP agent on the IMSVA server and configure Control Manager server settings. configure port forwarding to work with the firewall's port-forwarding functionality. Under TMCM Server Settings.5 or above to manage IMSVA.11. If a proxy server is between the Control Manager server and IMSVA. Web server authentication Specify the credentials to access the Control Manager web server. 5. port number. Server Specify the Control Manager IP address or FQDN. Go to Administration > IMSVA Configuration > Connections.Performing Administrative Tasks 4. Password The password for the specified user name. and the user name and password. Option Description Enable MCP Agent Select the check box to enable the agent. click Next. or SOCKS5. it will soon register to the Control Manager server. If you are using the Configuration Wizard. SOCKS4. 29-17 . If you disabled the agent. Port The port for the specified proxy server. Proxy type Select the protocol that the proxy server uses: HTTP. Under Proxy Settings. Click Save. Communication protocol Select HTTP or HTTPS and specify the corresponding port number. specify the following parameters: Option Description Enable proxy Select the check box to enable the proxy server. IMSVA will soon log off from the Control Manager server. and the default port number for HTTPS is 443. User name The user name to access the specified proxy server. Unregistering from Control Manager Procedure 1. If you enabled the agent. Verify the change on the Control Manager management console. The default port number for HTTP access is 80. Proxy server Specify the proxy server FQDN or IP address. 4. Add all IP addresses of child devices in the current group to this list before you register these child devices to the parent. 3.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Components tab displays by default. Click >>. Navigate to Administration > IMSVA Configuration > Connections. The Components tab displays by default. 5. Click the Child IP tab. 29-18 Navigate to Administration > IMSVA Configuration > Connections. 3. Click the Un-register All Agents button. To synchronize the computer clock of an IMSVA device with the clock of an NTP server. . 2. Configuring NTP Settings The Network Time Protocol (NTP) synchronizes the clocks of computer systems across the Internet. Procedure 1. Click Save. configure the NTP setting. 2. Configuring Child IP Settings Devices in the Child IP address list can access each other for internal communications in a group. Procedure 1. The address appears in the table. Under Add IP Address. Click the TMCM Server tab. specify the child device IP address. Procedure 1. 29-19 . Navigate to Administration > Database Maintenance. As re-indexing can impact the scanner performance. 4. Select the Enable NTP check box. Specify the domain name or IP address of the NTP server. Click the NTP Setting tab. Trend Micro recommends that you do this during off-peak hours.Performing Administrative Tasks The Components tab displays by default. Click Save. 3. 2. Configuring Database Maintenance Schedule You may want to re-index the IMSVA database tables if you encounter slow performance when performing queries. 5. Select the Re-index database tables check box. • IP Filtering Service: Automatically blocks known spam senders.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Database Maintenance Schedule screen appears. Managing Product Licenses IMSVA can use the following components: • Cloud Pre-Filter: Provides message approved and blocked list filters and scanning for spam. • Spam Prevention Solution (SPS): A built-in filter that helps IMSVA identify content typically found in spam. IP Filtering includes the following: • 29-20 Email reputation: Trend Micro Email reputation technology was designed to be used to identify and block spam before it enters a computer network by routing Internet Protocol (IP) addresses of incoming mail connections to . 4. Click Save. viruses. • Trend Micro Antivirus and Content Filter: Basic scanning and filtering functionality. and other threats before the messages reach your network. Select the weekly or monthly schedule from the drop-down boxes. You can think of this product as the IMSVA program itself. 3. 2. • Directory Harvest Attack (DHA): A method spammers use to add your user's email addresses to spam databases.Performing Administrative Tasks Trend Micro Smart Protection Network server for verification against extensive reputation databases. • Trend Micro Email Encryption: Trend Micro Email Encryption integrates with IMSVA to encrypt and decrypt messages and to block messages that cannot be decrypted. including Trojan programs. • Viruses: Various virus threats. its features are disabled. • IP Profiler: IP Profiler allows you to configure threshold settings and determine the action IMSVA performs when it detects any of the four potential Internet threats: • Spam: Messages with unwanted advertising content. If the product remains inactive. • Regulatory Compliance: Compliance templates provide administrators with regulatory compliance for the following: • GLBA • HIPAA • PCI-DSS • SB-1386 • US PII You can activate IMSVA products through the management console. renew the license. obtain a new Activation Code. and specify the code through the management console. If a product license expires. • Bounced Mail: Messages returned to the sender because the messages were sent with the sender’s domain in the sender address. 29-21 . Viewing Your Product Licenses Monitor your product licenses from the Product Licenses screen. • Evaluation: Indicates that you are using an evaluation version of the product that expires after an elapsed time. 2. The evaluation period varies according to the Activation Code you have obtained. Fourteen (14) days before the expiration of the evaluation period. Click View detailed license online for the license you want to view. purchase a licensed version of IMSVA and specify the new Activation Code. • Status: Indicates whether the product has expired or has been activated. • Activation Code: A 31 alphanumeric character code in the format: xx-xxxxxxxxx-xxxxx-xxxxx-xxxxx-xxxxx. You can then copy and paste this Activation Code on the Product License page. Trend Micro will send you an Activation Code by email when you register a product online.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. Go to Administration > Product Licenses. • Seats: The number of endpoints/servers the license supports. 3. you will see a warning message on the management console. Click Check Status Online to check the status of your license agreement on the Trend Micro web site. 29-22 . A brief summary of each license appears: • Product • Version • Full: Indicates that you have purchased the full licensed product. contact your sales representative to renew your license. To ensure that your network is protected against the latest web threats. • Maintenance expiration: The date when you will no longer be able to download the latest scan engine and virus pattern files from the Trend Micro ActiveUpdate server. To continue using IMSVA after the evaluation period. verify your network settings and try again. 29-23 . 2. Renewing a License Using a New Activation Code Procedure 1. 4. Go to Administration > Product Licenses. Extend the life of an existing Activation Code Contact your sales representative to extend the lifetime of your Activation Code. The management console might access the Trend Micro web site to activate the license. The Enter a New Code screen appears. A brief summary of each license appears. Next to New Activation Code. Click Enter a new code next to Activation Code. Click Activate. If you are unable to reach the Trend Micro web site. and then specify the code on the Product Licenses screen.Performing Administrative Tasks Renewing or Activating a License There are two ways to renew a license: Obtain a new Activation Code Contact your sales representative to obtain a new Activation Code. and then either manually update the license status or wait until IMSVA automatically updates it. 3. specify the new code. If you are unable to reach the Trend Micro web site. 60. Click Check Status Online. The management console accesses the Trend Micro web site to activate the license. Activating Products If you do not have an Activation Code. Tip You can wait for IMSVA to update the license status automatically.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Renewing a License Using an Existing Activation Code Procedure 1. and every day after the expiration of the current license. 3. Once renewed. use the Registration Key that came with your product to register online. 2. Go to Administration > Product Licenses. A brief summary of each license appears. and 0 days before the expiration of the current license. Trend Micro recommends that you manually update it as soon as you extend the lifetime of the Activation Code. IMSVA checks the status of your license 90. Click View detailed license online to view detailed information about the license. verify your network settings and try again. IMSVA automatically updates the stored license information. 30. However. Activate products from one of the following screens: • From Product Activation in the Configuration Wizard • From Administration > Product Licenses 29-24 . 2. Go to Administration > Product Licenses. Upon successful registration.Performing Administrative Tasks Activating from the Configuration Wizard Procedure 1. 2. 3. Trend Micro will send you the Activation Code in an email message. 3. click Register Online. If you do not have an Activation Code. 29-25 . Specify the new code next to New Activation Code. Specify the Activation Code to activate any of the following: • Cloud Pre-Filter • Trend Micro Antivirus and Content Filter • Spam Prevention Solution • Trend Micro Email Encryption • Regulatory Compliance Click Next. Note The Activation Code comes in the format: XX-XXXX-XXXXX-XXXXX-XXXXXXXXXX-XXXXX. Activating from the Product Licenses Procedure 1. Click Enter a new code next to Activation Code. A brief summary of each license appears. The Enter a New Code screen appears. Navigate to Administration > Smart Protection Network. Select Enable Trend Micro Smart Feedback. 3. verify your network settings and try again. This provides better protection for your network because Trend Micro is able to quickly identify and address new threats. If you are unable to reach the Trend Micro web site.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 4. Procedure 1. and Web Reputation are all part of the Smart Protection Network. 29-26 . The management console may access the Trend Micro web site to activate the license. Click Activate. Note Email Reputation. 2. Click Save. The Smart Protection Network Settings screen appears. File Reputation. Configuring Smart Protection Network Settings Enable Trend Micro Smart Feedback to share threat information with the Trend Micro Smart Protection Network. and configuration tasks.Chapter 30 Using the Command Line Interface This chapter describes the Command Line Interface (CLI) commands that you can use in the InterScan™ Messaging Security Virtual Appliance (IMSVA) product to perform monitoring. debugging. Topics include: • Using the CLI on page 30-2 • Entering the CLI on page 30-2 • CLI Overview on page 30-3 • Entering the OS Shell on page 30-3 • Command Line Interface Commands on page 30-4 30-1 . troubleshooting. Procedure 1. If scroll lock is enabled. you cannot enter data. Verify the computer you are using can ping IMSVA’s IP address.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Using the CLI Use the CLI to do the following: • Configure initial settings. 3. Entering the CLI If the IMSVA becomes a child device. Use the password for the parent device. the passwords for admin and enable that were set during installation are not available. Use an SSH client to connect to IMSVA’s IP address and TCP port 22. Log on with the following: 4. such as the device IP address and host name • Restart the device • Rescue the application • View device status • Debug and troubleshoot the device Note Do not enable scroll lock on your keyboard when using HyperTerminal. 30-2 • User name: admin • Password: The password used for logging on to the management console Type logout and press ENTER to terminate the SSH session. 2. . Procedure 1. 2. it displays the following: Entering the OS Shell WARNING! Enter the shell environment only if your support provider instructs you to perform debugging operations. Verify the computer you are using can ping IMSVA’s IP address. 3.Using the Command Line Interface CLI Overview After you open the CLI menu. Log on with the following: • User name: root • Password: The password used for the OS shell when installing the product 30-3 . Use an SSH client to connect to IMSVA’s IP address and TCP port 22. a. The prompt changes from > to #. CLI Command Reference The following tables provide information regarding the CLI commands available for IMSVA. c. b. Entering Privileged Mode Procedure 1. Privileged commands provide full configuration control and advanced monitoring and debugging features. Root commands are basic commands that allow the administrator to obtain specific low security risk information and to perform simple tasks. Use a SSH client to connect to IMSVA’s IP address and TCP port 22. Type the password used for the CLI when installing the product and press ENTER. 3. Verify the computer you are using can ping IMSVA’s IP address. type enable and press ENTER. Enter CLI. Privileged commands are protected by an additional layer of credentials: the Enable account and password.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Command Line Interface Commands IMSVA’s CLI commands are separated into two categories: root and privileged commands. 30-4 . Log on with the following: • User name: admin • Password: The password used when logging on to the management console 2. At the prompt >. Syntax: configure module IMSVA adminUI enable all 30-5 . Syntax: configure module IMSVA adminUI enable <interface> View Privileged Parameters <interface>: Name of the NIC Examples: To enable the IMSVA management console for the NIC eth0: configure module IMSVA adminUI enable eth0 configure module IMSVA adminUI enable all Enables the IMSVA management console on all network interface cards (NIC). Syntax: configure module IMSVA adminUI disable View Privileged Parameters None Examples: To disable the IMSVA management console on all NICs: configure module IMSVA adminUI disable configure module IMSVA adminUI enable Enables the IMSVA management console on one specific network interface card (NIC).Using the Command Line Interface configure module IMSVA adminUI disable Disables the IMSVA management console on all network interface cards (NIC). Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide View Privileged Parameters None Examples: To enable the IMSVA management console for all NICs: configure module IMSVA adminUI enable all configure system date Configures the time and date and saves the data in CMOS. 2010 and the time to 3:40 PM: configure system date 2010-08-12 15:40:00 configure network dns TABLE 30-1. Syntax: configure network dns ipv4 <dns1> <dns2> View 30-6 Privileged . Syntax: configure system date <date> <time> View Privileged Parameters <date>: Set the date using the following format: yyyy-mm-dd <time>: Set the time with the following format: hh:mm:ss Examples: To set the date to August 12. configure network dns ipv4 Configures IPv4 DNS settings for the IMSVA device. 21 192.168. Examples: 30-7 .22 TABLE 30-2.Using the Command Line Interface Parameters <dns1>: Primary IPv4 DNS server <dns2>: Secondary IPv4 DNS server Note Use a space to separate the primary and secondary DNS value. Syntax: configure network dns ipv6 <dns1> <dns2> View Privileged Parameters <dns1>: Primary IPv6 DNS server <dns2>: Secondary IPv6 DNS server Note Use a space to separate the primary and secondary DNS value.22 configure network dns ipv4 192.10.10.168.10.21 • Secondary DNS: 192.168.168.168.10.10.21: configure network dns ipv4 192.21 To configure the primary and secondary DNS with the following values: • Primary DNS: 192.168.10. Examples: To configure the primary DNS with an IP address of 192. configure network dns ipv6 Configures IPv6 DNS settings for the IMSVA device. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide To configure the primary DNS with an IP address of 2001:db8::21: configure network dns ipv6 2001:db8::21 To configure the primary and secondary DNS with the following values: • Primary DNS: 2001:db8::21 • Secondary DNS: 2001:db8::22 configure network dns ipv6 2001:db8::21 2001:db8::21 configure network hostname Configures the host name for the IMSVA device.com configure network interface TABLE 30-3.imsva. Syntax: configure network interface ipv4 <interface> <ip> <mask> View 30-8 Privileged . configure network interface ipv4 Configures the IPv4 address for the network interface card (NIC).com: configure network hostname test. Syntax: configure network hostname <hostname> View Privileged Parameters <hostname>: The host name or fully qualified domain name (FQDN) for the IMSVA device Examples: To change the host name of the IMSVA device to test.imsva. 255. Syntax: configure network interface ipv6 <interface> <ip> <mask> View Privileged Parameters <interface>: NIC name <ip>: IPv6 address for the interface <mask>: Network mask for the NIC Examples: To configure an NIC with the following values: • Interface: eth0 • IP address: 2001:db8:: • Subnet mask: 64 configure network interface ipv6 eth0 2001:db8:: 64 30-9 . configure network interface ipv6 Configures the IPv6 address for the network interface card (NIC).0 TABLE 30-4.10.Using the Command Line Interface Parameters <interface>: NIC name <ip>: IPv4 address for the interface <mask>: Network mask for the NIC Examples: To configure an NIC with the following values: • Interface: eth0 • IP address: 192.255.168.0 configure network interface ipv4 eth0 192.255.10 • Subnet mask: 255.10.168.255.10 255. 24: configure module IMSVA role change-parent 192. Syntax: configure system password enable View Privileged Parameters None Examples: To change the password required to enter Privileged mode configure system password enable configure module IMSVA role change-parent Changes the parent IP or used to reconnect a child device to a parent device Syntax: configure module IMSVA role change-parent <new_parent_ip> View Privileged Parameters <new_parent_ip>: IP address for a new parent server Examples: To change the parent IP address of the current device to 192.10. Syntax: configure module IMSVA role unregister 30-10 .168.168.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide configure system password enable To change the password required to enter Privileged mode.24 configure module IMSVA role unregister Unregisters a child IMSVA device from a parent IMSVA device.10. Using the Command Line Interface View Privileged Parameters None Examples: To unregister a child IMSVA device from a parent IMSVA device: configure module IMSVA role unregister configure network route add TABLE 30-5.1 eth1 TABLE 30-6.0/24 192.10.10. configure network route ipv6 add Adds a new route entry Syntax: configure network route ipv6 add <ip_prefixlen> <via> <dev> View Privileged 30-11 .168.10. configure network route ipv4 add Adds a new route entry Syntax: configure network route ipv4 add <ip_prefixlen> <via> <dev> View Privileged Parameters <ip_prefixlen>: Destination network ID with format IPv4_Address/ Prefixlen <via>: IPv4 address of the next hop <dev>: Device name Example: To add a new route entry: configure network route ipv4 add 172. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Parameters <ip_prefixlen>: Destination network ID with format IPv6_Address/ Prefixlen <via>: IPv6 address of the next hop <dev>: Device name Example: To add a new route entry: configure network route ipv6 add 2001:db8:10ff::ae:4/64 2001:db8::1 eth1 configure network route default TABLE 30-7. configure network route ipv4 default Sets the default route for an IMSVA device Syntax: configure network route ipv4 default <gateway> View Privileged Parameter <gateway>: IPv4 address of default gateway Example: To set the default route for an IMSVA device: configure network route ipv4 default 192. configure network route ipv6 default Sets the default route for an IMSVA device Syntax: configure network route ipv6 default <gateway> View Privileged Parameter <gateway>: IPv6 address of default gateway Example: 30-12 .168.10.1 TABLE 30-8. 0/24 192.10.1 eth1 TABLE 30-10.10. configure network route ipv6 del Deletes a route for an IMSVA device Syntax: configure network route ipv6 del <ip_prefixlen> <via> <dev> View Privileged Parameters <ip_prefixlen>: Destination network ID with format IPv6_Address/ Prefixlen <via>: IPv6 address of the next hop <dev>: Device name 30-13 .10.168. configure network route ipv4 del Deletes a route for an IMSVA device Syntax: configure network route ipv4 del <ip_prefixlen> <via> <dev> View Privileged Parameters <ip_prefixlen>: Destination network ID with format IPv4_Address/ Prefixlen <via>: IPv4 address of the next hop <dev>: Device name Example: To delete a route for an IMSVA device: configure network route ipv4 del 172.Using the Command Line Interface To set the default route for an IMSVA device: configure network route ipv6 default 2001:db8::1 configure network route del TABLE 30-9. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Example: To delete a route for an IMSVA device: configure network route ipv6 del 2001:db8:10ff::ae:4/64 2001:db8::1 eth1 configure service ssh disable Disables SSH on all network interface cards (NIC). Syntax: configure service ssh disable View Privileged Parameters None Examples: To disable SSH on all NICs: configure service ssh disable configure service ssh enable Enables SSH on one specific network interface card (NIC). Syntax: configure service ssh enable <interface> View Privileged Parameters <interface>: The name of the NIC Examples: To enable SSH on NIC eth0: configure service ssh enable eth0 30-14 Using the Command Line Interface configure service ssh enable all Enables SSH on all network interface cards (NIC). Syntax: configure service ssh enable all View Privileged Parameters None Examples: To enable SSH on all NICs: configure service ssh enable all configure system timezone Configures the time zone used by the IMSVA device. Syntax: configure system timezone <region> <city> View Privileged Parameters <region>: Region name <city>: City name Examples: To configure the IMSVA device to use the time zone for the following location: Region: America City: New York configure system timezone America New_York 30-15 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide TABLE 30-11. Time Zone Setting Examples REGION/COUNTRY Africa CITY Cairo Harare Nairobi America Anchorage Bogota Buenos_Aires Caracas Chicago Chihuahua Denver Godthab Lima Los_Angeles Mexico_City New_York Noronha Phoenix Santiago St_Johns Tegucigalpa 30-16 Using the Command Line Interface REGION/COUNTRY Asia CITY Almaty Baghdad Baku Bangkok Calcutta Colombo Dhaka Hong_Kong Irkutsk Jerusalem Kabul Karachi Katmandu Krasnoyarsk Kuala_Lumpur Kuwait Magadan Manila Muscat Rangoon Seoul Shanghai Singapore Taipei Tehran Tokyo Yakutsk 30-17 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide REGION/COUNTRY CITY Atlantic Azores Australia Adelaide Brisbane Darwin Hobart Melbourne Perth Europe Amsterdam Athens Belgrade Berlin Brussels Bucharest Dublin Moscow Paris Pacific Auckland Fiji Guam Honolulu Kwajalein Midway 30-18 Using the Command Line Interface REGION/COUNTRY US CITY Alaska Arizona Central East-Indiana Eastern Hawaii Mountain Pacific enable Enters privileged mode so privileged commands can be provided. Syntax: enable View Root Parameters None Examples: To enter privileged mode: enable exit Exits privileged mode. Exits the session for those not in privileged mode. 30-19 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Syntax: exit View Root/Privileged Parameters None Examples: To exit privileged mode or to exit the session when not in privileged mode: exit help Displays the CLI help information. Syntax: help View Privileged/Root Parameters None Examples: To display the CLI help information: help history Displays the current session's command line history. Syntax: history [limit] View 30-20 Privileged/Root Using the Command Line Interface Parameters [limit]: Specifies the size of the history list for the current session Specifying "0" retains all commands for the session. Examples: To specify six commands for the size of the history list: history 6 logout Logs out of the current CLI session. Syntax: logout View Root Parameters None Examples: To logout from the current session: logout ping Pings a specified host. Syntax: ping [-c num_echos] [-i interval] <dest> View Root 30-21 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Parameters [-c num_echos]: Specifies the number of echo requests to be sent. Default value is 5. [-i interval]: Specifies the delay interval in seconds between each packet. Default value is 1 second. <dest>: Specifies the destination hostname or IP address Examples: To ping the IP address 192.168.1.1: ping 192.168.1.1 To ping the host remote.imsva.com: ping remote.imsva.com ping6 Pings a specified host. Syntax: ping6 <host> View Root Parameter <host>: IPv6 address Example: To ping the IP address 2001:db8::21: ping6 2001:db8::21 start task postfix drop Deletes a specified message or all messages in the email message queue. Syntax: start task postfix drop { <mail_id> | all } 30-22 Using the Command Line Interface View Privileged Parameters <mail_id>: Specifies the message ID in the postfix queue to delete Examples: To delete email message D10D4478A5 from the email message queue: start task postfix drop D10D4478A5 To delete all email messages from the email message queue: start task postfix drop all start task postfix flush Attempts to deliver all queued email messages. Syntax: start task postfix flush View Privileged Parameters None Examples: To deliver all queued email messages: start task postfix flush start task postfix queue Displays all email messages queued in postfix. Syntax: start task postfix queue View Privileged Parameters None 30-23 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Examples: To display all postfix queued email messages: start task postfix queue start service postfix Starts the postfix mail system Syntax: start service postfix View Privileged Parameters None Examples: To start the postfix mail system: start service postfix stop service postfix Stops the postfix mail system. Syntax: stop service postfix View Privileged Parameters None Examples: To stop the postfix mail system: stop service postfix 30-24 Using the Command Line Interface reboot Reboots the IMSVA device immediately or after a specified delay. Syntax: reboot [time] View Privileged Parameters [time]: Specifies the delay, in minutes, to reboot the IMSVA device Examples: To reboot the IMSVA device immediately: reboot To reboot the IMSVA device after 5 minutes: reboot 5 start task rescue Rescues the application software. Syntax: start task rescue View Privileged Parameters None Examples: To rescue the application software: start task rescue 30-25 com: resolve parent.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide resolve Resolves an IPv4 address from a hostname or resolves a hostname from an IPv4 address.com resolve6 Resolves a hostname from an IPv6 address.imsva.imsva.1: resolve 192.168.10.168. Syntax: resolve6 <dest> View Privileged Parameter <dest>: IPv6 address to resolve Example: To resolve the hostname from IP address 2001:db8::21: resolve6 2001:db8::21 30-26 .10. Syntax: resolve <dest> View Privileged Parameter <dest>: Specifies the IPv4 address or hostname to resolve Examples: To resolve the hostname from IP address 192.1 To resolve the IP address from hostname parent. Syntax: {start | stop | restart} service IMSVA View Privileged Parameters start: Starts all IMSVA services stop: Stops all IMSVA services restart: Restarts all IMSVA services Examples: To start all IMSVA services: start service IMSVA To stop all IMSVA services: stop service IMSVA To restart all IMSVA services: restart service IMSVA show module IMSVA service-status Displays the current status of all IMSVA application services. Syntax: show module IMSVA service-status View Root Parameters None Examples: 30-27 .Using the Command Line Interface service IMSVA Starts. or restarts all IMSVA application services. stops. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide To display the status for all IMSVA services: show module IMSVA service-status show storage statistic Displays the file system disk space usage. Examples: To display the file system disk space usage of the IMSVA device: show storage statistic show network Displays various IMSVA network configurations. Syntax: show network [arp | connections | dns | firewall | hostname | interface | open-ports | route] View 30-28 Root . Syntax: show storage statistic [partition] View Root Parameters [partition]: Specify a partition. This is optional. route: Displays IP address route table Examples: To display the ARP tables: show network arp To display the IMSVA device’s current network connections: show network connections To display the DNS configuration: show network dns To display the firewall configuration settings of the IMSVA device: show network firewall To display the hostname of the IMSVA device: show network hostname To display the NIC status and configuration: show network interface 30-29 . hostname: Displays the IMSVA device’s hostname. connections: Displays the IMSVA device’s current network connections. interface: Displays the network interface card (NIC) status and configuration. firewall: Displays firewall’s configuration. dns secondary: Displays the IMSVA device’s secondary IP address. open-ports: Displays the listening ports on the IMSVA device. dns: Displays the IMSVA device’s IP address.Using the Command Line Interface Parameters arp: Displays the Address Resolution Protocol (ARP) tables. dns primary: Displays the IMSVA device’s primary IP address. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide To display the listening ports of the IMSVA device: show network open-ports To display the IP address route table: show network route show kernel Displays the IMSVA device’s OS kernel information. Syntax: show kernel {messages | modules | parameters | iostat} View Root Parameters messages: Displays kernel messages modules: Displays kernel modules parameters: Displays kernel parameters iostat: Displays CPU statistics and I/O statistics for devices and partitions Examples: To display the OS kernel’s messages: show kernel messages To display the OS kernel’s modules: show kernel modules To display the OS kernel’s parameters: show kernel parameters To display IMSVA device CPU statistics and I/O statistics: show kernel iostat 30-30 Using the Command Line Interface show module IMSVA log Displays various IMSVA log data. Syntax: show module IMSVA log {imssd | imssmgr | imssps | postfix} [num] View Root Parameters imssd: Displays IMSVA scanner logs imssmgr: Displays IMSVA manager logs imssps: Displays IMSVA policy server logs postfix: Displays postfix logs [num]: Displays the specified number of latest log entries. Default value is 25 Examples: To display the latest 25 IMSVA scanner logs: show module IMSVA log imssd To display the latest 50 IMSVA policy server logs: show module IMSVA log imssps 50 show service Displays the IMSVA service status. Syntax: show service [ntp <enabled | server-address> | ssh] View Root 30-31 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Parameters ntp enabled: Displays the system NTP service status. ntp server-address: Displays the system NTP service server address. ssh: Displays the status of SSH. Examples: To display the NTP service status: show service ntp To display the SSH status: show service ssh show process Displays the status of IMSVA processes currently running. Syntax: show process [top] View Root Parameters [top]: Displays the status of IMSVA processes currently running and system related processes Examples: To display the status of IMSVA processes currently running: show process show module IMSVA role Displays the role (parent or child) of the IMSVA device in a group. Syntax: show module IMSVA role 30-32 Using the Command Line Interface View Root Parameters None Examples: To display the role of the IMSVA device: show module IMSVA role show memory Displays the IMSVA device’s system memory information. Syntax: show memory [vm | statistic] View Root Parameters vm: Displays virtual memory statistics statistic: Displays system memory statistics Examples: To display IMSVA device virtual memory statistics: show memory vm To display IMSVA system memory statistics: show memory statistic show module IMSVA status adminUI Displays the status of the IMSVA management console. Syntax: show module IMSVA status adminUI View Root 30-33 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Parameters None Examples: To display the IMSVA management console status show module IMSVA status adminUI show system Displays various IMSVA system settings. Syntax: show system [date | timezone | uptime | version] View Root Parameters date: Displays the current time and date. timezone: Displays the IMSVA device’s timezone settings. uptime: Displays how long the IMSVA device has been running version: Displays version number for the IMSVA device. Examples: To display the current time and date of the IMSVA device: show system date To display the IMSVA device’s timezone settings: show system timezone To display how long IMSVA has been running: show system uptime To display IMSVA’s version number: show system version 30-34 Using the Command Line Interface shutdown Specifies shutting down the IMSVA device immediately or after a specified delay. Syntax: shutdown [time] View Privileged Parameters [time]: Shuts down the IMSVA device after a specified delay in minutes Examples: To shut down the IMSVA device immediately: shutdown To shut down the IMSVA device after a 5 minute delay: shutdown 5 stop process Stops a specific IMSVA process. Note Use the command show process on page 30-32 to display the <pid> for each process. Syntax: stop process [core] <process name> View Privileged Parameters [core]: Stops a specific process and generates a core file <process name>: Specifies the process to stop Examples: 30-35 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide To stop the IMSVA process imssmgr: stop process imssmgr traceroute Displays the tracking route to a specified destination. Syntax: traceroute [-h hops] <dest> View Root Parameters [-h hops]: Specifies the maximum number of hops to the destination. The minimum number is 6. <dest>: Specifies the remote system to trace Examples: To display the route to IP address 172.10.10.1 with a maximum of 6 hops: traceroute 172.10.10.1 To display the route to IP address 172.10.10.1 with a maximum of 30 hops: traceroute -h 30 172.10.10.1 traceroute6 Displays the tracking route to a specified destination. Syntax: traceroute6 [-h hops] <dest> View Root Parameters [-h hops]: Specifies the maximum number of hops to the destination. The minimum number is 6. <dest>: Specifies the remote system to trace 30-36 Using the Command Line Interface Examples: To display the route to IP address 2001:db8::21 with a maximum of 6 hops: traceroute6 2001:db8::21 To display the route to IP address 2001:db8::21 with a maximum of 30 hops: traceroute6 -h 30 2001:db8::21 30-37 Chapter 31 Modifying IMSVA Deployment This chapter explains how to perform important maintenance tasks, such as changing the device role (parent to child or child to parent), changing a device IP address, and using the backup data port. Topics include: • Adding and Removing Devices on page 31-2 • Changing Device Roles on page 31-5 • Changing the Deployment on page 31-6 • Changing IP Addresses on page 31-7 31-1 Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Internal Communication Port IMSVA supports multiple network interface cards (NIC) as data ports, which means one IMSVA device can have several IP addresses. In a group scenario, for communication to occur between an IMSVA parent device and child devices, each IMSVA device must specify a single IP address. The single IP address is used to identify each IMSVA device. With each device capable of having multiple IP addresses, this creates a problem for communication. In order to resolve this issue, the concept of Internal Communication Port has been introduced. Once an Internal Communication Port is specified on an IMSVA device, the IP address of the port identifies the IMSVA device. For example: A parent device has two NICs installed with the following IP addresses: • eth0: 192.168.10.1 • eth1: 192.168.20.1 With eth0 specified as the Internal Communication Port, a child IMSVA device registering to the parent must specify the parent IP address as 192.168.10.1. Child devices also have an Internal Communication Port. Both parent and child devices must communicate with each other through their Internal Communication Port. Note The default Internal Communication Port for all IMSVA devices is eth0. Adding and Removing Devices This section explains how to add or remove a device from a group. 31-2 Modifying IMSVA Deployment Adding a Child Device to a Group Procedure 1. Determine the device settings for the new device (IP address, net mask, gateway IP address, DNS server IP address, NTP server IP address if necessary). 2. Follow the instructions in . Removing a Child Device from a Group This section explains how to remove a device from a group. If the device is active, you must first stop all services running on it. If it is inactive, you can unregister it directly. Note When you remove a device that has EUQ enabled, all messages in the EUQ quarantine area are deleted. Trend Micro suggests notifying your users to handle the messages in the EUQ quarantine area before you remove the device. Procedure 1. Navigate to Dashboard. The Dashboard appears. 2. Check the Mail Queues widget on the System Overview tab. Verify that there are no messages in the delivery queue or deferred queue for the device you want to remove. If there are messages in the delivery queue or deferred queue, wait momentarily for IMSVA to process them. 3. Click System Status. The System Status screen appears. 4. Under Managed Services, stop all services on the device you want to remove. When the services stop, the Unregister button appears. 31-3 Use the configure module IMSVA role unregister to unregister the child device. Connect to the child devices through an SSH connection. Use the clish command to enter the CLI. 3. Back up the folder opt/trend/imss/queue to another machine so that all messages quarantined or archived will not be deleted during rescue. Use the start task postfix flush command to flush postfix queue.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Note If the device was using EUQ. 5. Tip Trend Micro recommends that you notify your users to not add members to the EUQ approved list while you are adding a child device and redistributing EUQ data. Click Redistribute. b. Log on to the OS shell as root. you must reset all child devices and select one of them as the parent. Then register all other devices to the parent. The child device then changes to a parent automatically. The child will be automatically removed from the group. 2. Resetting Child Devices When the Parent-Child Connection is Broken If the parent device is broken. 6. 7. 31-4 . redistribute the data across the remaining EUQ databases before you unregister the child device: 5. Use the enable command to enter privilege mode. Procedure 1. Click Unregister. 4. Navigate to Administration > End-User Quarantine. a. Connect to the child device through an SSH connection.Modifying IMSVA Deployment Changing Device Roles This section explains how to change device roles. Use the enable command to enter privilege mode. Register the former parent device to another parent device. 31-5 . The device automatically becomes a parent. Changing the Device Role from Parent to Child Procedure 1. Procedure 1. d. Log on to the CLI as admin. • Use the CLI: a. simply unregister it from its parent. Remove all child devices from the group (see Removing a Child Device from a Group on page 31-3). c. Unregister the child from the parent by doing one of the following: • Use the management console (see Removing a Child Device from a Group on page 31-3). Use the configure module IMSVA role unregister command to unregister from the parent. 2. b. Changing the Device Role from Child to Parent To change a device from a child to a parent. 5. Changing the Deployment from Non-Gateway to Gateway Note IMSVA can use IP Filtering in a gateway setup only. . Navigate to Administration > IMSVA Configuration > Configuration Wizard. 31-6 Navigate to Administration > IMSVA Configuration > Configuration Wizard. Procedure 1. 4. On the last wizard screen. click Finish. Skip the rest of the wizard steps.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. Changing the Deployment This section explains how to change the deployment to and from a gateway/nongateway setup. Clear the Gateway deployment check box. Register other child devices to this device if necessary. 2. 3. Changing the Deployment from Gateway to Non-Gateway Note IMSVA cannot use IP Filtering in a non-gateway setup. Go to Step 2: Deployment Settings. Procedure 1. Use the clish command to enter the CLI. Go to Step 2: Deployment Settings. Log on to the OS shell as root. Changing IP Addresses This section explains how to change the IP address of parent and child devices. the IP change script may not execute completely. Note When changing IP addresses in the Command Line Interface (CLI) through Secure Shell (SSH). 2. 4. Otherwise. Connect to the parent device through an SSH connection and do the following from the CLI: a. c. 3. Log on to the CLI as admin. Use the enable command to enter privilege mode. 5. click Finish. causing inconsistencies in the settings. On the last wizard screen. Change the IP address using the configure network interface command. b. Changing the Parent’s Internal Communication Port IP Address Procedure 1. 31-7 . Select the Gateway deployment check box. Skip the rest of the wizard steps. Connect to each child device through an SSH connection and do the following: a.Modifying IMSVA Deployment 2. b. do not close the SSH client until the connection times out. d. Change the IP address. b. Navigate to Administration > IMSVA Configuration > Connections. Use the enable command to enter privilege mode. Verify that parent-child communication uses the Internal Communication Port. do the following from the IMSVA management console: a. e. 2.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide c. add the new IP address. Use the enable command to enter privilege mode. . b. d. On the parent device. Log on to the CLI as admin. Enter the updated IP address. Change the IP address using the configure network interface command. Select 2) Network Settings > 2) Change network settings. Procedure 1. c. c. Use the configure module IMSVA role change-parent command to change the parent IP to the updated one. Under Add IP Address. check the route table on the parent and child device using the command show network route in the CLI. 3. Connect to the child device through an SSH connection and do the following from the CLI: a. e. Changing the Child Internal Communication Port IP Address If the parent or child devices have multiple network interface cards (NIC). On the parent device. 31-8 Navigate to Administration > IMSVA Configuration > Connections. do the following: a. Click the Child IP tab. remove the old child IP address.Modifying IMSVA Deployment b. Under Add IP Address. 31-9 . Click the Child IP tab. c. . Chapter 32 Updating and Rescuing the System and Application This chapter explains how to update and rescue the system and application files when Trend Micro releases patches. and other updates. Topics include: • Updating the System and Application on page 32-2 • Rescuing IMSVA on page 32-4 32-1 . service packs. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Updating the System and Application When new operating system and application files become available from Trend Micro. deploy them to a parent IMSVA device and all of its child devices. Under Upload. Click Upload. 2. click Browse and locate the file. By default. child devices will be updated before the parent device. 3. Navigate to Administration > Updates > System & Applications. Updating devices is a two-step process: • Step 1: Uploading a New System or Application File on page 32-2 • Step 2: Deploying the System or Application File on page 32-3 Uploading a New System or Application File Procedure 1. 32-2 . 2. After an operating system update or upgrade. If you have applied some patches on a child device. 3. and later unregister this child device from the parent device. the package type. Due to the re-application of the patches. If IMSVA rebooted. build number. b. Deploying the System or Application File Procedure 1. If a device check box is grayed out. 4. you cannot deploy the files to the device because the device: • Already has the updated files. 32-3 . • Has more up-to-date files than the ones you are trying to deploy. Accept the license agreement. you can click Cancel to stop the update of the next device. Click Update.Updating and Rescuing the System and Application After the file finishes uploading. During an update. IMSVA automatically rescues the system and application files. IMSVA reboots. Navigate to Administration > Updates > System & Applications to view the summary screen. and title appear under Latest uploaded package. Select the check boxes next to the devices to which you want to deploy the update. wait for it to start up and log on again. do not modify any other settings. If you are updating several devices. An application upgrade might force IMSVA to automatically reboot. Note a. 5. it might take some time before the management console for the new parent device (unregistered child device) becomes available. then re-applies the patches during unregistration. Viewing the Update History for Any Device or Rolling Back an Update Procedure 1. A summary screen appears showing the updates and related log information.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Is a child device and the patch requires you to upload the files and deploy them to the parent first. • Rescuing: Replaces all application files and deletes all settings. 3. Rescuing the application is not the same as applying a patch. 2. 32-4 . • Applying a patch: Updates the existing application files to enhance features. You can only roll back the latest application updates. To go back to the main screen. click the name of the device you want to view. click OK. Application Rescue Overview You might need to rescue the application if application files become corrupt. Under Host Name. Rescuing IMSVA Rescuing IMSVA means that you reinstall the application. carry out filter actions. click Rollback. To remove an update. and create logs. Rescuing the application reinstalls the IMSVA application that instructs IMSVA to scan traffic. or vice versa. Before rescuing the application. Type enable and provide the password to enter privileged mode. 7. Rescuing the Application Procedure 1. 2. After the rescue process completes. Enter the CLI as admin (see Entering the OS Shell on page 30-3). Re-activate Trend Micro Antivirus and Content Filter and Spam Prevention Solution (SPS) using the Activation Code. 5. 4. and will take several minutes. log on to the IMSVA management console and import your saved settings. 6. 3. Type y to confirm. 32-5 .Updating and Rescuing the System and Application WARNING! All settings you configure through the management console are deleted when you rescue the application. Log on to the IMSVA management console as admin and export your current settings. create a backup of your settings. Type start task rescue. IMSVA rescue begins. . 33-1 .Chapter 33 Troubleshooting. and contact support. and Support Information This chapter explains how to troubleshoot common IMSVA issues. FAQ. search the Trend Micro Knowledge Base. Start the database process. For more details. If you have additional problems. For troubleshooting and FAQ information pertaining to the deployment of IMSVA.sh. S99ADMINUI. restart the Central Controller process. No access to the management console 33-2 The management console URL is not a trusted site in Internet Explorer. . do the following: 1. before starting the Central Controller process. refer to Using IMSVA Scripts on page B-2. 2. see Troubleshooting Issues on page 33-2. S99ADMINUI. Add the URL to the trusted sites. check the Trend Micro Knowledge Base.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Troubleshooting For common issues that you might encounter when configuring or administering IMSVA. Troubleshooting Issues DESCRIPTION AND RESOLUTION ISSUE General Unable to access the management console or other components. refer to the IMSVA Installation Guide. If you are unable to access the management console. dbctl. The target port is not in the firewall approved list. If you are still unable to access the management console. Open the ports as shown in IMSVA Ports on page 33-15 in the firewall. 2. 2. if a DNS server is not available or has connection problems. activation will fail. To activate Email Reputation. Enter the command line interface through a serial or SSH connection. FAQ. 3. IMSVA needs to connect to Trend Micro. verify your proxy settings. This process requires a DNS query. To verify your DNS settings from the CLI: 1.Troubleshooting. To verify your DNS settings from the management console: 1. Therefore. and Support Information DESCRIPTION AND RESOLUTION ISSUE Unable to activate products If a proxy server is on your network. 33-3 . Use the command show network dns to verify the current DNS setting. Navigate to Administration > Configuration Wizard > Local System Settings > Network Settings. Modify the IP address of your DNS server if necessary. Use the command configure network dns <dns IP address> to modify the IP address of your DNS server if necessary. Verify your DNS server settings. verify that your proxy settings are correct. To verify your proxy settings: 1. Next to Preferred Charset. select the character set in which the messages will be encoded. and IMSVA must use a proxy server. If your computer is running a non-English operating system and the notification message was not written in English. IMSVA is unable to connect to the update source. 2. the Trend Micro ActiveUpdate server).Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide DESCRIPTION AND RESOLUTION ISSUE Unable to update components IMSVA uses the HTTP protocol to connect to the update source (by default. Modify the character set through the management console. . Email notifications do not display properly. Verify your network settings and connections and try again. Go to one of the following: • Administration > Configuration Wizard > Update Source > Proxy Setting • Administration > Proxy Modify the proxy server settings if necessary. it may appear distorted. 2. To modify the character set: 33-4 1. If you update the components manually and Unknown appears under Availability on the Update Now screen. If a firewall is located between IMSVA and the Internet. Go to Administration > Notifications > Delivery Settings. FAQ. 4. select Enable. Click Custom Level. • The IMSVA manager service has stopped.Troubleshooting. Check your firewall settings for the Manager Service listening port. Cannot query message logs in IMSVA. On the Internet Explorer menu.0 or 7. synchronize the date/time on all computers with IMSVA. IMSVA scanner records the log with local time. navigate to Tools > Internet Options. Server displays as disconnected in the System Status screen. and Support Information DESCRIPTION AND RESOLUTION ISSUE Unable to export configuration files You will not be able to export configuration files if: • Your computer is running Windows 2003 SP1 or Windows XP SP2 • Internet Explorer (IE) 6. Click OK and save your settings. • Network connection issue has occurred. Click the Security tab. A managed server could become disconnected for any of the following reasons: • The scanner was removed from your network. 5. To query message logs. Under Downloads > Automatic prompting for file downloads. 33-5 .0 has default security settings You must change the default security settings on Internet Explorer. 2. To change the IE security settings: 1. 3. Web Reputation queries.Verify the HTTP connectivity from the IMSVA scanner to the external network. Check whether the DNS server is configured correctly. The Proxy screen appears. IMSVA records attachment information only when the scanning conditions for a policy is set to attachment. When attachment is not specified as a scanning condition. and Trend Micro Email Encryption check box. Web Reputation needs to query the Trend Micro Web Reputation servers. Cloud Pre-Filter. 2. For Web Reputation issues. Select the Use a proxy server for updates to patterns. When there is no attachment in the quarantined or archived messages. the scan time for messages increases significantly. attachment information is sometimes not available After enabling Web Reputation. configure proxy settings on the Proxy screen: 1. engines. 3. 3. . Click Save. Cannot enable LDAP with Kerberos authentication End-User Quarantine Issues 33-6 Synchronize the date/time for all IMSVA devices. check the wrsagent. Configure the proxy settings.* files under the /opt/trend/imss/log folder. Even when you have selected attachment as one of the scanning conditions. licenses. This issue occurs under the following circumstances: 1. 4. Click Administration > Proxy.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide DESCRIPTION AND RESOLUTION ISSUE When viewing detailed information for quarantined or archived messages. 2. this issue will also occur if the number of attachments in the quarantined or archived messages has exceeded the maximum number specified in the conditions. If it requires a proxy server to connect to the Internet. FAQ. go to: https://<target server IP address>:8447 33-7 . and Support Information DESCRIPTION AND RESOLUTION ISSUE Unable to access the EUQ management console Do the following: • Verify that you are using the correct URL and port number.Troubleshooting. To view the console from another computer on the network. On the LDAP server.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide DESCRIPTION AND RESOLUTION ISSUE Users are unable to log on to EUQ management console Do the following: 1. ensure that the time for all IMSVA computers and the LDAP server is synchronized. Verify LDAP and User Quarantine Access settings through the IMSVA management console: 3. Only user accounts in the approved group can access EUQ. 33-8 . users will not be able to consistently log on to the EUQ management console. Verify that users are using the correct logon name and password. Verify all settings. b. c. Select Enable User Quarantine Access. Go to Administration > IMSVA Configuration > Connections > LDAP. If a user's account exists only on one of the LDAP servers. e. Note IMSVA uses LDAP2 servers as backup for LDAP 1 servers. a. 2. Go to Administration > End-User Quarantine. d. especially the LDAP type and server information. Verify that the correct LDAP groups appear under Selected Groups and that the user account belongs to the selected groups. verify that the user accounts are in the correct group. Ensure the LDAP 1 and LDAP 2 servers are synchronized. If you are using Kerberos authentication. c. and Support Information DESCRIPTION AND RESOLUTION ISSUE Users are unable to log on to EUQ management console using NTLM single sign-on (SSO) Logging on to the EUQ management console using SSO requires the following: 1. The Local Security Settings screen appears. Go to Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level > Local Security Setting. The account provided on the LDAP Settings screen has permission to look up all accounts for authentication. 2. FAQ. The endpoint operating system supports (and enables) NTLMv1 in LMcapabilityLevel settings.msc. b. • Using FireFox: The about:config link is configured to add the NTLM trusted host list. 3. • Using Internet Explorer: The EUQ management console is added to the internal site list. 4. 33-9 . Select Send LM & NTLM responses and save. • Using Internet Explorer: The Windows integrated authentication setting in Internet Explorer is enabled.Troubleshooting. Note To configure the LMCapabilityLevel: a. LDAP1 or LDAP2 servers are enabled and specified as in use for Active Directory (IP or domain name or FQDN). Go to Start > Run and type secpol. The LMCapabilityLevel of Active Directory is configured to support NTLMv1. Kerberos protocol requires time synchronization between the Kerberos server and IMSVA. 2. This allows end users to view and manage the messages from the EUQ management console. 2. Go to Mail Areas & Queues > Settings. 3. Next to Preferred charset. Synchronize the date/time for all computers with IMSVA. Select the check box next to Sync mails quarantined by content filter to EUQ database (for this area only). To make quarantine areas visible to end users: 1. On the EUQ management console. Click the link of the quarantine area that you want to synchronize to EUQ. Go to Administration > Notifications > Delivery Settings. 33-10 . or Web Reputation) quarantined in this area synchronize with the EUQ database. End users cannot access malicious messages. Cannot enable LDAP with Kerberos authentication. anti-phishing conditions. users can only access the quarantined messages if the administrator configures EUQ to allow access. all non-malicious messages (messages that do not trigger antivirus rules.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide DESCRIPTION AND RESOLUTION ISSUE The EUQ digest does not display quarantined message information correctly Some quarantined messages are not appearing on the EUQ management console Verify that the correct character set is selected: 1. Check whether the DNS server is configured correctly. After enabling this option. select the character set that will properly display the digest information. LDAP1 or LDAP2 servers are enabled and specified as in use for Active Directory (IP address or domain name or FQDN). 2. use the hostname as the instance when generating a keytab file.Troubleshooting. The account provided on the LDAP Settings screen has permission to look up all accounts for authentication. 3. • Using Internet Explorer: The EUQ management console is added to the internal site list. • Using Windows Vista or above. use the parent device’s 8447 port to access EUQ. The endpoint operating system supports (and enables) Kerberos authentication: • Time should be synchronized between IMSVA and the Kerberos authentication service. IP Filtering Issues 33-11 . The DNS server configured for IMSVA contains the record of the Kerberos service. and Support Information DESCRIPTION AND RESOLUTION ISSUE Users are unable to log on to the EUQ management console using Kerberos single sign-on (SSO) Logging on to the EUQ management console using SSO requires the following: 1. • The Windows integrated authentication setting in Internet Explorer is enabled. SSO will not work if a child’s port is used. SSO will not work. If EUQ is deployed in a parent-child deployment. If the instance is mapped to more than one user. • Using FireFox: The about:config link is configured to add the negotiate-auth trusted url list. 5. 6. FAQ. Only one EUQ management console instance can be mapped to one user account. 4. it performs a DNS query on FoxDNS. Change the value for log_level to 4. Go to the directory where IP Profiler is installed (by default: /opt/trend/ipprofiler/config).ini. FoxProxy processes messages slowly When FoxProxy receives messages. 33-12 Start the service if it is not running. Verify that the bind service is running on the computer where FoxDNS is installed: 1. 2. Restart FoxProxy by typing the following: /opt/trend/ipprofiler/script/foxproxyd restart 5. If Bind is not running. To find out the reason.**** Unable to connect to FoxProxy Verify that FoxProxy is running and that it binds on port 25. 4. FoxProxy continues to wait until the DNS query times out. Type the following command: ps –ef | grep named 2. 3. To view IP Profiler logs: 1. Open the log file by typing the following: /opt/trend/ ipprofiler/logs/foxproxy-general. .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide DESCRIPTION AND RESOLUTION ISSUE FoxProxy cannot start up There are several reasons why FoxProxy might not start. view the IP Profiler logs. Open foxproxy. Open foxproxy. FoxProxy sends information about blocked connections to the IMSVA server. and Support Information DESCRIPTION AND RESOLUTION ISSUE Unable to view connections that FoxProxy is blocking Every five (5) minutes. FAQ. 3. Verify that the BIND service is running: 1. Wait for at least five minutes before viewing the connection information. 2. Restart FoxProxy by typing the following: /opt/trend/ipprofiler/script/foxproxyd restart FoxDNS is not functioning. To change this time value: 1. Modify the value for report_send_interval. 33-13 . Specify the following command: ps –ef | grep named 2. Start the service if it is not running.ini.Troubleshooting. Go to the log directory where IMSVA is installed (by default: /opt/trend/imss/log/).**** • foxnullmsg. If the files are not present. Email Reputation shares the same Activation Code with IP Filtering Service. activate IP Filtering Service and then activate Email Reputation. In the table t_foxhuntersetting.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide DESCRIPTION AND RESOLUTION ISSUE No IP Profiler log information exists The following IP Profiler-related log files are in the IMSVA admin database: • foxmsg. • The computer on which the scanning service is installed cannot access the Internet. Check if FoxProxy is running: ps –ef |grep foxproxy 4. use the following command to check if imssmgr is running: ps –ef | grep imssmgr 3. Confirm that the computer where the scanner service is installed has access to the Internet. 33-14 .**** • foxreport. 2.**** Verify that the log files exist: 1. Email Reputation may not work due to the following reasons: • IP Filtering Servicewas not activated. MTA cannot get a response for the DNS query for Activation Code validation. Activate IP Filtering Service and confirm IMSVA can access the Internet. Verify that IP Profiler is enabled. the following should exist: record: ‘Type’ = 1 and ’enable’ = TRUE Email Reputation does not work after being enabled from the management console. If IP Filtering Service was not activated. The scanner uses this port to accept POP3 request and scan POP3 mails for all POP3 servers. IMSVA Ports The following table outlines all ports used by IMSVA in their default configuration. Go to Administration > IMSSVA Configuration > SMTP Routing > Connections.Troubleshooting. Wait one (1) minute before checking the list again. Blocked IP address does not display in the Overview page The Overview page displays the top 10 blocked IP addresses by type for the last 24 uninterrupted hours. at 16:12 today the Overview page displays data from 16:00 yesterday to 16:00 today. Go to Administration > IMSSVA Configuration > Connections > Components. FAQ. The scanner will connect to this port to query matched rules for every message. and Support Information DESCRIPTION AND RESOLUTION ISSUE IP profiler does not block IP addresses in the Blocked List. For example. TABLE 33-1. Go to Administration > IMSSVA Configuration > Configuration > Connections > POP3. 5060 Policy Server listening port. This port must be opened at the firewall. or the server is not able to accept mails. 33-15 . IMSVA Ports PORT NUMBER COMPONENT AND ROLE CONFIGURATION LOCATION 25 The MTA service port. 110 IMSVA scanner generic POP3 port. The mail server will listen at this port to accept messages. The changes require about one (1) minute to take effect. View the Overview page after an hour. {IMVA}\UI\adminUI\conf\ server.xml:Server\Service \Connector\port 8447 EUQ service listening port with load balance. This port is used to perform load balancing between several Tomcat servers and the Apache HTTP server.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide PORT NUMBER COMPONENT AND ROLE CONFIGURATION LOCATION 8005 IMSVA management console server (Tomcat) management port that can handle Tomcat management command. {IMSVA}\UI\euqUI\conf \server.3)\port 8015 Tomcat management port that can handle Tomcat management command.xml: Server\Service \Connector (protocol=AJP \1.xml: Server\port 8009 EUQ management console Tomcat AJP port.xml: Server\Service \Connector\port 8445 Management console listening port. {IMSVA}\UI\adminUI\conf \server. {IMSVA}\UI\euqUI\conf \server. {IMSVA}\UI\euqUI\conf \EUQ. {IMSVA}\UI\euqUI\conf\ server. This port is used to handle requests sent to Tomcat.conf:Listen\VirtualHost \ServerName 33-16 . You need to open this port to log on to the management console using a web browser.conf: Listen \VirtualHost 8446 EUQ service listening port. {IMSVA}\UI\php\conf \widget.xml:Server\port 8442 Management console Tomcat port. Troubleshooting. Messages released from the central quarantine area in the admin database and from the EUQ database will be sent to this port for reprocessing. You are not required to open this port at the firewall. Due to security considerations.0.0. The manager also provides quarantine/archive query results to the management console and the EUQ management console through this port.cf 15505 IMSVA Manager listening port. It is therefore not accessible from other computers. imss.) All messages sent to this port will not be scanned by IMSVA. The manager uses this port to accept management commands (such as service start/stop) from the management console. IMSVA uses the following ports when you enable related service: 33-17 . the port is only bound at IMSVA server's loopback interface (127.ini\[Socket_3]\proxy_port 10026 The IMSVA "passthrough" SMTP port for internal use (such as the delivery of notification messages generated byIMSVA. IMSVA_HOME/postfix/ect/ postfix/master. FAQ. Go to Administration > IMSVA Configuration > Connections > Components.1). and Support Information PORT NUMBER COMPONENT AND ROLE CONFIGURATION LOCATION 10024 IMSVA scanner reprocessing port. How do I Open an IMSVA Port? Procedure 1. Not configurable on the IMSVA server. Not configurable on the IMSVA server. Log on the operating system with the root account using the SSH Client Tool. 443 Microsoft IIS HTTPS listening port. as the Control Manager Server depends on Microsoft IIS. 80 Microsoft IIS HTTP listening port.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide PORT NUMBER COMPONENT AND ROLE CONFIGURATION LOCATION 389 LDAP server listening port. 88 KDC port for Kerberos realm. WARNING! Do not modify the port number. Use the following command to add or delete a port in the firewall: 33-18 . Go to Administration > IMSVA Configuration > Connections > TMCM Server. Go to the following directory: /opt/TrendMicro/GoldenGate/bin. 53 The Bind service listening port. as the Control Manager Server depends on Microsoft IIS. Use this port if you are using Control Manager to manage IMSVA. Go to Administration > IMSVA Configuration > Connections > TMCM Server. 3. Go to Administration > IMSVA Configuration > Connections > LDAP. 2. Use this port if you are using Control Manager to manage IMSVA. Add the IP addresses or domains that you do not want blocked to the Approved List. 2. Procedure 1. Email Reputation How do I configure Email reputation to not block certain IP addresses or domains? Add the IP addresses/domains to the Email reputation approved list by doing the following: Note If the domain cannot be resolved by the DNS service. Log on to the management console./fwportconf add udp 161 or ./fwPortConf [add/del] [tcp/udp] [port_num] Example: .Troubleshooting. the domain will not work in the approved list. and Support Information ./fwportconf del udp 161 Frequently Asked Questions This section answers various Frequently Asked Questions. FAQ. 3. Click IP Filtering > Approved List. 33-19 . Therefore.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide IP Profiler Why is the domain name of an IP address that was added to the blocked/approved list always N/A? IMSVA does not determine the domain name of an IP address that was added to the blocked/approved list (IMSVA does resolve the IP address of an added domain name). Quarantine and Archive Can I use special characters to perform queries? Yes. To search for email addresses.tld Valid representation of the whole name or the domain (not the top level domain (TLD)). refer to the following examples: TABLE 33-2. . You can use the asterisk (*) to search for email addresses or file names. the previous connections for this IP address. Why does the IP Filtering Suspicious IP screen also display the connection information of blocked IP addresses? The IP Filtering > Suspicious IP screen shows all information for successful connections. name@*. you can use the following special characters to perform queries: • Asterisk (*): Used as a wildcard character to search for characters.tld. which have not been blocked. although an IP address is now in the blocked list. Search for email addresses EXAMPLE 33-20 DESCRIPTION * Valid representation of all email addresses. are shown. *@domain. tld DESCRIPTION Valid representation of both the name and the domain (not the TLD). Semicolon (. Kerberos requires the format: user_name@domain. To search for file names. *.* Valid representation of files with a specific name but of any extension. End-User Quarantine If I am using Kerberos. why are users unable to log on to the EUQ console with a short name: “domain\user_name”? Kerberos servers cannot accept user names in the format: Domain\user_name. FAQ. and Support Information EXAMPLE *@*. refer to the following examples: TABLE 33-3.* Valid representation of all files. Search for file names EXAMPLE • DESCRIPTION *.Troubleshooting. how do I enable EUQ to check multiple mail addresses for one user? If you installed one Microsoft Exchange Server together with Active Directory. name. you can do the following: 33-21 .extension Valid representation of all files of a certain extension.): Used as a separator when searching for multiple recipients or attachments.xxx If I installed Microsoft Exchange Server and have set multiple mail addresses for each user. 3. How can I speed up LDAP access if the LDAP server is Active Directory? There are two methods to speed up access. Click Administration > IMSVA Configuration > Connections. Use port 389 if your company has only one domain or if port 3268 is unavailable. LDAP queries directed to the global catalog are faster because they do not involve referrals to different domain controllers.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Procedure 1. If one item cannot be queried in one domain controller. Open the table tb_global_setting inIMSVA administrator database and replace the value of LDAP-->mail_attr from "mail" to "proxyAddresses". 2. Click the LDAP tab. Restart all IMSVA services. The Connections screen appears. 33-22 . Using Port 3268 for LDAP Queries Procedure 1. Note Trend Micro recommends using port 3268 for LDAP queries to Active Directory. Active Directory uses port 389 for LDAP query. it uses the LDAP referral mechanism to query another domain controller. 2. Select the LDAP server to modify. The method you use depends on the port number you can use: port 389 or port 3268. Active Directory uses port 3268 for the Global Catalog. Troubleshooting. Click Administration > IMSVA Configuration > Connections. and Support Information 4. FAQ. Configure the LDAP listening port value: 389. • Example 2 (pre-Windows 2000): IMSSTEST\bob Note The pre-Windows 2000 format is not supported by Kerberos authentication. 2. Configure the LDAP listening port value: 3268. Select the LDAP server to modify.com Note The logon name is not an email address (though it appears as one). The Connections screen appears. Click the LDAP tab. Why are some users unable to use Kerberos SSO? Users who are bound to SPN (Service Principal Name) cannot use Kerberos SSO. What user logon name formats does IMSVA support for Active Directory? Active Directory supports the following logon name formats: • Example 1: bob@imsstest. 4. 3. Using Port 389 for LDAP Queries Procedure 1. 33-23 . Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Spam Protection Service How is the spam catch rate determined? Specify a threshold value between 3. A high threshold value means that a message must be very "spam-like" to be classified as spam (this decreases the spam catch rate but reduces the likelihood of false positives).0 for IMSVAto classify a message as spam. Control Manager How do I verify that IMSVA is registered to Control Manager? Unregistered from Control Manager? There are three ways to verify: • From the Control Manager management console • From the OS shell • From the IMSVA management console 33-24 . ActiveUpdate How do I roll back a pattern file? Click the Rollback button on the System Status screen. A lower threshold value means that a message only needs to be slightly "spam-like" to be classified as spam (this increases the spam catch rate and may lead to more false positives).0 and 10. FAQ. 2. 2. Verifying that IMSVA is registered from the OS shell Procedure 1. Log on to the Control Manager management console. Click Products. Check the Connections Status. Log on to the OS shell. Log on to the IMSVA web console. Navigate to Administration > Connections > TMCM Server. The Product Directory screen appears.Troubleshooting. and Support Information Verifying that IMSVA is registered from the Control Manager management console Procedure 1. Type the following command: /opt/trend/imss/script/S99CMAGENT isregistered Verifying that IMSVA is registered from IMSVA management console Procedure 1. 3. 2. Check the Product Directory Local Folder forIMSVA. 3. 33-25 . com I use Sun iPlanet as my LDAP server. modify the value in /opt/trend/imss/config/imss. verify that the DNS server is configured correctly.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide LDAP I cannot add an LDAP server using the correct admin account. Next.ini controls how IMSVA processes partial messages. Why? First. Why? First. If the ServicePrincipalName has changed.ini. Increase the value of "nsslapdlookthroughlimit" on the Directory Server > Directory > cn=config > Plugins > ldbm database > config > General Editor screen. For example: [LDAP-Setting] server-spn=ad2008@domain. Then check the ServicePrincipalName of Active Directory 2008 Kerberos. but my accounts are not synchronizing correctly to Cloud Pre-Filter. verify the LDAP server type and logon name format are configured correctly. Active Directory 2008 cannot use Kerberos authentication. 33-26 . verify that the LDAP server can be connected to IMSVA. Why? If you have more that 2000 account on Sun iPlanet LDAP server you need to make some changes to the Sun iPlanet LDAP server. Other FAQs How does IMSVA process a partial message? The key BypassMessagePartial in theIMSVA configuration file imss. Policy settings will be reloaded in no longer than three (3) minutes. Why are newly created administrator accounts not able to access the User Quarantine Access. and Product License pages? Only the default IMSVA admin account has the permission to access the User Quarantine Access. modify the policy_server=>dbChangePollIntervalInSecs setting in the tb_global_setting table of the IMSVA administrator database as desired. Admin Accounts. FAQ. Why are changes to the IMSVA configuration settings not applied immediately? There is a lapse between the time you modify the configuration settings from the management console and the time modifications are actually updated on the IMSVA server.Troubleshooting. Note Trend Micro recommends that you do not send mail to IMSVA immediately after modifying the configuration settings from the management console. If you want the settings to load faster. imssmgr will take no longer than one (1) minute to reload the new settings modified from the management console. If the key is set to yes (default setting). Custom admin accounts cannot access these pages. IMSVA will bypass partial messages.ini file. Are there limits on the following items? • Senders and recipients for each rule • Mail addresses in one address group 33-27 . For other general settings. and Product License pages. Admin Accounts. and Support Information IMSVA rejects partial messages as a malformed message if BypassMessagePartial=no in the imss. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Approved/Block Senders for SPS rule The total size of each rule cannot exceed 640KB. The total size includes the rule route (senders/recipients). 2. In this situation. Why are messages from some senders always received as attachments? Why is the message body replaced by the disclaimer or stamp? When the character set of the stamp is different from the character set of the message content. and rule action. however. IMSVA will encounter issues inserting the stamp into the message body after scanning the message. The message content. 33-28 . The maximum number of mail addresses for one address group is 10. insert the stamp into the message body. Go to Policy > Policy List. IMSVA can support at least 10. Click the link for an existing rule to edit the rule. Trend Micro recommends that you use "^(\s)*$" (without the quotation marks). How can I specify a keyword expression to represent a blank header for matching fields such as "From". rule filter (scanning condition). and attach the original message. Assuming that each email address/LDAP account consists of 20 characters. edit a rule’s scanning condition as follows: Procedure 1. The expression "^(\s)*$" (without the quotation marks) represents a blank header or whitespace characters. if you want to check if a message’s From header is blank. will not be changed.000 senders/recipients for the rule route. For example.000. "To". or "Subject" when creating rules with the content filter? If you are going to use a regular keyword expression to represent a blank header. IMSVA will create a new message. The maximum number of Approved/Block Senders for SPS rule is 5000. Troubleshooting. Most scan conditions do not apply. 4. Click And scanning conditions match. Port 9000 is the default port that Cloud Pre-Filter uses to connect to the Cloud service. Why does the message size scan condition not work for encrypted messages? IMSVA treats encrypted messages as a special type of message.emailsecurity. 5. 33-29 . IMSVA requires the use of the encrypted message scan condition to scan or perform actions on encrypted messages. and Support Information 3.trendmicro. Click Add to create a new keyword expression. Open port 9000 if the firewall does not allow connection to the port. Click Header keyword expressions under the Content section.com 9000 • If you use a proxy server to connect to Cloud Pre-Filter. try the following: • If there is a firewall on your test segment. use the following command from IMSVA to verify that IMSVA can connect to Cloud PreFilter: telnet ws. Troubleshooting Cloud Pre-Filter Unable to Connect to Cloud Pre-Filter If you cannot connect to Cloud Pre-filter. Add the content as "^(\s)*$”" (without the quotation marks). • If you do not use a proxy server for connection to Cloud Pre-Filter. verify the proxy server allows access through port 9000. FAQ. 6. verify that the firewall allows access through port 9000. trendmicro. share experiences. Procedure 1. consider visiting the following Trend Micro online resources. enthusiasts. 3. go to: http://community. The Technical Support product page appears. Support Information Troubleshooting Resources Before contacting technical support.com.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Unable to Receive Messages from Cloud Pre-Filter If you can connect to Cloud Pre-Filter but cannot receive the messages. 2. verify the status of Cloud Pre-Filter by clicking the Cloud Pre-Filter Status and Scheduled Maintenance Information link on the Cloud Pre-Filter Policy List screen. and discuss security concerns with other users. . ask questions.trendmicro. and security experts. Select a product or service from the appropriate drop-down list and specify any other related information. 33-30 Use the Search Support box to search for available solutions.com/ Using the Support Portal The Trend Micro Support Portal is a 24x7 online resource that contains the most up-todate information about both common and unusual problems. Trend Community To get help. Go to http://esupport. cloud and virtualization security. YouTube. If no solution is found. and other social media • Threat reports. and data encryption. or submit a support case here: http://esupport. podcasts.aspx A Trend Micro support engineer investigates the case and responds in 24 hours or less. Go to http://www. malicious URLs. spam. and known vulnerabilities.two or more technologies combined to bypass computer security protocols.com/us/security-intelligence/index. click Submit a Support Case from the left navigation and add any relevant details. FAQ. research papers.trendmicro. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats. Twitter.Troubleshooting. apps. Go to http://www. Threat Encyclopedia Most malware today consists of "blended threats" .com/vinfo to learn more about: • Malware and malicious mobile code currently active or "in the wild" • Correlated threat information pages to form a complete web attack story • Internet threat advisories about targeted attacks and security threats • Web attack and online trend information 33-31 . Trend Micro combats this complex malware with products that create a custom defense strategy. and Support Information 4.trendmicro. Facebook. Security Intelligence Community Trend Micro cyber security experts are an elite security intelligence team specializing in threat detection and analysis. and newsletters from global security insiders • Free tools. including known malware. and widgets.trendmicro.com/srf/SRFMain. and spotlight articles • Solutions.html to learn about: • Trend Micro blogs. Contacting Trend Micro In the United States. fax. and any additional hardware connected to the endpoint • Amount of memory and free hard disk space • Operating system and service pack version • Endpoint client version • Serial number or activation code 33-32 .com Speeding Up the Support Call To improve problem resolution. have the following information available: • Steps to reproduce the problem • Appliance or network information • Computer brand. Inc.html • Trend Micro product documentation: http://docs.trendmicro. or email: Address Trend Micro.com • Worldwide support offices: http://www. 10101 North De Anza Blvd.com/us/about-us/contact/index.com Email address [email protected] Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide • Weekly malware reports. CA 95014 Phone Toll free: +1 (800) 228-5651 (sales) Voice: +1 (408) 257-1500 (main) Fax +1 (408) 257-2003 Website http://www..trendmicro.trendmicro. model. Trend Micro representatives are available by phone. Cupertino. Email Reputation Services Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: https://ers. Sending Suspicious Content to Trend Micro Several options are available for sending suspicious content to Trend Micro for further analysis. and Support Information • Detailed description of install environment • Exact text of any error message received.sitesafety.trendmicro.aspx Record the case number for tracking purposes.com/solution/en-us/1059565.com/solution/en-us/1055473.Troubleshooting.trendmicro. or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware): http://global.aspx Web Reputation Services Query the safety rating and content type of a URL suspected of being a phishing site.com/ If the assigned rating is incorrect. send a re-classification request to Trend Micro.trendmicro. File Reputation Services Gather system information and submit suspicious file content to Trend Micro: http://esupport. FAQ.com/ Refer to the following Knowledge Base entry to send message samples to Trend Micro: http://esupport. 33-33 .trendmicro. and timely and seamless solutions delivery.com/ Download Center From time to time. innovative techniques. The Readme file also contains installation instructions. attack prevention. TrendEdge Find information about unsupported. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners. and best practices for Trend Micro products and services.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Other Resources In addition to solutions and support. there are many other helpful resources available online to stay up to date. Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. go to: http://www. To find out whether any patches are available. and be aware of the latest security trends. tools. open the Readme file to determine whether it is relevant to your environment. TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services. learn about innovations. TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect. The daily culmination of 33-34 . and eliminate attacks.trendmicro. preempt. TrendLabs TrendLabs℠ is a global network of research.trendmicro. Serving as the backbone of the Trend Micro service infrastructure.com/download/ If a patch has not been applied (patches are dated). development. and action centers committed to 24x7 threat surveillance. See the latest information added to TrendEdge at: http://trendedge. and other interested parties. employees. Troubleshooting. and Support Information these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.trendmicro.html#trendlabs 33-35 . FAQ. Learn more about TrendLabs at: http://cloudsecurity.com/us/technology-innovation/experts/ index. . Appendices Appendices . . A-1 .Appendix A Default Directory Locations This appendix provides information on the default directory locations that IMSVA uses for mail processing. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Default Mail Queues The following table shows the various mail directories that store the mail messages managed by IMSVA. /opt/trend/imss/queue/ quarantine A-2 queue_notify= queue_notify_big= /opt/trend/imss/queue/ notify /opt/trend/imss/queue/ notifybig queue_postpone= queue_postpone_big= /opt/trend/imss/queue/ postpone /opt/trend/imss/queue/ postponebig queue_deliver= queue_deliver_big= /opt/trend/imss/queue/ deliver /opt/trend/imss/queue/ deliverbig queue_reprocess= queue_reprocess_big= /opt/trend/imss/queue/ reprocess /opt/trend/imss/queue/ reprocessbig Stores notification messages. /opt/trend/imss/queue/ archive queue_quarantine = Stores quarantined messages. . queue_malform= /opt/trend/imss/queue/ malform queue_archive= Stores archived messages. Stores postponed messages. TABLE A-1. Stores messages pending reprocessing. Stores messages for final delivery. Default Mail Locations QUEUES FOR REGULAR MAILS QUEUES FOR LARGE MAILS DESCRIPTIONS Stores malformed messages. /var/spool/postfix/ deferred Stores messages that could not be delivered on the first attempt. /var/spool/postfix/ corrupt Unreadable or damaged queue files are moved here for inspection. /var/app_data/imss/ dtas_upload Stores messages pending submission to the Deep Discovery Advisor server.Default Directory Locations QUEUES FOR REGULAR MAILS QUEUES FOR LARGE MAILS queue_handoff= queue_handoff_big= /opt/trend/imss/queue/ handoff /opt/trend/imss/queue/ handoffbig queue_undeliverable= /opt/trend/imss/queue/ undeliverable queue_unnotify= /opt/trend/imss/queue/ unnotify DESCRIPTIONS Stores messages pending handoff. Stores undeliverable messages. or from the /var/spool/postfix/ maildrop directory. A-3 . /var/spool/postfix/ active Stores messages that the queue manager has opened for delivery. /var/spool/postfix/hold Stores messages that are kept "on hold" until someone releases them. /var/spool/postfix/ incoming Stores incoming mail from the network. Stores undeliverable notification messages. Virus and Program Logs Many modules in IMSVA write log information for troubleshooting purposes to the following folder: /opt/trend/imss/log and /var/log Temporary Folder IMSVA stores all application-generated temporary files in the temporary folder: /opt/trend/imss/temp/ and /tmp Note This directory is not configurable.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide eManager. Notification Pickup Folder IMSVA stores all notification messages. and then delivers them to a specified SMTP notification server: /opt/trend/imss/queue/notify/ and /opt/trend/imss/queue/notifybig A-4 . picks them up from the following folders. Note The queue_notify_big queue is for large mail messages.Default Directory Locations Configuring the SMTP Notification Server Procedure • Go to Administration > Notifications > Delivery Settings. A-5 . . Appendix B IMSVA Scripts This appendix provides you with a list of IMSVA scripts and their respective parameters that you can invoke from the command line. B-1 . Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Using IMSVA Scripts IMSVA scripts provide a convenient and alternative means of performing administrative tasks from the command line. the respective parameters and the functions that the scripts perform. Note All scripts listed in the table (except foxproxyd) are located in: /opt/trend/imss/script foxproxyd is located in: /opt/trend/imss/ipprofiler/script TABLE B-1.sh start / stop / status / reload / restart Postgres database service db_maintain. [vacuum] . [reindex] .sh {vacuum|reindex|analyze| all} Used by S99SCHEDULED for database maintenance. The following table lists the IMSVA scripts. euqtrans B-2 all / approved sender Transfers EUQ database data or approved senders . IMSVA Scripts SCRIPT PARAMETERS DESCRIPTION dbctl. Note Do not run this script on its own.Reindex admin db and all euq db. [all] . [analyze] .Analyze admin db and all euq db.Vacuum admin db and all euq db.Vacuum && Reindex && Analyze. sh DBDSN username password Notifies the policy server to reload the policy settings foxproxyd start / stop / restart IP Profiler service ibe_server.sh start / stop / restart Open LDAP local cache service postfix start / stop / reload / restart Postfix daemon regippro. imssstart. S99ADMINUI start / stop / restart Central Controller S99CLEANEU Q Removes expired quarantined data from the EUQ and admin databases as configured under the Administration > User Quarantine Access area of the management console.sh Forces all IMSVA services to stop.sh start / stop / restart Trend Micro Email Encryption service imssctl.sh start / stop / stop_others / restart / restart_others / status Controls all IMSS services imsstop.sh reg / unreg Register or unregister IP Profiler to or from the admin database.sh Start all IMSS services openldap. S99CLEANEX PIRE Removes expired quarantined and archived data from the EUQ and admin databases as configured under the Quarantine & Archive > Settings area of the management console.IMSVA Scripts SCRIPT PARAMETERS DESCRIPTION forceUpdate. S99CMAGENT start / stop / restart / unregister / isregistered S99DIGEST S99DTASAGE NT CMAgent service Sends the EUQ digest message start / stop / restart Deep Discovery Advisor agent service B-3 . Note Do not run this script on its own. [option]: • -s: generates centralized reports (covers all one-time and scheduled reports configured on the management console) • Note Do not run this script on its own. S99UPDATE start / stop / restart Used by S99SCHEDULED to run the scheduled update.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide SCRIPT PARAMETERS DESCRIPTION S99EUQ start / stop / restart EUQ service S99FOXDNS start / stop / restart Foxdns service S99IMSS start / stop / restart IMSS scanner service S99MANAGER start / stop / restart Manager service S99MONITOR start / stop / restart Manager monitor service S99MSGTRAC ING start / stop / restart Message Tracing service S99POLICY start / stop / restart Policy service S99REPORT [option] start / stop / restart Used by S99SCHEDULED to generate related reports. B-4 . -h: generates hourly individual traffic data • -t: generates hourly traffic data • -d: performs database log maintenance S99SCHEDUL ED start / stop Starts the scheduled task. IMSVA Scripts SCRIPT S99WRSAGEN T PARAMETERS start / stop / restart DESCRIPTION WRS agent service B-5 . . Appendix C Creating a New Virtual Machine Under VMware ESX for IMSVA This appendix describes how to create a new virtual machine for IMSVA. Topic included: • Creating a New Virtual Machine on page C-2 C-1 . memory and hard disk space selected should reflect the requirements for your deployment. The number of CPUs. .1/4.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Creating a New Virtual Machine The actual installation of ESX 4. Please use the following steps as a guideline for creating the virtual machine for your environment. NIC cards. The values entered here are for instructional purposes. select File > New > Virtual Machine.0 is not covered in this document. C-2 From the menu bar. The steps outlined below detail the process to create a new virtual machine under VMware ESX to install IMSVA. Please refer to VMware's product documentation to install this product. Procedure 1. 3. leave the Typical radio button selected. Click Next. Under Virtual Machine Configuration. FIGURE C-1. Virtual Machine Configuration 2.Creating a New Virtual Machine Under VMware ESX for IMSVA The New Virtual Machine Wizard appears. C-3 . . FIGURE C-2. C-4 In the Name field.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Name and Location screen appears. type an appropriate machine name and then click Next. Select a Name and Location for this Virtual Machine 4. Creating a New Virtual Machine Under VMware ESX for IMSVA The Datastore screen appears. Virtual Machine Datastore 5. Click Next. Select the datastore where the virtual machine will reside. 6. FIGURE C-3. C-5 . . Click Next.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Virtual Machine Version screen appears. Specify the virtual machine version to use. 8. C-6 7. FIGURE C-4. Virtual Machine Guest Operating System 9.Creating a New Virtual Machine Under VMware ESX for IMSVA The Guest Operating System screen appears. 10. For the guest operating system. Click Next. C-7 . select Linux > Other Linux (64-bit). C-8 . Virtual Machine CPU 11. Click Next. FIGURE C-5. 12.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The CPUs screen appears. Select the number of processors for the virtual machine. so select the maximum number of virtual processors available. IMSVA takes advantage of the Virtual SMP. Virtual Machine Memory 13.Creating a New Virtual Machine Under VMware ESX for IMSVA The Memory screen appears. Trend Micro recommends at least 8192MB of RAM. Allocate 4096MB of memory as a minimum for IMSVA. 14. Tip For improved performance. C-9 . Click Next. FIGURE C-6. FIGURE C-7.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Network screen appears. Virtual Machine Network 15. Click Next. 16. Accept the default network settings. C-10 . 18. C-11 .Creating a New Virtual Machine Under VMware ESX for IMSVA The SCSI Controller screen appears. Click Next. 17. Select LSI Logic Parallel. 20.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Select a Disk screen appears. Click Next. Select Create a new virtual disk. C-12 . 19. IMSVA requires at least 120GB disk space.Creating a New Virtual Machine Under VMware ESX for IMSVA The Create a Disk screen appears. Click Next. See for more information on disk space allocation. FIGURE C-8. C-13 . Tip Trend Micro recommends 250GB or more of disk space for message quarantine and logging purposes. 22. Specify at least 120GB of disk space. Virtual Disk Capacity 21. Click Next. 24. 23. Usually these options do not need to be changed. C-14 .Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Advanced Options screen appears. Specify the advanced options if required. Ready to Complete 25.Creating a New Virtual Machine Under VMware ESX for IMSVA The Ready to Complete screen appears. 26. If you want to modify the system component settings. The new Virtual Machine is now ready and configured to be powered on and begin the installation process. Verify your settings and then click Finish. FIGURE C-9. C-15 . check the Edit the virtual machine settings before submitting check box and then click Continue. Click Continue. . Topics include: • Understanding Hyper-V Installation on page D-2 • Installing IMSVA on Microsoft Hyper-V on page D-2 • Using Para-Virtualization Mode on page D-18 • Using NTP on IMSVA on page D-21 D-1 .Appendix D Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA This appendix describes how to create a new virtual machine for IMSVA under Microsoft Hyper-V. memory. IMSVA Support for Hyper-V IMSVA only supports Hyper-V on Windows Server 2008 R2 and Windows Server 2008 R2 with SP1 or later. This appendix provides step-by-step instructions to install IMSVA on Hyper-V based virtual machines. and hard disk space selected should reflect the requirements for your deployment. The values provided are for instructional purposes. The number of CPUs. The procedure outlined in this appendix describes how to install IMSVA on a Windows 2008 Server R2 Hyper-V server. Refer to Microsoft product documentation to install Hyper-V. The actual installation of Hyper-V is not covered in this document. Hyper-V Virtualization Modes Hyper-V provides two virtualization modes that support IMSVA: • Full-virtualization • Para-virtualization Tip Trend Micro recommends installing IMSVA in para-virtualization mode. NIC cards.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide Understanding Hyper-V Installation IMSVA supports installation on Microsoft Hyper-V based virtual platforms. D-2 . IMSVA provides the necessary integrated Hyper-V drivers to support the installation under Hyper-V as a para-virtualization virtual machine. Installing IMSVA on Microsoft Hyper-V Use the following steps as a guideline for creating a virtual machine for your environment. This allows IMSVA to achieve much higher throughput performance and supports enterprise networking environments. A menu appears. Connect to Server 2. FIGURE D-1. Creating a Virtual Network Assignment Procedure 1. Select Connect to Server. From the Hyper-V Server Manager menu.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA Note Creating a New Virtual Machine on page D-6 only covers installing IMSVA on Hyper-V in full-virtualization mode. right-click Hyper-V Manager. Using Para-Virtualization Mode on page D-18 describes how to convert full-virtualization to para-virtualization. D-3 . 4. Location of Virtualization Server 3. Right-click the Windows 2008 R2 server and select Virtual Network Manager.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide A dialog box appears prompting you to select the location of the virtualization server that you want to connect to. D-4 Create a new virtual network by selecting External from the list of options and clicking Add. . Select Virtual Network Manager 5. FIGURE D-2. FIGURE D-3. Specify the location of the virtualization server and click OK. Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA FIGURE D-4. select the physical network adaptor you want to connect to. D-5 . From the External drop-down menu. Note The physical adaptor must be connected to the network and have access to the corporate network and the Internet. Adding the “External” Virtual Network 6. right-click the Windows 2008 R2 server. . Physical Network Adaptor Selection Creating a New Virtual Machine Procedure 1. and select New > Virtual Machine. D-6 From the Hyper-V Server Manager menu.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FIGURE D-5. New Virtual Machine Wizard 2. Click Next. D-7 . FIGURE D-6.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA The New Virtual Machine Wizard appears. If you plan to store the virtual machine to another folder. Click Next. In the Name field. . Specify Name and Location D-8 3.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Specify Name and Location screen appears. select Store the virtual machine in a different location and provide the correct location. type a meaningful machine name. 4. FIGURE D-7. 6.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA The Assign Memory screen appears. D-9 . Click Next. Tip Trend Micro recommends allocating 8192MB of RAM. Assign Memory 5. FIGURE D-8. Allocate at least 4096MB of memory for IMSVA. D-10 . 8. Configure Networking 7. Click Next.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Configure Networking screen appears. Keep the default network settings Not Connected. FIGURE D-9. Connect the Virtual Hard Disk 9. D-11 . 10. Tip Trend Micro recommends 250GB or more of disk space for message quarantine and logging purposes. FIGURE D-10. and click Next. Specify at least 120GB disk space for IMSVA.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA The Connect Virtual Hard Disk screen appears. Specify a location to store the virtual hard disk. and click Next. Keep the default setting Install an operating system later.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The Installation Options screen appears. Installation Options 11. D-12 . FIGURE D-11. The Settings for test screen appears. and select Legacy Network Adapter. Verify your settings and click Finish. Click Add Hardware.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA The Completing the New Virtual Machine Wizard screen appears. and select Settings. D-13 . Completing the New Virtual Machine Wizard 12. Some manual configuration is still required. Right-click your new Virtual Machine. 13. 14. FIGURE D-12. Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FIGURE D-13. 16. Click OK. D-14 . Select the correct virtual network adapter. Add Hardware: Legacy Network Adapter 15. Click OK. Remove the Network Adapter from the Hardware list. D-15 . 18. Configure Legacy Network Adapter 17.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA FIGURE D-14. Click OK. D-16 . 20. Remove Network Adapter 19. Select the image file for IMSVA from the DVD Drive in the Hardware list.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FIGURE D-15. Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA FIGURE D-16. Add Image file into DVD Drive D-17 . Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide The virtual machine is now ready to be powered on to begin the installation process. FIGURE D-17. you can enable the appropriate drivers to make IMSVA enter Para-Virtualization Mode. D-18 . IMSVA installed on a Hyper-V virtual machine Using Para-Virtualization Mode If IMSVA has been installed on a Hyper-V virtual machine with Full-Virtualization Mode. 6. Checking for new synthetic nics… Hyper-V Driver Installation finished.2. 2.img Done.6. D-19 . IMSVA provides the necessary integrated Hyper-V drivers to support the installation under Hyper-V as a para-virtualization virtual machine.img.OpenVA.2.18-128.6. This allows IMSVA to achieve much higher throughput performance and supports enterprise networking environments.0.OpenVA. Open the CLI console and backup your current network configuration.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA Tip Trend Micro recommends using IMSVA in Para-Virtualization Mode.1020. Updated /boot/initrd-2.1.1.0.0.18-128.1020.18-128.OpenVA.1020.backup0 Done.img to /boot/initrd-2. Procedure 1.1. Enable Hyper-V Para-Virtualization drivers using the following commands: [root@imsva8 ~]# enable-hyperv.sh Backing up /boot/initrd-2.2. Move to Para-Virtualization Mode 3.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide FIGURE D-18. Reconfigure the Virtual Network Adapter on the Virtual Machine Settings screen. • D-20 Remove the Network Adapter . Shut down IMSVA: [root@imsva82 ~]# poweroff 4. The virtual machine is now in Para-Virtualization Mode. Change Network Adapter 5. FIGURE D-19. Disable the time synchronization service in Hyper-V. Power on the virtual machine. Using NTP on IMSVA Procedure 1.Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA • Add a network adapter with the correct virtual network adapter. Open the CLI console and reconfigure the network configuration. D-21 . Add the following to the appropriate kernel line: notsc divider=4 For example: title IMSVA (2.conf). Use an SSH client to connect to IMSVA and modify the kernel boot options by editing the GRUB configuration file (/boot/grub/grub.OpenVA.18-128.1. a. On another SSH session. $ hwclock --systohc 5. Synchronize the system time manually.OpenVA.6.0. b. Navigate to the Hyper-V settings screen.0.2. 3. $ service ntpd stop $ ntpdate [ntp server] 4.2. set the hardware clock to the newly synchronized time.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide 2. disable Time synchronization.0) kernel /vmlinuz-2.6. Under Integration Services. D-22 Reboot the IMSVA device.1.1067) root (hd0.18-128. .1067 ro root=/dev/IMSVA/Root2 quiet notsc divider=4 Note The divider accepts only values between 1 and 4. xvii centralized policy. 15-5 delete. 3-2. 31-3 reset when connection broken. 15-2 administrator accounts add. 31-4 Cloud Pre-Filter configure DNS MX records. 29-18 Internal Communication Port. 17-29 audience. 15-9 address groups examples of. 29-5 edit. 31-5 configure IP Settings. 1-2 activate IMSVA. xvii centralized logging. 31-5 Web console password. 20-13 attachment size scanning conditions. 3-2. 17-20 archive. 29-23 product. 10-21 approved senders list configure. 31-3 change to parent. 17-12 centralized archive and quarantine. 3-2. 25-8 archived messages view. 15-2 understand. 29-2 address group add. 3-5. 9-14 IN-1 . 29-2 delete. 10-22 blocked senders list configure. 29-2 Advanced Threat Scan Engine. 25-3 archive areas manage. 4-17 license. 32-5 approved list add IP addresses. 1-11 antivirus rule. 25-18 asterisk wildcard use. 29-5 manage. xvii change device roles. 17-20 bounced mail settings configure. 10-16 C C&C email. xix B back up IMSVA. 31-8 remove from group. xvii configure settings. 27-5 blocked list add IP addresses. 2-7 child add to group. 3-5. 13-4 application rescuing. 29-24 add administrator accounts.Index A about IMSS appliances. 15-9 edit. 7-2 adware. 17-10 APOP. 15-26 configuration wizard. 9-14 IN-2 Email reputation. 9-18 troubleshoot. 19-2 scheduled reports. 11-2 SMTP settings. 30-2 entering the shell environment. 11-7 notification messages. 26-8 configure event criteria. 4-4 Direct Harvest Attack (DHA) settings. 10-8 IP Filtering bounced mail settings. 18-2 . 10-10 IP Filtering virus settings. 30-3 using. 11-11 Message Rule settings. 17-21 System Settings. 4-2 configure approved senders list. 6-2 verify it works. 4-7 other scanning exceptions scan actions. 1-17 command line interface accessing. 15-28 using. 25-3 blocked senders list. 19-7 expressions. 22-5 Command & Control (C&C) Contact Alert Services. 29-16 update source. 19-7 security setting violation scan actions. 16-2 IP Filtering.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide create account. 25-22 Web EUQ Digest settings. 10-18 encrypted message scan actions. 30-2 commands. 9-14 Cloud Pre-Filter tab. 33-29 understand. 24-2 Messaged Delivery settings. 6-5 create policy. 13-4. xviii Configuration Wizard accessing. 4-15 database maintenance schedule. 4-5. 19-5 POP3 settings. 29-7 log settings. 26-3 Deployment Settings. 4-10. 26-5 notification settings. B-2 community. 29-14 quarantine settings. 29-6 Control Manager server settings. 17-7 scan exceptions. 17-20 child IP settings. 19-3. 4-8 User Quarantine Access. 26-5 configuring Encryption settings. 30-3 overview. 4-13. 10-16 IP Filtering spam settings. 19-4 SMTP routing. 25-3 route. 29-19 delivery settings. 15-14 internal addresses. 4-3 TMCM settings. 9-2 suggested settings with IMSVA. 10-12 LDAP settings. 9-4 policies. 23-9 security setting violation exceptions. 29-18 connection settings. 11-3. 17-20 archive settings. 11-2 spam text exemption rules. 33-30 compliance templates predefined expressions. 10-13 DNS MX records. 26-3 Deployment Settings configure. xix domains display. 22-2 database configure maintenance schedule. 8-4. 11-7 Email reputation. 8-2 email relay. 1-5 enable Control Manager agent. 8-5 E edit address group. 27-9 replicate settings. 7-4 default tabs. 15-9 administrator accounts. 10-23 suspicious IP addresses. 31-5 dialers. 15-28 Deep Discovery Advisor. 25-21 delete address group. 10-10 POP3 scanning. 10-18 enable. 31-5 device roles change.Index connection settings configure. 29-5 Email Encryption managing domains. 28-9 IP Profiler. 13-3 encrypting messages. 10-8 End-User Access. 8-5 understand. 29-6 Control Manager enable agent. 22-3 deferred messages view. 3-5. 15-9 administrator accounts. 10-3 configure. 27-10 see Trend Micro Control Manager. 3-5. 10-23 Email Encryption. 8-4 registering domains. 31-5 parent to child. 29-5 delivery settings configure. 2-12 D dashboard using. 18-3 Encryption settings IN-3 . 10-13 display domains. 29-19 data protection compliance templates predefined expressions. 27-9 Email reputation. 1-5 unproductive messages. 4-4 device rescuing. 1-12 Control Manager server settings configure. 11-3. 10-8 email threats spam. 32-5 device role change child to parent. xviii Administration Console. 32-4 application. 4-15 Conventional scan. 10-8 IP Profiler rules. 10-23 documentation IMSVA related. 1-11 Direct Harvest Attack (DHA) settings configure. 18-2 End-User Access enable. 10-2 IP Filtering tab. 31-7 IP Filtering configure. 10-2 using. 23-2 IN-4 H hacking tools. 4-13. 10-12 IP Filtering Service about. 1-15 filtering. 10-16 configure Direct Harvest Attack (DHA) settings. 27-5 rescue. 33-21 IP Profiler. 33-20 quarantine. 31-8 parent. 15-13 expressions configure. 26-2 export notes. 25-27. 33-20 File Reputation Services. 10-8 configure bounced mail settings. 15-19 F FAQ archive. 28-7 web console. 27-2 expression lists manage. 1-7 filters examples of. 29-7 . 28-17 open the console. 15-2 G generate reports. 27-7 scripts. 1-11 I import notes. 33-20 ERS. 28-2 authentication. 10-10 configure virus settings. 27-2 IMSS appliances about. 32-4 restore. 28-13 start. 10-2 EUQ. 33-19 EUQ. 10-8 enable rules. 15-14 regular. 28-9 ERS MTA settings. 26-5 event notifications. 28-13 event criteria configure. xviii enable. 16-2 Internal Communication Port child. xvii. 10-10 J joke program. 10-13 configure spam settings. 1-11 L LDAP settings configure. B-2 internal addresses configure. 1-2 IMSVA backing up. 4-10. how it works.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide configuring. 22-4 IP Profiler. 28-2 disable. 29-23 renew. 24-11 M manage administrator accounts. 11-11 Message Rule settings configure. 26-2 notification settings configure. 14-1 product licenses. 29-2 expression lists. 23-5 online community. 3-2. 17-30 message traffic tab. 11-7 message size scanning conditions. xii notes export. 31-7 password Web console. 17-28 MTA with ERS. 24-4 query IP filtering. 26-5 notifications event. 29-23 logs. 24-12 query system event. 16-7 license activate. 24-2 configure settings. 33-30 online help. 15-37 O one-time reports manage. 8-4 manual update. 15-37 one-time reports. 11-11 Message Delivery settings configure. xix other rule. xvii. 27-2 notification messages configure. 1-6 message delivery. 24-15 query policy event. 17-12 P parent change role. xviii N new features. 5-2 permitted senders. 15-13 notifications list.Index LDAP User or Group search for. 27-2 import. 4-7 notifications list manage. opportunistic TLS. 11-10 policies add. 24-8 query MTA event. 5-4 mass mailing viruses pattern. 29-20 manage domains for Email Encryption. 22-4 MIME content type scanning conditions. 31-5 Internal Communication Port. 1-11 pattern files update. 23-5 policies. 24-16 query message tracking. 2-7 password cracking applications. 17-2 IN-5 . 10-2 MTA features. 24-2 query. xvii content. 29-21 product services. 17-7 specify. 17-45 manage. 25-13 deferred messages. 13-2 POP3 scanning enable. 13-4. 24-8 IN-6 MTA event logs. 15-38 POP3 messages scan. 24-4 messages. 29-23 replicating settings. 11-1 scan actions . 15-28 Pre-Filter. 29-20 view. 24-15 policy event logs. 32-4 rescue mode. 5-5 route configure. 13-3 POP3 settings configure. 32-5 rescuing the device. 25-17 query archive areas. 25-3 quarantine and archive. 25-20 predefined expressions. 25-2 quarantine areas manage. 32-4 rescuing the application. 25-5 quarantined messages view. 20-4 finalize. 24-12 postponed messages. 8-5 remote access tools. 23-5 scheduled reports. 23-2 manage one-time. 27-9 reports. 32-4 restore IMSVA. 25-10 system event logs.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide example 1. 25-10 message tracking logs. 17-2 S scan POP3 messages. 24-16 logs. 27-7 roll back components. 2-10 Q quarantine. 1-11 renew license. xiv product licenses manage. 24-11 R readme file. 15-38 edit. 23-8 rescue IMSVA. 25-14 quarantine areas. 14-1 policy. 29-14 postponed messages view. 25-15 IP filtering logs. xvii configure settings. xx register domains for Email Encryption. 13-2 SMTP messages. 23-2 generate. xvii policy notification add. 23-9 use. 1-11 risks and threats. 17-9 true file type. 2-11 scanning conditions. 23-8 scheduled updates. 19-7 configure other scanning exceptions settings. 5-2 scan exceptions configure. 17-29 extensions. 27-8 shell environment. xviii spam settings configure. 1-10 adware. 5-3 spyware/grayware. 17-18 specify. 19-5 scan engine update. 17-2 scanning conditions. 1-11 hacking tools. 11-1 SMTP routing. 11-2 configure. 19-3. 1-17 Smart Scan. 1-11 password cracking applications. 19-7 configure scan actions. 2-10 IP Filtering Service. 19-2 Scan methods. 5-6 security risks spyware/grayware. 1-11 joke program. 10-2 settings that cannot be restored. 1-11 entering the network. 33-34 suspicious IP addresses display. 11-2 spam prevention. 1-10 security setting violations configure exceptions. 17-9 update source. 1-11 remote access tools. 2-12 SMTP notification server. 19-4 services. 17-27 attachment number. 33-30 resolve issues faster. 17-30 attachment size. 17-29 scheduled reports configure. 17-30 MIME content type. 17-27 message size. 10-10 spam text exemption rules configure. 33-32 TrendLabs. A-5 SMTP messages scan. 17-35 route. 10-23 system overview tab. 17-29 attachment names. 22-3 IN-7 . 11-2 SMTP settings configure. 1-11 start EUQ. 4-5. 1-15 Smart Protection Network.Index configure encrypted message settings. 28-7 support knowledge base. 1-11 dialers. 17-21 specify actions. 17-28 spam. 30-3 Smart Protection. 5-2 scan engine. 29-16 transport layer. 33-34 Trend Micro Control Manager. 22-7 . 33-10 true file type. 33-2 email notifications. 5-2 system and application. 5-6 manually. 22-3 understand. 1-12 troubleshooting. 25-20 product licenses. 29-21 quarantined messages. 22-2 tag subject add. 2-7 Web EUQ. 33-11 Web EUQ digest. 25-17 virus settings configure. 22-6 using a widget. 22-8 understanding. 25-22 V view archived messages. 5-8 IN-8 automatically. 5-8 update source configure.Trend Micro InterScan™ Messaging Security Virtual Appliance Administrator’s Guide System Settings configure. 26-8 Web Reputation Services. 33-4 EUQ quarantined messages. 10-12 W Web console password change. 22-3 IP Filtering. 22-9 configure a widget. 21-2 T tabs add a tab. 4-3 System Status screen. 22-6 update application files. 22-5 configure a tab. 22-8 edit a widget. 17-29 U understand Email Encryption. 22-6 default tabs. 33-10 EUQ web console access. 11-6 TrendLabs. xvii Web EUQ Digest configure settings. 8-2 widgets. 5-3 User Quarantine Access configure. 25-21 postponed messages. 17-44 TMCM settings configure. 22-5 Cloud Pre-Filter. 1-16 what’s new. xii widgets add a widget. 5-4 pattern files. 4-8 specify. 1-12 agent. 32-2 system files. 1-12 server. 33-8 IP Filtering. 22-4 system overview. 25-18 deferred messages. 22-4 message traffic.
Copyright © 2024 DOKUMEN.SITE Inc.