Mcafee Email and Web Security Appliance Version 5.5 Product Guide

McAfee Email and Web Security Appliance version 5.
5 Product Guide
COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. License Attributions Refer to the product Release Notes.
McAfee Email and Web Security 5.5
Contents
Introducing Appliance Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Optional components and related products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Product features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Using this information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 How to get product information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Contact information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Basic concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Introduction to policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 How the appliance controls email access and content. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Choosing the operational mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 The interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Protocol support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Recommended network topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Cluster management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Protocol presets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Transparent exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Appliance security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Types of reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Monitoring the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Maintaining the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Troubleshooting on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Fail-Open Unit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Controlling your appliance with ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 What is ePolicy Orchestrator (ePO)?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Installing the Email and Web Security ePO extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Enabling ePolicy Orchestrator management on your appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Common tasks within the interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Enabling each feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Making changes to the appliance's configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Making and viewing lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Contents
Adding information to a list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Removing many items from a list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Removing single items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Changing information in a list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Viewing information in a long list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Ordering information in a list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Ordering information alphabetically in a list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Importing prepared information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Exporting prepared information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Configuring the protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Intercept ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Listening ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Reverse lookup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Enabling and disabling protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Understanding policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 How to use policy groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Issues with policies applied to network sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Policy planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Spend time planning your policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Considering legal implications for email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Considering legal implications for web access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 General guidelines for policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Actions against threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 FTP actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 HTTP actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 ICAP actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Email (POP3) actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Email (SMTP) actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Priority in policies and settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Understanding priorities in policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Example of priority in policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Monitoring activity on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

About the links bar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 About counters for blocked connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Contents
Viewing reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Email Reports menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Transport logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Web Reports menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Example of an HTML report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Example of PDF report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Preventing email threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Email Configuration menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Protocol Configuration menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Receiving Email menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 DKIM signing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Retryer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Choices for delivering email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Email Policies menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Email Scanning Policies menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 How multiple policies affect an email message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 What is a content filter dictionary?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Best practices for content scanning of email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Quarantine Configuration menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 McAfee Quarantine Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Quarantine digests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Quarantine menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Email queues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 How email messages are processed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Preventing web threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Web Configuration menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Web Configuration menu HTTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Web Configuration menu ICAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Web Configuration menu FTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Data trickling its advantages and disadvantages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Web Policies menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Web Scanning Policies menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 What is a content filter dictionary?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Configuring the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Appliance Management menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Access by Secure Shell (SSH). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 About out-of-band management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Contents
About the Remote Access Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Spanning Tree Protocol (STP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Stopping and starting the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 UPS support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Cluster Management menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Why you need to restore system settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Reviewing changes to the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Setting date and time on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Management of a group of appliances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Users, Groups and Services menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 How to use policy groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Authentication group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 User authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Understanding administrators and roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Protocol details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Setting up the browser for authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Setting up Kerberos for use with Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Configuring Kerberos authentication via Active Directory 2003. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Formats of user names for authentication services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Certificate Management menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Creating a TLS certificate using OpenSSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Virtual host management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Logging, Alerting and SNMP menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Overview of logging and alerting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 How to monitor events on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 About the appliance's SNMP alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 How to get reports from SmartReporter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Logging and reporting with SmartReporter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 About alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Types of events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Considerations when overriding events for alerting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Component Management menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 How the appliance updates your protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Automatic updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 What is ePolicy Orchestrator (ePO)?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Troubleshooting on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Tools menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Contents
How to manage the appliance's disk space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Reports menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Configuring mail clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Setting up the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Handling spam with Lotus Domino Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Handling spam with Microsoft Outlook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Troubleshooting FAQs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Performance issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Mail issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Delivery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Email attachments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 POP3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 System configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 System maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Anti-virus automatic updating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Anti-spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Substitution variables for alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Use of word separators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Word delimiters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Word separators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Character set encoding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Features of the Alert Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Files that are always scanned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Formats for network and domain names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 CIDR notation for IP addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 CSV file formats for importing to lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Communication port numbering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Acronyms and Abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 KnowledgeBase articles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Additional License Terms for ePolicy Orchestrator Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Introducing Appliance Security

The McAfee Email and Web Security appliances protect your network from viruses, undesirable content, spam, and other threats. They can be installed at key points in your network, typically at the Internet gateway. Contents Optional components and related products Product features Using this information How to get product information Contact information
Optional components and related products

The appliances have several components and related products. Some components can be fully integrated into the appliances. Other products provide a central point for monitoring and managing several McAfee products, including the appliances. The next table describes the optional components and related products. For more information, see the McAfee website. Table 1: Products
Component/ Product Description Compatible with type of appliances Email Email+Web All
McAfee Quarantine Consolidates quarantine management for many McAfee products, including Manager the appliances. McAfee ePolicy Orchestrator Provides a central control point for reporting activity on several appliances.
Some appliances support auxiliary hardware: Table 2: Auxiliary hardware

Auxiliary hardware Accelerator card Fiber card Remote Access card Features Appliance
Higher throughput for HTTP protocol. Connection via optical fiber instead of copper wire. Remote access and some management of the appliance. For example, the card can re-image the appliance remotely using a CD in another computer.
3400 3300, 3400 3300, 3400
Introducing Appliance Security Product features
The following combinations of software and hardware are possible: Table 3: Combinations of software and hardware
Appliance 3000 3100 3200 3300 3400 Combined Email and Web Yes Yes Yes Yes No Email only No No No No Yes Web only No No No No Yes
Product features
The appliances have the following main features:
Email Web Yes Yes Yes Yes Both Yes Yes Feature Anti-virus scanning Anti-spyware scanning Description Scans all protocols HTTP, FTP, ICAP, SMTP, and POP3. Scans for Potentially Unwanted Programs (PUPs) such as Spyware, Adware, and Cookies. Uses several techniques to reduce spam: Yes Yes No Yes Yes Yes Anti-phishing Compliance Anti-spam engine, the anti-spam and anti-phishing rule sets. The spam-learning feature helps improve spam detection. Lists of permitted and denied senders. Sender Authentication (DKIM, SPF, and Sender ID) TrustedSource reputation service. Blacklists and whitelists, defined by users and administrators.
Yes
No
Yes
Anti-spam scanning
Detects phishing attacks and takes the appropriate action. Ensures outgoing information complies with requirements for privacy. Scans SMTP email messages for potentially unwanted content, and takes the appropriate action.
Yes
No
Yes
Content scanning
Yes
No
Yes
Quarantine management Allows users to handle quarantined items without involving the email administrator. For example, using the information in the Quarantine Digests, users can: Automatically release email messages that have been mistakenly identified as spam. Configure their own blacklists and whitelists.
Submit spam and non-spam email samples for spam learning. Users can also request that their administrator releases email messages that were quarantined because of their content. Yes No Yes McAfee Quarantine Manager Remote access Consolidates quarantine management for a range of McAfee products. If the optional card is installed, it allows remote access to the appliance and does limited management. Uses a URL-filtering database and URL-filtering policies to protect your organization from inappropriate use of the Internet by your
Yes
Yes
Yes
No
Yes
Yes
Enhanced URL-filtering
Introducing Appliance Security Using this information
Email Web
Both
Feature
Description employees. Websites are categorized and access is filtered according to their content.
No No
Yes Yes
Yes Yes
Timed web access ICAP support
Access to websites can be restricted to specific times of day. The ICAP protocol allows ICAP clients to pass HTTP messages to ICAP servers for processing or transformation (adaptation). The appliances for web or web and email support the ICAP 1.0 protocol and act as an ICAP server. ICAP traffic can be scanned and the appropriate action taken. Blocks or warns users about the reputation of requested websites. IPv4 and IPv6 addresses are acceptable. Interacts with uninterruptible power supply devices to provide graceful shutdown. Combats backscatter bounced email that was not originally sent from your organization.
No Yes Yes Yes Yes Yes
Yes Yes Yes No No No
Yes Yes Yes Yes Yes Yes
SiteAdvisor IP v6 UPS support Bounce Address Tag Validation
Sending-IP address pool Prevents the appliance's large amounts of genuine email being rejected as spam. TLS Certificates Popular CA (Certificate Authority) certificates are stored on the appliance. Support for chained certificates, passphrases and certificate revocation. Enables a cluster of appliances to share the scanning workload efficiently. Enables the appliance to behave like several separate devices each scans traffic on a range of IP addresses and has its own reports, policies, quarantine, and email queues. Greatly improves threat detections by reducing the delay between McAfee's detection of a new malware threat and when a customer receives and installs a detection definitions (DAT) file.
Yes Yes
Yes Yes
Yes Yes
Load balancing Virtual Hosting
Yes
Yes
Yes
Artemis
Using this information

Audience This information is intended for network administrators who are responsible for their company's anti-virus and security program. Conventions The information uses the following conventions: Bold Condensed All words from the interface, including options, pages, buttons, and dialog box names. Example: Type the User name and Password of the appropriate account. The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt). Examples: The default location for the program is: C:\Program
Courier
10
Introducing Appliance Security How to get product information
Files\McAfee\EPO\3.5.0 Run this command on the client computer: scan --help
Italic
For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material. Example: See the VirusScan Enterprise Product Guide for more information. A web address (URL) and/or a live link. Example: Visit the McAfee website at: http://www.mcafee.com Angle brackets enclose a generic term. Example: In the console tree, right-click <SERVER>. Note: Supplemental information; for example, another method of executing the same command. Tip: Suggestions for best practices and recommendations from McAfee for threat prevention, performance and efficiency. Caution: Important advice to protect your computer system, enterprise, software installation, or data. Warning: Important advice to protect a user from bodily harm when using a hardware product.
Blue
<TERM>
Note
Tip
Caution
Warning
How to get product information

Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files, available on the product CD or from the McAfee download site (https://mysupport.mcafee.com/Eservice/productdocuments.aspx). Standard documentation Installation Guide System requirements and instructions for installing and starting the appliance. Information to help you deploy appliances within your network. Online Help Information within the interface about each interface area. Release Notes ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation. A text file is included with the software application and on the product CD.
11
Introducing Appliance Security Contact information
License Agreement The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement presents general terms and conditions for use of the licensed product. Contacts Contact information for McAfee services and resources: technical support, customer service, Security Headquarters (Avert), beta program, and training. A text file is included with the software application and on the product CD.
Contact information
Threat Center: McAfee Avert Labs http://www.mcafee.com/us/threat_center/default.asp Avert Labs Threat Library http://vil.nai.com Avert Labs WebImmune and Submit a Sample (Logon credentials required) https://www.webimmune.net/default.asp Avert Labs DAT Notification Service http://vil.nai.com/vil/signup_DAT_notification.aspx Download Site http://www.mcafee.com/us/downloads/ Product Upgrades (Valid grant number required) Security Updates (DATs, engine) HotFix and Patch Releases For Security Vulnerabilities (Available to the public) For Products (ServicePortal account and valid grant number required) Product Evaluation McAfee Beta Program Technical Support http://www.mcafee.com/us/support/ KnowledgeBase Search http://knowledge.mcafee.com/ McAfee Technical Support ServicePortal (Logon credentials required) https://mysupport.mcafee.com/eservice_enu/start.swe Customer Service Web http://www.mcafee.com/us/support/index.html http://www.mcafee.com/us/about/contact/index.html
Phone US, Canada, and Latin America toll-free: +1-888-VIRUS NOor+1-888-847-8766 Monday Friday, 8 a.m. 8 p.m., Central Time Professional Services Enterprise: http://www.mcafee.com/us/enterprise/services/index.html Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html
12
Getting Started
This section describes important concepts to help you integrate an appliance into your network. Contents Controlling your appliance with ePolicy Orchestrator Common tasks within the interface Configuring the protocols
Basic concepts
This section describes important concepts of the appliance. Contents How the appliance controls email access and content Choosing the operational mode The interface Protocol support Recommended network topologies Appliance security Types of reports Monitoring the appliance Maintaining the appliance Troubleshooting on the appliance Fail-Open Unit
Introduction to policies
The appliance uses policies collections of rules or settings which describe the actions that the appliance must take against threats such as viruses, spam, unwanted files, and the loss of confidential information. FTP content policies HTTP scanning policies ICAP content policies POP3 content policies SMTP content policies
13
Getting Started Basic concepts
FTP content policies

The appliance provides the following features when scanning the FTP protocol: Anti-virus Scanner control The appliance can also handle the following types of content: Alert settings Web | Web Policies | Scanning Policies FTP
HTTP scanning policies

You can set policies that control how the appliance scan for threats in HTTP traffic. Anti-virus URL filtering Scanner control The appliance can also handle the following types of content: Alert settings HTML settings Web | Web Policies | Scanning Policies HTTP
ICAP content policies

The appliance provides the following features when scanning the ICAP protocol: Anti-virus URL filtering Scanner control The appliance can also handle the following types of content: Alert settings HTML settings The appliance can apply different policies according to the ICAP service request modification (RESPMOD) or response modification (REQMOD). Web | Web Policies | Scanning Policies ICAP ICAP
POP3 content policies

The appliance provides the following features when scanning the POP3 protocol: Anti-virus Anti-spam Anti-phishing Mail size filtering Scanner control
14
The appliance can also handle the following types of content: Encrypted content Signed content Corrupt content Alert settings Email | Email Policies | Scanning Policies POP3
SMTP content policies

The appliance provides the following features when scanning the SMTP protocol: Anti-spam Anti-phishing Anti-virus Scanner control Mail size filtering The appliance can also handle the following types of content: Encrypted content Signed content Corrupt content Alert settings Mail settings Email | Email Policies | Scanning Policies SMTP
How the appliance controls email access and content

For appliances that scan email, take the following steps to protect your organization and employees: Control SMTP email access. Use the appliance's anti-relay features to prevent third parties using the appliance, or the mail servers that it protects, to deliver their mail. Specify who is allowed or denied email access to your organization Permit and Deny settings. Reduces the incidence of spam using sender authentication. Control the content of email messages that enter or leave your organization. To protect your organization from legal issues and loss of confidentiality, you can control the content of email messages. The appliance can use its own dictionaries of terms to scan SMTP email messages for undesirable content. You can also create your own dictionaries. By stating what is not permitted in email messages, the appliance prevents undesirable messages reaching their intended recipients. Redirect encrypted email to other mail servers for decryption. Control spam and phishing attacks.
15
Unwanted email messages such as spam reduce productivity by distracting employees and reduce the bandwidth and storage capacity available for genuine business use. The appliance can use commercially available lists to block unwanted email messages from known sources. The appliance includes its own block list. Other techniques allow the appliance to authenticate the sender, and reject the email without the need for scanning. Phishing messages try to steal the identity of unsuspecting users. The stolen identity is used to fraudulently obtain goods and services. Email | Email Policies | Scanning Policies
Choosing the operational mode

The appliance operates in one of the following modes: Transparent Bridge Transparent Router Explicit Proxy Carefully select the operational mode for the appliance because it affects how you integrate your appliance into your network and how the appliance handles traffic. After you select the mode, you do not need to change it unless you restructure your network. For details on operational modes, see the Installation Guide. System | Setup Wizard
The interface
NOTE: The interface you see might look slightly different from that shown here, because it can vary depending on the appliance's hardware platform, software version and language.
16
A B C D
Navigation bar User information bar Section icons Tab bar
E F G
Support control buttons View control Content area
A Navigation bar The navigation bar contains four areas: user information, section icons, tab bar, and support controls. B User information bar
Link Logged into Description Displays the type of appliance, for example: Cluster Master User: type of user Displays the type of user, such as System Administrator. Each type has access to parts of the interface. When the cursor is placed over this icon, displays the name and IP address of current users of this appliance. Change password Allows you to change the password. To prevent tampering, the user must know the old password before typing a new password. When clicked, logs off the appliance correctly. Displays product and licensing information. Provides links to various information: Frequently asked questions on our Technical Support website. Instructions for submitting a virus sample to McAfee. Virus information Library, which describes every virus and other potentially unwanted programs that we detect and clean.
Log off About Resources
NOTE: Depending on your configuration, some links might not be available, or they might redirect to other locations. C Section icons The number of section icons depending on the software that you are using. Click an icon to change the information in the content area and the tab bar. The icons include the following:
D Tab bar The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what is displayed in the content area. E Support control buttons The support control buttons are actions that apply to the content area. Icon Description
17
Refreshes or updates the content. Returns you to the previously viewed page. We recommend that you click this button, rather than your browser's Back button. Appears when you configure something to allow you to apply your changes. Appears when you configure something to allow you to cancel your changes. Opens a window of help information. Much of the information in this window also appears in the Product Guide. F View control The view control button shows or hides a Status window. The Status window, which appears in the bottom right of the interface, shows recent activity. New messages are added at the top of the window. If a message is blue and underlined, you can click the link to visit another page. You can also manage the window with its own Clear and Close links. G Content area The content area contains the currently active content and is where most of your interaction will be. NOTE: The changes that you make take effect after you click the green checkmark. Navigation bar
The dashboard
When you first open the browser, you see the dashboard, which gives a summary of the activity of the appliance. From this page you can access most of the pages that control the appliance.
18
Dashboard
Navigation bar
The navigation bar contains the following icons that lead to further menus and pages where you can control the features of your appliance.
Icon Menu Dashboard Features Use this page to see a summary of the activity of the appliance. From this page you can access most of the pages that control the appliance.
Reports
Use the Reports pages to view events recorded on the appliance such as viruses detected in email messages or during web access, and system activities such as details of recent updates and logins. Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration.
Email
Web
Use the Web pages to manage threats to web downloads, and to manage other aspects of web configuration.
System
Use the System pages to configure various features on the appliance.
Troubleshoot
Use the Troubleshoot pages to diagnose any problems with the appliance.
The interface
19
Monitoring activity on the appliance Viewing reports Preventing email threats Preventing web threats Configuring the appliance Troubleshooting on the appliance The interface
Protocol support
The protocols supported by each type of appliance are:
Appliance Email Supported protocols SMTP for email messages. POP3 for email messages. Web HTTP for web browsing. ICAP used with ICAP servers and clients. FTP for file transfer. Email and Web SMTP for email messages. POP3 for email messages. HTTP for web browsing. lCAP for use with ICAP clients. FTP for file transfer.
NOTE: FTP over HTTP (download only) is also handled as part of HTTP support. All other protocols are refused or not scanned, depending on the appliance's operational mode.
Effect of enabling or disabling protocol traffic

You can enable or disable each protocol that the appliance scans for threats. If your appliance scans email, the protocols include SMTP and POP3. If your appliance scans web access, the protocols include HTTP, ICAP and FTP. If the appliance is in Transparent Router or Transparent Bridge mode, and the protocol is disabled, traffic for the protocol passes through the appliance, but is not scanned. If the appliance is in Explicit Proxy mode, and a protocol is disabled, traffic directed to the appliance for that protocol is refused. The protocol is blocked at the appliance. In Explicit Proxy mode, only SMTP, POP3, HTTP, ICAP and FTP traffic is handled by the appliance. All other traffic is refused. TIP: If the appliance is in Transparent Router or Transparent Bridge mode, you can prevent scanning taking place for periods during the day by using transparent exceptions.
20
Recommended network topologies

The appliance can be used in almost any network topology. Typical topologies for each operational mode are described in the Installation Guide. NOTE: To scan a supported protocol, ensure that traffic for that protocol passes through the appliance. Any traffic that bypasses the appliance is not scanned, leaving your network vulnerable to attack. For security reasons, use the appliance inside your organization behind an outer firewall. If you are in any doubt about your network's topology and how to integrate the appliance, consult your network expert. Restrictions The appliance is not a firewall. Place the appliance within your organization, behind your existing firewall. The appliance is not a replacement for a mail server. You might need to configure your firewall, mail server, and other devices to pass protocol traffic to the appliance or through the appliance. The appliance is not a general-purpose web server for storing webpages. The appliance is not a general-purpose server for storing extra software and files. Do not install any software on the appliance or add extra files to it, unless instructed by the appliance's documentation or a McAfee support representative. The appliance cannot scan HTTPS traffic (because it is encrypted). The appliance can block or monitor access to HTTPS websites.
Cluster management
A cluster is a group of appliances that shares both its configuration and balances the network traffic. The cluster can contain: One cluster master. The master both synchronizes the configuration and balances the load of network traffic to the other cluster members. and at least one of the following: One cluster failover. If the cluster master fails, the cluster failover will seamlessly take over the work of the cluster master. One or more cluster scanners. They scan traffic according to the policies synchronized from the master. Note that the master and the failover can also scan traffic. Benefits Scalable performance through load balancing multiple appliances removes the need for costly upgrades. Easier management through synchronization of configuration and updates, reducing administrative overhead. Improved resilience through high availability, reducing possibility of unscheduled outages. Improved intelligence through consolidated reports. Settting up the cluster
21
All members of the cluster must be installed and configured separately. When configuring a master or failover, the administrator must do the following: For Proxy or Transparent Router Mode, set a virtual IP address that is the same on both the master and failover. The cluster members then use VRRP to failover. For Transparent Bridge, set up the cluster to use STP to failover. The bridge priority must be lower on the master (set by default). For all cluster members, the administrator must set the cluster identifier. This unique identifier ensures that members of the cluster are joined correctly. To create multiple clusters, you can use a different identifier for each cluster. Direct all network traffic that is to be scanned to the Cluster Master (or the virtual IP address if a Cluster Failover will be used. Managing the cluster Once configured, the cluster is joined automatically using the cluster identifier. The Dashboard on the cluster master lists the appliance and cluster type. The administrator then only needs to use the user interface of the cluster master for management, for example, setting scanning policies. The cluster master will then automatically push this configuration to the other cluster members. The cluster master collates: Anti-virus updates Reports Queued email McAfee Quarantine Manager (MQM) NOTE: Software patches need to be applied to each separate appliance in turn. System | Cluster Management Making changes to an appliance in a cluster
Cluster management tasks

Using a technique called load balancing, several appliances a cluster can share the scanning of viruses, spam and other threats. Table 4: Cluster management tasks
Task Configure an appliance as a cluster master appliance or cluster scanner appliance Location on navigation bar Select System | Cluster Management | Load Balancing or System | Setup Wizard.
Configure policies against threats on each cluster scanner From the cluster master appliance, select Email | Email appliance Policies or Web | Web Policies | Scanning Policies . Each cluster scanner appliance automatically adopts the same configuration against threats as the cluster master appliance. For example, the anti-virus settings on the cluster master appliance override any anti-virus settings on a cluster scanner appliance. View activity of each cluster scanner appliance From the master appliance, select Dashboard . Reports about threats are displayed only on the cluster master appliance. Each cluster scanner appliance has only a limited interface.
22
Task View consolidated reports
Location on navigation bar From the cluster master appliance, select Reports | Email Reports and Reports | Web Reports .
Making changes to an appliance in a cluster

Use this task to make changes to an appliance that is in a cluster. In a cluster of appliances, you might need to make changes to the configuration of one appliance, for example, you need to change the IP address of the appliance or other devices that connect to the appliance. However, the cluster master appliance frequently and regularly sends new configuration information (such as settings for anti-virus scanning) to every appliance in the cluster, including the cluster failover. If you have recently made changes, you might see a message like this: Configuration has changed Another user has saved changes to the appliance configuration User name admin Address 192.168.254.200 You will need to reload your configuration data. Click on the "Reload" button to do so. When you click Reload, your changes are overwritten. To avoid this problem, you must temporarily remove your appliance from the cluster, then attach your appliance to the cluster again. Task For option definitions, click ? in the appliance interface. 1 2 3 4 In the navigation bar, select System | Cluster Management | Load Balancing. At Cluster mode, select Off (Standard appliance). In the Network Interfaces Wizard, click Cancel to close the window. Click the green checkmark: . The appliance is now isolated from the cluster. 5 6 7 8 9 Make your changes. In the navigation bar, select System | Cluster Management | Load Balancing. At Cluster mode, select the original setting for your appliance Cluster Scanner or Cluster Failover. In the Network Interfaces Wizard, complete any further required changes, then click Finish to close the window. Click the green checkmark: . The appliance is now attached to the cluster.
23
Failover techniques for clustered appliances

If the cluster master appliance fails, another appliance can take over. A cluster failover appliance is identical to the cluster master appliance but is normally redundant. The cluster failover appliance runs only if the cluster master appliance fails. The cluster failover appliance uses: Spanning Tree Protocol (STP) for transparent bridge mode. Virtual Router Redundancy Protocol (VRRP) for transparent router and explicit proxy modes. NOTE: When an appliance fails, the consolidated report data is lost. Transparent Bridge mode In this mode, the cluster master appliance and the cluster failover appliance have different IP addresses. The network uses Spanning Tree Protocol (STP) to configure the two appliances. The appliance with the higher bridge priority a Spanning Tree Protocol (STP) setting becomes the cluster master appliance. Each appliance has a different bridge priority. Because the cluster master appliance has the higher priority (for example, a value of 100), this appliance normally scans the network traffic. If the cluster master appliance fails, the Spanning Tree Protocol directs network traffic through a path with the next higher bridge priority, namely the cluster failover appliance (for example, with a bridge priority value of 200). Transparent Router and Explicit Proxy modes In these modes, the two appliances have different physical IP addresses, but are then configured with the same virtual IP address. Normally, traffic is handled by the cluster master appliance. If that appliance fails, network traffic is handled by the cluster failover appliance. The network uses Virtual Router Redundancy Protocol (VRRP) to configure the two appliances. Although each appliance has a distinct IP address, external devices connect to the appliance using a virtual IP address. In this way, external devices can connect to the appliance (using the same virtual IP address), no matter which physical appliance is active. You must: Determine the virtual IP address for the external devices. Determine the IP addresses for the cluster master appliance and the cluster failover appliance. Specify which appliance is to be the cluster master appliance. System | Cluster Management | Load Balancing
Why load sharing is no longer available

An appliance can share some or all of its workload with other appliances. An earlier technique, called load sharing has been replaced by load balancing within cluster management. The new technique dynamically adjusts the workload to provide optimum performance within a cluster of appliances, and does not rely on difficult manual adjustments of connections and listeners. System | Cluster Management | Load Balancing
Protocol presets
Normally you design your connection settings to apply to all devices. However some parts of your network might need some differences because some devices operate differently.
24
For example: Part of the network can handle larger or smaller files than normal. A slow connection requires a different time-out value. Part of the network must use an alternative authentication service. By creating a protocol preset, you can cater for this exception to the connection settings. Where this feature is available, you can click this icon: .
Transparent exceptions
CAUTION: The most secure option is to scan all traffic. Before turning off scanning of any traffic, consider the security risks. Transparent exceptions prevent scanning of some traffic and might introduce a security risk. If an appliance is operating in Transparent Router or Transparent Bridge mode, you can exclude individual hosts, domains or entire subnets from scanning at set times known as exceptions. Exceptions are useful when regularly moving large amounts of data across your network, for example, when taking daily backups. If the data is known to be clean because it has been scanned recently, you can transfer the data during the exception times. No unnecessary scanning takes place, and therefore the transfer is quicker. An exception includes the following information: The port number associated with the exception. Any sources that are exempt from scanning. Any destinations that are exempt from scanning. The start time and end time of the exception. Each exception can contain one or more sources, one or more destinations and a start time. Only one exception can be in effect at any given time. For example, if one exception starts at 5:00 A.M. and a second starts at 8:00 A.M., the first applies only until 7:59 A.M. and the second applies from 8:00 A.M. NOTE: Exceptions might fail if there are any changes to the IP addresses to which the domain names/host names resolve. VLANs are for Transparent Bridge mode only. Example To apply an exception: 1 To use a port that is not already listed under a port heading, select Transparent interception ports. Click the icon to open the Interception Port Range window, then specify the port number. For example, port 123. 2 Under the entry for the port number, click Intercepting Non-VLAN (Intercept IPV4,IPV6 traffic), then click the icon to open the Intercept Time Exception window. Specify the period, for example 05:00 - 08:00.
The settings for this port will look as follows. Transparent interception ports Port: 123 Intercepting Non-VLAN (Intercept IPV4,IPV6 traffic)
25
Exception for port: 123 between 05:00 and 08:00
Appliance security
The appliance can be accessed only through a secure HTTPS link. If you use a web browser when you type the URL for the appliance, use https and not http. The appliance's operating system prevents unauthorized access to its internal file system. The appliance is protected by a password. For security, connections use Secure Sockets Layer (SSL) encryption. The SSL connection closes when you log off the session. To maintain security during long sessions, the browser session locks after a period of inactivity. The user must re-enter the password to continue controlling the appliance. The length of the period can be changed, and is 10 minutes by default. System | Users, Groups and Services | Role-Based User Accounts See also
Improving the appliance's security

To improve security and deter hackers, change the default settings: Administrator user name Password Appliance name IP addresses To change the password later, click the link in the black bar at the top left of the window. System | Setup Wizard
Access by Secure Shell (SSH)

You can gain access to the appliance with a Secure Shell (SSH) client. After you have enabled Secure Shell access on your appliance, you can use your SSH client to access the support account on the appliance. Use the same password that you use to access the interface from a remote computer. System | Appliance Management | Remote Access [+] Secure Shell Configuration
About out-of-band management

Using out-of-band management separates the network traffic that manages your appliance from the network traffic scanned by your appliance. This slightly reduces the scanned traffic passing through the appliance. Also, if the management traffic is removed from the scanned part of the network, management access to the appliance is maintained when network issues prevent in-band management.
26
In the event of a network issue for example, a configuration change to the appliance blocks all network traffic you can still manage the appliance using the out-of-band connection, and correct the appliance's configuration. NOTE: Scanning is not permitted for any protocol on the out-of-band connection. Also, the out-of-band computer cannot access the Internet or other networks or subnets protected by the appliance. Out-of-band management can be configured when first setting up a new appliance, or it can be added to an existing appliance. System | Appliance Management | Remote Access [+] Out of Band management
Types of reports
You can generate reports from your appliances using the following methods: On-box reporting. SmartReporter from Secure Computing. This generates reports about Uniform Resource Locator (URL) filtering activities. See the Secure Computing SmartReporter Administration Guide, available from the Secure Computing website (www.securecomputing.com). ePolicy Orchestrator provides reports from multiple appliances and security software within your organization. Use ePolicy Orchestrator to collect information such as the total number of viruses detected within your organization. Each type of report produces similar information. You need to consider how long to hold the data. The following sections discuss why you might use each type of report. On-box reporting The appliances own reporting features can generate reports, or show logs, statistics, performance counters and graphs for a wide range of data about the appliance and its activities. On-box reporting also provides reports about the appliance itself such as memory and processor usage. Information held on the appliance is typically removed after 14 days. SmartReporter Use SmartReporter to provide information and reports from the enhanced URL- filtering function. NOTE: SmartReporter provides URL-filtering reports on data in US English American Standard Code for Information Interchange (ASCII) format only. Use SmartReporter only for US English reports that do not include non-ASCII characters. System | Logging, Alerting and SNMP Reports
Monitoring the appliance

To monitor the appliance, you can use: Dashboard a summary of the health of the appliance and the status of several parameters. Logs record information that can be presented as charts and reports. Alerts the appliance can generate alerts, enabling other devices to monitor the appliance. For example, the appliance can be remotely monitored by your SNMP manager.
27
McAfee ePolicy Orchestrator Notifications the appliance can send email messages and other alert messages to users and network administrators to tell them about events.
Maintaining the appliance

You can save the appliance's configuration, so that it can be restored later. Regular maintenance of the appliance is important to ensure good performance. You can automate many of the maintenance tasks. System | Cluster Management | Backup and Restore Configuration
HotFixes and patch releases

McAfee occasionally releases software HotFixes and patches for the appliance. You might need to install some of these before using the appliance. For the latest information, visit http://www.mcafee.com/us/downloads/. Subsequent updating can be automated. System | Component Management | Package Installer
Troubleshooting on the appliance

If you are experiencing problems, read the Troubleshooting section, which answers some frequently asked questions. The appliance includes many diagnostic tools for identifying problems. The Resources link at the top of the window provides links to the following information: Contacting support. Submitting a sample. The Virus Information Library. Additional resources, including links to a list of McAfee addresses and to the SNMP MIB definitions. Troubleshoot | Tools
Fail-Open Unit
The Fail-Open Unit enables your network to continue operating if your appliance fails. The unit is intended for use with an appliance that is operating in Transparent Bridge mode. The Fail-Open Unit redirects network traffic if the appliance fails. For more information, see the Fail-Open Unit Product Guide. System | Appliance Management | General
28
Getting Started Controlling your appliance with ePolicy Orchestrator
Controlling your appliance with ePolicy Orchestrator

This information tells you how to set up communication between your appliance and your ePO server. Contents
What is ePolicy Orchestrator (ePO)?

McAfee ePolicy Orchestrator enables you to monitor activity of various threats to your network from a single point. When the feature is enabled, the appliance sends statistical information to the ePolicy Orchestrator server, where information from all your appliances can be combined into summary reports. System | Component Management | ePO Component Management menu
Installing the Email and Web Security ePO extension

Use this task to install the ePO extension included in the appliance onto your ePO server. The appliance extension for ePO is included with Email and Web Security Appliances 5.5. Tasks
Download the ePO extension

Use this task to locate and download the ePO extension from your appliance. Task For option definitions, click ? in the Email and Web Security Appliance interface. 1 2 3 Click Resources from the black links bar on the appliance interface. Click ePO Extension. If prompted, click Save. Browse to a location to save the ePO Extension file. Click Save. If prompted, close the dialog box.
Install the ePO extension

Use this task to install the ePO extension from your appliance onto your ePO server. Before you begin Ensure that you have already downloaded the ePO extension from your appliance, and have placed it where it can be accessed by your ePO server. Task For option definitions, click ? in the ePolicy Orchestrator interface.
29
Getting Started Controlling your appliance with ePolicy Orchestrator
1 2 3 4 5
In the ePO interface, browse to Configuration | Extensions. In Extensions, click Install Extension. Browse to the ePO extension file you exported from your appliance. Click OK. Click OK to install the extension.
Download and install the Help extension

Use this task to download and install the latest ePO Help extension. Before you begin Ensure that you have access to your McAfee grant number. Task For option definitions, click ? in the ePolicy Orchestrator interface. 1 Download the latest ePO Help extension: a Browse to the McAfee Download site for your business sector: http://www.mcafee.com b From My Products - Download Software, click Login. c Type your McAfee grant number and click Submit. d In your list of products, find ePolicy Orchestrator. Click View Available Downloads. e Click ePolicy Orchestrator v4.0.0. f Click I Agree to proceed. g From the Software Downloads tab, locate and click help_for_epo.zip. h If prompted, click Save. 2 Install the ePO Help extension: a Browse to Configuration | Extensions within the ePO interface. b In Extensions, click Install Extension. c Browse to find the Help extension file you downloaded. d Click OK. e Click OK to install the Help extension.
Enabling ePolicy Orchestrator management on your appliance

Use this task to start communication between your appliance and your ePO server. Before you begin Ensure that you have installed the minimum software versions for both your appliance and your ePO server. Also, make sure that you have downloaded the ePO Extension from your appliance, and have successfully installed it onto your ePO server. Task 1 Export the configuration file from your ePO server. a Browse to Network | Email and Web Security.
30
Getting Started Common tasks within the interface
b Click Export Keys. c Save the file to a location that can be accessed from your browser displaying the Email and Web Security Appliance interface. 2 Import the ePO configuration file into your appliance and enable ePolicy Orchestrator Management. a From your appliance interface, browse to System | Component Management | ePO. b Click Import ePO Configuration. c Click Browse to select the ePO configuration file. The ePO configuration file name is in the format "ePOConfignnnnn.zip". d Click OK. e Select Enable ePO Management. f Click the green checkmark to apply your changes. When prompted, add a suitable comment, such as "ePO Configuration imported and ePO Management enabled".
NOTE: By default, the Agent-to-server communication interval is set to 60 minutes. This means that you have to wait before the appliance will show as a managed appliance within ePO. During setup, you can change this to a shorter time such as 5 minutes.
Common tasks within the interface

This section describes some common procedures for setting up, configuring and managing your appliance.
Enabling each feature

To ensure good detection and best performance, some features on the appliance are on (enabled) by default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To use any feature, make sure you have selected this checkbox.
Making changes to the appliance's configuration

Use this task to make changes to the operation of the appliance. 1 2 In the navigation bar, select an icon. The blue tabs below the icons change to show the available features. Click the tabs until you reach the page you need. To locate any page, examine the tabs, or locate the subject in the help index. The location of the page is often described at the foot of the help page. Example: System | Appliance Management | Database Maintenance 3 4 5 On the page, select the options. Click the help button (?) for information about each option. Navigate to other pages as needed. To save your configuration changes, click the green checkmark icon at the top right of the window.
31
6 7
In the Configuration change comment window, type a comment to describe your changes, then click OK. Wait a few minutes while the configuration is updated. To see all your comments, select System | Cluster Management | Backup and Restore Configuration [+] Review Configuration Changes in the navigation bar. The interface Navigation bar
Making and viewing lists

Lists specify information such as domains, addresses and port numbers on many pages in the interface. You can add new items to a list, and delete existing items. Although the number of rows and columns might vary, all lists behave in similar ways. In some lists, you can also import items from a prepared file, and change the order of the items. Not all lists have these actions. This section describes all the actions that are available in the interface. Tasks
Adding information to a list

1 Click Add below the list. A new row appears in the table. If this is your first item, a column of checkboxes appears on the left of the table. You might also see a Move column on the right of the table. Type the details in the new row. Press Tab to move between fields. For help with typing the correct information, move your cursor over the table cell, and wait for a pop-up to appear. For more information, click 4 . .
2 3
To save the new items immediately, click the green checkmark:
Removing many items from a list

On some long lists, you can remove many items quickly. 1 In the column of checkboxes on the left of the table, select each item. To select many items, select the checkbox in the table's heading row to select all the items, then deselect those that you want to keep. Click Delete at the bottom of the list. To save the new changes immediately, click the green checkmark: .
2 3
Removing single items

Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent the accidentally deletion of a lot of information. In the right column, click the icon: NOTE: If the item cannot be deleted, the icon is disabled: Alternatively, do the following: 1 Click the item to highlight it. The row turns pale blue.
32
Click Delete at the bottom of the list.
Changing information in a list

In the right column, click the icon: . . NOTE: If an item cannot be changed, the icon is disabled: 1 2 3 Click on the text, then delete or retype it. To save the new changes immediately, click the green checkmark: To cancel any recent changes, click the cross at the top right of the window:
Viewing information in a long list

If the list has many items, you might not be able to see them all at the same time. 1 2 To determine the position of an item in the list or the size of the list, view the text at the bottom of the list, such as Items 20 to 29 of 40. To move through the list or to move quickly to either end of the list, click the arrows at ). the bottom right of the list. (
Ordering information in a list

Some lists display items in priority order. The first item in the list is the highest priority, the last item is the lowest priority. To change the item's priority: 1 2 Find the row that contains the item. In the Move column (on the right of the table), click the upward or downward arrow:
Ordering information alphabetically in a list

To change the order: Click the column heading to force items in that column into alphabetic order. Items in other columns are automatically sorted accordingly. An icon appears in the column heading to indicate that this column is sorted: To sort the information differently, click the other column headings. In some cases, you can click the icons in the column heading to reverse and restore the alphabetic order of the information within a single column:
33
Getting Started Configuring the protocols
Importing prepared information

From some pages, you can import information from other devices, appliances, or software for use on the appliance, such as from a previously prepared Comma-Separated Value (.CSV). CAUTION: Imported information normally overwrites the original information. Table 5: Some formats for Comma-Separated Value (.CSV) files
Type of information Domain Network address Email address Format D, domain, IP address N, IP address, IP subnet mask E, email-address Example D, www.example.com, 192.168.254.200 N, 192.168.254.200, 255.255.255.0 E, network_user@example.com
NOTE: Each item in the file is on a single line. 1 2 3 Click Import .... In the Export ... window, browse to the file. Click Open to import the information from the file.
Exporting prepared information

From some pages, you can export information from the appliance for use on other devices, appliances, or software. The information is generated in various forms, such as a ZIP file, a PDF or a CSV file. Table 6: Some formats for Comma-Separated Value (.CSV) files
Type of information Domain Network address Email address Format D, domain, IP address N, IP address, IP subnet mask E, email-address Example D, www.example.com, 192.168.254.200 N, 192.168.254.200, 255.255.255.0 E, network_user@example.com
NOTE: Each item in the file is on a single line. 1 2 Click Export .... In the Export ... window, follow the instructions to create the file.
Configuring the protocols

The appliance protects your network traffic by protocol. This section describes the settings that apply to all protocols scanned by the appliance. NOTE: The protocols available depend on the version of the appliance.
Intercept ports
Intercept ports apply only to appliances operating in Transparent Bridge or Transparent Router mode.
34
For TCP and UDP protocols, port numbers identify the ends of logical connections that carry specific long-term services. You can specify the ports that the appliance uses to intercept email traffic. Each service has an associated port number. For example: Table 7: Typical intercept ports used by each protocol
Protocol FTP HTTP ICAP POP3 SMTP Typical Port 21 80 or 8080 1344 110 25
You can set up one or more intercept ports for your traffic. The appliance intercepts the traffic on those designated port numbers.
Listening ports
Listening ports specify the ports that the appliance uses to listen for traffic. At least one port must be set up for listening. The table shows typical port numbers. Table 8: Typical listening ports used by each protocol
Protocol FTP HTTP ICAP POP3 SMTP Typical port 21 80 1344 110 25
The appliance listens for traffic arriving on the designated port numbers. You can set up one or more listening ports for each type of traffic on your appliance.
Reverse lookup
To find the host name associated with an IP address, the appliance can use DNS servers on the Internet. This action is called a reverse DNS lookup. For example, the appliance can use a reverse DNS lookup to determine that the IP address 192.168.254.200 refers to a host, host.example.com. However, a reverse DNS lookup can take some time and affects your appliance's performance. You can prevent the appliance from making reverse DNS lookups when the appliance intercepts email messages and HTTP requests. CAUTION: Change reverse lookup settings only if you fully understand the consequences. If you deny reverse DNS look-ups, some features such as authentication with Kerberos might not work as expected.
Enabling and disabling protocols

You can enable and disable each of the protocols that the appliance supports.
35
Enabling a protocol effectively turns on that protocol, so that all the settings for that protocol can be applied by the appliance. Enabling a protocol does not automatically enable all the different scan options. These must be enabled separately. For example, if anti-virus scanning is enabled, but anti-spam scanning is disabled, enabling the SMTP protocol causes email messages to be scanned for viruses but not for spam. If you disable a protocol, the appliance will not apply the settings for that protocol. If a protocol is disabled, the appliance will not scan any traffic for that protocol, even if the specific scan options are enabled.
36
Policies
A policy is a collection of settings and content rules that allow you to combat a specific threat to your network. You can tell the appliance how to handle each type of threat. Understanding policies How to use policy groups
Understanding policies
The appliance uses policies collections of rules or settings which describe the actions that the appliance must take against threats such as viruses, spam, unwanted files, and the loss of sensitive information. The appliance always has at least one policy the default policy, which provides adequate protection for your network without the need for any configuration. In other words, your network is protected by the appliance straight out of the box. What is a policy action? A policy specifies how the appliance must respond to a threat. For example: When a virus is detected, the appliance can quarantine or delete the detected item. When an undesirable phrase is detected, the appliance can block the item. In addition to this action, the appliance can also do some secondary actions. For example, if a very large file is detected, the appliance can block the file and also issue a warning to its sender and receiver. Why you might need more policies In time, you might consider changing some settings in the appliance to better suit your own organization, and you can then add more policies. Each new policy can inherit many of the settings in existing policies, which allows you to cater for the different needs of some users or parts of the network. For example, you can allow one department to send or receive large graphic files but restrict all other departments to smaller files. New policies are intended to handle exceptions. If the appliance cannot apply the rules or settings in a new policy, it reverts to settings in the default policy. Priorities in policies The policies can be organized by priority. The topmost policy in the policy list takes precedence if a user or device is affected by two or more policies. Email | Email Policies | Scanning Policies Web | Web Policies | Scanning Policies
37
Policies How to use policy groups
How to use policy groups

Your policies typically apply to parts of the network or to the groups of users within your organization. When you create a policy, you define the part or group. However, if the definition is complex, we recommend that you create the definition beforehand as a policy group. System | Users, Groups and Services | Policy Groups Example You need a policy to protect email users who have laptop computers. The users include some individual email addresses at example.com and a range of email addresses at example.net: A123@example.com H456@example.com V789@example.com X*@example.net The list of users is likely to change over time. Normally, whenever the list changes, you have to update every policy that affects these users. Instead, you can create a single policy group, called Laptop Users under Email recipients and senders. You define your policy group as follows:
Recipient email address Recipient email address Recipient email address Recipient email address is is is is like A123@example.com H456@example.com V789@example.com X*@example.net
You can modify your policy group at any time. When you create a policy for these users, you can refer to them as the User group, Laptop users. Users, Groups and Services menu
Issues with policies applied to network sources

If your appliance is in Explicit Proxy mode and is scanning HTTP traffic, policies based on connections to network destinations will not trigger. This limitation is a result of the nature of explicit HTTP scanning, and the point during connection at which the appliance applies policies. The appliance must determine which policy to apply before it starts scanning. In HTTP communications, the appliance scans the request header. In an explicit proxy configuration, this means the appliance must apply policies during the initial HTTP request, before it has established communication with the other end. No verifiable destination information is available at this point, so policies based on destination cannot trigger. Web | Web Policies | Scanning Policies HTTP
38
Policies Policy planning
Policy planning
This section describes what to do before creating policies. It also describes advanced connection settings, advanced transparent exceptions, and alert settings that apply to more than one protocol. It includes the following topics: Spend time planning your policies Considering legal implications for email Considering legal implications for web access General guidelines for policies
Spend time planning your policies

To make full use of policies, spend time planning. Poorly configured policies can cause serious security and connectivity issues for your network. Familiarize yourself with the policy concepts. Understand especially the importance of establishing a good default policy before deriving any other policies from it. Consider how to organize users and computers into policy groups. Decide which policies to assign to the policy groups. Consider the order in which policies are applied. Consider the legal implications of setting some policies. NOTE: The number of policies can affect the number of scans that the appliance runs. This in turn can affect the appliances performance. Email | Email Policies | Scanning Policies Web | Web Policies | Scanning Policies
Considering legal implications for email

Before applying any restrictions on employees' email, check any local legal requirements. Some restrictions might be illegal. Consider informing employees that restrictions are in force, for example by attaching a disclaimer to each email message. We recommend that you discuss the implications with your legal department.
Considering legal implications for web access

Before applying any restrictions on employees' Internet access, check any local legal requirements. Some restrictions might be illegal. Consider informing employees that restrictions are in force, for example by displaying a statement when they start their computers. We recommend that you discuss the implications with your legal department.
General guidelines for policies

When setting up policies: Set up the default policies to cover most situations.
39
Policies Actions against threats
Set up other policies only to cover exceptions to the way that the default policy handles an item for example, to create exceptions to the way that connections or traffic are normally handled by the appliance. If the appliance is in Transparent Router or Transparent Bridge mode, consider the priority assigned to other policies. NOTE: Incorrect configuration of advanced policy settings can cause serious security and connectivity issues for your network. We recommend that you do not change advanced settings unless instructed to do so by Technical Support or your network expert. Email | Email Policies | Scanning Policies Web | Web Policies | Scanning Policies
Actions against threats

You can configure the appliance to act in various ways when a scanner triggers. For example, you can tell the appliance to try to clean an email message if the anti-virus scanner detects a virus. The actions that are available depend on the policy settings, the protocol, and on the scanner that detected the issue. The actions are: A main action, which determines how the original email message or webpage is handled. Further optional actions against email. These apply to additional copies of the original email messages and notifications. The appliance records main actions, and you can view the event later in reports. For example, if the action is Replace detected item with an alert (Block), you can see the event in a report that specifies an Action of Blocked. See also FTP actions HTTP actions ICAP actions Email (POP3) actions Email (SMTP) actions
FTP actions
Action Refuse the data and return an error code Allow Through Report as ... (Block) Description The appliance rejects the data.
(Monitor)
The appliance lets the file through. Any detections are logged but not acted on. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks.
Web | Web Policies | Scanning Policies
40
HTTP actions
Action Allow Through Report as ... (Monitor) Description The appliance takes no action. The requested URL appears without any messages being displayed. Before using the Allow Through option, carefully consider the security risks. The appliance denies a request to access a website. A message tells the user that access to the website is considered inappropriate and was blocked. The appliance issues a message, telling the user that the request is considered inappropriate. The user can ignore this warning and access the website anyway. When a user is granted coached access to the requested URL, access is granted for a period. If the user does not refresh or reload the browser within this period, the user sees a further coaching message. When the user refreshes or reloads the browser, a further coaching message is displayed when the period expires, unless the user has since browsed to an uncoached URL. To be compatible with most browsers, the appliance sets a time at which access is reassessed. If the system clocks are not synchronized on the appliance and the user's computer, user access might be blocked. For example, if the period is 15 minutes, and the clock in the user's computer is 30 minutes earlier than the appliance's clock, the user will not be able to browse to any URLs that have coached access. If a detection is triggered because of the content of a file, the appliance replaces the content with an alert that explains why the original was replaced.
Deny Access
(Block)
Coach Access
(Monitor)
Replace detected item with an alert, Replace the content with an alert
(Block)
ICAP actions
Action Report as ... Description The appliance lets the file through. Any detections are logged but not acted on. For example, if you are expecting some large files that normally trigger the denial-of-service limits, you can temporarily set the appliance to allow these files through, rather than replace them with an HTML alert. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks. If a detection is triggered due to the content of a file, the appliance replaces the content with an HTML alert that explains why the original was replaced. Allow Through (Monitor)
Replace (Block) detected item with an alert, Replace the content with an alert Deny Access (Block)
The appliance denies a request to access a website. A message tells the user that access to the website is considered inappropriate and was blocked. The appliance issues a message, telling the user that the request is considered inappropriate. The user can ignore this warning and access the website anyway. When a user is granted coached access to the requested URL, access is granted for a period. If the user does not refresh or reload the browser within this period, the user sees a further coaching message. When the user refreshes or reloads the browser, a further coaching message is displayed when the period expires, unless the user
Coach Access NOTE: Some devices might not work well with coach pages. Consult
(Monitor)
41
Action your ICAP client manufacturer for further information.
Report as ...
Description has since browsed to an uncoached URL. To be compatible with most browsers, the appliance sets a time at which access is reassessed. If the system clocks are not synchronized on the appliance and the user's computer, user access might be blocked. For example, if the period is 15 minutes, and the clock in the user's computer is 30 minutes earlier than the appliance's clock, the user will not be able to browse to any URLs that have coached access.
Email (POP3) actions

Action Replace the content with an alert Report as ... (Modify) Description If a detection is triggered due to the content of a file, the appliance replaces the content with an alert that explains why the original was replaced. The appliance sends the modified email message to the recipient. The appliance lets the file through. The email message remains unchanged but the event might be logged or the administrator alerted. For example, select this action to monitor the use of certain words in files without preventing their use. Some email software does not accept changes to signed messages, and therefore you cannot allow the appliance to alter the content. If you allow all signed messages through, an undesirable item inside a signed message can escape detection. If you allow all signed messages through, be sure that the messages come from a trusted source, or that they are scanned later. Any detections are logged but not acted upon. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks. For more information on the risk associated with each file type, use the Virus Information Library.
Allow Through
(Monitor)
Email | Email Policies | Scanning Policies
Email (SMTP) actions

Action Accept and drop the email Report as ... (Block) Description The appliance issues an acceptance code (SMTP 250 OK) at the post-DATA stage after the final dot (.). This option suggests to the sender that the message was received as intended. The appliance accepts the message and sends an acceptance code (SMTP 250 OK) at the RCPT TO stage. This option suggests to the sender that the message was received as intended. The appliance accepts the email message and discards it. The appliance sends a SMTP 250 OK response to the mail server. The appliance adds a spam score to the overall anti-spam score for this email message. This determines whether the email message is treated as spam. If you select this option, you cannot select secondary actions. Instead you are prompted to type a spam score between -99.9 and +99.9 to add to the overall spam score for the email message.
Accept and ignore the recipient (Block)
Accept and then drop the data
(Block)
Add score to spam score
(Monitor)
42
Action Allow changes to break the signed email
Report as ... (Monitor)
Description If a detection triggers because of the content of an email message, the appliance modifies the message, even if this breaks the signature. The appliance sends the modified email message to the recipient. The appliance lets the file through. The email message remains unchanged but the event might be logged or the administrator alerted. For example, select this action to monitor the use of certain words in files without preventing their use. Some email software might not accept any changes to signed messages, and therefore you cannot allow the appliance to alter the content. If you choose to allow all signed messages through, an undesirable item can escape detection if it is inside a signed message. If you allow all signed messages through, be sure that the messages come from a trusted source, or that they are scanned at a later stage. Any detections are logged but not acted upon. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks. For more information on the risk associated with each file type, see the Virus Information Library. The appliance sends an SMTP 550 (permanent failure) response code and closes the connection. The appliance closes the connection when a content rule triggers or when the number of recipients exceeds a limit, typically 10 recipients. You can specify the period that the connection continues to be denied. To view the connections that are currently denied, select Email | Email Configuration | Receiving Email | Permit and Deny Lists on the navigation bar. The appliance closes the connection when the number of recipients exceeds a limit. The appliance quarantines the email message. The appliance only performs actions that do not break the signed email message signature. The appliance then attempts to deliver the email message to the original recipients. The appliance rejects the email message and sends a rejection message to the mail server. The appliance sends an SMTP 550 (permanent failure) response code and keeps the connection open. All subsequent commands are rejected or ignored, except for the QUIT command that closes the connection.
Allow Through
(Monitor)
Close the connection
(Block)
Deny connection
(Block)
Deny connection and quarantine (Block) mail
Do not allow changes to break the signed email
(Monitor)
Refuse the data and return an error code Reject or ignore all commands except QUIT
(Block)
Reject the email
(Block)
The appliance rejects the message and keeps the connection open. The sender is normally informed that the message was not accepted. The appliance sends a rejection code (SMTP 550 Fail). Before closing the connection, the appliance sends a rejection code, SMTP 550 (permanent failure) response code or a 421 Temporarily unavailable service due to potential threat message, and closes the connection. The appliance returns a 421 Temporarily unavailable service due to potential threat message and closes the connection. The connection is then placed in the Deny Connection list. The appliance rejects the message, and sends a rejection code, SMTP 550 (permanent failure) response code. We recommend this option because the sender is normally informed that the message was not relayed.
Reject the email and close the connection
(Block)
Reject the email and deny the connection
(Block)
Reject the recipient
(Block)
43
Policies Priority in policies and settings
Action Route to an alternate relay Remove the content
Report as ... (Reroute) (Modify)
Description The appliance sends the message to another device. The appliance limits the number and size of attachments it scans. If an email message exceeds the limits, the appliance removes the excess content, scans the remaining email message, and sends the modified message to the recipient. If a detection is triggered due to the content of a file, the appliance replaces the content with an HTML alert that explains why the original was replaced. The appliance sends the modified email message to the recipient. If a detection is triggered due to the content of a file, the appliance replaces the attachments with an HTML alert that explains why the original was replaced. The appliance sends the modified email message to the recipient. The appliance delays its response, typically by several seconds.
Replace the content with an alert, Replace detected item with an alert
(Modify)
Replace all attachments with a single alert
(Modify)
Tarpit Tarpit then deny connection (Block)
The appliance delays the response by several seconds, then drops the connection.
Email | Email Policies | Scanning Policies
Priority in policies and settings

This section describes problems arising when a policy is applied to several users. It covers: Connection settings Scanning policies Protocol settings Connection settings If the appliance receives an email message with multiple recipients, and needs to apply connection settings to that message, it always applies the highest priority policy to all of the recipients. The priority is determined by the order of the policies, no matter which operational mode is being used by the appliance. Scanning policies If the appliance receives an email message with multiple recipients, and needs to apply policies to that message, it handles the message as described in the next table:
Operational mode Multi- policies setting Maximum number of policies Not exceeded How the email message is treated The email message is effectively replicated according to the policies that must be applied. Each replicated email message passes through the scanners separately, and the policies and actions are applied. Separate
Explicit Proxy
Not applicable
44
Operational mode
Multi- policies setting
Maximum number of policies
How the email message is treated entries appear in the logs and reports for each replicated email message. If the appliance is configured to generate alerts, separate alerts are generated for each replicated email message.
Explicit Proxy
Not applicable
Exceeded
The highest priority policy only is applied, and it is applied to all recipients. The highest priority policy only is applied, and it is applied to all recipients. The highest priority policy only is applied, and it is applied to all recipients. The email message is effectively replicated according to the policies that must be applied. Each replicated email message passes through the scanners separately, and the policies and actions are applied. Separate entries appear in the logs and reports for each replicated email message. If the appliance is configured to generate alerts, separate alerts are generated for each replicated email message. The replicated email messages are delivered using proxy delivery methods.
Transparent Bridge or Transparent Router
Disabled
Not applicable
Enabled
Exceeded
Enabled
Not exceeded
If the highest priority method is applied, the email message is not replicated and passes through the scanners only once. Scanning policies and performance issues When setting up scanning policies, ensure that most email messages are covered by the default policy. Each time the appliance has to replicate a message to apply another policy to it, the email message is scanned again. The extra scanning affects the appliances performance. Protocol settings If the appliance receives an email message with multiple recipients, and needs to apply protocol settings to that message, it always applies the highest priority policy to all of the recipients. The priority is determined by the order of the non-default policies, no matter which operational mode is being used by the appliance. Understanding priorities in policies Example of priority in policies
45
Understanding priorities in policies

Sometimes, an item is subject to several policies. Consider a person who works for two departments, where each department has its own policy. One department is allowed to accept large graphics files, but the other department is not. When the person tries to handle such a file, the appliance must resolve the conflict. The appliance applies the policy that has the highest priority, that is, the policy that is nearer the top of the policy list. Email | Email Policies | Scanning Policies Web | Web Policies | Scanning Policies
Example of priority in policies

You have two policy groups, Directors and Managers. director1@example.com is a member of the Directors policy group. manager3@example.com is a member of the Managers policy group. You have assigned a policy for mail size to each policy group: Members of the Directors policy group can receive email messages with attachments over 5 Megabytes. Members of the Users policy group can receive attachments only if they are less than 5 Megabytes. If an attachment is more than 5 Megabytes, the Users policy group receives an HTML alert instead of the attachment. Example 1 The appliance receives an email message containing a 5-Megabyte attachment addressed to: director@example.com manager@example.com The appliance scans the email message twice and applies two actions, because the email message is addressed to two recipients. Each recipient is affected by a different policy with different actions: recipient director@example.com the appliance allows the attachment through. recipient manager@example.com the appliance replaces the attachment with an HTML alert, telling the recipient that the attachment has been removed. Example 2 The appliance receives an email message containing a 5-Megabyte attachment addressed to: director1@example.com manager3@example.com user5@example.com The appliance scans the email message three times and applies three actions because the three recipients are members of three different policy groups. The appliance applies the actions for director@example.com and manager@example.com as previously described. However, user@example.com is not a member of either of the policy groups affected by the Directors and Managers policies.
46
When deciding how to handle the attachment for user@example.com, the appliance must refer back to the default policy and apply whatever action the default policy states. For example, the default policy might have Mail Size Filtering settings that state that the appliance action is Refuse the original data and return a rejection code.
47
Monitoring activity on the appliance

The Dashboard page shows a summary of the activity of the appliance. From this page you can access most of the pages that control the appliance. On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances. When you click this icon in the navigation bar, you can see the following sections. When clicked, the Edit links in each section lead to further pages where you can change your preferences for the display of the dashboard.
Section Email Detections What you can do at the Edit Preferences page Use this page to specify which counters appear under Email Detections on the Dashboard. Use this page to specify which counters appear under Web Detections on the Dashboard. Use this page to set the thresholds at which the warning and alerts icons appear under System Health on the Dashboard. Use this page to set the thresholds at which the warning and alerts icons appear under Current Detection Rates on the Dashboard. Use this page to specify the protocols that will be monitored under Network on the Dashboard. Use this page to set the thresholds at which the warning and alerts icons appear under Email Queues on the Dashboard. Use this page to select the protocols for which policies are listed under Scanning Policies on the Dashboard. Use this page to specify common tasks and the order in which they appear under Tasks on the Dashboard. Use this page to control the display of the throughput meters on the Dashboard. Use this page to display a graph of activity for each protocol under the graphs on the Dashboard.
Web Detections
System Health
Current Detection Rates
Network
Email Queues
Scanning Policies
Tasks
Load balancing
Graphs
Navigation bar
48
Monitoring activity on the appliance About the links bar
About the links bar

The Links bar at the top of the screen provides links to more resources and sources of support. This black bar has the following links.
Link Logged into Description Displays the type of appliance, for example: Cluster Master User: type of user Displays the type of user, such as System Administrator. Each type has access to parts of the interface. When the cursor is placed over this icon, displays the name and IP address of current users of this appliance. Change password Allows you to change the password. To prevent tampering, the user must know the old password before typing a new password. When clicked, logs off the appliance correctly. Displays product and licensing information. Provides links to various information: Frequently asked questions on our Technical Support website. Instructions for submitting a virus sample to McAfee. Virus information Library, which describes every virus and other potentially unwanted programs that we detect and clean.
Log off About Resources
NOTE: Depending on your configuration, some links might not be available, or they might redirect to other locations.
About counters for blocked connections

This counter on the dashboard increments when a host in the Blocked connections list tries to open a connection to the appliance on port 25. However, the count might appear higher than expected for the following reason. If the appliance blocks an initial connection by a Mail Transfer Agent (MTA), the MTA might retry, causing the blocked connections counter to increment many times. To view the Blocked connections list, select Email | Email Configuration | Receiving Email | Permit and Deny Lists in the navigation bar.
49
Viewing reports
Use the Reports pages to view events recorded on the appliance such as viruses detected in email messages or during web access, and system activities such as details of recent updates and logins. You can view the reports of these events via a browser or distribute reports by email. The appliance provides some standard reports and you can create your own. When clicked, this icon on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Scheduled Reports What you can do from this part of the interface Use this page to see a list of the available reports about threats that the appliance has detected. You can view the reports, send reports immediately to other people, or schedule reports to be sent at regular intervals. Use these pages to display reports about threats detected in email. You can filter the information and create your own reports (favorites). Use these pages to display reports about threats detected during web access. You can filter the information and create your own reports (favorites). Use this page to see the details of the system's status. The information is displayed in a table.
Email Reports
Web Reports
System Reports
Further information Web Reports menu Navigation bar
Email Reports menu

Use these pages to display reports about threats detected in email. You can filter the information and create your own reports (favorites). Menu location: Reports | Email Reports When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Total View What you can do from this part of the interface Use this page to see the actions that the appliance has taken against about threats over the period specified under Filter. The information is displayed in a horizontal bar chart. If you see no information, click Apply on the Filter tab, or change the period and click Apply.
50
Viewing reports Web Reports menu
Tab Time View
What you can do from this part of the interface Use this page to see the actions that the appliance has taken against about threats over the period specified under Filter. The information is displayed in a vertical bar chart, and organized into small intervals. For example, a weekly report shows activity in whole 6-hourly portions of each day. Use this page to see the details of every detected threat. The information is displayed in a pie chart. Use this page to see the details of every email message that the appliance has handled. Information includes any threat in the email message and IP addresses. The information is displayed in a table. Use this page to view the status of each email message such as whether it was delivered successfully or blocked. The information is displayed in a table. Use this page to build a list of links to reports that you have already designed. Use this section of the page to refine or filter the information in the report.
Itemized View
Detail View
Status View
Favorites Filter
Further information
Transport logging
The appliance logs the last known state of each SMTP email message. For example: The email message was blocked because it contained a virus. The email message was deferred to a queue because it cannot be delivered immediately. The email message was successfully delivered. Reports | Email Reports | Total view
Web Reports menu

Use these pages to display reports about threats detected during web access. You can filter the information and create your own reports (favorites). Menu location: Reports | Web Reports When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Total View What you can do from this part of the interface Use this page to see the actions that the appliance has taken against about threats over the period specified under Filter. The information is displayed in a horizontal bar chart. If you see no information, click Apply on the Filter tab, or change the period and click Apply. Use this page to see the actions that the appliance has taken against about threats over the period specified under Filter. The information is displayed in a vertical bar chart, and organized into small intervals. For example, a weekly report shows activity in whole 6-hourly portions of each day. Use this page to see the details of every detected threat. The information is displayed in a pie chart.
Time View
Itemized View
51
Viewing reports Example of an HTML report
Tab Detail View
What you can do from this part of the interface Use this page to see the details of every detected threat, such as the exact time and IP address of each detection. The information is displayed in a table. Use this page to build a list of links to reports that you have already saved. Use this section of the page to refine or filter the information in the report.
Favorites Filter
Further information
Example of an HTML report

Although this example is in English, reports have a similar format in all other languages.
52
Viewing reports Example of PDF report
Example of PDF report

Although this example is in English, reports have a similar format in all other languages.
53
Preventing email threats

Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration. When clicked, this icon on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Email Overview What you can do from this part of the interface Use this page to see how well the appliance is handling email delivery and threats on incoming email. Use these pages to configure how the appliance handles email before scanning for possible threats. Use these pages to manage policies and dictionaries that apply to email. Use these pages to specify how the appliance quarantines email that probably contains a threat. Use these pages to examine or release email that has been quarantined because it might contain a threat. Use this page to view information about email that was not delivered. For example, you can see the subject lines and senders of every email that was not delivered last week.
Email Configuration
Email Policies Quarantine Configuration
Quarantine
Queued Email
Further information Quarantine menu Navigation bar
Email Configuration menu

Use these pages to configure how the appliance handles email before scanning for possible threats. Menu location: Email | Email Configuration When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Protocol Configuration What you can do from this part of the interface Use these pages to configure the handling of SMTP and POP3 protocols.
54
Preventing email threats Email Configuration menu
Tab Receiving Email
What you can do from this part of the interface Use these pages to examine the source of incoming email, and thereby avoid unnecessary scanning and false alarms. Use this page to specify how the appliance delivers email messages.
Sending Email
Further information
Protocol Configuration menu

Use these pages to configure the handling of SMTP and POP3 protocols. Menu location: Email | Email Configuration | Protocol Configuration When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Connection Settings (SMTP) What you can do from this part of the interface Use this page to specify connection settings for the SMTP protocol, such as port numbers and timeouts. Optionally, specify periods when some parts of the network are not scanned. Use this page to specify how to handle some features of email protocols such as the maximum allowed size of a message. Use this page to convert the addresses in the headers of incoming or outgoing email. For example: Transport Layer Security (SMTP) Connection and Protocol Settings (POP3) Send and receive email for general enquiries using an anonymous address such as info@example.com, instead of one persons specific address. Redirect email for several people to one person. Modify the email headers to hide information about your internal domains.
Protocol Settings (SMTP)
Address Masquerading (SMTP)
Use this page to specify how devices use encrypted communications and to manage their digital certificates. Use this page to specify settings for the POP3 protocol such as port numbers and time-outs. Optionally specify periods when some parts of the network will not be scanned.
Further information
Email Configuration
You can change settings that control the communication between the appliance and your networks: Data command options Denial-of-service prevention Message processing Transparency options Address parsing Email | Email Configuration | Protocol Configuration | Protocol Settings
55
Transparency options
The following settings apply only to appliances operating in a transparent mode. You can set up the appliance to: Use the Welcome Message from the mail server, or use the appliance's own message. Add text to the front of the mail server's Welcome Message. Allow Extended Simple Mail Transfer Protocol (ESMTP) extensions. For example, Delivery Sender Notification (DSN), Authentication (AUTH), and eight-bit data transfer (8BITMIME). Send NOOP keep-alive commands to the destination server, while the appliance receives data from the source server (the DATA phase). This prevents the appliance-to-destination server connection timing-out. Specify the interval between keep-alive commands. Generate extra scanning alerts to warn a network administrator or other users when specific events occur. For example, the appliance can issue alerts when viruses, spam, or banned content have been detected. Allow or prevent the use of multiple policies for email messages with more than one recipient. Configure the appliance to generate additional scanning alerts. Allow multiple policies per email message. Add a Received header to the email message. Define any ESMTP extensions that are allowed to pass through the appliance. Define the Microsoft Exchange server extensions that are allowed to pass through the appliance: X-EXPS, X-LINKSTATE, XEXCH50, and CHUNKING. The extensions are not scanned. If the appliance operates between two Microsoft Exchange servers, it must allow these email headers to be exchanged without scanning. Email | Email Configuration | Protocol Configuration | Protocol Settings
Message processing
Using this feature, you can: Change the welcome message that is displayed when a host using SMTP connects to an appliance in Explicit Proxy mode. By default, the following welcome message is displayed: <appliance name and domain>SCM<product number>/SMTP Ready For example: appliance1.example.com SCM4.5/SMTP Ready. You can replace this welcome message with your own text. The text must be in the US-ASCII character set. Set up store and forward options for email messages. By default, the appliance attempts to immediately deliver email messages addressed to a single recipient, and to the first recipient of any email messages with more than one recipient. This does not involve storing the message for that recipient. This method typically increases throughput. It also causes the connection to the sending mail server to be held open while delivery is attempted. Alternatively, the appliance can be configured to store and forward email messages. The appliance can be set up to store email messages when: The email message is larger than a maximum size that you can specify.
56
The number of recipients exceeds a limit that you can specify. The appliance will try to forward the stored email message later. How often the appliance attempts to forward the email message is defined in the Retryer option. Set up the appliance to store and scan email messages in the background. If the email message is too large (as specified here), the appliance can store and scan the message in the background. Set up DNS data limits. When the appliance tries to deliver an email message by doing a DNS look-up, it examines the number of mail exchange (MX) records and Address (A) records returned by the DNS server. MX records list the host names that accept mail for a specific domain. A records provide the mapping of host name to IP address. You can limit the number of delivery attempts that the appliance makes, by setting limits on the number of MX and A records that the appliance will try. You can also: Send SMTP traffic to a different port number. You need to use the same port number that the receiving mail server uses when listening for SMTP traffic. Specify the largest number of policies that can be applied to an email message. Add the IP address of the connecting server to the Received email header. Force the HELO command to automatically reset (RSET command). Force the use of the HELO or EHLO command in any SMTP communication. Email | Email Configuration | Protocol Configuration | Protocol Settings
Effect of address masquerading on digital signatures

If address masquerading is in use, the appliance might change the information in the email headers of some email messages. After such a change, a digital signature in the email message will not be valid. Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)
Limitations when using regular expressions with email addresses

The appliance does not use the full set of regular expressions for matching email addresses. The limitations are: No \Q or \E anchors to quote pattern metacharacters. No \A or \Z anchors to match the start or end of the string. Use a caret or dollar instead. Lookbehind is not supported. Lookahead is fully supported. No atomic grouping or possessive quantifiers. No Unicode support, except for matching single characters with \uFFFF. No named capturing groups. Use numbered capturing groups instead. No mode modifiers to set matching options within the regular expression. No conditionals.
57
No regular expression comments. Describe your regular expression with JavaScript comments (double-slash, //) outside the expression. Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)
Examples of regular expressions in email addresses

The tables show some typical uses of regular expressions. Table 9: Simple examples
Character . (dot) Meaning Any character Example and description a.c The address contains a followed by any character, then c. Examples: abc@example.com, dazc@example.com, useraxc@example.com \ (backslash) Special characters (such as dot) in their literal meaning \.user The address contains .user Examples: network.user@example.com user[1-3] The address contains a digit. Examples: user1, user3a .* (dot and asterisk) Any number of characters, including none .*user The address contains any number of characters followed by user Examples: user@example.com, abcuser@example.com, 12user@example.com ^ (caret) Start of address ^user The address begins with user Examples: user1@example.com, user99@example.com End of address com$ The address ends with com Examples: user1@mcafee.com
[]
A class of characters
$ (dollar)
If the caret or dollar are not used, the regular expression matches on any part of the email address. Complex examples Table 10: Changing the domain part
Search pattern and replacement text (.*)@example\.com$ $1@mcafee.com Original email address Replacement email address
user1@example.com user_1@example.com
user1@mcafee.com user_1@mcafee.com
58
Search pattern and replacement text
Original email address user1@example.net
Replacement email address Not changed.
Table 11: Converting on an exact match

Search pattern and replacement text ^user1@example\.com$ info@mcafee.com Original email address Replacement email address
user1@example.com 11user22@example.com
info@mcafee.com Not changed.
Table 12: Changing the format of the local part

Search pattern and replacement text (.*)\.(.*)@example\.com$ $1_$2@example.com Original email address Replacement email address
aa.bb@example.com aabb@example.com aa_bb@example.com
aa_bb@example.com Not changed. Not changed.
Table 13: Directing general enquiries to one recipient

Search pattern and replacement text info@example\.com$ aaa@example.com Original email address Replacement email address
info@example.com user99@example.com abcinfo@example.com
aaa@example.com Not changed. abcaaa@example.com
Table 14: Directing email with subdomains

Search pattern and replacement text info@domain1.example.com user1@example.com ... then followed by: info@example.com user2@example.com Original email address Replacement email address
info@domain1.example.com info@example.com
user1@example.com user2@example.com
This example shows two search patterns. The appliance processes the more specific email message (which contains domain1 in its domain part) using the first search pattern and directs the email message to user1. Email with a less specific domain part in its address goes to user2. Table 15: Directing email with several patterns
Search pattern and replacement text sss.*vvv.mdom.dom ab@d1.example.dom ... then followed by: sss.*mdom.dom cd@d2.example.dom Original email address Replacement email address
sss@vvv.mdom.dom
ab@d1.example.dom
This example shows how the order of the search patterns affects the replacement email address. Email sent to sss@vvv.mdom.dom, goes to ab@d1.example.dom. If you change the order of the search patterns, the email goes to cd@d2.example.dom.
59
Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)
Transport Layer Security (TLS)

Transport Layer Security (TLS) provides privacy and data integrity between two communicating applications. TLS provides security by ensuring that the connection is both encrypted and authenticated. TLS encryption enables organizations to send and receive email securely. TLS provides authentication and communications privacy using gateway-to-gateway message encryption. TLS encryption uses the Secure Sockets Layer (SSL) to send and receive data. TLS allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives any data. TLS provides connection security because: The peer's identity can be authenticated using asymmetric, or public key, cryptography. The negotiation and exchange of the symmetric session key secret is secure. The negotiation is reliable. No attacker can modify the negotiation communication without being detected by the parties to the communication. SMTP servers and clients normally communicate over the Internet. Unencrypted messages may pass through uncontrolled entities, allowing a man in the middle to eavesdrop and tamper with messages. A secure SMTP server accepts communications only from SMTP agents it recognizes. After TLS encryption is enabled, the entire SMTP communication including the sending and receiving addresses is encrypted. If the server is authenticated, its certificate message may optionally provide a valid certificate from an acceptable Certificate Authority (CA). Authenticated clients may also be required to supply a valid certificate to the server. Each party is responsible for verifying that the other's certificate is valid and has not expired or been revoked. TLS uses the Secure Sockets Layer (SSL) to send and receive data. The underlying principles are: The server certificate must be sent to the client. If the certificate is signed by a CA that the client has in its trusted CA section, verification is successful. The sending of the client certificate is optional. The client sends a certificate to the server, if requested by the server. If the certificate is signed by a CA that the server has in its trusted CA section, verification is successful. You can: Specify the networks or domains with which the appliance will communicate using TLS. The participating organizations must also use TLS. Configure TLS encryption for outbound mail. The appliance encrypts the connection if the other end offers encryption. The remote server might be configured to require TLS before any SMTP mail is received. The server rejects the transfer if the appliance does not start TLS encryption with the server. Configure TLS encryption for inbound mail. The appliance can be configured to require TLS before any SMTP mail is received. The appliance rejects the transfer if the client does not start TLS encryption with the appliance. In the following example, the appliance sends email to the server using TLS. Therefore: The appliance (the TLS client) requires the CA certificate of the remote party, so that it can verify that the server certificate that comes from the remote party.
60
The email server (the TLS server) requires the certificate signed by the same CA as the client, and a private key associated with the certificate. NOTE: Set up the certificates using third-party certificate management software or obtain one from a public Certificate Authority.
1 Local email clients 2 Mail server 3 Appliance 4 Certificates at appliance
5 Internet 6 Certificates at email server of participating organization 7 Email server at participating organization
In this example: Several clients (1) need to communicate securely with an email server (7) by SMTP email over the Internet. The administrator has configured the network so that all internal email messages go from the email server (2) through the appliance (3), and configured the appliance so that all email sent from the appliance to the email server (7) uses TLS encryption. The appliance (3) and the email server (7) hold certificates (4 and 6 respectively) that were signed by a CA that they both recognize. The email server (7) sends a certificate (6) to the appliance (3) for verification against the list of trusted CAs. Also, the appliance might send a certificate (4) back to the email server (this depends on how the email server and the appliance are configured). Assume a user at a client computer tries to send email to a recipient at an external email server. In a typical communication: 1 The client sends an initial (EHLO) message to start the communication. In this example, TLS encryption is negotiated, so the server sends its certificate to the appliance. The appliance refers to its list of trusted CAs to verify that this certificate is valid. 2 3 The appliance sends a certificate to the email server for verification. The encrypted SMTP conversation is initiated.
Email | Email Configuration | Protocol Configuration | Transport Layer Security (SMTP) System | Certificate Management TLS Protocol How the appliance intercepts TLS connections Using certificates with appliances
61
TLS Protocol
TLS is designed to wrap around existing protocols. That means that the underlying protocol is exactly the same, but is entirely encrypted by TLS. A TLS-encrypted session is started up in the clear (unencrypted). During the protocol conversation, a command is given to start negotiation of an encrypted connection. This is often known as STARTTLS, because this is the name of the command that typically starts the encryption. After the negotiation is complete, the protocol continues encrypted. This method does not need a new port number. In addition to encryption, the TLS protocol can perform authentication by exchanging certificates between the client and server. TLS handshake Three different types of TLS handshakes can be used to start an encrypted session: Server certificate only The server sends its certificate to the client mail server, before negotiating which cipher (type of encryption) to use. This handshake is the most common. Client Client Hello . ----------------------> <---------------------<---------------------<---------------------Client key exchange Change cipher specification Finished ----------------------> <----------------------> <----------------------> Change cipher specification Finished Server Hello Server Certificate Server Hello Done Server
Server and client certificate Both server and client mail server send certificates to each other. This handshake is typically used by extranet websites or closed email servers. No certificates (anonymous connections) No verification of either party is done. This handshake is rarely used, and is not supported by the appliance. After the handshake, each party can send encrypted data. Data will be encrypted and sent until: One of the parties sends a TLS close message to shut down the connection. This is called the Polite Method. The TCP connection is closed. This is called the Impolite Method. SMTP and TLS The SMTP email protocol has an extension, defined in RFC 3207, which allows the SMTP link (not the actual email messages themselves) to be encrypted between two points if both parties agree. TLS is implemented using an extension to the existing protocol. A new port number is not required.
62
Comparison of a normal and an encrypted SMTP conversation The following two diagrams show an unencrypted SMTP conversation and one that is encrypted using a TLS Handshake:
Figure 1: Unencrypted SMTP conversation
Figure 2: Encrypted SMTP conversation 1 2 3 4 The STARTTLS command advises that encryption is available. The STARTTLS command is issued to advise that the connection can be encrypted from now on. The certificates are exchanged and the type of encryption is negotiated. Everything within this box is sent encrypted over the TLS link.
Email | Email Configuration | Protocol Configuration | Transport Layer Security (SMTP) RFCs (Request for Comments)
63
How the appliance intercepts TLS connections

In a conventional TLS communication, the server and the client mail server negotiate a single TLS connection. The server sends its public key to the client mail server. Optionally, the client also sends its public key to the server. Figure 3: Conventional TLS connection
S, C
Server, Client mail server Server Certificate
(Optional) Client Certificate
When using the appliance, however, two separate connections are required. Because the traffic is encrypted, and the appliance has no information about the private key, the appliance cannot intercept, decrypt, and scan the traffic. Instead, the appliance must sit between the mail servers to ensure end-to-end communication, so that it can scan traffic between them. The appliance (A) takes the place of the server in the previous diagram and sends its certificate to the client mail server. Then, a second connection is made with the server, using a certificate sent to the appliance. While the data is unencrypted and secure inside the appliance, the data can be scanned for threats. This is true for proxy and transparent connections and regardless of whether proxy mode or bridge mode or router mode is used.
Figure 4: Two TLS connections used with an appliance Some important points to remember about certificates when TLS is in use on the appliance: Server verification is mandatory. The server (S) sends its certificate to the client mail server (C). If the certificate is signed by a CA that the client mail server has in its trusted CA section, verification is successful. Client verification is optional. The client mail server (C) sends a certificate to the server (S). If the certificate is signed by a CA that the server has in its trusted CA section, verification is successful. Also, you can:
64
Specify the networks or domains with which the appliance will communicate using TLS. The participating organizations must also use TLS. Configure whether TLS encryption is required. Always the email must be encrypted. Email going to or from the appliance is rejected if encryption is not negotiated. When available The appliance encrypts email if either party negotiates encryption. If neither party negotiates encryption, email is sent in plain text. State the CAs to use (using the certificates that have been imported onto the appliance.) Email | Email Configuration | Protocol Configuration | Transport Layer Security (SMTP) System | Certificate Management | Certificate | TLS certificates and keys
Using certificates with appliances

Appliances use certificates to verify the identity of the server communicating with the appliance. Certificates can be issued by a certificate authority, or you can generate certificates yourself using freely available certificate tools, such as xca. (See http://sourceforge.net/projects/xca.) NOTE: Your own certificates are not trusted by the Root Certificate authorities that are automatically installed in browsers or email applications. Therefore, you must manually import your certificate into the browsers and email servers that communicate with your appliance by TLS. The advantage of creating your own certificate is that they are free and quickly obtained. How certificates work A certificate authority or certification authority (CA) is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. The CA certifies that the public key inside the certificate belongs to the person or entity named in the certificate. By doing so, users and other parties can rely on the information inside the CAs certificates. Certificate structure A digital certificate has the following structure: Issuer the name (and usually the location) of the organization that issued the certificate. Subject the name (and usually the location) of the person or organization to whom the certificate is issued. Key usage a list of possible uses for the certificate. For example: Signing other certificates. Verifying the identity of a server. Creating digital signatures. Encrypting and decrypting an email message Digital signature as with a paper certificate, the signature proves that someone else has independently verified the information printed on the certificate. Public and private keys When a certificate is generated, two digital keys are also created a public key and a private key. The keys are used to encrypt data and to create digital signatures.
65
A copy of the public key is sent with every copy of the certificate. The owner must keep the private key secret and never give the key to anyone else. Data that is encrypted with the public key can be decrypted only by the private key. Data encrypted with the private key can be decrypted only by the public key. Types of certificates The two types of certificates are: Certificate Authority (CA) certificate a special kind of certificate that is permitted to sign other certificates. Its only function is to sign other certificates to guarantee their authenticity. CA certificates are already installed in some applications, such as web browsers and email clients. The certificates can be used to establish trust during a TLS conversation. You can usually import other CA certificates if you need to trust a new host or organization. Do this with caution though. A Root CA is the highest level in the certificate hierarchy and it is signed by itself. An intermediate CA can be signed by a root CA or another intermediate CA. A series of intermediate Certificate Authorities can be used to establish a chain of trust. Non-CA (ordinary) certificate a non-CA certificate that is not permitted to sign other certificates. This certificate is used by a server or client uses this certificate to prove their identity. This type of certificate must be signed by a recognized CA before it is trusted by another host. Certificate Revocation Lists Sometimes, a certificate can no longer be trusted because it has expired, been superseded, or a private key has been compromised. The certificate's issuer then publishes the details, typically just the serial number, of the invalid certificate in a Certificate Revocation List (CRL). Updated CRLs are typically issued every few months. From the appliance, you can schedule regular downloads or import CRLs directly. McAfee also supplies CRLs as part of the software patches for the appliance. Email | Email Configuration | Protocol Configuration | Transport Layer Security (SMTP) [+] Certificate Management System | Certificate Management
POP3
POP3 is the Post Office Protocol for collecting email from a remote server. This section describes the appliance's support for POP3. Contents
Dedicated ports
POP3 allows email messages to be downloaded (pulled) from a mailbox on a remote server. The modes of operation are: Generic connection allows connection to any POP3 server, but does not support Authenticated POP (APOP). If you configure the appliance with a port number for generic connections, your POP3 clients (software) do not need to specify the port number whenever they make a generic POP3 connection through the appliance.
66
Dedicated connection allows connections to dedicated POP3 servers with APOP. If a user makes a dedicated proxy connection through the appliance, the appliance uses one of its own ports to reach the POP3 server. For example, if the dedicated ports are specified as in the next table, all requests on port 456 are directed to the second POP3 server. Table 16: Example of dedicated ports and POP3 servers
POP3 server pop3server1.example.com pop3server2.example.com pop3server3.example.com Port 123 456 789
Specify a unique port number for each server. Choose port numbers in the range 1024 to 65535, because numbers below 1024 are generally assigned to other protocols. The server must have an FQDN, for example pop3server.example.com. You can use the default generic proxy port (110) for a dedicated proxy connection. The dedicated connection overrides any generic connections. Email | Email Configuration | Protocol Configuration | Connection Settings (POP3)
POP3 protocol policies

To set policies that control the communication between the appliance and computers in your networks, you can configure the following advanced policy features: Server Keepalives The appliance can repeatedly send a POP3 command to prevent the connection between the appliance and the mail server timing-out. Specify the command and how long the appliance will wait between keep-alive commands. Client Keepalives The appliance can repeatedly send a POP3 command to prevent the connection between the appliance and the POP3 mail client timing-out. You specify how often the appliance will send a keep-alive command. Address Delimiters You can specify how to interpret the user's address when a generic proxy connection is made through the appliance. You can specify the characters that identify each part of that address. By default, the user name part of the address is separated from the host name by a hash (#), and the host information is separated from the port number by a colon (:). For example, <user name>#<host name>:<port number>. NOTE: Change the delimiter characters only if your POP3 user names contain the delimiter character. POP3 Extensions Specifies whether the appliance responds to CAPA (capability) requests. To discover which POP3 extensions are supported by any POP3 server, POP3 uses the CAPA command. The command returns a list of extensions supported by the POP3 server. It is available in both the AUTHORIZATION and TRANSACTION states. Email | Email Configuration | Protocol Configuration | Protocol Settings [+] POP3 protocol settings
Receiving Email menu

Use these pages to examine the source of incoming email, and thereby avoid unnecessary scanning and false alarms.
67
Menu location: Email | Email Configuration | Receiving Email When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Permit and Deny Lists What you can do from this part of the interface Use this page to build a list of IP addresses, networks and users that are permitted, blocked or temporarily blocked from connecting to the appliance. Use this page to prevent the appliance being used as an open relay. Use this page to prevent attacks from zombie networks, bogus recipient names, and directory harvesting. Use this page to combat backscatter bounced email that was not originally sent from your organization.
Anti-Relay Settings Recipient Authentication
Bounce Address Tag Validation
Further information
Permitted and blocked senders

To prevent unauthorized senders from using the appliance to deliver email messages, the appliance maintains two lists: Permitted senders specifies sources from which email messages are permitted. Blocked senders specifies sources from which email messages are to be denied, or are considered unwanted sources. Each list can contain email addresses, networks, and domains. If you already have this information in text form, you can import it as a .CSV file. You can also manually make a list of this information. Having made the lists, you can specify how the appliance responds to email messages that come from any source in the list of blocked senders. For example, the appliance can reject the email message and close the connection. You can specify whether the appliance: Uses DNS to resolve hostnames to IP addresses from a domain name. These lookups take place when the SMTP proxy is initialized. Uses DNS to do a reverse lookup of the sending IP address to match domains in the list. Because this requires an extra lookup for each connection, this can affect performance. Email | Email Configuration | Receiving Email | Permit and Deny Lists
Blocked connections
When an email message triggers the Deny Connection action, the appliance adds information about the connection to the Blocked Connections list. To see the list, select Email | Email Configuration | Receiving Email | Permit and Deny Lists in the navigation bar. The appliance blocks a connection only temporarily. During the lockout period, the appliance rejects any further email from the connection, thereby preventing a possible denial-of-service attack. To set the lockout period, select Email | Email Configuration | Protocol Configuration | Protocol Settings in the navigation bar, then open Denial of service prevention. At the Blocked connections list you can:
68
View currently denied connections. Immediately unblock some connections. Specify the maximum number of denied connections. If the limit is reached, the appliance can add no further connection address to the list until the lockout period of another connection expires. To prevent the appliance adding a connection to the Blocked connections list regardless of any Deny Connection action , you can add the connection to the Permitted Connections list. NOTE: Permitting a connection does not override the lockout period. For example, if the lockout period is 600 seconds and you change the connection to permitted within the 600 seconds, the appliance continues to block the connection until the 600 seconds have elapsed. This is why a connection can temporarily appear in both the Blocked connections and Permitted connections lists. Email | Email Configuration | Receiving Email
Anti-relay
Relaying is often used for malicious purposes such as mail bombing or spamming. The anti-relay feature prevents unscrupulous third parties from using the appliance, or the mail servers that it protects, to deliver mail for them. Consider the consequences of your clients receiving distasteful, relayed messages that appear to come from your organization. The anti-relay feature prevents such embarrassment and protects the professional image of your organization. NOTE: Email messages with addresses that contain special routing characters such as % can be permitted or denied access. Only networks and domains specified as local domains or permitted domains can use the appliance to relay messages. When you configure the list of networks using the Installation Wizard or the Setup Wizard, the information is used to populate the list of local domains. All local domains must also be valid domains in the DNS, otherwise email messages will be rejected. If the list of domains has no local domains, the appliance is an open relay, accepting and passing on all the email messages it receives, even if the list includes Denied domains or Permitted domains. If the list of local domains is not empty, the appliance checks the email messages that pass through it. For each message, the source IP address and recipients are checked against the type of domain Local domain, Denied domain or Permitted domain.
Example 1 2 3 Local Domains Deny Domains Yes Yes No Permit Domains Yes No No Outcome Allowed Rejected Allowed
Example 1 If the message matches an entry that is a Permitted domain, the message is allowed through, even if the message matches entries in the other lists. Example 2 If the message does not match an entry that is a Permitted domain, but matches an entry that is a Denied domain, the message is rejected, even if the message matches a Local domain entry.
69
Example 3 If the message only matches an entry that is a Local domain, the message is allowed through. The following information is specified for each type of domain:
Type Network address Domain Format <IP address>, <IP subnet mask> <domain> Example 192.168.254.200, 255.255.255.0 *.example.com
In all three types, you can specify several IP address ranges and domains. When checking each message to determine a match, the appliance interprets the entries as follows: IP address or IP address range entry the appliance checks the message's source IP address (the sending server) for a match. Domain entry the appliance checks the message's destination email address (the recipient) for a match. If the Domain entry has A records on the DNS server, this address is also checked against the source IP address. Wildcard domains the appliance checks the message's destination email address for a match. NOTE: Anti-relay does not support reverse lookup. Any reverse lookup will be denied and email will not get through. If the appliance receives an email message addressed to a specific IP address, it interprets the entries as follows: IP address or IP address range entry the appliance checks the message's source IP address and the destination email address for a match. Domain entry the appliance accesses the A records using DNS to retrieve the domain's corresponding IP address. The appliance then checks the message's source IP address and the destination email address against the IP address for a match. You cannot use wildcard characters to specify these domains, because the IP addresses cannot be determined. Email | Email Configuration | Receiving Email | Anti-Relay Settings
Why you need anti-relay

Relaying is often used for malicious purposes such as mail bombing or spamming. The anti-relay feature prevents unscrupulous third parties from using the appliance, or the mail servers that it protects, to deliver mail for them. Consider the consequences of your clients receiving distasteful, relayed messages that appear to come from your organization. The anti-relay feature prevents such embarrassment and protects the professional image of your organization. The appliance's anti-relay feature prevents the forwarding of email (SMTP) messages that do not originate in a domain that the appliance is configured to accept. Sites that forward all messages are commonly called open relays and are considered undesirable. Email | Email Configuration | Receiving Email | Anti-Relay Settings
Greylisting service
Spammers often exploit other computers (zombies) to deliver their spam. The appliance uses a greylist to block such attacks.
70
The greylist records a triplet three pieces of information for each email message: the sender's IP address, the email address of the sender, the email address of the recipient. When the appliance first encounters this combination, it records the triplet in its greylist, then returns a Temporary Service Error message. The appliance then ignores any retries for a period, typically one hour. Managing the greylist To create an effective greylist, the appliance must record the triplets of regular email senders to your network. The records can grow quickly so the appliance deletes records as follows: Any email address that did not try sending again. Genuine email senders retry many times over many hours or days. Zombies typically do not resend email. Any email address that the appliance has not encountered for over 36 days. Although you can change it, we recommend this number for handling regular email such as monthly newsletters. Old email addresses. As the number of records approaches a specified limit, the appliance removes records of senders that it has not encountered for some time. Email | Email Configuration | Receiving Email | Recipient Authentication
How greylisting deters zombies

Zombies typically cannot resend email messages, therefore their spam email messages are blocked without the need for scanning. Genuine senders will retry, often many times over several hours, or even days. When the appliance next encounters the attempt, it allows the email to proceed. Thus, genuine, regular senders are not delayed when sending further email. To avoid delaying trusted senders from outside networks, we recommend that you configure your policies to prevent greylisting being applied to those policy groups. Additionally, to overcome delays caused by anti-spam measures on other devices, configure your policies to handle SMTP callback requests. This overcomes delays caused by anti-spam measures on other devices. If an email server is configured to verify senders, it issues an SMTP callback typically an email message with a null sender before accepting an outgoing email message. If the appliance rejects such return email at the RCPT TO phase, all outgoing email is unnecessarily delayed. When this feature is selected, the appliance postpones the Temporary Service Error until the later DATA phase. Because SMTP callbacks complete their delivery attempt before the DATA phase, the SMTP callback is successful. Email | Email Configuration | Receiving Email | Recipient Authentication [+] Greylisting
Permitted recipients and directory harvest prevention

This feature applies only to policies that affect email from outside networks. Spammers try to build lists of valid email addresses from unprotected email servers. In a directory harvest attack (DHA), a spammer sends an email message to numerous email addresses that are generated from a scripting program. When a mail server receives an email message, it checks the recipient's email addresses. If the email server recognizes the email address as genuine, it accepts the email message for that user. The email server returns a message if the
71
sender is not recognized. The names from accepted email messages are harvested by the spammer who can sell the names to other spammers. The appliance identifies directory-harvest attacks by comparing the number of valid and invalid recipients in an email message. The appliance enables you to select the methods to prevent directory-harvest attacks for different modes. These include tarpitting (slowing the responses down), and denying connections and quarantining the email. The appliance can also block any email message that has a large number of recipients, because this often indicates an attack. To prevent directory harvest attacks and attacks that issue large numbers of email messages (known as flooding), you can provide the appliance with a list of permitted recipients. Your network might already have this information on its LDAP servers. Alternatively, you can import a list of email addresses from a text file. NOTE: Directory Harvest Prevention might not work as expected with some email servers. You can specify the actions against directory-harvest attacks for each circumstance:
Condition The appliance operates in a transparent mode. The appliance operates in Explicit Proxy mode. The email message is deferred and is to be retried. Possible actions Off, Tarpit,Tarpit then deny connection,Deny connection (default) Off, Deny connection (default) Off, Deny connection, Deny connection and quarantine mail (default)
Email | Email Configuration | Receiving Email | Recipient Authentication [+] Directory harvest prevention
How directory-harvesting attacks work

Spammers need lists of valid email addresses for their advertising campaigns. They can also sell the lists to other spammers. The spammer sends an email message with numerous email addresses, typically using varied forms such as user_1@example.com, user.1@example.com, and user1@example.com. Although the mail server for example.com rejects the many invalid email addresses, any acknowledgements provide the spammer with a list (or "harvest") of usable email addresses. Email | Email Configuration | Receiving Email | Recipient Authentication [+] Directory harvest prevention
Directory Harvest Prevention does not work!

For Directory Harvest Prevention to work correctly, your email server must check for valid recipients during the SMTP conversation, and then send a non-delivery report. Several email servers do not send "User unknown" errors as part of the SMTP configuration. These include (but might not be limited to): Microsoft Exchange 2000 and 2003 (when using their default configuration). qmail. Lotus Domino. Check the user documentation for your email server to see if your email server can be configured to send 550 Recipient address rejected: User unknown reports as part of the SMTP conversation when a message to an unknown recipient is encountered.
72
LDAP integration can provide a work around for this. Email | Email Configuration | Receiving Email | Recipient Authentication [+] Directory harvest prevention
DKIM signing
When you enable DKIM signing, you specify various details for signing, such as domain name, private key, and selector. Several options are available when signing email: Selector and Domain Name. During verification, the recipient extracts your Selector and Domain Name from the signature to retrieve the public key associated with the appliance's private signing key. For example, if your Selector is mail and your Domain Name is example.com, the recipient must issue a DNS query for the TXT record of mail._domainkey.example.com. Canonicalization describes how formatting is handled within the headers and body of the email message. During transit, mail servers might change some parts (known as white space) of the email message typically tabs, spaces and end-of-line characters. When the recipient generates the hash from the message, such changes result in a different hash, so the message will not verify successfully. If you specify relaxed canonicalization, the appliance creates the signature after ignoring much of the white space. Then any such changes to the email will likely have no effect, allowing the recipient to verify the message successfully. Simple canonicalization creates a signature based exactly on the original content of the message and therefore tolerates almost no changes to the email message. Signed Headers. The appliance usually creates the cryptographic signature based on all the headers in the email message. However, you can choose from common headers such as Date and Subject, or type your own header names, separated by colons. The From header is mandatory and is always signed. Header names are in English only. Signing Identity. Signing Identity is used to delegate signing responsibilities to other users or agents (such as a mailing list manager). The value can either be a full email address (such as mailer@domain1.example.com or mailer@example.com) or an email address with no local part (such as @domain1.example.com). The domain part of the signing identity must be the same as the Domain Name (described earlier), or one of its subdomains. In most cases, the signing identity is not used. Expiry. You can specify a date for the expiry of the signature. If the email message is presented for verification after the specified date, verification fails. Email | Email Configuration | Sending Email [+] DKIM signing Example DKIM Signature The settings at the Key Signing Options dialog box are:
Domain Name Selector Signing Key Canonicalization example.com mail mykey (the private key) header=simple; body=relaxed
73
Sign These Headers Key expiry
All Headers Eternal
These settings create a signature of the form:

DKIM-Signature: v=0.8; a=rsa-sha256; d=example.com; s=mail; c=simple/relaxed; t=1117574938; h=from:to:subject:date; bh=KlZ6kar4beHQQIM3kDrEYk84UsrIEaIyeSVvRLxkou; b=tvJWl6m1uOVNEIgL+ByQb7kb4NN9mXmWlfomvx4a8Ffpr ... PCNfx62m/v2VJpABQMb694Uzl+k=
The signature has the following information: The version (v) of the protocol is 0.8, with which the email message was signed. The cryptographic algorithm (a) is RSA-SHA256. The domain name (d) is example.com. The selector (s) is mail. The canonicalization (c) is simple for the mail header, and relaxed for the body. The time stamp (t), stating when the email was signed. The headers (h) that contain the from, to, subject and date information are signed in this email message. The hash (bh), derived from the body of the email message. The cryptographic signature of the body (b) of the email message. The verifier will then need to look up a DNS TXT record for mail._domainkey.example.com. Here, mail is the selector (s) value, and example.com is the domain (d) value. The DNS TXT record entry might look like this example:
mail._domainkey IN TXT "p=MIGvMA0GCSqGSIb3DQEBAQUAA4GdADCBmQKBk ... P+ux5yOktxZ0WEJl2nUuHjU2HgJ ... 692dWTR0kZvkMEpJ/2s8CAwEAAQ=="
where p= contains the public key derived from the private signing key, mykey. The options in the DNS text record are defined in Creating DNS TXT records for use with DKIM. Creating DNS TXT records for use with DKIM This section describes the DKIM fields for the DNS record.
Tag Mandatory/ optional Optional Optional Description
v=DKIM1 h
If present, this must be the first entry in the TXT record. Hashing algorithm registry. List of acceptable hashing algorithms for generating the signature. Acceptable values are sha1, sha256, sha1:sha256. Public key. Normally this is the public key for the private key that generated the signature. p=; means the key has been revoked. Granularity of the key. If present, this value must match the local-part of the signing identity tag of the DKIM signature (or its default value of the empty string if there is no signing identity tag (i=) in the DKIM signature), with a single, optional * character (wildcard) that matches a sequence of any number of characters. Default is g=*;. Acceptable values are g=; , g=*; or g='local part of email address'. g=; means no value is mentioned for the g tag. An asterisk in the g tag means any number of characters. If g=; , the signature must not have a signing identity because this results in failure. If g=; and the signature has no signing identity, g=; has no effect. If g has a value other than g=; or g=*;, the value of g must match the local part of the signing identity, otherwise verification fails with a Public
Mandatory
Optional
74
Tag
Mandatory/ optional
Description key user granularity error. For example, if g=mail*, the local part of the signing identity must begin with mail, for example, Mail.manager@smtp.domain1.dom.
Optional
Selector flag registry. Acceptable values are t=s; t=y; and t=y:s. t=y The public key is in testing mode. Even if the DKIM signature fails verification, it is considered successful because it is in this mode. To aid diagnosis, the appliance adds the failure reason to the email header and states that the key is in test mode. t=s The domain in i in the signature must be the same as the value of d. That is, no subdomains are allowed to use the key. t=y:s The key is in testing mode and no subdomains are allowed.
k Optional
Key type registry. Type of key used in the p tag. Currently, the only supported value is rsa. Service type registry. List of service types to which this selector can apply. Acceptable values are email, or * (default). If the value is neither, the appliance fails to verify the signature, citing a Public key service type error. Notes for the DNS record. These are rarely used because the DNS TXT record has a limited length to hold the public key. The appliance ignores this key when verifying a signature.
Optional
Optional
Example This is an example of a DNS text record (Bind version 9 entry):

key1024._domainkey IN TXT "t=s; k=rsa; p=MIGfMIb3DN6INaAQ34dYLQ ... D4QaB"
where:
key1024 p= t=s k=rsa The name of the selector. The public key. The string of characters has been shortened for clarity. No subdomains are allowed in the signing identity. The key type is RSA.
The record must be in a single line.
Retryer
If the appliance cannot deliver an email message, it can try to deliver the message later. You can specify: How often the appliance tries to forward a stored email message. Typically the appliance retries every few minutes or hours. How long the appliance will try to forward an email message before it drops the message. The number of retryers (processes) that can try to forward messages at the same time. Email | Email Configuration | Sending Email [+] Queued Email Delivery
Choices for delivering email

You can specify the methods for delivering scanned SMTP email messages.
75
Preventing email threats Email Policies menu
Policy Based Relays To relay messages that require encryption (for example, because of confidential content) Hosts You can specify a Fully Qualified Domain Name (FQDN), an IP address or an IP address and port number, separated by a colon (:). Domain Relays To relay email messages destined for specific domains to particular mail servers. Add the following information for each domain relay: Domains To create a single relay that routes messages from all domains, use the * wildcard symbol. If you position the wildcard entry beneath other entries in the list, the other entries are tried first, then the wildcard entry routes messages for all other relays. Hosts Specify network addresses and domains here. If you type more than one network address and/or domain, separate them by a space. The appliance tries these addresses in the order you type them. NOTE: Identify the fastest or most reliable server first because the appliance tries the relays in order. DNS If no Domain Relays are specified, allow the appliance to look up mail recipients' IP addresses using DNS. If the appliance cannot resolve an email address to an IP address, the appliance tries to deliver the message to the entries in its list of fallback relays. If the message still cannot be delivered, it is rejected. Fallback Relays To route email messages that cannot be delivered using DNS resolution. This list contains relays for local hosts, such as mail servers and enables the appliance to try local domains, to route undeliverable messages into the organization. You can add as many relays as you want. Fallback relays are typically Internet Service Providers (ISPs). Because the appliance tries them in order, list the most common first. Add the following information (as described under Domain Relays) for each fallback relay: Domain. Postmaster Postmaster The postmaster handles queries from senders about email messages that were returned because of a virus or content. NOTE: We recommend that you assign a postmaster, so that queries from your users are dealt with promptly. The postmaster must be someone who reads email regularly. You can use the name of a single user or a distribution list. Email | Email Configuration | Sending Email
Email Policies menu

Use these pages to manage policies and dictionaries that apply to email. Menu location: Email | Email Policies When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Scanning Policies What you can do from this part of the interface Use this page to make policies for handling threats in email. Policies define how the appliance handles threats such as viruses, spam, and other content.
76
Tab Dictionaries
What you can do from this part of the interface Use this page to change the lists of words and phrases that you want to ban from email. You can edit the dictionaries and make your own.
Further information What is a content filter dictionary?
Email Scanning Policies menu

Use this page to make policies for handling threats in email. Links under the following headings go to further pages, where you can configure the features of the appliance. Anti-Virus Spam Content Scanner Options Anti-Virus Menu location: Email | Email Policies | Scanning Policies [Anti-Virus] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link Virus Spyware What you can do from this part of the interface Use this page to specify basic options for anti-virus scanning. Use this page to specify the actions to take against potentially unwanted programs. Use this page to specify the actions to take against packers. Packers compress files, which changes the binary signature of the executable. Packers can compress Trojan-horse programs and make them harder to detect.
Packers
Spam Menu location: Email | Email Policies | Scanning Policies [Spam] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link Spam Phish What you can do from this part of the interface Use these pages to manage spam by specifying thresholds and blacklists. Use this page to specify how to handle phishing email. Phishing is the illegal activity of using spoofed email messages to persuade unsuspecting users to disclose personal identity and financial information. Criminals can use the stolen identity to fraudulently obtain goods and services and to steal directly from bank accounts. Sender Authentication Use these pages to manage the use of authentication systems such as DKIM and SPF.
77
Content Menu location: Email | Email Policies | Scanning Policies [Content] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link File filtering What you can do from this part of the interface Use this page to create a rule that controls the movement of files according to their category, name, or size. By restricting large files and some other types of file, you can help control the use of bandwidth in your network. (Not available with POP3.) Mail size filtering Content scanning Use this page to specify how to handle large email messages. Use this page to specify how the appliance handles items that contain banned content. The banned terms are in one or more dictionaries. (Not available with POP3.)
Scanner options Menu location: Email | Email Policies | Scanning Policies [Scanner Options] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link Scanning limits What you can do from this part of the interface Use this page to set limits on scanning to prevent attacks and other performance issues. Use these pages to specify how the appliance handles some types of email content. Use this page to control the format and appearance of the alert message that users receive when the appliance detects a threat. Use these pages to manage the sending of email that the appliance automatically generates, and the redirection of email for special processing. (Not available with POP3.)
Content handling Alert settings
Notification and Routing
Further information
Settings for scanning viruses and similar threats

The anti-virus settings in a policy protect the network and its users from: Viruses Spyware Adware Various kinds of malware (malicious software) and other potentially unwanted software. Viruses The appliance can clean each virus before it alters or destroys any data. If the virus cannot be cleaned, the appliance can take some other action such as deleting the file that contains the virus, or moving the file to a safe quarantine area. The appliance updates itself regularly and automatically to protect your network against new viruses.
78
Computers in your network might already have some anti-virus protection, so you can adjust the level of protection that the appliance provides. For example, scanning inside archive files (such as ZIP files) might not be necessary because any file inside them cannot become active until it has been extracted. An on-access (or real-time) scanner will typically detect such files. Packers Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses, making them harder to detect. Spyware Spyware can steal information and passwords. This category includes potentially unwanted programs (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too is among these nuisances, because it distracts employees from their normal work. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Web Scanning Policies menu Using anti-virus scanning
Using anti-virus scanning

The appliance uses the McAfee anti-virus scanning engine and anti-virus definition (DAT) files to scan and clean network traffic. The scanners detect known viruses, new viruses and variants. The scanners can also detect potentially unwanted programs (PUPs) such as spyware, adware, and cookies. Traffic for a specific protocol is only scanned if that protocol is enabled and scanning is enabled in at least one direction. By default, all protocols are enabled, and traffic is scanned in both directions. The appliance shares its resources between the protocols. It scans each protocol's inbound and outbound traffic. If you disable scanning for either direction, traffic passes through the appliance unscanned in that direction. CAUTION: Do not disable anti-virus scanning for any enabled protocol unless you are scanning its traffic elsewhere in your network. Allowing unscanned traffic to enter your organization leaves it vulnerable to infection. Configure your other network devices to route the protocols through the appliance, so nothing can bypass the appliance. Only traffic that passes through the appliance, or that is routed to the appliance in the case of Explicit Proxy mode, is scanned. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Settings for scanning viruses and similar threats
Anti-Virus
Viruses and other malicious software can destroy or steal data.
79
Contents Anti-virus features Settings for scanning viruses and similar threats What is a potentially unwanted program (PUP)? Types of anti-virus scanning Customized anti-virus settings Detection of new and unknown viruses Special actions against packers and PUPs Settings for scanning viruses and similar threats Anti-virus features Settings for scanning viruses and similar threats What is a potentially unwanted program (PUP)? Types of anti-virus scanning Customized anti-virus settings Detection of new and unknown viruses Special actions against packers and PUPs Anti-virus features The appliance's anti-virus software does the following: Detects and cleans viruses. Protects your network from potentially unwanted programs (PUPs). The appliance can be configured to: Enable or disable detection of potentially unwanted programs. Detect specific types of potentially unwanted programs, such as mass mailers and Trojan horses. Detect named malware. Take specific actions when malware is detected. Protects your network from named packers. You can add and remove packer names from the list of packers that will be detected. Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses and make them harder to detect. The appliance can be configured to: Detect named packers. Exclude named packers from detection. Take specific actions when a packer is detected. Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might want to remove them. CAUTION: McAfee anti-spyware software detects and, with your permission, removes potentially unwanted programs. Some purchased or intentionally downloaded programs act as hosts for other potentially unwanted programs. Removing these potentially unwanted programs may prevent their hosts from working. Review the license agreement for these host programs for further details. McAfee does not encourage nor condone breaking any
80
license agreements. Read the details of license agreements and privacy policies carefully before downloading or installing any software. Automatically scans within compressed files. Automatically decompresses and scans files compressed in the packages that include PKZip, LHA, and ARJ. Detects macro viruses. Detects polymorphic viruses. Detects new viruses in executable files and OLE compound documents, using a technique called heuristic analysis. Upgrades easily to new anti-virus technology. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Settings for scanning viruses and similar threats The anti-virus settings in a policy protect the network and its users from: Viruses Spyware Adware Various kinds of malware (malicious software) and other potentially unwanted software. Viruses The appliance can clean each virus before it alters or destroys any data. If the virus cannot be cleaned, the appliance can take some other action such as deleting the file that contains the virus, or moving the file to a safe quarantine area. The appliance updates itself regularly and automatically to protect your network against new viruses. Computers in your network might already have some anti-virus protection, so you can adjust the level of protection that the appliance provides. For example, scanning inside archive files (such as ZIP files) might not be necessary because any file inside them cannot become active until it has been extracted. An on-access (or real-time) scanner will typically detect such files. Packers Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses, making them harder to detect. Spyware Spyware can steal information and passwords. This category includes potentially unwanted programs (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too is among these nuisances, because it distracts employees from their normal work. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Web Scanning Policies menu
81
Using anti-virus scanning What is a potentially unwanted program (PUP)? Potentially unwanted programs (PUPs) are not considered to be malware like viruses and Trojan horses. Some software programs written by legitimate companies might alter the security or privacy of the computer where they are installed. This software can include spyware, adware, and dialers, and might be downloaded unwittingly with a program that the user wants. Cautious users prefer to know about such programs, and in some cases, remove them. Email | Email Policies | Scanning Policies [Anti-Virus] McAfee Anti-spyware Types of anti-virus scanning Scanning default file types Normally the scanner examines only the default file types in other words, it concentrates its efforts on scanning those files that are susceptible to viruses. For example, many popular text and graphic formats are not affected by viruses. Currently the scanner examines over 100 types by default, which includes .EXE and .COM. Scanning all files Some operating systems such as Microsoft Windows use the extension name of a file to identify its type. For example, files with the extension .EXE are programs. However, if an infected file is renamed with a harmless extension such as .TXT, it can escape detection. The operating system cannot run the file as a program, unless it is renamed later. This option ensures that every file is scanned. Scanning files according to file type Some operating systems such as Microsoft Windows use file name extensions to identify the type of file. For example, files with the extension .EXE are programs, files with the extension .TXT are simple text files. You can specify the types of files you want to scan according to their file name extension. Scanning inside archive files By default, the scanner does not scan inside file archives such as .ZIP or .LZH files because any virus-infected file inside them cannot become active until it has been extracted. Finding unknown viruses An anti-virus scanner typically detects viruses by looking for the virus signature, which is a binary pattern that is found in a virus-infected file. However, this approach cannot detect a new virus because its signature is not yet known, therefore the scanner uses another technique heuristic analysis. Program file heuristics scans program files and identify potential new file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identify potential new macro viruses. Treating all macros as infected Macros inside documents are a popular target for virus writers. Therefore for added security, you might consider scanning all files for macro viruses, and optionally removing any macro that is found, regardless of whether it is infected. Scanning compressed program files
82
Compressed files (such as those compressed with PKLITE). If you are scanning selected file extensions only, include the needed compressed file extensions in the list of file extensions to be scanned. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Customized anti-virus settings Besides giving you the levels of scanning (such as default file types, which scans only the most susceptible files), the appliance also allows you to specify various options when scanning for viruses. Although more options can provide greater security, scanning will take longer. The scanning capabilities are: Detect possible new viruses in programs and documents. Documents that carry a virus often have distinctive features such as a common technique for replicating themselves. Using heuristics, the scanner analyzes the document to detect these kinds of computer instructions. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses. Scan inside archive files. By default, the scanner does not scan inside file archives such as .ZIP or .LZH files because any infected file inside them cannot become active until it has been extracted. Scan default file types. Normally, the scanner examines only the default file types it scans only those files that are susceptible to infection. For example, many popular text and graphic formats are not affected by viruses. Currently, the scanner examines over 100 file types by default, including .EXE and .COM. Scan all files. This option ensures that every file is scanned. Some operating systems, such as Microsoft Windows, use the extension names of files to identify their type. For example, files with the extension EXE are programs. However, if an infected file is renamed with a harmless extension such as TXT, it can escape detection and the operating system can run the file as a program if it is renamed later. Scan files according to file name extension. You can specify the types of files you want to scan according to their file name extensions. Treat all macros as viruses. Macros inside documents are a popular target for virus writers. Therefore, for added security, consider scanning all files for macro viruses, and optionally removing any macros found, regardless of whether they are infected. Scan compressed program files. This is used to scan compressed files such as those compressed using PKLITE. If you are scanning selected file extensions only, add the appropriate compressed file extensions to the list. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options
83
Web | Web Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Detection of new and unknown viruses An anti-virus scanner uses signatures and heuristic analysis to detect viruses. A virus signature is a binary pattern found in a virus-infected file. Using information in its anti-virus definition (DAT) files, the scanner searches for those patterns. This approach cannot detect a new virus because its signature is not yet known. Therefore another technique, known as heuristic analysis, is employed. Programs that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or self-propagate. The scanner analyzes the program code to detect these kinds of computer instructions. It also searches for legitimate behavior, such as prompting the user before taking action, and thereby avoids raising false alarms. To avoid detection, some viruses are encrypted. Each computer instruction is a binary number, but the computer does not use all the possible numbers. By searching for unexpected numbers inside a program file, the scanner can detect an encrypted virus. Using these techniques, the scanner can detect known viruses, and many new viruses and variants. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Special actions against packers and PUPs The appliance handles most detections according to the actions that you specify on the Basic Options tab. To specify that a scanner on the appliance handles some packers and PUPs differently, use the Custom Malware Options tab. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Problems with alerts for mass mailers Normally, the appliance handles all potentially unwanted programs in the same way. However you can specify that certain types are handled differently. For example, you can configure the appliance to inform the sender, the recipient and an administrator with an alert message whenever a virus is detected in an email message. This feature is useful because it shows that the anti-virus detection is working correctly, but it can become a nuisance if a mass-mailer virus is encountered. Mass-mailer viruses (for example Melissa and Bubbleboy) propagate themselves rapidly using email. Numerous alerts are generated, and these can be as annoying as the surge of detected email messages that has been blocked. The appliance can handle any mass-mailer virus separately from other types of virus. You example, you can choose to discard the detected document immediately, and thereby suppress any alert messages that will otherwise be generated. Email | Email Policies | Scanning Policies [Anti-Virus] Custom Malware options Settings for scanning viruses and similar threats
84
Artemis technology This technique reduces the delay between McAfee's detection of a new malware threat and when a customer receives and installs a detection definitions (DAT) file. The delay can be 24 72 hours. How the feature works 1 2 The appliance scans each file, comparing its code against the information (or signatures) in the current detection definitions (DAT) file. If the code is not recognized and is suspicious, for example, the file is packed or encrypted, the appliance sends a small definition (or fingerprint) of that code to Artemis an automated analysis system at McAfee. Millions of other computers with McAfee software also contribute fingerprints. McAfee compares the fingerprint against a database of fingerprints collected worldwide, and informs the appliance of the likely risk within seconds. Based on settings in the scanning policies, the appliance can then block, quarantine, or try to clean the threat.
If McAfee later determines that the code is malicious, a DAT file is published as usual. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Settings for scanning viruses and similar threats
Settings for scanning spam and similar threats

The spam settings in a policy protect the network and its users from: Spam email Phish email Email from unknown or unwanted senders The appliance scans the headers and content of email messages, and uses these techniques: Anti-spam Anti-phish Sender authentication Spam Unwanted email messages such as spam reduce productivity by distracting employees and reduce the bandwidth and storage capacity available for genuine business use. The appliance can use DNS block lists to block unwanted email messages from particular sources. The appliance updates itself regularly and automatically to protect your network against the senders' latest tactics. Phish Phishing messages try to steal the identity of unsuspecting users. The stolen identity is used to fraudulently obtain goods and services. The appliance updates itself regularly and automatically to protect your network against new phishing tactics.
85
Sender authentication Many email attacks are made by individuals or organizations that you do not recognize, or that masquerade as known senders. To counteract such attacks, the appliance offers several methods that examine the sender's details: TrustedSource The appliance uses an online service to verify whether the sender's IP address has recently sent email that contained viruses, phish, spam, or was part of a directory-harvest attack. Real-time Blackhole List The appliance compares senders against regularly updated lists of potential sources of spam. Sender Policy Framework The appliance checks the validity of the domain hosts that sent the message, preventing forged addresses in the SMTP MAIL FROM (Return-Path). Sender ID The appliance verifies the IP address of the sender with the stated owner of the sending domain. Domain Keys Identified Mail The appliance examines a header (which is like a digital signature) inside the email message to verify the sender and the integrity of the message. Email | Email Policies | Scanning Policies [Spam]
Spam
Spam is any unsolicited and unwelcome email message. It includes commercial email messages, the electronic equivalent of junk mail, and unwanted non-commercial email messages, such as virus hoaxes, jokes, and chain letters. Often spammers (those who create spam) forge the headers of their email messages to hide their true identity, often deflecting the blame toward innocent parties. Contents What is spam? Problems with identifying spam About spam scores How McAfee tackles spam About spam scores and actions Anti-spam policy Example of spam reporting How to update your anti-spam protection Handling of missed spam Tips to reduce spam What is spam? Spam is any unsolicited and unwelcome email message. It includes commercial email messages, the electronic equivalent of junk mail, and unwanted non-commercial email messages, such as virus hoaxes, jokes, and chain letters. Often spammers (those who create spam) forge the headers of their email messages to hide their true identity, often deflecting the blame toward innocent parties. You can configure the appliance to detect spam.
86
Anti-spam and anti-phishing use the same techniques. You see the anti-phishing option only if the anti-spam option is available. Although you can enable and disable the options independently, you gain little in performance by doing so. NOTE: Quarantined spam is placed in the Spam Quarantine area. Other quarantined messages are placed in other queues. Anti-spam software The anti-spam software uses the anti-spam engine and anti-spam rules to scan email traffic for spam. NOTE: The anti-spam engine uses anti-phishing rules to scan email messages for phishing attacks. The anti-spam engine uses anti-phishing rules to scan email messages for phishing attacks. Identifying spam is not an exact science. Anti-spam software identifies characteristics within an email message that make it likely that the message contains spam. For example, a simple anti-spam rule looks for phrases that typically appear in spam messages, such as Buy these shares now. Try to maintain a balance between blocking potential spam and allowing normal email messages through. If your anti-spam measures are too stringent, normal email might be wrongly identified as spam and blocked. Users will complain that they are not receiving the email they were expecting. If your anti-spam measures are not stringent enough, too much spam gets through and interferes with normal email. Maintaining the right balance is difficult because: The nature of spam is always changing, and its senders change their tactics to avoid detection. The definition of spam varies according to context. For example, a joke you receive at home from a friend might not be considered spam; the same joke sent to 300 employees might be considered spam by your employer. Some exceptions might be needed. For example, you want to block email containing commercial advertising unless it comes from similar organizations, because you need to keep up-to-date with their products and promotions. NOTE: For these reasons, we cannot guarantee that the anti-spam software will detect and block all email messages that might contain spam. The appliance's anti-spam features help you maintain the best balance between blocking potential spam and accepting normal email. In particular: To counter changing spammer tactics, McAfee regularly updates the anti-spam engine and anti-spam rules files. These files can be automatically downloaded using the appliance's update facility. You can also load special extra rules that combat a sudden outbreak of a specific type of spam. Anti-phishing rules are downloaded at the same time as the anti-spam rules. You can specify the level of spam detection to use for each policy. You can also set up separate anti-phish policies. The anti-spam software can decide how to handle the spam after it has been identified. You can:
87
Deal with spam at the appliance so that it never reaches the end users. For example, email messages that contain potential spam can be refused, discarded, or forwarded to a special mailbox. Use the appliance to add a spam indicator to email messages containing potential spam, and let the recipients choose how to deal with the messages. For example, the mail administrators and users can set up their mail clients to automatically place spam into a special folder. You can control the spam that your organization receives by blocking all email from known unwanted senders, marking the subject line of any suspicious email messages, deleting messages, or moving messages to a quarantine area. You can inform an administrator of the detection, or record the event in a log. Email | Email Policies | Scanning Policies [Spam] Problems with identifying spam Identifying spam is not an exact science. Anti-spam rules can identify only characteristics within an email message that make it more likely that the message contains spam. For example, an anti-spam rule looks for certain words or phrases that typically appear in spam messages, such as Get rich quick. It is important to maintain a balance between blocking potential spam and allowing normal email through. If your anti-spam measures are too stringent, normal email might be wrongly identified as spam and blocked. Users will complain that they are not receiving the email messages they were expecting. If your anti-spam measures are not stringent enough, too much spam gets through and interferes with normal email. Maintaining the right balance is difficult because: The nature of spam is always changing, because spammers change their tactics to avoid detection. To counter new tactics, we regularly update the anti-spam engine and anti-spam rules files. The appliance can automatically download these files. The definition of spam varies according to the context. For example, a joke you receive at home from a friend might not be considered spam; the same joke sent to 3000 employees might be considered spam by the employer. Some exceptions are possible. For example, you want to block commercial spam unless it comes from similar organizations, because you need to keep up-to-date with their products and promotions. For these reasons, we cannot guarantee that the anti-spam software will detect and block all email messages that might contain spam. Email | Email Policies | Scanning Policies [Spam] About spam scores The appliance matches a large set of rules against every email message. Each rule has a score positive or negative. Rules that match spam-like characteristics give a positive score. Rules that match characteristics of legitimate messages give a negative score. When added, the scores give each message an overall spam score. Some rules are simple, and match only on popular phrases. Others are more complex and match on the header information and structure of email messages.
88
In a similar way, the anti-spam engine uses the anti-phishing rules to detect phishing attacks. Rules that match anti-phishing characteristics add to the overall phish score, while rules that match non-phish characteristics reduce the overall phish score. NOTE: The appliance examines the overall anti-spam score and overall anti-phish score to determine if the anti-spam or anti-phish policy must be applied to the email message. The email message is categorized as spam or phish. The score for each anti-phish rule and anti-spam rule is fixed and cannot be changed. Examples of anti-spam scoring Spam often contains well-known phrases. For example, these phrases are good indicators: Table 17: Anti-spam scoring
Phrase Dear Friend amazing offers believe your eyes incredibly low best ever Spam score per phrase 1.5 1.0 1.2 0.8 0.8
The values in the table are examples only. The actual values might be different in the appliance. This example is deliberately simple, and does not demonstrate any complex matching. Consider the following messages. The phrases are highlighted for clarity.
Message Dear John, Our computer suppliers have some amazing offers on PCs this year. I'll send you their catalogue and discuss my requirements with you on Tuesday. Looking forward to our best ever year on this project! Regards, Peter Dear Friend, See our website for amazing offers on PCs. You won't believe your eyes! These incredibly low prices are our best ever! Total spam score 1.0 + 0.8 = 1.8
1.5 + 1.0 + 1.2 + 0.8 + 0.8 = 5.3
The second message has a higher score, which indicates that it is possibly spam. A legitimate message may have a high score. Therefore, the detection of spam cannot be precise. You can determine how the appliance will respond to messages based on their spam scores: Specify a level at which you regard a message as spam. Typically, a score of 5 indicates that a message is spam. You can inform the recipients that a message is likely to be spam by adding some text, such as ** spam **, to the subject line of the message. Recipients can then easily identify spam and decide how to handle it. For example, some email products such as Microsoft Outlook and Lotus Notes can redirect mail to specific folders based on rules or filters. Specify a level at which the appliance handles spam messages automatically. For example, the appliance can automatically accept and then drop messages that have high spam scores. In addition, you can inform an administrator or log the event. Add a report to a message's Internet headers that records any rules that triggered and the message's spam score. You can choose whether to add the report, and whether such information is included in all messages or only those messages that the appliance identifies as spam. The report includes a spam score and, optionally, a spam score indicator. For example, a spam score of 5.6 can have an indicator of five asterisks, and a spam score of 6.95 can have an indicator of six asterisks. The indicator is rounded to the lower integer, ignoring any decimal fractions. The indicator provides a simple character string for filtering messages.
89
We recommend that you set this option for initial testing only because it can affect your server's performance. After you have collected enough information, turn off the option. Email | Email Policies | Scanning Policies [Spam] How McAfee tackles spam The anti-spam features help you maintain the best balance between blocking potential spam and accepting normal email. In particular: To counter changing spammer tactics, McAfee regularly updates the anti-spam engine and anti-spam rules files. These files can be automatically downloaded using the appliance's update facility. You can also load special extra rules that combat a sudden outbreak of a specific type of spam. The anti-spam software can decide how to handle the spam after it has been identified. You can: Deal with spam at the appliance so that it never reaches the end users. For example, email messages that contain potential spam can be refused, discarded, or forwarded to a special mailbox. Use the appliance to add a spam indicator to email messages containing potential spam, and let the recipients choose how to deal with the messages. For example, the mail administrators and users can set up their mail clients to automatically place spam into a special folder. You can control the spam that your organization receives by blocking all email from known unwanted senders, marking the subject line of any suspicious email messages, deleting messages, or moving messages to a quarantine area. You can inform an administrator of the detection, or record the event in a log. Email | Email Policies | Scanning Policies [Spam] About spam scores and actions The appliance recognizes three thresholds, which correspond to a high, medium, and low spam content. The appliance can take different actions if a message passes a spam score. For example, if the appliance detects a message that has a score of at least 15, the message is very likely to be spam, so the appliance sends the message to a quarantine area. A message that has a spam score of at least 6 might not be spam, so the appliance only notifies the recipient. Email | Email Policies | Scanning Policies [Spam] | Basic Options Anti-spam policy Using the anti-spam policy option, you can: Enable or disable anti-spam scanning. Specify what action to take against different levels of spam detection. Set up blacklists to ignore email from some senders, regardless of the content. Set up whitelists to accept email from some senders, regardless of the content. Add a spam report to email messages.
90
Add an extra email header that other devices can analyze. NOTE: The anti-spam software does not detect offensive images but can detect email that contains mainly graphics. Email | Email Policies | Scanning Policies [Spam] Example of spam reporting In this example, a user called 99mailbot1 from example.com sends an email to a user at McAfee, with the subject line, Get rich quick . For simplicity, the HTML content of the email message and some headers are not shown here. The anti-spam policy has the following settings: Setting Spam reporting threshold Prefix for subject line Customized mail header and value Spam score indicator Report attached Value 5 ++spam++ MyHeader, myValu * To spam, and verbose
The appliance adds extra text (shown in bold) to the email message. The mail user normally sees only the change to the subject line. Information in the X- headers is not visible to the users, and is intended for analysis by other devices and software in the network. From: 99mailbot1@example.com To: <user@mcafee.com> Subject: ++spam++ Get rich quick! Date: Wed, 23 May 2007 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MyHeader: myValue X-NAI-Spam-Flag: YES X-NAI-Spam-Level: ********* X-NAI-Spam-Threshold: 5 X-NAI-Spam-Score: 9.8 X-NAI-Spam-Report: 13 Rules triggered * 4.1 -- FROM_STARTS_WITH_NUMS -- From: starts with nums * 2.5 -- BAYES_99 -- Bayesian spam probability is 99 to 100% * 1.9 -- SUBJ_GET_RICH_QUICK -- Subject includes get rich quick * 1.3 -- FROM_HAS_MIXED_NUMS -- From: contains numbers mixed with letters * -0.8 -- HTML_LINK_CLICK_HERE -- HTML link text says click here * 0.4 -- INVALID_DATE_TZ_ABSURD -- Invalid Date: header (timezone does not * 0.2 -- HTML_LINK_CLICK_CAPS -- HTML link text says CLICK * 0.2 -- HTML_SHOUTING4 -- HTML has very strong shouting markup * -0.2 -- DATE_IN_PAST_24_48 -- Date: is 24 to 48 hours before Received: d * 0.1 -- HTML_FONTCOLOR_RED -- HTML font color is red
91
* 0.1 -- HTML_MESSAGE -- HTML included in message * 0 -- BTAMAIL_URL -- Message contains a URL at btamail.net.cn * 0 -- HTML_FONT_FACE_CAPS -- HTML font face has excess capital characters <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML> : </HTML> What the headers and report mean The prefix ++spam++ appears in the Subject line. The header line, X-NAI-Spam-Flag: YES indicates that the message is spam, having exceeded the X-NAI-Spam-Threshold: 5 with a spam score X-NAI-Spam-Score: 9.8 . The spam score is 9.8, as indicated by the header line,X-NAI-Spam-Level with an indicator of 9 asterisks. The spam report appears in the header, X-NAI-Spam-Report. The verbose report shows a description of each triggered spam rule. A simple report shows only the rule names and scores, for example: X-NAI-Spam-Rules: 13 Rules triggered FROM_STARTS_WITH_NUMS=4.1, BAYES_99=2.5, SUBJ_LIFE_INSURANCE=1.9, FROM_HAS_MIXED_NUMS=1.3, HTML_LINK_CLICK_HERE=-0.8, INVALID_DATE_TZ_ABSURD=0.4, HTML_LINK_CLICK_CAPS=0.2, HTML_SHOUTING4=0.2, DATE_IN_PAST_24_48=-0.2, HTML_FONTCOLOR_RED=0.1, HTML_MESSAGE=0.1, BTAMAIL_URL=0, HTML_FONT_FACE_CAPS=0 NOTE: Content rules that are treated as spam rules are also included in the report. Email | Email Policies | Scanning Policies [Spam] | Basic Options How to update your anti-spam protection The anti-spam feature help you maintain a balance between the email you want to stop because it probably contains spam, and email that you want to let through because it is unlikely to contain spam. You can regularly download: Anti-spam rules. These define what is spam. Some anti-spam rules are updated regularly, but McAfee also produce extra rules to combat sudden outbreaks of new types of spam. Anti-spam engine. This uses anti-spam rules to scan email messages for spam. Streaming updates. These updates are made available every few minutes. System | Component Management | Update Status Handling of missed spam If you receive spam email that has not been caught by the latest spam rules, or legitimate email has been incorrectly identified as spam by the latest rules, you can send samples to McAfee for analysis. The samples can help to improve the detection and handing of spam by McAfee products.
92
Where a specific email or email content is causing issues within your environment, McAfee support staff can work with you to create a content rule within the anti-spam software that identifies key parts from a message and handles it appropriately. Notes Some email is not spam. For example, weekly newsletters or alert messages delivered to users who subscribe to a mailing list or other forum. Spam messages rarely contain sensitive information. However, do not send any samples that contain your confidential or sensitive information. Do not send support queries such as reporting new issues or inquiring about current issues to the mailboxes for samples. This process and the receiving mailboxes might change and might be unavailable sometimes while we continue to improve our anti-spam solutions. If you cannot submit a sample, try again later. Sending samples from Microsoft Outlook Microsoft Outlook users can submit a spam or phish sample using the McAfee Spam Submission Tool. This small plug-in allows Microsoft Outlook users to send missed, or low scoring, spam messages and incorrectly identified genuine messages quickly and easily to McAfee for analysis. The tool and its documentation are available from the Free Tools section of this web page: http://www.mcafee.com/us/small/downloads/free_tools/index.html Follow the included installation instructions to install the tool. After installation, two additional icons are displayed in the Outlook Toolbar: To submit a spam or phish message that was not detected, select the message, then click the Submit Spam or Phish Sample icon. To submit a message that was incorrectly detected, select the message, then click the Submit Non-Spam Sample icon. NOTE: The tool cannot submit messages that are larger than 1MB. Sending samples from Lotus Domino To submit samples from IBM Lotus Domino Servers or Lotus Notes Clients, see the KnowledgeBase article: KB54323 Collecting Spam samples for issues incurred on Lotus Domino servers and Notes Clients. Manually submitting missed spam McAfee products detect spam messages by analysing the body text of the message and the headers and the message structure. Ideally, McAfee needs the complete message including original headers. A forwarded message loses much of this vital information. TIP: Save or export the whole spam message as an attachment, and then attach it to a new message for submission to McAfee for analysis. In case McAfee needs more information, ensure email is submitted by (or from) a mail administrator. Auto-forwarded emails are automatically discarded.
93
Manually submitting legitimate mail An email is described as a false positive if McAfee products identify the email as spam but the email is legitimate. Send false-positive detections to: customer+false-positive@clicknet.com NOTE: Clicknet.com is a domain owned by McAfee Inc. We rarely need to ask for more information about a submitted sample. However, we recommend that you send the sample from a legal email address - not an alias. Include contact information such as the company name and telephone numbers. Submitting missed or low-scoring spam manually Sometimes, items that are spam but are not detected by a McAfee product because of a new method of spam delivery, or because the anti-spam rules are insufficient to trigger the appropriate response, for example, the item spam score is less than 5. Send missed detections to: customer+missed-spam@clicknet.com Email | Email Policies | Scanning Policies [Spam] Tips to reduce spam Make these tips available to your users to help them reduce spam: Use a different email address or public email address when participating in news groups, joining contests, or responding to any third-party requests online. Do not respond to email requests to validate or confirm any of your account details. Your bank, credit card company, and other online services already have your account details, so they do not need you to validate them. Avoid using a Reply or Remove option. Some senders remove the address, but others record the email address and later send more spam, or sell the address to other spammers. Do not respond to spam. If you reply, you are confirming that your email address is valid and the spam has been successfully delivered. Lists of confirmed email addresses are valuable, and are frequently bought and sold by spammers. Check whether your email address is visible to spammers by typing it into a search engine. If your e-mail address is posted to any websites or news groups, remove it if you can. Limit Internet use at work. When at work, do not access sites that are not relevant to business such as message boards, e-trade sites, Internet auctions, and e-commerce sites. Do not post email addresses online. Know whether your email address will be displayed or used before posting an email address online. Read the privacy policy on the website before posting your address, and opt out if possible. Do not post your email address in a plain format on the Internet. If you need to post your email address, disguise it so it is not easy to replicate. For example, type user-at-example.com instead of user@example.com. Beware of purchasing products that are advertised by spam. When you respond to this type of email, you often make more personal information (such as your name, address, telephone number or credit card number) available to spammers, which can lead to increased spam. Furthermore, to provide themselves with an income, spammers must issue large numbers of email messages to get enough responses. By not responding, you discourage this advertising and make it unprofitable.
94
Email | Email Policies | Scanning Policies [Spam]
User-submitted blacklists and whitelists

A blacklist is a list of email addresses that are probably senders of spam or phishing email messages. Email messages from blacklisted senders receive a high spam score, so they are more likely to have a high overall spam score and will be treated as spam by the appliance. A whitelist is a list of email addresses that are probably senders of email messages that look like spam, but which you do not want to be treated as spam. For example, you might want to receive certain promotional email messages, which the appliance usually treats as spam. Email messages from whitelisted senders are given a high negative spam score, so they are more likely to have a negative overall spam score and be treated as non-spam by the appliance. If the appliance uses the on-box quarantine method and allows users to create blacklists and whitelists, you can view and modify the details submitted by the users. If the appliance uses the off-box quarantine service instead, McAfee Quarantine Manager (MQM) provides the user-submitted blacklists and whitelists, but does not allow you to modify the details from the appliance. MQM forwards updated lists to the appliance regularly, and at least once per day. To see the quarantine options, select Email | Quarantine Configuration | Quarantine Options and Email | Quarantine Configuration | Quarantine Digest Options on the navigation bar. An email address can appear on a blacklist and a whitelist. An email address can also appear in more than one blacklist and more than one whitelist. NOTE: The appliance changes the overall anti-spam score of an email message once only for each type of blacklist and whitelist that the message triggers. If a blacklist and a whitelist trigger, they cancel out each other's effect on the overall spam score. The final spam score determines whether the message is treated as spam, regardless of whether the address is in a blacklist or whitelist. The user list cannot contain wildcard characters; the whitelist and blacklist can. A question mark ?' matches a single character. An asterisk (*) matches portions of an address such as an entire domain. For example: Table 18: Wildcard examples
*@example.com user1@example.* user?@example.com Refers to all users at example.com. Refers to user1 at example.net, example.com, example.org and so on. Refers to user1, user2, and so on at example.com.
Email | Email Policies | Scanning Policies [Spam] Blacklists and Whitelists | User Submitted
What is phish?
You can configure the appliance to detect phishing email messages. Phishing is the illegal activity of using spoofed email messages to persuade unsuspecting users to disclose personal identity and financial information. Criminals can use the stolen identity to fraudulently obtain goods and services and to steal directly from bank accounts.
95
The appliance's anti-phishing software uses the anti-spam engine and phishing rules to scan email messages for phishing characteristics. A phishing score is then associated with each email message. Email | Email Policies | Scanning Policies [Spam] -- Phish
Sender Authentication menu

Use these pages to manage the use of authentication systems such as DKIM and SPF. (Not available with POP3.) Menu location: Email | Email Policies | Scanning Policies [Spam] -- Sender authentication When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab TrustedSource RBL Configuration What you can do from this part of the interface Use this page to specify the actions to take against known senders of spam. Use this page to specify the locations of lists of IP addresses that are known to send spam. Use this page to specify settings for techniques that determine whether the sender of an email message is genuine. These techniques reduce the workload for the appliance, because they reject suspicious email without the need for scanning. Use this page to specify various options, including scoring techniques for authenticating senders.
SPF, Sender ID and DKIM
Cumulative Score and Other Options
Further information How TrustedSource works Sender authentication Many email attacks are made by individuals or organizations that you do not recognize, or that masquerade as known senders. To counteract such attacks, the appliance offers several methods that examine the sender's details. The methods are: TrustedSource. The appliance compares the sender's details against information about potential sources of spam. Sender Policy Framework (SPF). The appliance checks the validity of the domain hosts that sent the message, preventing forged addresses in the SMTP MAIL FROM (Return-Path). The appliance can also add its own SPF result header to each email message. Sender ID. The appliance verifies the IP address of the sender with the stated owner of the sending domain. The appliance can also add a result header to each email message. Domain Keys Identified Mail (DKIM). The appliance examines a DKIM header inside the email message, then requests the sender's public key to verify the sender's domain and the integrity of the message. The most efficient method is TrustedSource. The lookup time is typically short, and the method avoids the need to scan or analyze unwanted email messages, and prevents more attacks from the same source.
96
After deciding the methods to use, you can decide how the appliance will respond to any message that fails a check, for example, the appliance can reject the message. After the appliance tries one method, it moves on to the next selected method. The action, Allow through is slightly different in this case. It means, allow the email message to be examined by the next method. Where the appliance is preceded by Mail Transfer Agents (MTAs), several of the methods check the IP address of the MTA. To allow these checks to work correctly, you can specify the number of hops from the appliance to the MTA. The appliance then parses the email headers to find the original sender and runs a check against that IP address. This feature is not available to the POP3 protocol. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication How TrustedSource works By analysing data worldwide, TrustedSource provides reputation scores for IP addresses, URLs, and domains, based on their behavior. For example, TrustedSource detects computers that have been taken over by zombies or botnets for the purpose of generating spam. On receiving an incoming SMTP email connection, the appliance requests a reputation score from the TrustedSource server, then accepts or rejects the connection based on the score. The process prevents a large proportion of spam entering your network. The spam email does not need to be scanned or stored. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | TrustedSource How DKIM works The Domain Keys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT records to enable the recipient to verify the identity of an email sender. The sender signs the email message with a private key by adding an extra header the DKIM-Signature header. The header provides the email message with a cryptographic signature. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | SPF, Sender ID and DKIM How Sender ID works Sender ID is a technique to counter spoofing forging a sender's address on email messages. Spoofed email is often used in phishing attacks. Sender ID is also known as SPF/PRA (Sender Policy Framework/Purported Responsible Address). With Sender ID, the appliance determines the Purported Responsible Address (PRA) by examining the contents of the several header fields, namely From, Sender, Resent-From, Return-Path, Resent-Sender, and Received. Some headers might appear more than once in a mail header as an email is passed from server to server, making this a more complex process. Sender ID seeks to verify that every email message originates from the Internet domain from which it appears to be sent. Sender ID checks the address of the server that sent the email against a list of servers that the domain owner has authorized to send email. The domain owner typically keeps the list on its own domain servers or gives this information to its Internet Service Provider (ISP).
97
If the Sender ID verification passes, the message is delivered as normal. If the check fails, the appliance can apply various actions against the email message. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | SPF, Sender ID and DKIM How SPF works Sender Policy Framework (SPF) prevents forgery of a sender's address by verifying the envelope sender address, which is used for delivering email messages. Like posted mail, email messages have at least two types of sender address one on the envelope (the envelope sender address) and one in the letterhead (the header sender address): The envelope sender address (also known as the return-path) is used to transport the message from mail server to mail server, for example, to return the message to the sender in the case of a delivery failure. The email user does not normally see the envelope sender address. The header sender address is seen by the email user as the From or Sender address. Generally, mail servers do not consider the header sender address when delivering email. The header sender address can therefore be forged. SPF allows the domain owner to specify which mail servers send mail from the domain. The domain owner publishes this information in an SPF record in the domain's DNS zone. On receiving a message claiming to come from that domain, the appliance checks whether the message complies with the domain's SPF information. If the message comes from an unknown server, it can be considered a fake. The appliance can take various actions against the email message depending on whether the verification passed or failed. After verifying an email message, the appliance can optionally attach its own header to the email message. The Received-SPF header indicates to other mail servers in your organization that the email message has been verified. For example:
Received-SPF: pass (include.example.com: domain ofmailer@include.example.com designates 192.168.254.200 as permitted sender) receiver=include.example.com; client_ip=192.168.254.200;envelope-from=mailer@include.example.com;
For more information about SPF, visit the website www.openspf.org. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | SPF, Sender ID and DKIM How RBL works The appliance can block unwanted email messages from specific sources by comparing the IP address of an email source against lists of potential sources of spam. An RBL typically contains millions of website addresses (URLs), and is updated many times every day. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | RBL Configuration How scoring improves sender authentication methods If no method is entirely effective against untrusted senders, or some methods work better than others in your network, you can associate scores to each method to refine the overall detection. A score can be a positive or negative number. After running your selected methods, the appliance examines the cumulative score. Again, you can choose how the appliance responds on reaching or exceeding the threshold, for example, by denying the connection.
98
To ensure scoring works correctly, select Add to score as the action for every method that is in use. Example In this example, DKIM and TrustedSource are not enabled. RBL is believed to be the best method, while Sender ID and SPF are considered less good but similarly effective. The scoring is set as follows.
Method RBL Score If sender passes the check, add -20 to the score. If sender fails the check, add 20 to the score. SPF If sender passes the check, add -10 to the score. If sender fails the check, add 10 to the score. Sender ID If sender passes the check, add -10 to the score. If sender fails the check, add 10 to the score. DKIM TrustedSource Not enabled. Not enabled.
The next table shows how every combination of passed or failed check gives an accumulative score. A pass is indicated by . A fail is indicated by X.
Method RBL SPF Sender ID Cumulative score (-20) (-10) (-10) -40 (-20) (-10) X (+10) -20 (-20) X (+10) (-10) -20 (-20) X (+10) X (+10) 0 0 X (+20) (-10) (-10) X (+20) (-10) X (+10) 20 20 X (+20) X (+10) (-10) X (+20) X (+10) X (+10) 40
If the score threshold is set 20, an email is deemed to fail if it failed the RBL check and one or two of the other checks. If the score threshold is set to 0, an email is deemed to fail if it has failed the RBL check or failed the SPF and Sender ID checks. NOTE: The Add to score action does not change the content or headers of an email message, and therefore has no effect on spam scores. Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | Cumulative Score and Other Options Considerations when enabling Sender Authentication in non-default policies Sender Authentication is a useful feature in the default policy because it prevents the unnecessary scanning of unwanted email by first verifying each email address. When you create additional policies, you can also modify the feature to apply to parts of your network or to specific connections. However, if an additional policy applies to email addresses (in contrast to an IP address, for example), we recommend that you disable Sender Authentication in this policy because the feature is inappropriate and will have no useful effect.
99
Email | Email Policies | Scanning Policies [Spam] -- Sender authentication DKIM key management The Domain Keys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT records to enable the recipient to verify the identity of an email sender. The sender signs the email message with a private key by adding an extra header the DKIM-Signature header. The header provides the email message with a cryptographic signature. The signature is typically derived from the message body and email headers such as From and Subject, then encrypted using the sender's private key. Recipients can verify that the message is genuine by making a query on the signer's domain to retrieve the signer's public key from a DNS TXT record. The recipient then verifies that the email and its signature match. The recipient can be confident that the email was sent from the stated sender and was not deliberately altered during transit. The appliance can verify signatures from incoming mail and attach signatures to outgoing mail. Signing keys The appliance can create public keys of various lengths. Place the public key on your DNS server or give it to your Internet Service Provider, so that recipients can verify email from your organization. NOTE: The public key must not contain spaces or newline characters. Email | Email Configuration | Sending Email [+] DKIM signing DKIM verification The appliance examines an email header, DKIM-Signature in the email message for details of the sender, then issues a query to retrieve the public key, and deciphers the cryptographic signature. This ensures that no alterations were made to the email headers and body during transit. The appliance can take various actions against the email message depending on whether the verification passed or failed. You can: Enable DKIM Verification. Specify the action to be taken if a message is a threat. Change the score associated with a message. Add an extra header to the email message to indicate the result. See next section. Extra header After the appliance has examined the signature, it can attach a further X-header to the email message. The header indicates to other devices or mail servers in your organization whether the email has been verified. For example:
X-NAI-Header: Modified by appliance; X-NAI-DKIM-Results: 192.168.254.200 header.From=<user1@example.com>; verification=Success; key strength=1024 bits; result=Pass
Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | SPF, Sender ID and DKIM
100
Example of an SPF record The Example organization sends email via its server, server1 in addition to its incoming mail server. The domain owner of example.com publishes an SPF record of this form:
example.com. TXT "v=spf1 mx a:server1.example.com -all"
The parts of the SPF record are:

v=spf1 mx
SPF version 1 is in use. The incoming mail servers (MXes) of the domain are authorized to send mail. is authorized to send mail. All other servers are not authorized.
a:server1.example.com -all
Email | Email Policies | Scanning Policies [Spam] -- Sender authentication | SPF, Sender ID and DKIM
Settings for scanning email content

The content settings in a policy protect the network and its users from: Very large files Very large email messages Distracting email messages or distasteful content in email Failure to comply with privacy legislation Inadvertent loss of confidential data when sending email The appliance scans the content of email messages, and uses these techniques: File filtering Mail size filtering Content scanning The appliance handles encryption and digital signatures under Scanner Options in its policies. File filtering To help you control the use of bandwidth in your network, the appliance examines each file and can restrict the movement of any file according to its name, category, and size. Mail size filtering Large email messages, especially those with large attachments or many attachments, can seriously affect the performance of a network. The appliance can remove attachments from email messages if they exceed a size or quantity that you specify. The appliance can replace the discarded attachments by a small text file, which informs the recipient that attachments were removed. You can also specify actions against email messages that exceed a specified size overall. Content scanning When users view a webpage, their browsers can download ActiveX components, MacroMedia Flash objects, Java applets, and scripting languages such as VBScript and JavaScript. Such objects can sometimes contain potentially unwanted programs. Although the anti-virus detection finds many unwanted objects, you can provide extra security by choosing to block some or all
101
such objects. Webpages can also contain metadata, comments, and links (URLs) to other pages or websites. If you are concerned that these areas might harbor potentially unwanted programs or undesirable content, you can choose to scan them too. To prevent the loss of confidential data, the appliance can scan for particular words and patterns of text, for example, telephone numbers and Social Security Numbers. The appliance has dictionaries such as the HIPAA Rules, which are widely used by healthcare organizations to help them protect private information about their patients. These dictionaries are also known as compliancy lexicons. Email | Email Policies | Scanning Policies [Content]
Mail size filtering

Large email messages, especially those with large attachments or many attachments, can seriously affect the performance of a network. When you apply settings to control these, we recommend that you consider carefully whether individual policies need to differ from the default policy. The constraints might seriously disrupt the working of some departments within your organization. The appliance can remove attachments from email messages if they exceed a size or quantity that you specify. The appliance can replace the discarded attachments by a small text file, which informs the recipient that attachments were removed. You can also specify actions against email messages that exceed a specified size overall. Most email messages are based on the MIME format, and have several parts one for the message body, and one for each attachment. However, some messages encode all their attachments as a single uuencoded attachment. In this case, you can choose only to remove all attachments Email | Email Policies | Scanning Policies [Content] -- Mail size filtering
File filtering
When creating file filtering rules, you can detect files in many ways: You can configure the appliance to restrict (or filter) the use of certain file types: By file name For example, some graphic file formats such as bitmap (.BMP) use large amounts of computer memory and can affect network speed when transferred. You might prefer that users work with other more compact formats such as GIF or JPEG. If your organization produces computer software, you might see executable (.EXE) files moving around the network. Within another organization, those files might be games or illegal copies of software. Similarly, unless your organization regularly handles movie files (MPEG or MPG), they are probably for entertainment only. A file filtering rule that examines the file extension name can restrict the movement of these files. Financial information might have file names like Year2008.xls or 2008Results. A file filter that matches the text 2008 can detect the movement of these files. By file format For example, much of your organization's most valuable information such as designs and lists of customers is in databases or other special files, so it is important to control the movement of these files. The appliance examines files based on their true content.
102
Any file can be made to masquerade as another. A person with malicious intent might rename an important database file called CUSTOMERS.MDB to NOTES.TXT and attempt to transfer that file, believing that it cannot be detected. Fortunately, you can configure the appliance to examine each file based on its content or file format, and not on its file name extension alone. By file size For example, although you might allow graphic files to moved around the network, you can restrict their size to prevent the service running too slowly for other users. When you create settings to control the use of any file, remember that some departments within your organization might need fewer constraints. For example, a marketing department might need large graphic files for advertising. This feature is not available to the POP3 protocol. Email | Email Policies | Scanning Policies [Content] -- File filtering Example of a simple file filter This example of a filtering rule prevents the movement of valuable spreadsheets. An organization has some important financial information for the year 2008 in Microsoft Excel files with names such as May2008.xls and 2008-Quarter1.xls.Similar files from earlier years (such as 2006 and 2007) do not need to be restricted. 1 2 3 4 5 6 7 Create a new policy. Click the blue link for File filtering. In the File Filtering Settings window, select Yes to enable you to create a new rule. Click Create new filtering rule to open the New Rule window. Type a name for the rule, such as Block 2008 spreadsheets. Select the Name filtering tab, then select Enable file name filtering. Under Take action when the file name matches, type *2008*.xls and click OK. The File Filtering Settings window shows the following information: Order 1 2 Rule name Block 2008 spreadsheets All other files If Triggered Allow through Allow through
So far, we have created the conditions for the rule to apply. If the appliance encounters a file as we described, the appliance will apply our new rule first. All other files will be handled by the second rule. We must now decide what action to must take against the spreadsheet files. 1 2 Under If Triggered, click the blue link, Allow through to open the Actions window. In the menu, select Deny connection, then click OK. The File Filtering Settings window shows the following information: Order 1 2 3 Rule name Block 2008 spreadsheets All other files If Triggered Deny connection Allow through
Click OK to close the File Filtering Settings window.
This is only a simple example only. You can create many more complex rules. Email | Email Policies | Scanning Policies [Content] -- File filtering
103
Settings for scanner options (email)

These settings in a policy protect the network and its users from: Denial-of-service attacks Corrupt or unreadable messages They also provide: Handling for encrypted mail Handling for unknown character sets in email messages Redirection of email Template design for alert messages These features are arranged under the following categories. Scanning limits Large or complex files such as compressed files or .ZIP files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. For these reasons, you can limit the size to which any file may be expanded and the depth of nesting. Content handling Because scanners cannot read encrypted content, such as password-protected .ZIP files, you must specify how the appliance handles this. The encrypted email can be forwarded to other devices for decryption. A digital signature in an email is rendered ineffective if the appliance has altered the email to remove a virus. Your policy settings must determine what action to take on the email now. Because scanners and other applications can have difficulty reading corrupt content, the policy settings must describe how the appliance will handle this type of content. When users view a webpage, their browsers can download ActiveX components, MacroMedia Flash objects, Java applets, and scripting languages such as VBScript and JavaScript. Such objects can sometimes contain potentially unwanted programs. Although the anti-virus detection finds many unwanted objects, you can provide extra security by choosing to block some or all such objects. Webpages can also contain metadata, comments, and links (URLs) to other pages or websites. If you are concerned that these areas might harbor potentially unwanted programs or undesirable content, you can choose to scan them too. Alert settings The appliance issues alerts, for example, upon detecting a virus or banned content. You can customize the alert text by adding a header and footer). For example, you can include a legal statement or contact information. You might need to customized alerts for different groups in your network. Notification and routing If the appliance is requested to reroute an email message, these settings provide a list of alternative computers. Encrypted mail typically needs to be rerouted for decryption. Email | Email Policies | Scanning Policies [Scanner Options] Notification and Routing menu
104
Scanner limits
Large or complex files such as compressed files or .ZIP files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. For these reasons, you can limit the size to which any file may be expanded and the depth of nesting. When expanding a file, we recommend an upper limit of 500 MB. The default maximum nesting depth is 100. If you intend to scan HTML files, set this value to two or more. For compressed files, nesting depth is rarely more than one a single file or several files are compressed or zipped only once. An attacker might wrap an infected file several times inside zipped files within zipped files. If you set the nesting depth low, the appliance will not detect such files because it will not unwrap the zipped file completely. However, because deep nesting is unlikely to occur in normal cases, we recommend that you try a nesting depth of 10, blocking any files that exceed this nesting depth. Log the activity of the scanner control for a while before deciding whether to retain this value. You can also specify the time that the appliance may spend scanning any file. When scanning a file on a server, we recommend 15 minutes maximum. A typical minimum value is one minute. Email | Email Policies | Scanning Policies [Scanner Options] Understanding the scanner options for web How to prevent denial-of-service attacks Understanding the depth of nesting in compressed files How to prevent denial-of-service attacks Large or complex files such as compressed files or .ZIP files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. To prevent this, you can limit the size to which any file is expanded and the acceptable depth of nesting. You can also specify how long the appliance spends scanning any file. Email | Email Configuration | Protocol Configuration | Protocol Settings Scanner limits Understanding the depth of nesting in compressed files To understand the effect of scanning to a depth of nesting, consider the next figure, which shows a compressed file that contains documents and a compressed file. That compressed file contains more documents and another compressed file, and so on.
105
A depth of two scans the non-compressed files inside a compressed file (only as shaded). The contents of any compressed files are not scanned.
A depth of three scans the non-compressed files inside a compressed file, plus the non-compressed files inside any compressed file that it contains (as shaded).
Email | Email Policies | Scanning Policies [Scanner Options] Scanner limits
Content Handling
Because scanners and other applications can have difficulty with some types of content, you must specify how the appliance will handle each type of content. Understanding the scanner options for web Corrupt content Encrypted content Protected content Email options Most email messages use MIME format, and this complex format has often been exploited to transfer potentially unwanted programs. You can specify how the appliance handles email messages that use the MIME format: The action to take when a partial message (a message that has been divided into smaller parts for sending as several separate email messages) is detected. The action to take when a message contains a reference to an external resource and the scheme needed (usually FTP) to retrieve that resource. These messages are known as external-body messages. The alert message to use. You can also customize the alert text. The prefix for the subject line of a message. How the appliance handles MIME messages that have corrupt header files. The position of the alert and disclaimer attachments. The text can appear in the body text of the email message or be included as an attachment. Re-encoding options. How to handle MIME header files that contain null characters.
106
How many MIME parts a message can have before the appliance considers it to be corrupt or a possible denial-of-service attack. The MIME types that must be treated as text attachments or binary attachments. The preferred transfer-encoding method for text parts. Encoding of 7-bit text. The character set that must be used by default for decoding. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options Disclaimer text A disclaimer is text an explanation, information, a legal statement, or warning that the appliance adds to all email messages. The appliance enables you to add disclaimers to inbound and outbound email messages, and to email messages for specific groups of users. For example, you can: Add a disclaimer to outbound messages, to limit the liability posed by statements that might be legally damaging, for example, those containing offensive remarks. Disclaimers are also useful for renouncing the contents of a message as the view of the author, not of the organization, to avoid any damaging publicity. Add a disclaimer to inbound messages, making staff aware that all email messages and attachments are being scanned for viruses and content. Add a disclaimer that protects your organization against costly misunderstandings. A disclaimer can be added to all incoming and outgoing email messages. The type and position of the disclaimer can be configured, for example at the end of each message. NOTE: The appliance cannot add a disclaimer to an email message that contains unsupported character sets, such as the Hebrew character set, ISO-8859-8-I. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options | Basic Options Examples of disclaimers Add a disclaimer to outbound messages to limit the liability posed by statements that might be legally damaging, for example, those containing offensive remarks. Use disclaimers for renouncing the contents of a message as the view of the author, not of the organization, to avoid any damaging publicity. For example:
The information contained in this message is confidential and may be legally privileged. Views or opinions expressed in this email message are those of the author only.
Add a disclaimer to inbound messages to inform staff that all email messages and attachments are being scanned for viruses and content. For example:
This email message and any attachments were scanned for viruses when they entered the organization. Communications will be monitored regularly to improve our service and for security and regulatory purposes. Thank you for your assistance.
Add a disclaimer for specific departments to protect your organization against costly misunderstandings. For example:
Prices quoted by our sales personnel in this email message provide only a rough guide and do not represent any part of a formal contract.
107
Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options | Basic Options Considerations for treatment of MIME types The appliance can scan email attachments more efficiently if it can determine whether they are text or binary attachments. The MIME types, text/*, message/* and multipart/* are normally treated as text. The MIME types, application/*, image/*, audio/* and video/* are normally treated as binary. You can specify which MIME types to treat as text attachments and which to treat at binary attachments. A MIME header can contain information about the type of content in a MIME message. For example, the header specifies that the file contains text/plain, where text is the type, and plain is the sub-type. The combination of type and subtype is known as the MIME type or Internet media type. Our scanners handle most types of attachments. You need only define any new or unusual types that the appliance must regard as text or binary attachments. We do not recommend allowing streaming media of MIME type application/octet-stream or application/* to pass through the appliance, because these MIME types are executable and are a security risk. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options | Text and binary MIME types Received-From headers A Received-From header in an SMTP email message has information about IP addresses and domain names. For example:
Received: from mcafee.com ([192.168.200.254]) by mail123.example.net with smtp 5 May 2008 12:34:56 +0000
If you prefer not to reveal this information to other organizations, you can remove the headers. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options | Advanced Options About MIME formats Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols, like SMTP, that support only 7-bit ASCII characters. Examples of non-ASCII formats, include: 8-bit audio Video files Character sets of many non-English languages MIME defines different ways of encoding the non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set. MIME also defines extra email headers that contain further information: Version of MIME used. Type of content in the MIME message. Type of encoding method used. Content part identifier for multi-part MIME messages.
108
The resulting MIME message can be "decoded" or "re-encoded" after transmission. We say "re-encoded", because the MIME messages can be converted into a different character set from the original message. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options | Text and binary MIME types HTML Options When users view a webpage, their browsers can download ActiveX components, Flash objects, Java applets, and scripting languages such as VBScript and JavaScript. Such objects can sometimes contain potentially unwanted programs. Although the anti-virus detection finds many unwanted objects, you can provide extra security by choosing to block some or all such objects. Webpages can also contain metadata, comments, and links (URLs) to other pages or websites. If you are concerned that these areas might harbor potentially unwanted programs or undesirable content, you can choose to scan them too. This feature is not available to the POP3 protocol. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | HTML Options Web | Web Policies | Scanning Policies [Scanner Options] -- Content handling | HTML Options Examples of HTML embedded objects
Type Comments Metadata Example <!-- example of comment text --!> <META EQUI="Expires" Content="Wed, 16 May 2007 21:29:02">
Link URL Source URLS
<A href="example.htm"> <IMG src="images/example.gif">
Javascript VBScript Java applet
<SCRIPT language="javascript" src="example/example.js"> <SCRIPT language="vbscript" src="example/example.vbs"> <APPLET code="exampleApp.class codebase=HTML/" ..... </APPLET">
ActiveX components <OBJECT id="clock" data="http://www.example.com/example.png" type="image/png">Example Image</OBJECT> Flash <EMBED src="example.swf" width="500" height="200">
Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | HTML Options Web | Web Policies | Scanning Policies [Scanner Options] -- Content handling | HTML Options
109
Corrupt content Because scanners and other applications can have difficulty reading corrupt content, you must specify how the appliance will handle this type of content. Content Handling Encrypted content Because scanners cannot read encrypted content, such as password-protected .ZIP files, you must specify how the appliance handles this. If you allow encrypted content through, it must be scanned after it is decrypted, and this typically occurs at the user's computer. Content Handling Protected content You can specify how the appliance handles email messages that contain data that cannot be scanned because it is protected in some way. For example, it is protected by password: Content Handling Signed content Whenever information is sent electronically, it might be accidentally or wilfully altered. To overcome this, some email software uses a digital signature the electronic form of a handwritten signature. This extra information is added to a sender's message, and identifies and authenticates the sender and the information in the message. It is an encrypted summary of the data. Typically, a long string of letters and numbers appears at the end of a received email message. The email software re-examines the information in the message, and creates a digital signature. If that signature is identical to the original, the recipient can be sure that the data was not altered. If the message contains a virus, bad content, or is too large, the appliance might clean or remove some part of it. The original digital signature is now broken, and its signature is invalidated although the message is still valid and usually readable. Now the recipient cannot rely on the contents of the message at all because the contents might also have been altered in other ways. NOTE: Signed email messages are quarantined only if a virus or banned content is detected within the message. Signed messages are not quarantined just because the appliance detects that the message has a digital signature. Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Corrupt or Unreadable Content | Signed messages
Alert settings
The appliance sends a message to clients when a specific event occurs. Although a default message is available, you can specify the header and footer text for alert messages that the appliance issues upon detecting unwanted content. This feature is not available to the FTP protocol. Email | Email Policies | Scanning Policies [Scanner Options] Web | Web Policies | Scanning Policies [Scanner Options] -- Alert settings Understanding the scanner options for web
110
Notification and Routing menu

Use these pages to manage the sending of email that the appliance automatically generates, and the redirection of email for special processing. Menu location: Email | Email Policies | Scanning Policies [Scanner Options] -Notification and routing When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Notification Email What you can do from this part of the interface Use this page to specify the email addresses for messages from the appliance to users and to administrators. For example, the appliance can send a notification email if it detects a threat in an email message or it cannot deliver a message. Use this page to specify that a copy must be kept of every email that is sent. Use this page to select a device to which the appliance can redirect email. Use this page to make a list of alternative relays for redirected email. Use this page to build a list of recipients for email that the appliance generates automatically.
Audit Copies Routing SMTP Relays Email recipients
Further information
How to use templates for email address configuration

To send the message to a designated mailbox such as a spam mailbox for specific email users or a corporate spam mailbox, create a templated email address. For example: If each user has a spam mailbox that has the format: spam-user name@example.com: Type spam- in the left box. Leave the middle and right boxes empty. If each user has a spam mailbox that has the format user name-spam@example.com: Type -spam in the middle box. Leave the other boxes empty. If you have a corporate mailbox that has the format: user name@spam.example.com: Type spam. in the right box. Leave the left and middle boxes empty. Email | Email Policies | Scanning Policies [Scanner Options] -- Notification and routing
Extra actions
Upon detecting a threat, the appliance can take a main action such as blocking or monitoring, and various extra actions. The extra actions include: How to handle the original email. Who to notify about the threat. How to handle the email after the appliance has modified it. Not all actions are available when scanning some threats. For example, if an email is encrypted, the appliance cannot scan, and therefore cannot modify, the email. However, the appliance
111
can forward the original email to an administrator for analysis, or issue notifications. In earlier versions, the administrators were called named recipients. Notification This type of message provides a summary of the detection. You can customize the message for each policy. See Email | Email Policies | Scanning Policies [Scanner Options] -Notification and routing. Depending on the threat, you can choose to notify its sender, its recipients, and several administrators. Modified email The appliance can replace unwanted content with an alert message. For example, an email had five files attached. One file contained a virus. That file has been replaced by a text file, which is an alert message. The result is a modified email You can customize the alert message for each type of scanning. Annotation Administrators who want to analyze the threats in each email can request two types of actions: Annotate and deliver to primary administrator Annotate and deliver to secondary administrator The administrator will receive an email that describes the threat (either as an alert or a notification) and has an attachment that contains the original email.
How multiple policies affect an email message

If an email message (being sent or received) has more than one recipient, the appliance needs to know which policies to apply to that email message. If the recipients are in the same policy group, the appliance applies the policies for that policy group. If the recipients are in different policy groups, with perhaps conflicting policies, the appliance must decide how best to handle the email message. How it handles the email message depends on: The policies that need to be applied content, protocol or connection. Operational mode Transparent Bridge, Transparent Router, or Explicit Proxy. Whether handling of multiple policies is enabled (for transparent modes only). The maximum number of policies allowed to apply to a single email message. The priority assigned to a policy. Email | Email Policies | Scanning Policies
What is a content filter dictionary?

A content filter dictionary defines terms words and phrases that you want to detect in email, attachments and uploaded files. The appliance contains several dictionaries of offensive terms such as words that describe gambling and violence. When new offensive terms appear over time, you can add them to these dictionaries. You can create your own dictionaries of terms that you want to detect. For example:
112
To keep details of new products confidential, you can create a dictionary of the product names. The appliance can prevent these words appearing in email messages and web accesses. You can also create a dictionary of acceptable terms a whitelist. This is useful where a term can be offensive or acceptable depending on the context. For example, the dictionaries intended to block terms for sex and drugs contain some legitimate medical terms. To prevent the appliance blocking legitimate email, you can attach a whitelist, which counteracts the effect, allowing the email to proceed. The terms in any new dictionary will grow in number and complexity over time. Think carefully about your terms, and the name of your dictionary. You can assign any number of dictionaries to a policy, and specify how the appliance responds upon detecting any terms in the dictionaries. For example, if the appliance detects an offensive word in a message or its attachment, the appliance can block the message and warn an administrator. Email | Email Policies | Dictionaries Web | Web Policies | Dictionaries Importing and exporting dictionaries Having created new dictionaries or modified existing dictionaries, you can share them with other appliances by exporting and importing the dictionaries as text files in XML format. Web Policies menu About content rule scanning rules Understanding scores and threshold values in privacy rulesets Dictionaries supplied with the appliance Understanding the parts of a dictionary How to choose a name for a dictionary Understanding limitations in content scanning Understanding complex terms when scanning email messages
About content rule scanning rules

A content scanning rule defines how the appliance responds to the terms inside one or more dictionaries. The terms are often unacceptable words or phrases. For example, you can create a content rule to block email messages that enter or leave your organization if they contain specific offensive or confidential terms. A content scanning rule can also refer to a whitelist a dictionary of acceptable terms. Some dictionaries such as those for illegal drugs contain a few terms that are acceptable in some situations. For example, an "anabolic steroid" has lawful and unlawful uses. Using a whitelist, you can exempt some terms without having to alter the original dictionary of offensive terms. Other features of content scanning rules include thresholds and maximum term counts. Email | Email Policies | Scanning Policies [Content] -- Content scanning
Understanding scores and threshold values in privacy rulesets

The rules associate scores to terms such as those highlighted in the following message.
113
The patient, a 50 year old man has a cough and back pain. The table shows the scores for each term. Term year old cough back pain Score 20 10 10
The total score for this message is 40 (20 + 10 + 10). If the total score exceeds the threshold value (for example 25), action is taken against the email message. Email | Email Policies | Scanning Policies [Content] -- Content scanning
Dictionaries supplied with the appliance

The appliance contains several dictionaries. You need to create extra dictionaries only to suit your specific needs. Icon Type and content HIPAA dictionaries words and patterns to help you comply with the Hospital Insurance Portability and Accountability Act. Privacy dictionaries words and patterns to help you comply with other privacy requirements. Source code dictionaries words found in computer programming languages to help prevent loss of valuable code. User-defined dictionary terms or patterns that you have entered. Standard dictionary terms or patterns for categories such as pornography and violence. Dictionaries contain any number of terms: Icon Type and content Simple term Complex term Regular expression term
Email | Email Policies | Dictionaries Web | Web Policies | Dictionaries
114
Understanding the parts of a dictionary

The appliance can block or warn against undesirable or confidential terms in email or webpages. Each term (word or phrase) is held in a dictionary. In a policy, you name the dictionary and the actions to take if the appliance finds any of the dictionary's terms when scanning the content of email or webpages. Creating a simple dictionary When you first create a simple dictionary, you give it a name, a description, and select its type as content filter. You also give the dictionary at least one condition, which defines: The type of terms a simple word or phrase (content filter) or a more complex, regular expression. Where the terms apply, for example in all places or in only some types of document. The condition also helps to group terms together, enabling you to do some complex matching. To add further terms to your dictionary, you select a term within the original condition, then insert the new term. How the list or terms looks in a simple dictionary
Term Applies (1 of 1): Everything rare secret
This dictionary detects the word "rare" or the word "secret" in every type of document. The dictionary has only one condition, hence the title displays (1 of 1). How the list or terms looks with more conditions
[And] Applies (2 of 2): Everything book page
This dictionary has a second condition, which detects the word "book" or the word "page" in every type of document. The dictionary has two conditions, hence the titles display (1 of 2) and (2 of 2). The second condition operates with the first by the use of the And. In summary, the dictionary will detect rare or secret when found with book or page. Thus, the dictionary will detect: rare book, rare page, secret book, and secret page. In technical notation, this is known as: (rare | secret) AND (book | page) Email | Email Policies | Dictionaries [+] List of terms
115
Web | Web Policies | Dictionaries
How to choose a name for a dictionary

Over time, you can create many dictionaries, so each needs an accurate name and description. Remember that if a banned term is detected, the name of the dictionary appears in the alert message that users see. Therefore, to prevent the use of an insulting phrase, do not include the phrase in the name of the dictionary. Instead, name your dictionary something like Insulting Phrases. You can add a description to your dictionary to explain its purpose. The description does not appear in the alert message. Email | Email Policies | Dictionaries (Add dictionary) Web | Web Policies | Dictionaries (Add dictionary)
Understanding limitations in content scanning

A content rule can apply only to a single file, document or attachment at any time. For example, you create a dictionary that contains some offensive words ugly and stupid. A rule that references this dictionary triggers on finding the word ugly in databases and spreadsheets. When the appliance encounters any database, it searches for the word ugly. Similarly, when it encounters any spreadsheet, it also searches for ugly. You can make such rules more complex. For example, you can make the rule search for both ugly and stupid in databases and in spreadsheets. When the appliance encounters any database, it searches for the word ugly and the word stupid. If both words are present, the rule triggers your defined action. When the appliance encounters the words in any spreadsheet, the rule is also triggered. You can create combinations of rules that will not work. For example, if you need two conditions to be true for a rule to be applied, the rule is not applied in the following situation: The appliance scans an email message that has another email message as an attachment. The top-level email message triggers one of the conditions and the attached email message triggers the second condition. The appliance treats each of the email messages as separate objects. The content rule requires that both conditions are met within the same object for that content rule to trigger. Because each object triggers only one of the two conditions, the content rule is not triggered for either object. Email | Email Policies | Scanning Policies [Content] -- Content scanning
Where to apply a banned term

A banned term might appear inside files or documents in email messages or downloads. You can specify the file formats to scan for content. For example, the appliance can scan: Databases Documents Spreadsheets Graphics
116
Email messages You can then select the sub-categories to scan. For example, if you select Documents, you further specify that the appliance will scan only Microsoft Word 7.0 documents. You can also specify which parts of the email messages to scan. For example, the appliance can scan: Attachments Body Recipient Sender Subject line Text attachments Email | Email Policies | Dictionaries Web | Web Policies | Dictionaries Web Policies menu
Understanding complex terms when scanning email messages

Email messages typically have a different structure from documents, and this can affect the way that content rules apply. For example, consider the following text in a document:
I think our manager is stupid and ugly.
To prevent the words stupid and ugly appearing together in a document, you can create a complex term in a dictionary. The appliance takes action when these words appear together. The settings in the Term Details window are:
Name of field Type Term Description Case sensitive Wildcard Starts with Ends with Condition Enable near matching Within a block of characters Word or phrase ugly Content Content filter stupid Two words in the same place
This complex term is suitable for detecting words in the following simple email message:
To: user1@example.com From: user2@example.com Subject: Our manager I think he is stupid and ugly. What do you think?
117
Now consider a second example:

To: user1@example.com From: user2@example.com Subject: Our stupid manager I think he is ugly too. What do you think?
In this case, the appliance cannot detect the two words. Most email messages are based on the MIME format, and have several parts. Each part is like a separate file the To address, the From address, the subject line, and the message body. In this example, no part contains both words stupid is in the subject line; ugly is in the message body. To detect the words stupid and ugly together in an email message, you need two combined conditions the word stupid anywhere in an email message and the word ugly anywhere in an email message. You need a simple dictionary with only two terms, where each term is under a separate condition. The dictionary will have the following structure, when seen under List of terms for selected dictionary: Term Applies (1 of 2): Email messages stupid (And) Applies (2 of 2): Email messages ugly Email | Email Policies | Scanning Policies [Content] -- Content scanning
Best practices for content scanning of email

Use the following ideas to protect your organization. Limit the size of files to protect your network's available bandwidth, sizes of mailboxes, and to prevent delays in the use of important software. Block executable files, that is, those with file name extensions of EXE, PIF and COM. Monitor email between your organization and competitors' organizations. Block incoming email that contains words associated with sex, gambling, violence, drugs and so on. Block outgoing emails that contains words associated with sex and so on, and programming languages. Block the flow of confidential information. In the template of confidential documents, include a header or footer with a phrase such as "Internal only." Write the text in red or black, so it is obvious to its users. Alternatively, write the text in white, so that it is hidden. Create a new dictionary that contains the phrase, then include the dictionary in a content rule to block or monitor the flow of confidential documents. Email | Email Policies | Scanning Policies [Content] -- File filtering Email | Email Policies | Scanning Policies [Content] -- Content scanning
118
Preventing email threats Quarantine Configuration menu
Quarantine Configuration menu

Use these pages to specify how the appliance quarantines email that probably contains a threat. Menu location: Email | Quarantine Configuration When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Quarantine Options Quarantine Digest Options Digest Message Content What you can do from this part of the interface Use this page to specify where to store quarantined items. Use this page to specify how users will receive quarantine digests. Use this page to design the appearance of quarantine digests and the responses to users' requests.
Further information
McAfee Quarantine Manager

McAfee Quarantine Manager (MQM) consolidates the quarantine and anti-spam management functionality of multiple McAfee products. It gives you a central point from which you can analyze and act upon email and files that have been quarantined. Items are quarantined if they are categorized as spam, or phish, or because they may contain viruses, potentially unwanted software, or other unwanted content. McAfee Quarantine Manager is particularly effective in managing unsolicited bulk email or spam. From the McAfee Quarantine Management (MQM) feature, you can: Enable the appliance's use of the MQM software. Specify the IP address of the MQM server. Specify the appliance ID. If you replace the appliance, it will have a new ID. Because items released from the MQM software use this ID to communicate with the appliance, some email might not reach its intended destination If you enable MQM, the appliance's own quarantine digest facilities, spam learning, user-submitted blacklists and whitelists, and quarantine queue options are disabled. Email | Quarantine Configuration | Quarantine Options [+] McAfee Quarantine Manager (MQM)
Quarantine digests
A quarantine digest is an email message that the appliance sends to an email user. The digest includes information about the user's email messages that have been quarantined because they contain unacceptable content or spam. It does not contain information about viruses and other potentially unwanted program detections. The types of quarantine digest are: Non-interactive quarantine digests A summary of the email messages that the appliance has quarantined for users. These digests cannot be used to manage quarantined messages.
119
Preventing email threats Quarantine menu
To request changes to the quarantined email messages, users must contact their administrator. For example, a user might ask the administrator to release a message that has been mistakenly quarantined. Interactive quarantine digests A summary that enables users to request certain actions on email messages addressed to themselves. The benefits of using interactive quarantine digests are: Less effort for email administrators because users can do some actions themselves. Users receive a single email summary rather than a number of individual alerts. Users can quickly respond to new sources of spam by creating and changing their own blacklists and whitelists. Users need not wait for email administrators to approve the release of messages from the spam quarantine area. Administrators retain control over the content of users' blacklists and whitelists, and can override incorrect entries. Administrators retain control of messages that have been quarantined because of their content, and must approve the release of these messages. If a user does not respond to a digest message after a predefined time, any email detected as spam is automatically deleted. If a user requests the release of a non-spam email message, the request is added to the Release Requests queue. To see the queue, select Email | Quarantine | Release Requests on the navigation bar. Email | Quarantine Configuration | Quarantine Digest Options
Quarantine menu
Use these pages to examine or release email that has been quarantined because it might contain a threat. Menu location: Email | Quarantine When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Quarantined Email Release Requests What you can do from this part of the interface Use this page to view email that was quarantined because it contains a threat. Use this page to release quarantined email when users send a request.
Further information
Email queues
If the appliance cannot deliver the email messages immediately for example if a forwarding mail server is unavailable the appliance holds the messages in a queue. The appliance automatically makes several attempts to resend the email. From the queue, you can:
120
Preventing email threats How email messages are processed
View details about each email message such as its sender and size. View the reason for the non-delivery. Try to send each email again or delete it. Email | Queued Email
How email messages are processed

The appliance handles an email message according to: Who sent the email message. Who will receive the email message. The content of the email message. On receiving an email message, the appliance processes it in the following order: Table 19: Email message processing
Denied Connections Sender Authentication CONNECT Permit Sender Deny Sender TrustedSource Real-time Blackhole Lists (RBL) EHLO/MAIL FROM SPF (Sender Policy Framework) Permit Sender Deny Sender RCPT TO Anti-Relay Anti-relay checks are made in the following order: Greylisting Permitted Recipient list LDAP recipient check Directory Harvest Prevention Permit domains Deny domains Local domains
DATA
RBL SPF Sender ID Domain Keys Identified Mail (DKIM)
If behind an MTA. If behind an MTA.
Scanning Anti-spam Mail size filter If anti-spam software is in use.
121
Preventing email threats How email messages are processed
Corrupt content Signing check File filter Encrypted content HTML check Content Compliancy Anti-virus Delivery Proxy Mode Domain Relay If a domain relay is specified, a domain relay check is carried out. An MX lookup may also be required if only a domain name was specified. If there is an IP address, no further checks are done If no domain relay is specified, then the DNS and fallback steps are carried out instead. DNS If DNS delivery is enabled, then an MX record lookup is carried out. If there is no MX record, an A record lookup is done. After the DNS checks, a Fallback relay list lookup is done, followed by an A record lookup if only a domain name was specified. If the appliance is running in transparent mode, the client does all the required DNS lookups The anti-virus scan always runs even if some of the other scans are not.
Fallback relay
Transparent Mode
NOTE: If any actions are associated with anti-virus scanning and content scanning detections, the highest priority primary action is done. The priority that the appliance gives to actions is predetermined and cannot be reconfigured.
122
Preventing web threats

Use the Web pages to manage threats to web downloads, and to manage other aspects of web configuration. When clicked, this icon on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Web Configuration What you can do from this part of the interface Use these pages to configure aspects of web access through a range of protocols. Use these pages to manage policies and dictionaries that apply to web access.
Web Policies
Further information Web Configuration menu Web Policies menu Navigation bar
Web Configuration menu

Use these pages to configure aspects of web access through a range of protocols. Menu location: Web | Web Configuration When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab HTTP What you can do from this part of the interface Use these pages to configure web access using the HTTP protocol. Use these pages to configure web access using the ICAP protocol. Use these pages to configure web access using the FTP protocol.
ICAP
FTP
Further information Preventing web threats
123
Preventing web threats Web Configuration menu
Web Configuration menu HTTP Web Configuration menu ICAP Web Configuration menu FTP Data trickling its advantages and disadvantages
Web Configuration menu HTTP

Use these pages to configure web access using the HTTP protocol. Menu location: Web | Web Configuration | HTTP When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Connection Settings What you can do from this part of the interface Use this page to specify connection settings for the HTTP protocol, such as port numbers and timeouts. Use this page to specify how the appliance handles some features of the HTTP protocol, such as denial-of-service protection and data trickling.
Protocol Settings
Web Configuration menu HTTP
HTTP
HTTP is the HyperText Transfer Protocol, a protocol used for accessing websites. This section describes the appliance's support for HTTP. Contents Web Configuration menu HTTP Understanding traffic flow HTTP configuration HTTP protocol settings How Transparent Authentication can affect Outlook 2003 email
Understanding traffic flow

For Internet traffic, policies are applied according to the source of the request not the location from which a file is retrieved. For example, consider a user downloading a test virus file from www.eicar.com. You might assume that the infected file is going from the Internet (the outside network) to the internal (inside) network. However, this is not the case. The source of the initial
124
connection was the user on the internal network. The request was made to the Internet the outside network. The request originated from inside.
Figure 5: Requests from inside If your organization has a web server, you also need a policy that applies to HTTP requests that come into your network from an outside network, namely the Internet.
Figure 6: Requests from outside NOTE: Include the IP address of the firewall in the list of outside networks. Web | Web Policies | Scanning Policies
HTTP configuration
For HTTP connections initiated by hosts in your networks, you can configure the following features for the appliance: Authentication Client Time-outs Web | Web Configuration HTTP
HTTP protocol settings

To control the communication between the appliance and hosts in your networks, you can configure the following features: Denial of service protection Download status pages and data trickling FTP over HTTP Handoff host Header blocking and modifications Protocol details Request permissions Web | Web Configuration | HTTP | Protocol Settings HTTP
125
How Transparent Authentication can affect Outlook 2003 email

If Transparent Authentication is enabled, a user does not normally need to repeatedly enter username and password. If an Outlook user receives an email that needs access to the Internet via Internet Explorer to fetch some objects, the appliance intercepts the Internet access. If Transparent Authentication is enabled, the user might be prompted to enter a username and password, because of security constraints in the Outlook client. System | Users, Groups and Services | Web User Authentication HTTP
Web Configuration menu ICAP

Use these pages to configure web access using the ICAP protocol. Menu location: Web | Web Configuration | ICAP When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Connection Settings What you can do from this part of the interface Use this page to specify connection settings for the ICAP protocol, such as port numbers and timeouts. Use this page to specify details about the authentication servers, and ICAP header extensions that might be present in REQMOD and RESPMOD requests, such as X-Authenticated-User and X-Authenticated-Groups, to provide information about the source of the encapsulated HTTP message. Use this page to specify how the appliance handles some features of the ICAP protocol such as data trickling.
Authentication
Protocol Settings
Web Configuration menu ICAP
ICAP
ICAP is the Internet Content Adaptation Protocol. This section describes the appliance's support for ICAP. Contents Web Configuration menu ICAP What is ICAP? How does ICAP work? ICAP content policies Structure of an ICAP message Example of appliance as an ICAP server Considerations for using ICAP without HTTP RFCs (Request for Comments)
126
What is ICAP?
ICAP allows ICAP clients to pass HTTP messages to ICAP servers for processing or transformation (adaptation). For more information, see RFC 3507. Web caches such as the Open Source program Squid also act as ICAP clients. See www.squid-cache.org. The web caches can intercept HTTP traffic, and pass HTTP requests and responses to the ICAP server for adaptation. The HTTP requests and responses are encapsulated in ICAP requests. The appliance can act as an ICAP server. The appliance supports the encapsulation of the HTTP protocol only. The type of adaptation depends on the policies set up on the ICAP server. For example, the ICAP server can be configured to check for viruses or to block access to certain websites. NOTE: ICAP implementation varies according to the product used in your network. For example, some ICAP clients do not support all ICAP services. See the user documentation for your ICAP clients. By default, the appliance offers a REQMOD service and a RESPMOD service. Each service can have its own policy settings that control how the appliance processes the ICAP requests. For example, if the appliance receives a REQMOD request, it applies the URL-filtering, scanning, and other REQMOD policies to the ICAP request. NOTE: The appliance does not act as an ICAP client to other ICAP servers. Web | Web Policies | Scanning Policies ICAP RFCs (Request for Comments) ICAP
How does ICAP work?

This section describes what happens when the following occurs: An HTTP request is intercepted by the ICAP client device An HTTP response is intercepted by the ICAP client device The ICAP client and ICAP server use the Preview feature An HTTP request is intercepted by the ICAP client device The ICAP client device intercepts HTTP requests and redirects them to an ICAP server for processing. NOTE: Some web caches and similar devices have ICAP client capabilities. When a device intercepts an HTTP request, the ICAP client within that device encapsulates the HTTP request in an ICAP request message and sends this request to the ICAP server for processing. The ICAP client request message includes: The ICAP REQMOD verb. The HTTP request header. Any HTTP body data associated with that request. The server processes the request and sends a response to the client. The content of the response might be: The server does not need to modify the HTTP request the server sends a response that contains the original unmodified HTTP request, or just sends a 204 No modification needed response.
127
The implementation of the client and server determines which response is sent. In some implementations, the server returns the unmodified request, and the client device passes the request to the HTTP server. In other implementations, the client device keeps a copy of the HTTP request, which it passes to the HTTP server when the client receives the 204 No modification needed response from the server. This is the case when the ICAP client sends the ICAP header: Allow:204. The server modifies the request the server can modify the request header, body data, or both. The type of modification depends on the policies set up on the server. The server encapsulates the modified message in an ICAP response and sends it to the client. The client device receives the response and passes the modified request to the HTTP server. The server blocks the HTTP request the server creates an HTTP response header, such as 403 Forbidden and includes it in the response. The client device receives the response and passes the HTTP response to the HTTP client. NOTE: If there is a problem with the server, or with communication between the client and server, the client device sends an error message to the HTTP client. An HTTP response is intercepted by the ICAP client device The ICAP client within the ICAP client device can encapsulate the HTTP response in an ICAP request. The request is sent to the ICAP server for processing. The request contains: The ICAP RESPMOD verb. The HTTP request that caused the response from the HTTP server. The HTTP response header returned by the HTTP server. Any HTTP body data returned by the HTTP server. The server processes the request and sends an ICAP response to the client. The content of the response might be: The server does not need to modify the HTTP response the server sends an ICAP response that contains the original unmodified HTTP response, or sends a 204 No modification needed response. The implementation of the client and server determines which response is sent. The server modifies the HTTP response the server can modify the response header, body data, or both. The type of modification depends on the policies that have been set up on the server. The server encapsulates the modified message in an ICAP response that it sends to the client. The client device receives the response and passes the modified HTTP response to the HTTP server. NOTE: If there is a problem with the server, or with the communication between the server and client, the client device sends an error message to the HTTP client. The ICAP client and ICAP server use the Preview feature Sometimes you might not want the ICAP client to send all the HTTP data to the ICAP server. For example, sending large graphic files to an ICAP server that cannot process them is an inefficient use of network resources and the ICAP server. To improve efficiency, the server and clients can be configured to use the ICAP preview function. Instead of sending all the HTTP data to the server, the client sends a few bytes of data.
128
By default, the ICAP RFC standard specifies that up to 4096 bytes of data can be sent in a preview. NOTE: The preview function is available only if it is enabled on both the ICAP server and the ICAP client. The server uses the preview information to decide if the client must send the rest of the message for possible modification. The response from the server to the client might be: If modification is not required, the server sends a 204 No modification needed response to the client. The rest of the message is not sent to the server. If modification is required, and all the data was not received as part of the preview, the server sends a 100 Continue after ICAP Preview response to the client. The client then sends the rest of the data to the server. If the server has already received all of the HTTP message in the preview, it continues to process the message as if the preview had not been sent, and sends the response to the client. By default, the appliance ensures that all HTTP data is transferred from the ICAP client regardless of the preview settings. The preview function really comes into operation only when you have policies on the appliance that prevent the scanning of certain data types. For example, you have a policy that prevents the scanning of some MIME data types. When the appliance receives the preview, it detects the MIME data type, applies the policy, and returns a 204 No modification needed ICAP response to the ICAP client. The ICAP client does not transfer the remaining data to the appliance and the file is not scanned. Some ICAP clients require the server to send the header Transfer-Preview in order to make preview work. See Service settings for details. NOTE: For best security, we recommend scanning all file types. Before turning off the scanning of any file type, carefully consider the security risks. To do this, you must set Transfer-Complete to * in Service Settings. For more information about the risks, see the Virus Information Library at http://vil.nai.com or speak to your support representative. ICAP RFCs (Request for Comments)
ICAP content policies

The appliance provides the following features when scanning the ICAP protocol: Anti-virus URL filtering Scanner control The appliance can also handle the following types of content: Alert settings HTML settings The appliance can apply different policies according to the ICAP service request modification (RESPMOD) or response modification (REQMOD). Web | Web Policies | Scanning Policies ICAP ICAP
129
Structure of an ICAP message

The following basic ICAP messages pass between ICAP clients and ICAP servers: ICAP requests from ICAP clients ICAP responses from ICAP servers ICAP requests from ICAP clients An ICAP client makes an ICAP request to an ICAP server for an ICAP service. When an ICAP client device (such as a web cache or web proxy) intercepts an HTTP request or response that it wants to pass to an ICAP server for processing, it sends an ICAP request to that server. The request has the following parts: Request header Request body Request header The request header tells an ICAP server what type of service is needed. It starts with a request line, indicating the verb, the URL of the service, and the ICAP version, for example: RESPMOD icap://icap.example.net/translate?mode=french ICAP/1.0 Parts of a request header
Part Action required Description Example
Action required the method or RESPMOD verb. Full URL of the ICAP service being requested. Version of ICAP that the ICAP client is using icap://icap.example.net/translate?mode=french
Service requested ICAP version
ICAP/1.0
An ICAP client can use the following verbs when requesting a service from an ICAP server: REQMOD for dealing with HTTP requests (REQuest MODification). RESPMOD for dealing with HTTP responses (RESPonse MODification). OPTIONS for requesting information about the ICAP server's configuration. Depending on the vendor you use, some ICAP servers can be configured to offer more than one ICAP service, and some ICAP clients can be configured to use more than one ICAP server. For example, an ICAP client that requires URL blocking and anti-virus scanning might be configured (depending on its capabilities) to use one ICAP server for URL blocking and another for scanning viruses. Alternatively, if an ICAP server offers URL blocking and scanning services, the ICAP client might use that ICAP server for both. The first line of the request header can be followed by other lines that describe the data in the request, and control aspects of the ICAP transaction. NOTE: User-defined header extensions are allowed in ICAP requests, and follow the HTTP Xnaming convention. For a full description of ICAP headers, see RFC 3507, the ICAP Extensions document, and other ICAP documents on the ICAP Forum website.
130
Request body The content of an ICAP request body depends on the type of request made by the ICAP client. It also depends on the basic capabilities of the ICAP client, because some clients support the REQMOD verb and some support the RESPMOD verb. If the request contains REQMOD, the ICAP request body contains: The HTTP request header. The HTTP request body, if there is body data associated with the request. For example, the body might contain data being sent to a webserver using an HTTP POST command in the request header. If the request contains RESPMOD, the ICAP request body contains: The original HTTP request header. The HTTP response header provided by the HTTP server. The HTTP response body, if there is body data associated with the response. For example, the body might contain data returned from the HTTP server, such as a webpage that is downloaded from a webserver. If the request contains OPTIONS, there is no request body. NOTE: The HTTP message is said to be encapsulated (enclosed) in the ICAP message. Encapsulated HTTP bodies are transferred using data chunking, but encapsulated HTTP headers are not chunked. NOTE: For information about HTTP version 1.1 and chunked transfer-encoding, see the HTTP RFC2616 standard. ICAP responses from ICAP servers An ICAP response is a response made by an ICAP server to an ICAP request from an ICAP client. When an ICAP server responds to an ICAP request, it sends an ICAP response message to that ICAP client. The response has the following parts: Response header Response body Response header ICAP response headers start with an ICAP status line that shows an ICAP version number, status code and a status description, for example: ICAP/1.0 200 OK. Parts of an ICAP status line
Part ICAP version number Description Version of ICAP that the ICAP server is using when responding to the ICAP request. Example 1ICAP/1.0
ICAP status code
Status of the ICAP exchange. User-defined header extensions are 204 allowed in ICAP responses, and follow the HTTPX- naming convention. See the ICAP Extensions document on the ICAP Forum website. Description of the status code. OK
Status description
The first status line can be followed by other response header lines that describe the data in the response, and control aspects of the ICAP transaction. For full details of the type of headers, see the ICAP RFC standard.
131
Response body The content of an ICAP response body depends on: The verb used in the original ICAP request (REQMOD or RESPMOD). ICAP requests that use the OPTIONS verb do not have a response body. Whether the HTTP header and HTTP data encapsulated in the ICAP request need modification. The policies that have been set up on the ICAP server. Policies specify how the ICAP server modifies HTTP messages received from ICAP clients. The status of the ICAP exchange. For example, the content of the ICAP response body might change if the ICAP server has a problem. RFCs (Request for Comments) ICAP
Example of appliance as an ICAP server

In this example, the ICAP policy on the appliance prevents access to banned websites. The web cache normally intercepts HTTP requests from a user's computer. Popular web pages are stored in the web cache and returned directly to the user, without the need to send the HTTP request to the Internet.
In the following configuration, the web cache uses the appliance to block access to banned sites. The web cache acts as an ICAP client and the appliance acts as an ICAP server.
1 2 3 4
The web cache converts the HTTP request to an ICAP request. The appliance examines the request and compares the website address (URL) against a list of banned websites. If the website is in the list, the appliance returns a webpage to the web cache, intended for the user, stating that the site is banned. If the website is not in the list, the appliance returns an ICAP response to the web cache, enabling the web cache to send the HTTP request to the Internet. Web | Web Policies | Scanning Policies ICAP
132
Considerations for using ICAP without HTTP

During the configuration of the ICAP proxy, the appliance gives a warning if the HTTP proxy is disabled or is not available. Some ICAP alerts use the HTTP proxy to serve embedded images, therefore we recommend that you enable the HTTP proxy with the ICAP proxy. These images will show as broken images in the client if the HTTP proxy is disabled or not reachable by users of the ICAP client. However, you can run the ICAP proxy alone if you need only text alerts and no linked images need to be served (that is, the ICAP client is not serving HTML-based clients). In this case, we recommend that you configure the ICAP proxy to use text alerts instead of HTML alerts. Web | Web Configuration | HTTP | Connection Settings ICAP
Web Configuration menu FTP

Use these pages to configure web access using the FTP protocol. Menu location: Web | Web Configuration | FTP When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Connection Settings What you can do from this part of the interface Use this page to specify connection settings for the FTP protocol such as port numbers and time-outs. Use this page to specify how the appliance controls the communication between the appliance and hosts in your networks. Use for features such as data trickling and the keep-alive interval.
Protocol Settings
Web Configuration menu FTP
FTP
FTP is the File Transfer Protocol. The appliance includes an FTP proxy for transferring files between computers. This section describes the appliance's support for FTP. Contents Web Configuration menu FTP Understanding traffic flow FTP protocol settings Download status and data trickling Upload status and data trickling FTP handoff host
Understanding traffic flow

For Internet traffic, the source of the request not the location from which a file is retrieved is the basis for policy selection. You might assume that an infected file is traveling from the
133
Internet (the outside network) to the internal (inside) network, so you need to apply a policy to traffic from outside your network. However, the source of the initial connection is the user on the internal network. The request was made to the Internet the outside network. The request originated from inside. For example, if a user on the internal network downloads a file from the Internet using FTP GET, you need a policy that applies to requests from inside your network. If the user uploads a file to the Internet using FTP PUT, the initial connection is again from the inside network, so again the same policy is needed. In summary, even though the files are traveling in different directions, the appliance still uses the same policy. Web | Web Policies | Scanning Policies FTP
FTP protocol settings

To control the communication between the appliance and hosts in your networks, you can configure the following features: Data processing. Download status and data trickling. Upload Status and Data Trickling Handoff Host. Web | Web Configuration | FTP | Protocol Settings FTP
Download status and data trickling

You can configure the appliance to start downloading (data trickling) the file to the client before the whole file has been received from the server and scanned by the appliance. FTP allows data to be passed between computers in two modes binary and 8-bit American Standard Code for Information Interchange (ASCII). Binary is consistent across computer platforms, so its data can be scanned effectively. However, 8-bit ASCII can contain different character codes and formatting, depending on the computer systems in use, so viruses can be concealed within its data. You can configure the appliance to allow or block 8-bit data transfers. The appliance allows this transfer mode by default. Blocking 8-bit file transfers in ASCII mode prevents binary files being transferred in ASCII mode, but might also prevent legitimate text files being transferred. If your users need to transfer text files in 8-bit character sets using FTP, we recommend that they transfer the files in binary mode and convert them to the appropriate local file format using utilities such as recode. NOTE: Some file transfer utilities use the 8-bit ASCII mode by default. If the appliance blocks the 8-bit ASCII mode, change your utility to binary mode. Web | Web Configuration | FTP | Protocol Settings [+] Download status and data trickling FTP
134
Upload status and data trickling

The appliance can be configured to permit or deny the uploading of files over an FTP connection, to display status messages informing a client that an upload is still in progress, and can start uploading (data trickling) a file to a client before the whole file has been received from the server and scanned by the appliance. Web | Web Configuration | FTP | Protocol Settings [+] Upload status and data trickling FTP
FTP handoff host

An FTP handoff host diverts all client requests to a specific FTP proxy server. This server is then responsible for handling the client requests. For example, if your firewall has an FTP proxy server, use this option to redirect FTP requests to the firewall. Web | Web Configuration | FTP | Protocol Settings FTP
Data trickling its advantages and disadvantages

Table 20: Data trickling advantages and disadvantages
Advantages Data trickling enabled Good user experience Instead of a long wait for the whole file to be downloaded, the file is downloaded as smaller data chunks. Information in these data chunks can be displayed as it is downloaded, making the download seem faster. Users can leave large files to download without the risk that the web browser will time-out the connection in their absence. Disadvantages Less secure A file is downloaded as a series of small data chunks, which are placed on the user's hard disk drive before the appliance can scan the whole file. These data chunks might contain a virus or some malware. More administration Users might think that the unusable data chunks that appear on their hard disk drives are files that have been corrupted by the appliance and contact their network administrator. Users will also need to remove these files. Poor user experience The whole file must be downloaded before a user can view it, making the download seem slower.
Data trickling disabled
More secure The whole file is scanned before it is placed on the user's hard disk drive.
Web | Web Configuration | FTP | Protocol Settings Web | Web Configuration | HTTP | Protocol Settings Web | Web Configuration | ICAP | Protocol Settings Web Configuration menu
135
Preventing web threats Web Policies menu
Web Policies menu

Use these pages to manage policies and dictionaries that apply to web access. Menu location: Web | Web Policies When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Scanning Policies What you can do from this part of the interface Use this page to create and review all the policies. Policies define how the appliance handles threats such as viruses and other content. Dictionaries Use this page to change the lists of words and phrases (or terms) that are detected as banned content. You can add your own dictionaries and add more terms to existing dictionaries.
Preventing web threats Web Scanning Policies menu
Web Scanning Policies menu

Use this page to make policies for handling threats during web access. Links under the following headings go to further pages, where you can configure the features of the appliance. Anti-Virus URL Filtering Content Scanner Options Anti-Virus Menu location: Web | Web Policies | Scanning Policies [Anti-Virus] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link Virus Spyware What you can do from this part of the interface Use this page to specify basic options for anti-virus scanning. Use this page to specify the actions to take against potentially unwanted programs. Use this page to specify the actions to take against packers. Packers compress files, which changes the binary signature of the executable. Packers can compress Trojan-horse programs and make them harder to detect.
Packers
URL Filtering Menu location: Web | Web Policies | Scanning Policies [URL Filtering] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
136
Link HTTPS URL Filtering
What you can do from this part of the interface Use these pages to control access to secure websites when the action is coach. A secure website has an address of the form: https://www.example.com. (Available with HTTP only.)
Primary URL Filtering
Use these pages to allow or block access to specified websites. (Not available with FTP.)
Enhanced URL Filtering
Use these pages to control access to websites according to their SiteAdvisor classification or their URL category (such as pornography or violence). (Not available with FTP.)
Timed setting
Use these pages to control the times of access to websites according to their SiteAdvisor classification or their URL category (such as news or forums). (Not available with FTP.)
Content Menu location: Web | Web Policies | Scanning Policies [Content] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link Content scanning What you can do from this part of the interface Use this page to specify how the appliance handles items that contain banned content. The banned terms are in one or more dictionaries. (Available with HTTP only.) Streaming media Use this page to allow some types of streaming media to pass through the appliance. (Not available with FTP.) Instant messaging Use this page to specify how to handle instant messaging. (Not available with FTP.)
Scanner Options Menu location: Web | Web Policies | Scanning Policies [Scanner Options] This column on the page contains the following links, which lead to further pages where you can control the features of the appliance.
Link Scanning limits What you can do from this part of the interface Use this page to set limits on scanning to prevent attacks and other performance issues. Use these pages to specify how the appliance handles some content, including encrypted or corrupt content. (Not available with FTP.) Alert settings Use this page to control the format and appearance of the alert message that users receive when the appliance detects a threat. (Not available with FTP.)
Content handling
Further information Web Policies menu
137
Settings for scanning viruses and similar threats Understanding the scanner options for web
Settings for scanning viruses and similar threats

The anti-virus settings in a policy protect the network and its users from: Viruses Spyware Adware Various kinds of malware (malicious software) and other potentially unwanted software. Viruses The appliance can clean each virus before it alters or destroys any data. If the virus cannot be cleaned, the appliance can take some other action such as deleting the file that contains the virus, or moving the file to a safe quarantine area. The appliance updates itself regularly and automatically to protect your network against new viruses. Computers in your network might already have some anti-virus protection, so you can adjust the level of protection that the appliance provides. For example, scanning inside archive files (such as ZIP files) might not be necessary because any file inside them cannot become active until it has been extracted. An on-access (or real-time) scanner will typically detect such files. Packers Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses, making them harder to detect. Spyware Spyware can steal information and passwords. This category includes potentially unwanted programs (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too is among these nuisances, because it distracts employees from their normal work. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Web Scanning Policies menu Using anti-virus scanning
Using anti-virus scanning

The appliance uses the McAfee anti-virus scanning engine and anti-virus definition (DAT) files to scan and clean network traffic. The scanners detect known viruses, new viruses and variants. The scanners can also detect potentially unwanted programs (PUPs) such as spyware, adware, and cookies. Traffic for a specific protocol is only scanned if that protocol is enabled and scanning is enabled in at least one direction. By default, all protocols are enabled, and traffic is scanned in both directions. The appliance shares its resources between the protocols. It scans each protocol's inbound and outbound traffic.
138
If you disable scanning for either direction, traffic passes through the appliance unscanned in that direction. CAUTION: Do not disable anti-virus scanning for any enabled protocol unless you are scanning its traffic elsewhere in your network. Allowing unscanned traffic to enter your organization leaves it vulnerable to infection. Configure your other network devices to route the protocols through the appliance, so nothing can bypass the appliance. Only traffic that passes through the appliance, or that is routed to the appliance in the case of Explicit Proxy mode, is scanned. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Settings for scanning viruses and similar threats
Anti-Virus
Viruses and other malicious software can destroy or steal data. Contents Anti-virus features Settings for scanning viruses and similar threats What is a potentially unwanted program (PUP)? Types of anti-virus scanning Customized anti-virus settings Detection of new and unknown viruses Special actions against packers and PUPs Settings for scanning viruses and similar threats Anti-virus features Settings for scanning viruses and similar threats What is a potentially unwanted program (PUP)? Types of anti-virus scanning Customized anti-virus settings Detection of new and unknown viruses Special actions against packers and PUPs Anti-virus features The appliance's anti-virus software does the following: Detects and cleans viruses. Protects your network from potentially unwanted programs (PUPs). The appliance can be configured to: Enable or disable detection of potentially unwanted programs. Detect specific types of potentially unwanted programs, such as mass mailers and Trojan horses. Detect named malware. Take specific actions when malware is detected.
139
Protects your network from named packers. You can add and remove packer names from the list of packers that will be detected. Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses and make them harder to detect. The appliance can be configured to: Detect named packers. Exclude named packers from detection. Take specific actions when a packer is detected. Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might want to remove them. CAUTION: McAfee anti-spyware software detects and, with your permission, removes potentially unwanted programs. Some purchased or intentionally downloaded programs act as hosts for other potentially unwanted programs. Removing these potentially unwanted programs may prevent their hosts from working. Review the license agreement for these host programs for further details. McAfee does not encourage nor condone breaking any license agreements. Read the details of license agreements and privacy policies carefully before downloading or installing any software. Automatically scans within compressed files. Automatically decompresses and scans files compressed in the packages that include PKZip, LHA, and ARJ. Detects macro viruses. Detects polymorphic viruses. Detects new viruses in executable files and OLE compound documents, using a technique called heuristic analysis. Upgrades easily to new anti-virus technology. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Settings for scanning viruses and similar threats The anti-virus settings in a policy protect the network and its users from: Viruses Spyware Adware Various kinds of malware (malicious software) and other potentially unwanted software. Viruses The appliance can clean each virus before it alters or destroys any data. If the virus cannot be cleaned, the appliance can take some other action such as deleting the file that contains the virus, or moving the file to a safe quarantine area. The appliance updates itself regularly and automatically to protect your network against new viruses. Computers in your network might already have some anti-virus protection, so you can adjust the level of protection that the appliance provides. For example, scanning inside archive files
140
(such as ZIP files) might not be necessary because any file inside them cannot become active until it has been extracted. An on-access (or real-time) scanner will typically detect such files. Packers Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses, making them harder to detect. Spyware Spyware can steal information and passwords. This category includes potentially unwanted programs (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too is among these nuisances, because it distracts employees from their normal work. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus] Web Scanning Policies menu Using anti-virus scanning What is a potentially unwanted program (PUP)? Potentially unwanted programs (PUPs) are not considered to be malware like viruses and Trojan horses. Some software programs written by legitimate companies might alter the security or privacy of the computer where they are installed. This software can include spyware, adware, and dialers, and might be downloaded unwittingly with a program that the user wants. Cautious users prefer to know about such programs, and in some cases, remove them. Email | Email Policies | Scanning Policies [Anti-Virus] McAfee Anti-spyware Types of anti-virus scanning Scanning default file types Normally the scanner examines only the default file types in other words, it concentrates its efforts on scanning those files that are susceptible to viruses. For example, many popular text and graphic formats are not affected by viruses. Currently the scanner examines over 100 types by default, which includes .EXE and .COM. Scanning all files Some operating systems such as Microsoft Windows use the extension name of a file to identify its type. For example, files with the extension .EXE are programs. However, if an infected file is renamed with a harmless extension such as .TXT, it can escape detection. The operating system cannot run the file as a program, unless it is renamed later. This option ensures that every file is scanned. Scanning files according to file type Some operating systems such as Microsoft Windows use file name extensions to identify the type of file. For example, files with the extension .EXE are programs, files with the extension .TXT are simple text files. You can specify the types of files you want to scan according to their file name extension. Scanning inside archive files
141
By default, the scanner does not scan inside file archives such as .ZIP or .LZH files because any virus-infected file inside them cannot become active until it has been extracted. Finding unknown viruses An anti-virus scanner typically detects viruses by looking for the virus signature, which is a binary pattern that is found in a virus-infected file. However, this approach cannot detect a new virus because its signature is not yet known, therefore the scanner uses another technique heuristic analysis. Program file heuristics scans program files and identify potential new file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identify potential new macro viruses. Treating all macros as infected Macros inside documents are a popular target for virus writers. Therefore for added security, you might consider scanning all files for macro viruses, and optionally removing any macro that is found, regardless of whether it is infected. Scanning compressed program files Compressed files (such as those compressed with PKLITE). If you are scanning selected file extensions only, include the needed compressed file extensions in the list of file extensions to be scanned. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Customized anti-virus settings Besides giving you the levels of scanning (such as default file types, which scans only the most susceptible files), the appliance also allows you to specify various options when scanning for viruses. Although more options can provide greater security, scanning will take longer. The scanning capabilities are: Detect possible new viruses in programs and documents. Documents that carry a virus often have distinctive features such as a common technique for replicating themselves. Using heuristics, the scanner analyzes the document to detect these kinds of computer instructions. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses. Scan inside archive files. By default, the scanner does not scan inside file archives such as .ZIP or .LZH files because any infected file inside them cannot become active until it has been extracted. Scan default file types. Normally, the scanner examines only the default file types it scans only those files that are susceptible to infection. For example, many popular text and graphic formats are not affected by viruses. Currently, the scanner examines over 100 file types by default, including .EXE and .COM. Scan all files. This option ensures that every file is scanned. Some operating systems, such as Microsoft Windows, use the extension names of files to identify their type. For example, files with the extension EXE are programs. However, if an infected file is renamed with a harmless extension
142
such as TXT, it can escape detection and the operating system can run the file as a program if it is renamed later. Scan files according to file name extension. You can specify the types of files you want to scan according to their file name extensions. Treat all macros as viruses. Macros inside documents are a popular target for virus writers. Therefore, for added security, consider scanning all files for macro viruses, and optionally removing any macros found, regardless of whether they are infected. Scan compressed program files. This is used to scan compressed files such as those compressed using PKLITE. If you are scanning selected file extensions only, add the appropriate compressed file extensions to the list. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Web | Web Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Detection of new and unknown viruses An anti-virus scanner uses signatures and heuristic analysis to detect viruses. A virus signature is a binary pattern found in a virus-infected file. Using information in its anti-virus definition (DAT) files, the scanner searches for those patterns. This approach cannot detect a new virus because its signature is not yet known. Therefore another technique, known as heuristic analysis, is employed. Programs that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or self-propagate. The scanner analyzes the program code to detect these kinds of computer instructions. It also searches for legitimate behavior, such as prompting the user before taking action, and thereby avoids raising false alarms. To avoid detection, some viruses are encrypted. Each computer instruction is a binary number, but the computer does not use all the possible numbers. By searching for unexpected numbers inside a program file, the scanner can detect an encrypted virus. Using these techniques, the scanner can detect known viruses, and many new viruses and variants. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Special actions against packers and PUPs The appliance handles most detections according to the actions that you specify on the Basic Options tab. To specify that a scanner on the appliance handles some packers and PUPs differently, use the Custom Malware Options tab. Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus]
143
Problems with alerts for mass mailers Normally, the appliance handles all potentially unwanted programs in the same way. However you can specify that certain types are handled differently. For example, you can configure the appliance to inform the sender, the recipient and an administrator with an alert message whenever a virus is detected in an email message. This feature is useful because it shows that the anti-virus detection is working correctly, but it can become a nuisance if a mass-mailer virus is encountered. Mass-mailer viruses (for example Melissa and Bubbleboy) propagate themselves rapidly using email. Numerous alerts are generated, and these can be as annoying as the surge of detected email messages that has been blocked. The appliance can handle any mass-mailer virus separately from other types of virus. You example, you can choose to discard the detected document immediately, and thereby suppress any alert messages that will otherwise be generated. Email | Email Policies | Scanning Policies [Anti-Virus] Custom Malware options Settings for scanning viruses and similar threats Artemis technology This technique reduces the delay between McAfee's detection of a new malware threat and when a customer receives and installs a detection definitions (DAT) file. The delay can be 24 72 hours. How the feature works 1 2 The appliance scans each file, comparing its code against the information (or signatures) in the current detection definitions (DAT) file. If the code is not recognized and is suspicious, for example, the file is packed or encrypted, the appliance sends a small definition (or fingerprint) of that code to Artemis an automated analysis system at McAfee. Millions of other computers with McAfee software also contribute fingerprints. McAfee compares the fingerprint against a database of fingerprints collected worldwide, and informs the appliance of the likely risk within seconds. Based on settings in the scanning policies, the appliance can then block, quarantine, or try to clean the threat.
If McAfee later determines that the code is malicious, a DAT file is published as usual. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Settings for scanning viruses and similar threats
Understanding URL filtering in policies

The content settings in a policy protect the network and its users from: Some categories of websites such as those for gambling and pornography Undesirable websites from your own list of websites and categories of websites. Websites that (according to SiteAdvisor) are likely to annoy users. These settings also handle: Access to secure websites
144
SiteAdvisor SiteAdvisor software helps Internet users stay safe as they search, browse and transact online. For example, it warns users about websites that are known to include adware in downloads. Web | Web Policies | Scanning Policies [URL Filtering] Web Scanning Policies menu
How URL blocking works

When a user tries to access a website over an HTTP or ICAP connection, the appliance uses primary URL Blocking and enhanced URL filtering policies to determine how to handle the request. The appliance checks if the primary URL Blocking policies block access to the website. If access is not blocked, and the enhanced URL filtering option has been enabled, the appliance checks the URL against the list of denied or allowed URLs. Access to the site is then allowed or blocked. NOTE: You can also specify how the appliance handles uncategorized URLs. If the URL is not in the list of allowed or denied URLs, the appropriate enhanced URL filtering policy is applied. Depending on the type of policies that have been set up, a request might be considered inappropriate because: The website is in a category that your organization considers to be inappropriate for business use, such as violence and pornography. The website is requested at an inappropriate time. For example, an employee accessed a website during the normal working hours. The website request came from an IP address that is not allowed to access that website. SiteAdvisor classifies the website as unsuitable. Web | Web Policies | Scanning Policies [URL Filtering] Web Scanning Policies menu Example with URL categories Using URL filtering, you can control access to some websites, as this example shows. To deter some users from reading news websites: 1 2 3 4 5 6 Select Web | Web Policies . Select the policy that applies to these users. In the policy settings, click Enhanced URL filtering, then select the Categorized URLs tab. Click Add categorized URL. At URL, type http://www.cnn.com, then select the category General news, and click OK. Repeat the two previous steps for http://www.bbc.co.uk, and http://www.msn.com. The list of User Categorized URLs now includes these entries: URL http://www.cnn.com http://www.bbc.co.uk http://www.msn.com Categories General news General news General news
145
7 8 9
Select the Categories tab. Click the row for General news, then select Coach Access from the menu. Click OK. When users who are governed by this policy try to access a news website, they will first see a warning web page.
10 To see the type of alert, select Web | Web Policies | Scanning Policies [URL Filtering] -- Alerts on the navigation bar. Web Scanning Policies menu
URL filtering
On the versions of the appliance that scan web traffic, you can evaluate and activate an optional feature enhanced URL filtering. Enhanced URL filtering policies can be applied to HTTP and ICAP traffic. If the enhanced URL filtering component is activated, the appliance can also control access to websites based on the category of their content. Web | Web Policies What is enhanced URL filtering? Enhanced URL filtering provides extra URL filtering for the appliances that scan web traffic and appliances that scan web traffic and email. Enhanced URL filtering uses a URL filtering database and policies to prevent inappropriate use of the Internet. The appliance can block requests, warn (coach) users if requests are not appropriate, or allow requests through. Enhanced URL filtering uses the following components: The enhanced URL filtering database categorizes websites according to their content, such as pornography or gambling. SiteAdvisor classifies websites for safe use. URL whitelist specifies that access must always be allowed for certain websites, regardless of their category within the enhanced URL filtering database. URL blacklist specifies that access must always be denied for certain websites, regardless of their category within the enhanced URL filtering database. Customizable alert messages inform users if a request is denied or considered inappropriate. For example, if a user tries to access an inappropriate site, the appliance can respond with a message that explains your organization's policy on Internet usage. Logs and reports capture and display information about web access. Enhanced URL filtering: Controls Internet access and reduces: Risk of legal issues over the misuse of the Internet. Employee exposure to inappropriate or insecure websites. Misuse of network resources by preserving bandwidth for genuine business use. Can be customized to reflect changes in the way your organization uses the Internet. Can be customized to reflect changes in the type of content that is available on the Internet. Can filter access according to the URL or IP address of the requested website.
146
Can filter access to a whole website or just some parts of a website. Can control the type of searches employees make while using an Internet search engine. Produces information that can be logged and used to create detailed reports, which allow you to monitor Internet use. Integrates fully into the appliance and the appliance's interface. Web Scanning Policies menu
SiteAdvisor
SiteAdvisor software helps Internet users stay safe as they search, browse and transact online. The SiteAdvisor organization patrols the Internet, browsing sites, downloading files, and filling forms. When supplemented with user feedback, comments from website owners, and other analysis, their results classify websites as shown in the table. For more information about SiteAdvisor, visit www.siteadvisor.com. Through the use of its policies, the appliance can block access or issue warnings about unsuitable websites. Classifications Green Safe. SiteAdvisor tested the site and did not find any significant problems. Yellow Caution. SiteAdvisor found some minor security or nuisance issues, or the site has previously had security issues (directly or through corporate affiliations). Red Warning. SiteAdvisor found some serious issues at this website. For example, the site sends spam, includes adware with downloads, or has a business relationship with an organization known for bad practices. Gray Untested. SiteAdvisor has no information about this site yet. How SiteAdvisor works 1 2 3 4 The appliance detects a user's request to view a website. The appliance sends a request to the SiteAdvisor server. The SiteAdvisor server sends information that classifies the website, for example Caution. The appliance examines the policy for this user and applies an action, for example, the appliance blocks access to the website.
NOTE: To ensure a prompt response to every web access, the appliance records the classification of recently visited websites, rather than making repeated requests to the SiteAdvisor server. If any user tries to access the same website within the next 30 minutes, the appliance refers to the recorded (or cached) classification first. The appliance does not cache this information for a longer time because the SiteAdvisor organization often changes a website's classification. If the SiteAdvisor server does not respond promptly, and the appliance has no cached information about a website, the appliance assumes the website is safe, and allows the user to view the website. Web | Web Policies | Scanning Policies [URL Filtering] -- SiteAdvisor
147
Web Scanning Policies menu
Understanding the scanning of web content

The content settings in a policy protect the network and its users from: Some types of streaming media Instant messaging Distracting or distasteful content The appliance handles encryption and digital signatures under Scanner Options in its policies. Content scanning Some words in websites can be offensive. As an example, the appliance can block a webpage that discusses gambling by comparing the words in each webpage against own list of words, such as poker and casino. The appliance has many collections of words and phrases, which are organized into dictionaries, and they include dictionaries for violence, gambling and drugs. You can also make your own dictionaries. To prevent the loss of confidential data, the appliance can scan for particular words and patterns of text, for example, telephone numbers and Social Security Numbers. The appliance has dictionaries such as the HIPAA Rules, which are widely used by healthcare organizations to help them protect private information about their patients. These dictionaries are also known as compliancy lexicons. Web | Web Policies | Scanning Policies [Content] -- Content scanning Web | Web Policies | Dictionaries Web Scanning Policies menu Streaming media Instant messaging
Streaming media
Streaming media is a technique for transferring data such that it can be processed as a steady and continuous stream. The user can therefore view or listen to the data before the entire file has been transmitted. The appliance cannot scan streaming media. To be able to scan a file for viruses, all of the data contained in that file must be available to the appliance. Streaming media is a continuous stream of data without a clear end-marker to indicate that the transmission is complete. The appliance does not know if it has received the whole file, and therefore cannot complete the scan. The appliance can be set up to allow streaming media to pass through it unscanned. CAUTION: Allowing streaming media to pass through the appliance is a security risk, because streaming media is not scanned by the appliance. We strongly discourage allowing streaming media of type application/octet-stream or application/* to pass through the appliance because some of these MIME types may be executable and are a security risk. You can specify: Whether streaming media is allowed to pass through the appliance. Types of data that the appliance considers to be streaming media.
148
Types of servers where the appliance treats all data as streaming media. CAUTION: Data received from these servers is treated as streaming media and is not scanned by the appliance. This presents a security risk to your network. Configure this option only at the request of McAfee Technical Support or your network expert. Incoming streaming media must satisfy some security conditions before it passes to internal users. These security conditions depend on the operating mode of the appliance: Explicit Proxy mode Streaming media on ports not scanned by the appliance cannot pass through the appliance. Set up an alternative network route for this traffic. For streaming media arriving on port 80, add this media stream as a MIME type that is treated as streaming media by the appliance. Transparent mode Streaming media on ports not scanned by the appliance passes through the appliance to the users. For streaming media arriving on port 80, add the file type as MIME type audio/*. You can allow other types of streaming media such as video/* and application/x-mms-framed to pass through the appliance. Web | Web Policies | Scanning Policies [Content] -- Streaming media
Instant messaging
Instant messaging offers real-time text conversations between users. Examples of instant messaging clients include: MSN Messenger from Microsoft Corporation ICQ Yahoo! Messenger from Yahoo! Inc. Instant messaging can sometimes install malware. Its inappropriate use can also distract employees and reduce productivity. Thus, many organizations block instant messaging protocols by firewall at the network gateway. However, if a firewall blocks their usual port number, some instant messaging clients try other port numbers. For example, some instant messaging clients try to tunnel instant messaging traffic over HTTP. They wrap the message in an HTTP message complete with the HTTP headers and send it like HTTP. The appliance blocks instant messaging by detecting certain phrases within the HTTP headers and POST body data. CAUTION: If the appliance is operating in a transparent mode, and HTTP traffic is not intercepted on an intercept port, instant messaging traffic passes through the appliance unscanned. To prevent this, set up the intercept ports, or use a firewall to restrict access to any open ports. Web | Web Policies | Scanning Policies [Content] -- Instant messaging
Understanding the scanner options for web

These settings in a policy protect the network and its users from: Denial-of-service attacks Exploits such as buffer-overflow attacks They also provide: Handling for corrupt content Template design for alert messages
149
These features are arranged under the following categories. Scanning limits Large or complex files such as compressed files or .ZIP files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. For these reasons, you can limit the size to which any file may be expanded and the depth of nesting. Content handling Because scanners cannot read encrypted content, such as password-protected .ZIP files, you must specify how the appliance handles this. The encrypted email can be forwarded to other devices for decryption. A digital signature in an email is rendered ineffective if the appliance has altered the email to remove a virus. Your policy settings must determine what action to take on the email now. Because scanners and other applications can have difficulty reading corrupt content, the policy settings must describe how the appliance will handle this type of content. When users view a webpage, their browsers can download ActiveX components, MacroMedia Flash objects, Java applets, and scripting languages such as VBScript and JavaScript. Such objects can sometimes contain potentially unwanted programs. Although the anti-virus detection finds many unwanted objects, you can provide extra security by choosing to block some or all such objects. Webpages can also contain metadata, comments, and links (URLs) to other pages or websites. If you are concerned that these areas might harbor potentially unwanted programs or undesirable content, you can choose to scan them too. Alert settings The appliance issues alerts, for example, upon detecting a virus or banned content. You can customize the alert text by adding a header and footer. For example, you can include a legal statement or contact information. You might need to customized alerts for different groups in your network. Web | Web Policies | Scanning Policies [Scanner Options] Web Scanning Policies menu Scanner limits Content Handling Alert settings Selecting policies based on group membership Selecting policies based on individual user names
Scanner limits
Large or complex files such as compressed files or .ZIP files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. For these reasons, you can limit the size to which any file may be expanded and the depth of nesting. When expanding a file, we recommend an upper limit of 500 MB. The default maximum nesting depth is 100. If you intend to scan HTML files, set this value to two or more. For compressed files, nesting depth is rarely more than one a single file or several files are compressed or zipped only once. An attacker might wrap an infected file several times inside zipped files within zipped files. If you set the nesting depth low, the appliance will not detect
150
such files because it will not unwrap the zipped file completely. However, because deep nesting is unlikely to occur in normal cases, we recommend that you try a nesting depth of 10, blocking any files that exceed this nesting depth. Log the activity of the scanner control for a while before deciding whether to retain this value. You can also specify the time that the appliance may spend scanning any file. When scanning a file on a server, we recommend 15 minutes maximum. A typical minimum value is one minute. Email | Email Policies | Scanning Policies [Scanner Options] Understanding the scanner options for web How to prevent denial-of-service attacks Understanding the depth of nesting in compressed files How to prevent denial-of-service attacks Large or complex files such as compressed files or .ZIP files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. To prevent this, you can limit the size to which any file is expanded and the acceptable depth of nesting. You can also specify how long the appliance spends scanning any file. Email | Email Configuration | Protocol Configuration | Protocol Settings Scanner limits Understanding the depth of nesting in compressed files To understand the effect of scanning to a depth of nesting, consider the next figure, which shows a compressed file that contains documents and a compressed file. That compressed file contains more documents and another compressed file, and so on.
A depth of two scans the non-compressed files inside a compressed file (only as shaded). The contents of any compressed files are not scanned.
A depth of three scans the non-compressed files inside a compressed file, plus the non-compressed files inside any compressed file that it contains (as shaded).
151
Email | Email Policies | Scanning Policies [Scanner Options] Scanner limits
Content Handling
Because scanners and other applications can have difficulty with some types of content, you must specify how the appliance will handle each type of content. Understanding the scanner options for web Corrupt content Encrypted content Protected content Corrupt content Because scanners and other applications can have difficulty reading corrupt content, you must specify how the appliance will handle this type of content. Content Handling Encrypted content Because scanners cannot read encrypted content, such as password-protected .ZIP files, you must specify how the appliance handles this. If you allow encrypted content through, it must be scanned after it is decrypted, and this typically occurs at the user's computer. Content Handling Protected content You can specify how the appliance handles email messages that contain data that cannot be scanned because it is protected in some way. For example, it is protected by password: Content Handling
Alert settings
The appliance sends a message to clients when a specific event occurs. Although a default message is available, you can specify the header and footer text for alert messages that the appliance issues upon detecting unwanted content. This feature is not available to the FTP protocol. Email | Email Policies | Scanning Policies [Scanner Options] Web | Web Policies | Scanning Policies [Scanner Options] -- Alert settings Understanding the scanner options for web
Selecting policies based on group membership

For policies based on group membership, select User's directory group. For this type of policy, the policy criteria records one or more LDAP group identities. For policy selection, the user name from authentication is used to do a group membership query. The query uses the LDAP server configuration selected for group membership (based on the authentication service configuration).
152
If the group identified by the query matches the group specified in the policy, the appliance applies that policy to the user, the policy can be selected and the settings applied to the user (specific URL filtering policies can be applied to groups of users). Web | Web Policies | Scanning Policies {Add Policy} Understanding the scanner options for web
Selecting policies based on individual user names

For policies based on user name, select Authenticated user. The user name must match the format for one of the configured authentication service types: For Kerberos, the format is the userPrincipalName property in Active Directory LDAP. It looks like an email address, for example user_1@example.com. For NTLM, the format is the samAccountName property in Active Directory LDAP. It must not include the domain name. For LDAP, the format is always the fully distinguished name (LDAP DN) of the user in the LDAP directory (for example cn=User1A,cn=Users,dc=scm-auth-ad2,dc=example1,dc=example,dc=com). Web | Web Policies | Scanning Policies {Add Policy} Understanding the scanner options for web
What is a content filter dictionary?

A content filter dictionary defines terms words and phrases that you want to detect in email, attachments and uploaded files. The appliance contains several dictionaries of offensive terms such as words that describe gambling and violence. When new offensive terms appear over time, you can add them to these dictionaries. You can create your own dictionaries of terms that you want to detect. For example: To keep details of new products confidential, you can create a dictionary of the product names. The appliance can prevent these words appearing in email messages and web accesses. You can also create a dictionary of acceptable terms a whitelist. This is useful where a term can be offensive or acceptable depending on the context. For example, the dictionaries intended to block terms for sex and drugs contain some legitimate medical terms. To prevent the appliance blocking legitimate email, you can attach a whitelist, which counteracts the effect, allowing the email to proceed. The terms in any new dictionary will grow in number and complexity over time. Think carefully about your terms, and the name of your dictionary. You can assign any number of dictionaries to a policy, and specify how the appliance responds upon detecting any terms in the dictionaries. For example, if the appliance detects an offensive word in a message or its attachment, the appliance can block the message and warn an administrator. Email | Email Policies | Dictionaries Web | Web Policies | Dictionaries
153
Importing and exporting dictionaries Having created new dictionaries or modified existing dictionaries, you can share them with other appliances by exporting and importing the dictionaries as text files in XML format. Web Policies menu About content rule scanning rules Understanding scores and threshold values in privacy rulesets Dictionaries supplied with the appliance Understanding the parts of a dictionary How to choose a name for a dictionary Understanding limitations in content scanning Understanding complex terms when scanning email messages
About content rule scanning rules

A content scanning rule defines how the appliance responds to the terms inside one or more dictionaries. The terms are often unacceptable words or phrases. For example, you can create a content rule to block email messages that enter or leave your organization if they contain specific offensive or confidential terms. A content scanning rule can also refer to a whitelist a dictionary of acceptable terms. Some dictionaries such as those for illegal drugs contain a few terms that are acceptable in some situations. For example, an "anabolic steroid" has lawful and unlawful uses. Using a whitelist, you can exempt some terms without having to alter the original dictionary of offensive terms. Other features of content scanning rules include thresholds and maximum term counts. Email | Email Policies | Scanning Policies [Content] -- Content scanning

The rules associate scores to terms such as those highlighted in the following message. The patient, a 50 year old man has a cough and back pain. The table shows the scores for each term. Term year old cough back pain Score 20 10 10
The total score for this message is 40 (20 + 10 + 10). If the total score exceeds the threshold value (for example 25), action is taken against the email message. Email | Email Policies | Scanning Policies [Content] -- Content scanning
154
Dictionaries supplied with the appliance

The appliance contains several dictionaries. You need to create extra dictionaries only to suit your specific needs. Icon Type and content HIPAA dictionaries words and patterns to help you comply with the Hospital Insurance Portability and Accountability Act. Privacy dictionaries words and patterns to help you comply with other privacy requirements. Source code dictionaries words found in computer programming languages to help prevent loss of valuable code. User-defined dictionary terms or patterns that you have entered. Standard dictionary terms or patterns for categories such as pornography and violence. Dictionaries contain any number of terms: Icon Type and content Simple term Complex term Regular expression term
Email | Email Policies | Dictionaries Web | Web Policies | Dictionaries
Understanding the parts of a dictionary

The appliance can block or warn against undesirable or confidential terms in email or webpages. Each term (word or phrase) is held in a dictionary. In a policy, you name the dictionary and the actions to take if the appliance finds any of the dictionary's terms when scanning the content of email or webpages. Creating a simple dictionary When you first create a simple dictionary, you give it a name, a description, and select its type as content filter. You also give the dictionary at least one condition, which defines: The type of terms a simple word or phrase (content filter) or a more complex, regular expression. Where the terms apply, for example in all places or in only some types of document.
155
The condition also helps to group terms together, enabling you to do some complex matching. To add further terms to your dictionary, you select a term within the original condition, then insert the new term. How the list or terms looks in a simple dictionary
This dictionary detects the word "rare" or the word "secret" in every type of document. The dictionary has only one condition, hence the title displays (1 of 1). How the list or terms looks with more conditions
[And] Applies (2 of 2): Everything book page
This dictionary has a second condition, which detects the word "book" or the word "page" in every type of document. The dictionary has two conditions, hence the titles display (1 of 2) and (2 of 2). The second condition operates with the first by the use of the And. In summary, the dictionary will detect rare or secret when found with book or page. Thus, the dictionary will detect: rare book, rare page, secret book, and secret page. In technical notation, this is known as: (rare | secret) AND (book | page) Email | Email Policies | Dictionaries [+] List of terms Web | Web Policies | Dictionaries
How to choose a name for a dictionary

Over time, you can create many dictionaries, so each needs an accurate name and description. Remember that if a banned term is detected, the name of the dictionary appears in the alert message that users see. Therefore, to prevent the use of an insulting phrase, do not include the phrase in the name of the dictionary. Instead, name your dictionary something like Insulting Phrases. You can add a description to your dictionary to explain its purpose. The description does not appear in the alert message. Email | Email Policies | Dictionaries (Add dictionary)
156
Web | Web Policies | Dictionaries (Add dictionary)
Understanding limitations in content scanning

A content rule can apply only to a single file, document or attachment at any time. For example, you create a dictionary that contains some offensive words ugly and stupid. A rule that references this dictionary triggers on finding the word ugly in databases and spreadsheets. When the appliance encounters any database, it searches for the word ugly. Similarly, when it encounters any spreadsheet, it also searches for ugly. You can make such rules more complex. For example, you can make the rule search for both ugly and stupid in databases and in spreadsheets. When the appliance encounters any database, it searches for the word ugly and the word stupid. If both words are present, the rule triggers your defined action. When the appliance encounters the words in any spreadsheet, the rule is also triggered. You can create combinations of rules that will not work. For example, if you need two conditions to be true for a rule to be applied, the rule is not applied in the following situation: The appliance scans an email message that has another email message as an attachment. The top-level email message triggers one of the conditions and the attached email message triggers the second condition. The appliance treats each of the email messages as separate objects. The content rule requires that both conditions are met within the same object for that content rule to trigger. Because each object triggers only one of the two conditions, the content rule is not triggered for either object. Email | Email Policies | Scanning Policies [Content] -- Content scanning
Where to apply a banned term

A banned term might appear inside files or documents in email messages or downloads. You can specify the file formats to scan for content. For example, the appliance can scan: Databases Documents Spreadsheets Graphics Email messages You can then select the sub-categories to scan. For example, if you select Documents, you further specify that the appliance will scan only Microsoft Word 7.0 documents. You can also specify which parts of the email messages to scan. For example, the appliance can scan: Attachments Body Recipient Sender Subject line Text attachments Email | Email Policies | Dictionaries
157
Web | Web Policies | Dictionaries Web Policies menu
Understanding complex terms when scanning email messages

Email messages typically have a different structure from documents, and this can affect the way that content rules apply. For example, consider the following text in a document:
I think our manager is stupid and ugly.
To prevent the words stupid and ugly appearing together in a document, you can create a complex term in a dictionary. The appliance takes action when these words appear together. The settings in the Term Details window are:
Name of field Type Term Description Case sensitive Wildcard Starts with Ends with Condition Enable near matching Within a block of characters Word or phrase ugly Content Content filter stupid Two words in the same place
This complex term is suitable for detecting words in the following simple email message:
To: user1@example.com From: user2@example.com Subject: Our manager I think he is stupid and ugly. What do you think?
Now consider a second example:

To: user1@example.com From: user2@example.com Subject: Our stupid manager I think he is ugly too. What do you think?
In this case, the appliance cannot detect the two words. Most email messages are based on the MIME format, and have several parts. Each part is like a separate file the To address, the From address, the subject line, and the message body. In this example, no part contains both words stupid is in the subject line; ugly is in the message body. To detect the words stupid and ugly together in an email message, you need two combined conditions the word stupid anywhere in an email message and the word ugly anywhere in an email message. You need a simple dictionary with only two terms, where each term is under
158
a separate condition. The dictionary will have the following structure, when seen under List of terms for selected dictionary: Term Applies (1 of 2): Email messages stupid (And) Applies (2 of 2): Email messages ugly Email | Email Policies | Scanning Policies [Content] -- Content scanning
Compliancy
As a result of increasingly stringent regulations, many organizations in the health care, finance and government sectors need to prevent the leaking of private and sensitive information. Compliancy uses dictionaries of key terms to ensure content complies with health care and privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Graham-Leach Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX). The feature enforces compliancy where determined by policy, and reports any violations. NOTE: The dictionaries are intended for general use by the appliance and therefore contain some information that is relevant only to some protocols. Email | Email Policies | Scanning Policies [Content] -- Content scanning Web | Web Policies | Scanning Policies [Content] -- Content scanning Web Policies menu Compliancy policies What the HIPAA ruleset does Understanding scores and threshold values in privacy rulesets
Compliancy policies
Using the appliance, you can: Create policies against email and HTTP posting using the dictionaries for groups of users. An HTTP posting occurs when a user attaches a document to an email message and sends the message via web-based email service. Create policies to support specific regulations such as HIPAA or the Privacy lexicon. This is done using compliance dictionaries, and by encrypting email and filtering the content of email messages to ensure that they comply with the regulations. The following example policies prevent private information being sent without encryption: Identify a Social Security Number by looking for a pattern of alphanumeric characters. Identify an account by looking for a pattern (for example, a letter, a digit, a hyphen, and 7 digits as in A1-764532). Compliancy can: Examine email messages or HTTP postings against dictionaries. Report violations of policy that refer to specific pre-defined dictionaries.
159
Take action against non-compliant email messages or HTTP postings. NOTE: You must enable content scanning before you can enable compliancy. When using this feature, you can: Specify the action to take if content is non-compliant. The default primary action is to allow the content through and log its occurrence. Specify the alert to send if an email or HTTP posting is non-compliant. You can use the default alert, or configure your own version. Specify which dictionaries to use to ensure compliance. Specify the threshold(s) for non-compliance for email or HTTP postings scanned against each dictionary. Email | Email Policies | Scanning Policies [Content] -- Content scanning Web | Web Policies | Scanning Policies [Content] -- Content scanning Editing the dictionaries You do not normally need to change the contents of dictionaries. NOTE: The dictionaries are intended for general use by the appliance and therefore contain some information that is relevant only to some protocols.
What the HIPAA ruleset does

HIPAA is the Health Insurance Privacy and Accountability Act. This ruleset protects information that identifies an individual who is receiving health care, and includes: Physical or mental health of the individual. Provision of health care to the individual. Payment for health care. Information can identify an individual and threaten the individual's privacy if it includes the individual's name or other information such as date of birth, address, or telephone number. Email | Email Policies | Scanning Policies [Content] -- Content scanning

The rules associate scores to terms such as those highlighted in the following message. The patient, a 50 year old man has a cough and back pain. The table shows the scores for each term. Term year old cough back pain Score 20 10 10
The total score for this message is 40 (20 + 10 + 10). If the total score exceeds the threshold value (for example 25), action is taken against the email message.
160
Email | Email Policies | Scanning Policies [Content] -- Content scanning
161
Configuring the appliance

Use the System pages to configure various features on the appliance. When clicked, this icon on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Appliance Management Cluster Management What you can do from this part of the interface Use these pages to specify connections for the appliance within the network. Use these pages to manage a cluster of appliances, for example by taking backups and copying configuration information. Use these pages to make lists of users and services. Use these pages to manage digital certificates. Use these pages to specify virtual hosts and networks. Use these pages to manage how the appliance communicates with other devices. The appliance records its activity through logs and messages. Use these pages to update the appliance with new software. Use this page to specify the type of installation.
Users, Groups and Services Certificate Management Virtual Hosting Logging, Alerting and SNMP
Component Management Setup Wizard
Further information Cluster Management menu Users, Groups and Services menu Certificate Management menu Virtual host management Logging, Alerting and SNMP menu Component Management menu Navigation bar
Appliance Management menu

Use these pages to specify connections for the appliance within the network. Menu location: System | Appliance Management When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
162
Configuring the appliance Appliance Management menu
Tab General
What you can do from this part of the interface Use this page to specify basic settings for the appliance. The appliance can handle IP addresses in IPv4 and IPv6 formats. Use this page to configure the appliances use of DNS and routing. Use this page to set the time and date on the appliance. Use this page to provide the methods of accessing the appliance remotely. The methods include: Secure Shell Configuration Out-of-band Management User Interface Access Configuration Remote access card
DNS and Routing Time and Date Remote Access
UPS Settings
Use this page to specify details of Uninterruptible Power Supply (UPS) systems that are connected to the appliance. Use this page to manage the size of the reporting database, and to enable external devices to access information about email events via SQL. Use this page to safely turn off the appliance, reboot the appliance, or revert to factory default settings. Use this page to specify details of HTTP and FTP proxy servers, through which the appliance receives updates.
Database Maintenance
System Commands
External Proxy Servers
Further information Configuring the appliance Access by Secure Shell (SSH) About out-of-band management About the Remote Access Card Stopping and starting the appliance
Access by Secure Shell (SSH)

You can gain access to the appliance with a Secure Shell (SSH) client. After you have enabled Secure Shell access on your appliance, you can use your SSH client to access the support account on the appliance. Use the same password that you use to access the interface from a remote computer. System | Appliance Management | Remote Access [+] Secure Shell Configuration
About out-of-band management

Using out-of-band management separates the network traffic that manages your appliance from the network traffic scanned by your appliance. This slightly reduces the scanned traffic passing through the appliance. Also, if the management traffic is removed from the scanned part of the network, management access to the appliance is maintained when network issues prevent in-band management.
163
Configuring the appliance Appliance Management menu
In the event of a network issue for example, a configuration change to the appliance blocks all network traffic you can still manage the appliance using the out-of-band connection, and correct the appliance's configuration. NOTE: Scanning is not permitted for any protocol on the out-of-band connection. Also, the out-of-band computer cannot access the Internet or other networks or subnets protected by the appliance. Out-of-band management can be configured when first setting up a new appliance, or it can be added to an existing appliance. System | Appliance Management | Remote Access [+] Out of Band management
About the Remote Access Card

The Remote Access card enables you to control the appliance remotely from a personal computer. For example, the card can re-image the appliance remotely using a CD in another computer. The card is supplied with some of the higher-performance appliances only, and behaves like another NIC (Network Interface Card) to the appliance. From the appliance, you can configure various communications details of the card such as its Ethernet address. System | Appliance Management | Remote Access
Spanning Tree Protocol (STP)

STP prevents physical loops in networks that have two or more bridges. STP uses a Root Bridge that calculates all the redundant paths from other bridges back to itself. Bridge Protocol Data Units (BPDU) exchange status information between bridges. Each bridge port is assigned a path cost weighting, and this path cost determines which ports are disabled by STP to remove any physical loops in the network. To create the best path through the network, some bridge ports are in forwarding mode, while others are blocking. If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is running on your network, make sure that the appliance is configured according to STP rules. System | Appliance Management | General Configuring the appliance
Stopping and starting the appliance

The appliance can be turned off completely. To prevent tampering, or accidental stopping of the appliance, this feature works only if the correct password is given. Depending on your hardware, the appliance is then turned off, or taken to a state where you can safely turn off its power The appliance can be restarted remotely. To prevent accidental restarting, this feature works only if the correct password is given. System | Appliance Management | System Commands
164
Configuring the appliance Cluster Management menu
UPS support
An uninterruptible power supply (UPS) provides emergency power when the main power supply is not available. A UPS maintains power by switching instantaneously to batteries if power fails (blackout) or the voltage reduces briefly (brownout). Even a brief fluctuation in power can damage or lose computer data. The appliance must carefully monitor the UPS because the UPS provides power for only a short period. If the mains power is unavailable for a long period, the appliance must shutdown gracefully. In a network that has several appliances, one master appliance can monitor the activity of the UPS. If main power fails, the master appliance sends a password-protected message to the other appliances (clients) forcing them to shutdown gracefully before the UPS battery is exhausted. System | Appliance Management | UPS Settings Configuring the appliance
Cluster Management menu

Use these pages to manage a cluster of appliances, for example by taking backups and copying configuration information. Menu location: System | Cluster Management When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Backup and Restore Configuration What you can do from this part of the interface Use this page to back up and restore the information about the appliances configuration. You can copy the configuration from one appliance to another, or use the backup copy to restore your appliance to former settings. Use this page to copy the settings on one appliance to other appliances. For example, you can specify that all your appliances have the same anti-virus scanning settings. Not all configuration parameters are pushed to the other appliances. Settings such as an appliances IP address are not exported. Use this page to specify the load-balancing requirements for the appliance.
Configuration Push
Load Balancing
Further information Configuring the appliance Why you need to restore system settings Reviewing changes to the appliance Setting date and time on the appliance Management of a group of appliances
Why you need to restore system settings

You can restore previously saved settings onto an appliance. You might do this because: You have upgraded the appliance's software and want to use the previous settings.
165
Configuring the appliance Users, Groups and Services menu
You have reinstalled the appliance's software because of a problem, and want to use the previous settings. You have another appliance and want to copy the settings. If you restore the same system configuration file onto more than one appliance, they will all have the same appliance name (host name) and IP addresses. You must change the appliance name and IP addresses so that each appliance has a unique name and IP address. The user name and password are not saved from a previous configuration. Log on to the appliance using its user name and default password, then change the password. System | Cluster Management | Backup and Restore Configuration
Reviewing changes to the appliance

You can: View recent configuration changes to the appliances. Compare the differences between configuration versions. Revert to previous configurations. System | Cluster Management | Backup and Restore Configuration [+] Review Configuration Changes
Setting date and time on the appliance

You need to set the system date and time, which the appliance uses for reporting and other purposes. Using the Network Time Protocol (NTP), the appliance can synchronize its time settings to other devices, keeping its own logs, reports and schedules accurate. System | Appliance Management | Time and Date
Management of a group of appliances

From one appliance, you can make a list of appliances that you want to configure as a group, then apply the configuration from one appliance to the group. This enables you to give several appliances the same anti-virus settings, for example. Not all configuration parameters are pushed to the other appliances. Parameters such as an appliance's IP address are not distributed around the group. System | Cluster Management | Configuration Push
Users, Groups and Services menu

Use these pages to make lists of users and services. Menu location: System | Users, Groups and Services When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
166
Tab Directory Services Web User Authentication Policy Groups
What you can do from this part of the interface Use this page to build a list of directory services. Use this page to specify the services that authenticate web users. Use this page to build lists of users and networks to which you can apply policies. Use this page to create user accounts with different roles. For example, some users can make changes to important settings, while others can only generate reports.
Role-based User Accounts
Further information Configuring the appliance How to use policy groups Authentication group User authentication Understanding administrators and roles Protocol details Setting up Kerberos for use with Active Directory Configuring Kerberos authentication via Active Directory 2003 Formats of user names for authentication services
How to use policy groups

Your policies typically apply to parts of the network or to the groups of users within your organization. When you create a policy, you define the part or group. However, if the definition is complex, we recommend that you create the definition beforehand as a policy group. System | Users, Groups and Services | Policy Groups Example You need a policy to protect email users who have laptop computers. The users include some individual email addresses at example.com and a range of email addresses at example.net: A123@example.com H456@example.com V789@example.com X*@example.net The list of users is likely to change over time. Normally, whenever the list changes, you have to update every policy that affects these users. Instead, you can create a single policy group, called Laptop Users under Email recipients and senders. You define your policy group as follows:
Recipient email address Recipient email address Recipient email address is is is A123@example.com H456@example.com V789@example.com
167
Recipient email address
is like
X*@example.net
You can modify your policy group at any time. When you create a policy for these users, you can refer to them as the User group, Laptop users. Users, Groups and Services menu
Authentication group
An authentication group consists of one or more authentication services. If a group contains more than one service, the appliance tries to authenticate the user against each service in order. An authentication group can be used globally or for specific policies (for example, for this IP address, authenticate users using this authentication group). System | Users, Groups and Services | Web User Authentication Users, Groups and Services menu
User authentication
User authentication (or transparent authentication) controls web access for specific users and groups. A user's identity is established without the need to type the user name and password again. User authentication can be used with HTTP or ICAP. User authentication: Authenticates users and group membership using a directory service such as Microsoft Windows Active Directory or Novell eDirectory. The authentication mechanisms are Kerberos, NT LAN Manager (NTLM) and Lightweight Directory Access Protocol (LDAP). Enforces policies by user identity. Uses ICAP to control access to the Internet by applying URL filtering policies to users and groups. In addition, you can also: Include information about user identities in URL filtering reports. Track users' activity and provide reports of enhanced URL filtering events using Smart Reporter from Secure Computing. The data does not need to be stored on the appliance. System | Users, Groups and Services | Web User Authentication Users, Groups and Services menu How does user authentication work? Where is user authentication used?
How does user authentication work?

You can configure user authentication using any of the following authentication services: Kerberos Provides authentication for client/server applications using public-key cryptography. NTLM The appliance provides an interface to add the appliance to a Microsoft Active Directory or NT domain. LDAP for directories that provide a standard LDAP interface. You can use: Lotus Domino-based directory services.
168
Novell NetWare Directory Services (NDS). Other standards-compliant LDAP directories. NOTE: The LDAP options are also available to Active Directory if Active Directory is used as an LDAP server. The appliance uses session-based cookies to identify users when they make HTTP requests: The HTTP handler looks for the cookie in HTTP requests. If the cookie is present, the handler extracts the user's identity and the appropriate URL filtering policy. The identity is also included in any URL filtering events logged to the URL database. If the cookie is not present, the user is redirected to an authentication broker on the appliance. The broker handles authentication between the web browser and the authentication service. For Microsoft single sign-on support, the user is transparently authenticated by the authentication broker and directed back to the destination URL with a valid cookie if: The appliance is configured for Kerberos or NTLM authentication to Active Directory. The user is logged on to a Windows client logged on to the same Active Directory. The user uses Microsoft Internet Explorer or another browser that supports Integrated Windows Authentication. Internet Explorer's security configuration enables Integrated Windows Authentication. In this instance, the user is not presented with a logon page. For authentication to other services that support single sign-on (for example non-Microsoft Kerberos-based authentication schemes), single sign-on can also be supported as described above. Otherwise, the browser displays a logon page. If users successfully authenticate using this page, they are directed back to the original URL with a valid authentication cookie. If users fail to authenticate, their access to the Internet is blocked by a message page or they can continue (for example, using a more restrictive URL filtering policy). System | Users, Groups and Services | Web User Authentication User authentication
Where is user authentication used?

When user authentication is set up and authentication is enabled, you can: Assign policies by user identity instead of IP address. This provides more detail (for example, in an environment where Network Address Translation (NAT) and/or terminal services multiple users on a single IP address are used). The interface provides a global configuration option to enable or disable transparent authentication. Authentication is supported in both transparent and proxy mode. Authentication uses several configurable authentication services, and multiple services can be active at the same time. The services supported are: Kerberos for authentication to Active Directory or other Kerberos authentication services. NTLM for authentication to Microsoft (Windows Active Directory integration and Windows Domain support). LDAP for authentication to directories that support LDAP (for example Novell eDirectory).
169
Configure authentication groups that define the authentication services that the policies will use. If you do not use single sign-on, NTLM or LDAP services repeatedly prompt you to sign on until a full sign-on is successful. Use policies to control whether authentication is done and, if it is, which authentication groups are used. You can use other existing policies to exclude IP subnets, individual IP addresses (using existing selection criteria) and URLs from authentication. You can also specify user-agent exceptions to allow agents (such as an automatic updating program) not to authenticate. Configure the action to take if authentication fails. You can block access, or allow users access under a user name that has limited access only. Base URL filtering policies (and other settings) on user identity and group membership. User group membership is verified by LDAP using an enhanced version of LDAP support. Suppress HTTP verbs in case the authentication or redirection results in problems (for example with POST or PUT requests). Include names and IP addresses for authenticated users in URL filtering reports (including on-box reporting and ePolicy Orchestrator reports). For non-authenticated users, the reports show Internet usage by IP address and the user identity remains blank. Export data about Internet access to SmartReporter at regularly scheduled intervals, and, if necessary, purge the data from the appliance after it has been transferred. System | Users, Groups and Services | Web User Authentication User authentication
Understanding administrators and roles

Initially, the appliance has one administrator account the Super administrator, scmadmin which has access to all the appliance features. Using the scmadmin account, you can create any number of other accounts, including more Super administrators. The appliance will probably be used by many people, where each user has a different requirement. For example: Change the scanning settings that affect email Change settings that affect the access to websites. View settings but not change them. Look at reports, and distribute them to other people. Many users might have the same requirement. For example, two users need to full access to all the appliance features, while another four users need only to view the reports. You need two user accounts that are like the super administrator, scmadmin and four user accounts for administering reports. We refer to these type of requirements as roles. The appliance has several roles already defined. Super administrator Email administrator Web administrator Reports administrator Scanning Appliance Administrator. This role is available only when the appliance is configured as a scanning appliance for load balancing.
170
A super administrator can see all the menus and buttons that are available from the interface. The other administrators can see fewer menus and buttons. As you create user accounts, you assign each account with a role. You can also create new roles. For example, you need a network expert to investigate connection problems within the network, but do not want this user to view any reports. You can create a new role, which gives access to all the appliance menus except the Reports menu, then add a user account for the network expert. System | Users, Groups and Services | Role-Based User Accounts Users, Groups and Services menu
Protocol details
You can specify how the appliance displays NTLM failure pages. Some clients and servers use the Microsoft Windows NT LAN Manager (NTLM) authentication protocol for the secure transmission of credentials, including passwords. NOTE: This is also known as Windows NT challenge/response authentication. Sometimes, the NTLM authentication process fails. For example, if a client using a web browser configured to operate in proxy mode tries to connect via the appliance to a server that requires NTLM authentication, the authentication fails. NTLM works in transparent modes only. System | Users, Groups and Services | Web User Authentication Users, Groups and Services menu
Setting up the browser for authentication

Use these tasks to configure Internet Explorer or Firefox browsers to participate in transparent authentication. The browser selects Kerberos or NTLM. Tasks Users, Groups and Services menu Configuring Internet Explorer Configuring Internet Explorer with Active Directory and GPO Configuring Mozilla Firefox
Configuring Internet Explorer

To enable Internet Explorer to use Kerberos or NTLM authentication: 1 If the appliance is running in proxy mode: a Set the proxy as the fully qualified domain name of the appliance. From Internet Explorer, click Tools then Internet Options, then Connections. Click LAN Settings and select Use a proxy server for your LAN. Type the address and the port of the appliance. The default port is 80. b Set the proxy not to be used for the appliance itself (that is, not for Internet addresses starting with the appliance's name). From Internet Explorer, click Tools then Internet
171
Options, then Connections. Click Advanced and select Do not use proxy server for addresses beginning with. Type the appliance's FQDN, if necessary prefaced by an asterisk (*) and a dot, for example, *.FQDN. 2 Because authentication requires browser redirections to the appliance, the appliance must be in the local intranet zone. To add the appliance to the local intranet: a From Internet Explorer, click Tools then Internet Options. b Click Security, then Local intranet, Sites and Advanced. c Type the fully qualified domain name of the appliance, then click Add. 3 From Internet Explorer, click Tools then Internet Options. Select Security. Click Custom Level and enable redirection to sites within the intranet zone by selecting Websites in less privileged web content zone can navigate into this zone (under Miscellaneous). From Internet Explorer, click Tools then Internet Options. Select Advanced, then select Enable Integrated Windows Authentication (under Security). Restart Internet Explorer.
4 5
Configuring Internet Explorer with Active Directory and GPO

For Internet Explorer, the policy settings can be centrally controlled by Active Directory. Enter the settings in Active Directory, then push the settings as a Group Policy Object (GPO) to all Internet Explorer browsers within the organization. For full details, see your Microsoft documentation or visit http://go.microsoft.com/fwlink/?LinkId=56544.
Configuring Mozilla Firefox

To enable Firefox: 1 In the menu, click Tools, then Options, Connection Settings and Manual Proxy Configuration. Type the HTTP Proxy (the appliance's FQDN) and the Port. The default port is 80. At No Proxy for, type the appliance's FQDN. Do about:config then: network.negotiate-auth.delegation-uris = https://FQDN,http://FQDN network.negotiate-auth.trusted-uris = https://FQDN,http://FQDN network.negotiate-auth.trusted-uris = https://FQDN,http://FQDN Where FQDN is the fully qualified domain name of the appliance.
2 3
Setting up Kerberos for use with Active Directory

1 To create an Active Directory user that corresponds to the appliance, start the Active Directory Users and Computers: a Select Users. Right-click New, then click User. b Type the user's First name (for example, scmuser) and the User Logon Name (for example, scmuser), then click Next. c Select User cannot change password and password never expires. Deselect any other options. Type the password and confirm it, then click Next.
172
d Click Finish. 2 Get the ktpass utility available from Windows 2000 and Windows 2003 support tools. To install the support tools, you need your Windows 2000 or Windows 2003 software CD. The files are in the following locations: \Support\Tools\suptools.msi (Windows 2003) \Support\Tools\Setup.exe (Windows 2000) If you are using Windows 2003, see the Microsoft Knowledge Base article http://support.microsoft.com/kb/843071/en-us for more information. 3 Create a keytab file called scm.keytab on the Active Directory host using ktpass. For this example, the fully qualified domain name is scm.example.com, the Kerberos realm is EXAMPLE.COM, and the username and password are from step 1. At the Windows command prompt, type: ktpass -princ HTTP/scm.example.com@EXAMPLE.COM -mapuser scmuser -pass scmuserpassword -ptype KRB5_NT_PRINCIPAL -out scm.keytab. A typical response is: Targeting domain controller: ad.example.com Successfully mapped HTTP/scm.example.com to scmuser. Key created. Output keytab to apache.keytab: Keytab version: 0x502 keysize 83 HTTP/scm.example.com@EXAMPLE.COM ptype 1 (KRB 5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x807cc80b8397dfab) Account scmuser has been set for DES-only encryption. NOTE: Create a separate keytab file with a different user name and password for each appliance. Users, Groups and Services menu
Configuring Kerberos authentication via Active Directory 2003

This topic explains how to configure the appliance to use Kerberos authentication in a Microsoft Active Directory 2003 environment. It explains how to configure the appliance to authenticate users when they access the Internet. Prerequisites All authenticated users are allowed to access the Internet. The appliance is configured in proxy mode. All authenticated users' workstations, the Windows 2003 Active Directory Server, and the appliance have the same clock source such as a Network Time Protocol server. NOTE: The appliance can also perform Kerberos authentication in a transparent mode. Browsers are configured to use transparent authentication using Kerberos with the appliance in a Windows 2003 Active Directory environment. 1 Create an Active Directory user account for the appliance to use in Kerberos authentication. Create an Active Directory user account for the appliance in the network that will use
173
Kerberos authentication. The account must be a member of the domain users group. The account does not need administrative rights. If the network has multiple appliances, create a separate user account for each appliance. For example, if the network has two appliances, named a1 and a2, create two user accounts named k1 and k2. 2 Synchronize the time on the appliance with the time on the domain controller or KDC. This is necessary for Kerberos to work. a Open the appliance from a web browser at the Domain Controller or backup Domain controller. b On the navigation bar, select System | Appliance Management | Time and Date . c Select Synchronize time with client, and click Set Now. 3 Generate the keytab file. a On the Domain Controller, download and extract the ktpass.exe (91.136 bytes) file from the support.cab file to a temporary folder. For further details, see the article: http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D939B-9A772EA2DF90&displaylang=en . b On the Windows desktop, open a command prompt click Start, Run, type command, and click OK. c Create a keytab file (scm.keytab) to be imported into the appliance type: ktpass -princ HTTP/scmgateway.mcafee.local@MCAFEE.LOCAL -mapuser Kerberos-user1 -pass <password> -ptype KRB5_NT_PRINCIPAL -out scm.keytab Note the capital letters for the value of the parameter, -princ. After you run this command, the keytab file is associated with the specified user account. d On the domain controller, verify that the command was performed successfully. Open Active Directory Users and Computers, and double-click the account used. Select the Account tab. Verify that the fully qualified domain name (FQDN) for the Appliance is listed correctly. For example: HTTP/scmgateway.mcafee.local. 4 Verify that the DNS server is working for forward and reverse zones on the appliance and on the Domain Controller or KDC. a On the appliance navigation bar, select System | Appliance Management | General . b Under Basic Settings, at Domain name, type the same Active Directory domain name that you used to create the previous user account. c On the navigation bar, select System | Appliance Management | DNS and Routing . d Under DNS Servers, verify that the IP address of the internal DNS server is correct. This DNS server must be authoritative to the Active Directory Domain and must resolve names to IP addresses (forward zones) and resolve IP addresses to names (reverse zones). Select Use the on-box DNS server for caching only. e Verify that the DNS server for the appliance can resolve reverse zones and forward zones. With an SSH application such as PuTTY, connect to the appliance and the Domain Controller/KDC to ensure that the domain-name lookups work correctly for forward and reverse zones. Use the following commands:
Action Syntax Example
Test the forward zone for the appliance nslookup nslookup scmgateway.mcafee.local (Names to IP addresses) <host_name>
174
Action Test the reverse zone for the appliance (IP addresses to names)
Syntax
Example
nslookup nslookup 192.168.0.15 <IP_address>
Test the forward zone for the Domain nslookup nslookup kdc.mcafee.local Controller/KDC (Names to IP addresses) <host_name> Test the reverse zone for the Domain nslookup nslookup 192.168.0.10 Controller/KDC (IP addresses to names) <IP_address>
Configure the LDAP server for querying group membership. This step is not required in the scenario previously described. However, it can be useful for querying group membership if a policy needs to be created on Active Directory user groups in future using Kerberos Authentication. a On the navigation bar, select System | Users, Groups and Services | Directory Services , then click Add a server. b Type the following details:
Option Service name Service address Content Name for the LDAP service such as ldap-service. Fully qualified domain name of the Active Directory server. Active Directory CN=Users,DC=mcafee,DC=local <NETBIOS domain name>\<Username> (Specify a user who can query the entire directory.) Password The password for this user name.
Server type Base DN Username
c Click Next. In the next window, click Show groups to populate Query Results with group entries. If the query fails, click Back repeatedly, and check the user name, password and other details. d Click Finish. 6 Configure the appliance to use Kerberos Authentication (Add the service) a On the navigation bar, select Web | Web Configuration | HTTP | Connection Settings . Under Basic HTTP Settings, select Enable the HTTP Protocol. b On the navigation bar, select System | Users, Groups and Services | Web User Authentication . Under User Authentication Services, select Enable user authentication services. c Click Add a service, type the following information, then click Next. Authentication Service Name Directory services membership query server kerberos-service ldap-service Fully qualified hostname of this appliance scmgateway.mcafee.local
d Select the authentication service type Kerberos Authentication. Select Prevent Web Access when Authentication fails. Click Next and type the following information: KDC hostname Username normalization kdc.mcafee.local None
175
e Click Next and click Apply All Changes Now. Click Next and import the keytab file. After the Kerberos keytab file is imported successfully, a message is displayed. Click Finish. If this process fails, delete all Active Directory user accounts that you created for the appliance, then recreate the accounts and continue from Step 2. If more than one user account has the fully qualified domain name (FQDN) of the appliance listed in the Account tab in Active Directory, an error message is displayed when importing the keytab file. Use the following command on the Domain Controller and search inside the file, output.txt to identify the duplicate account: ldifde f output.txt. Delete all identified duplicate accounts for the appliance in the Active Directory. Also ensure that Kerberos is running over TCP by following the instructions at http://support.microsoft.com/kb/244474. 7 Configure the appliance to use Kerberos Authentication (Add a group). a In the navigation bar, select System | Users, Groups and Services | Web User Authentication . b Under User Authentication Services, click Add a group. Type the Group name, for example, kerberos-group. Select the kerberos-service for this group and click OK. c Click the green checkmark to apply the changes. d Select Web | Web Configuration | HTTP | Connection Settings . Under User Authentication, select Enable user authentication. e Under User Authentication, select Enable user authentication. f 8 Select the Kerberos group, and click the green checkmark to apply the changes. Configure the clients to use the appliance as a proxy server. Make the following configuration changes in Internet Explorer on each client to redirect the browsers/workstations to the appliance: a Open Internet Explorer and select Tools, Internet Options. b Click the Connections tab, then click LAN Settings. Type the IP address and the port for the appliance. c Click Advanced, add the FQDN of the appliance to the exception list, and click OK. d Click the Security tab, select Local Intranet, and click Sites. e Click Advanced and add the FQDN of the appliance to this zone. Click OK, then click Custom Level and select Automatic logon only in Intranet Zone, and click OK. (The option is at the end of the scrolling list.) f Click the Advanced tab, select Enable Integrated Windows Authentication (requires restart), then click OK (The option is near the end of the scrolling list.)
g Close and open the browser again. Try to access a website. If you are logged on to the domain, the page opens successfully. If you are not logged on the Active Directory domain (for instance, logged on locally or if using a Macintosh or Linux system), the following error is displayed on the page: 401 error SCM Appliance <domain> Request for authentication Requesting authentication for kerberos-group kerberos-service, type Kerberos kerberos-group kerberos-service Users, Groups and Services menu
Formats of user names for authentication services

The format of the user name depends on the type of service Kerberos, NTLM or LDAP. If the appliance is configured for multiple authentication schemes, user name formats in the URL
176
Configuring the appliance Certificate Management menu
filtering logs will vary according to the authentication service used for that user. For a user known as user1 on the Active Directory named scm-auth-ad2 in domain example.example1.com, the user name formats are:
Service Format/ Example/ LDAP group lookup Kerberos username@DOMAIN.COM user1@SCM-AUTH-AD2.EXAMPLE.EXAMPLE1.COM Match to userPrincipalName attribute. NTLM domain\username scm-auth-ad2\user1 Match to samAccountName attribute. LDAP LDAP DN for user cn=username,cn=users,dc=domain,dc=machine,dc=com) cn=user1,cn=users,dc=scm-auth-ad2,dc=example,dc=example1,dc=com Match to dn attribute.
NOTE: The format might vary according to directory layout and whether the authentication service is Windows. System | Users, Groups and Services | Web User Authentication Users, Groups and Services menu
Certificate Management menu

Use these pages to manage digital certificates. Menu location: System | Certificate Management When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Certificates Certificate Revocation Lists (CRLs) What you can do from this part of the interface Use these pages to manage CA certificates, TLS certificates, and the appliance's own certificate. Use these pages to manage Certificate Revocation Lists and their regular updating.
Further information Configuring the appliance Creating a TLS certificate using OpenSSL Transport Layer Security (TLS) TLS Protocol How the appliance intercepts TLS connections
177
Configuring the appliance Certificate Management menu
Creating a TLS certificate using OpenSSL

Use this task to create a TLS certificate to use with email. Before you begin Use the OpenSSL command, which is available on Linux. The command syntax can vary. For details, see your Linux documentation. Choose a certificate authority, and learn how they handle certificates. Prepare the information that defines your server:
Item Country name Description Example
Two-letter code such CN, DE, ES, US FR, JP, KR. (See ISO 3166) Full name rather than an abbreviation. For example, the name of the city. For example, the name of the organization. For example, a department or function. Your name or your server's hostname. Email address Password Optional company name Texas
State or Province Name
Locality Name
Plano
Organization Name
McAfee, Inc
Organizational Unit Name
Sales
Common Name
server1.mcafee.com or RootCA 2008
Email Address Challenge password Optional company name
aaa@mcafee.com
Task 1 Generate a private key, and save the result into a file. The key is RSA1024-bit. The file is read-only. openssl genrsa 1024 > server.key chmod 400 server.key 2 3 Generate a certificate signing request (CSR) and save the result into a file. openssl req -new -nodes -key server.key > server.csr Submit the server.csr file to the Certificate Authority. The Certificate Authority will later give you a file that is signed with the CA's own private key. To create a temporary certificate for testing while you wait for the signed certificate from the Certificate Authority: a Type: openssl x509 -req -days 30 -signkey server.key <server.csr >server.crt This command creates a self-signed certificate that expires after 30 days. b To keep a copy of the original server certificate, type: cat server.crt >> temp.crt cat server.key >> temp.crt
178
Configuring the appliance Virtual host management
c Append the server's private key to the server certificate. cat server.key >> server.crt The certificate file now has the format: -----BEGIN CERTIFICATE----//Certificate -----END CERTIFICATE--------BEGIN RSA PRIVATE KEY----//Key -----END RSA PRIVATE KEY----
Virtual host management

Using virtual hosts, a single appliance can appear to behave like several appliances. Each virtual appliance can manage traffic within specified pools of IP addresses, enabling the appliance to provide scanning services to traffic from many sources or customers. Benefits Separates each customer's traffic. Policies can be created for each customer or host, which simplifies configuration and prevents clashes that might occur in complex policies. Reports are separately available for each customer or host, which removes the need for complex filtering. If any behavior places the appliance on a reputation black list, only a virtual host is affected not the whole appliance. Setting up the virtual hosts The feature is available for SMTP scanning only. To specify the pool of inbound IP addresses and the optional pool of outbound addresses, see the System | Virtual Hosting | Virtual Hosts page. Managing the virtual hosts
Feature Email Policy Email Configuration Queued Email Quarantined Email Reporting Behavior Each virtual host has its own tab, where you can create its scanning policies. Each virtual host has its own tab, where you can configure MTA features specific for that host. You can view all queued email, or just queued email for each host. You can view all quarantined email, or just quarantined email for each host. You can view all reports, or just reports for each host.
Behavior between the appliance and MTAs When the appliance receives email sent to the virtual host's IP address range, the virtual host: Responds to the SMTP conversation with its own SMTP Welcome banner. Optionally adds its own address information to the Received header. Scans the email according to its own policy. When the appliance delivers email:
179
Configuring the appliance Logging, Alerting and SNMP menu
The IP address is taken from an outbound address pool, or a physical IP address (if this is not set). The receiving Mail Transfer Agent (MTA) sees the IP address of the virtual host. If there is a pool of addresses, the IP address will be selected "round robin." The EHLO response will be for the virtual host.
Logging, Alerting and SNMP menu

Use these pages to manage how the appliance communicates with other devices. The appliance records its activity through logs and messages. Menu location: System | Logging, Alerting and SNMP When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Email Alerting What you can do from this part of the interface Use this page to decide who receives an email message when events such as a virus detection occur. Use this page to configure the SNMP alerts sent by the appliance. Use this page for settings that allow other devices to communicate with the appliance via SNMP. Use this page to specify which events are recorded in the system log. You can also place logs on separate servers. Use this page to specify which events are recorded in the appliances logs. Use this page to export data about web activity from the appliance to another computer, where other software can create reports.
SNMP Alert Settings SNMP Monitor Settings
System Log
Logging Configuration SmartReporter
Further information Configuring the appliance Overview of logging and alerting How to monitor events on the appliance About the appliance's SNMP alerts How to get reports from SmartReporter Logging and reporting with SmartReporter About alerts Types of events Considerations when overriding events for alerting
Overview of logging and alerting

Over many weeks, the appliance collects information in a database about events such as updates, logins and detected threats. You can review reports or issue alerts about this information at any time. This section describes:
180
Configuring the alerts Recording the events Viewing the reports Managing the database Configuring the alerts You can configure the appliance to respond to some types of information by sending an alert (an alerting message) when an event needs a person or a device to be informed quickly. Alerts can be sent via: Email SNMP Syslog ePolicy Orchestrator To configure the type of alerting, select System | Logging, Alerting and SNMP in the navigation bar. Recording the events You can select the type of data that the log records for each protocol, and whether to include or exclude specific events. The information recorded in the database includes: Viruses detected and the action taken against them whether the files have been cleaned, deleted, or quarantined. Spyware, potentially unwanted programs and other files detected and the action taken against them. Spam email messages including date, time, and sender. Phish email messages. Email compliance. This includes details of policy violations that refer to specific predefined dictionaries, and action taken against non-compliant email messages. Content rules that triggered because of the banned content inside an email message. URLs blocked by basic URL-filtering. URLs filtered. This includes URLs blocked, coaching and allowed actions. Attempts to access websites that are considered inappropriate to business purposes. System and management events, such as failed logon attempts and service failures. To choose the events to record, select System | Logging, Alerting and SNMP | Logging Configuration in the navigation bar. TIP: Decide which events to record in the database as soon as possible. Avoid recording events that do not interest you because they waste disk space on the appliance. Viewing the reports The appliance provides a variety of reports, so you can choose how to present the information. Reports are based only on data that is currently in the database. If you do not configure the appliance to record the events correctly, your reports might not contain all the information you need. To view reports, select Reports in the navigation bar.
181
Managing the database The appliance stores information about events in a database. To limit the number of events and how often to remove old events, select System | Appliance Management | Database Maintenance in the navigation bar. Logging, Alerting and SNMP menu
How to monitor events on the appliance

The appliance has several methods for distributing information about its events: Email messages the appliance sends information as email messages to any number of recipients. SNMP traps The appliance sends information as alerts to an SNMP trap manager. The MIB file on the appliance tells the SNMP manager how to interpret the data in the traps. Syslog entries the appliance sends information to the Syslog for off-box logging. You can also specify the type of event to send for each method of distribution. For example, you can send some alerts by email only, and some information to an off-box syslog, according to the type of event. System | Logging, Alerting and SNMP Logging, Alerting and SNMP menu
About the appliance's SNMP alerts

The appliance uses Simple Network Management Protocol (SNMP) to issue messages (known as traps) to other computers, and can give authorized computers access to its performance data and statistics. An SNMP trap is an unsolicited message from the appliance to an SNMP manager (such as InterMapper, SNMP Watcher or HP OpenView NNM) indicating that an event has occurred. Traps can notify conditions (such as a failed attempt to log on or a disk nearing full capacity) to other devices immediately. These conditions might otherwise be discovered only during occasional polling. The appliance records each piece of information (or MIB variable) about its activities in a database, called the Management Information Base (MIB). SNMP managers and other network-monitoring tools can query the appliance about its MIB variables and display the results. To view the structure of the appliance's MIB file (MCAFEE-SCM-MIB.txt or MCAFEE-SCM-MIB.[locale].txt), click Resources in the black links bar near the top of the main window, then click a link to one of the localized MIBs. Parameters for the SNMP alert Versions 1 and 2 of the SNMP protocol use the community name like a password. The community name is required with each SNMP Get request to allow access to the appliance. The default Community Name is public. Version 3 incorporates both authentication and privacy. You need to set the user name, and the protocols and passwords for authentication and privacy. Provide your own values for name, location and contact. If you have several appliances, change the appliance's default name.
182
The appliance is set to allow SNMP queries from all devices. We recommend that you change the settings to allow access from known devices only. Specify the IP address of the devices that may read the appliance's MIB parameters. System | Logging, Alerting and SNMP | SNMP Agent Settings Logging, Alerting and SNMP menu
How to get reports from SmartReporter

SmartReporter from Secure Computing exports data from the appliances database and uploads it to its own reporting database for processing. NOTE: SmartReporter is supported on English-language operating systems only. To obtain SmartReporter, visit http://www.securecomputing.com/index.cfm?skey=181 and click SmartReporter Download Center. NOTE: For fully up-to-date information, see the Secure Computing SmartReporter Administration Guide (available from the SmartReporter download center). Not all features available within SmartReporter are relevant to reports generated from the appliances. Also, you cannot make changes to the appliances policies from within SmartReporter. To view web activity reports for your network: 1 2 Open SmartReporter and log on. Click one of the following: Quick View for a summary of recent web activity. See Quick View. View Reports to generate a specific report. See View Reports. Schedule Reports to schedule reports to be sent by email. See Schedule Reports. Administrator Options to manage system settings. Quick View A Quick View displays statistics of web activity for today, yesterday, and the past seven days, giving a snapshot of activity on your network. It includes the following tabs: Categories the top five categories requested today, yesterday, and the past seven days. It does not include data for uncategorized sites. It shows the number of site requests per category, and bar graphs that indicate the percentage of requests blocked, coached (warned), monitored, and allowed. It also displays the percentage of coached requests for which the coaching page was bypassed. Users the top five active users for today, yesterday, and the past seven days. It shows the number of requests per user, and bar graphs that indicate the percentage of requests blocked, monitored, and so on. Sites the top five requested sites for today, yesterday, and the past seven days. It shows the number of requests per site, and bar graphs that indicate the percentage of requests blocked, monitored, and so on. Action the actions taken on site requests made today, yesterday, and during the past seven days. It shows the number of requests per action type, and bar graphs that indicate the number of requests relative to other action types. The action types for each period are listed from most to least requests. Click the appropriate link to view more detail about activity during any period, or activity related to any Category, User, Site or Action in the first column.
183
To view a full report listing up to 50 categories, users or sites, click Today, Yesterday or Past 7 Days on the appropriate tab. For example, to view the top 50 users for the past seven days, click Past 7 Days on the Users tab. You can also drill down to view more detail on any item in the Category, User, Site or Action columns. View Reports View Reports enables you to view custom reports. You can select from the following criteria: Custom Dates Type the first and last dates of the period. Category activity Top categories for all web activity, or for a specific user, group, IP address or IP range. User activity Top users for all web activity, for a specific category, or for a specific website. Site activity: Top sites for all web activity. Top sites in a specific category. Top sites for a specific user, group, IP address or IP range. Top sites in a specific category for a specific user, group, IP address or IP range. Time-based activity: Number of site requests by hour or day for a specific category, site, or user, group, IP address or IP range. Requests by hour or day in a specific category for a specific user, group, IP address or IP range. Requests by hour or day for a specific site by specific user, group, IP address or IP range. Detailed user activity View activity for a user, group, IP address or IP range. Detailed site activity View user activity on any website. My favorite reports Choose a report from a list of saved reports. You can also choose how many items to include in the report, and choose how to sort report data. After you specify the criteria for your report, click View. The report appears in the report viewer window. Schedule Reports Scheduling reports makes it easy to receive regular updates about web activity on your network. SmartReporter generates reports at scheduled times, for specified periods, then sends them to a specified email address so you can view the reports. After you view a report, you can schedule it to run automatically daily, weekly or monthly, or once in a range of dates. Further information about SmartReporter For more information about SmartReporter reports and how you can schedule and use them, download the Secure Computing SmartReporter Administration Guide from the SmartReporter download center. System | Logging, Alerting and SNMP | SmartReporter Logging, Alerting and SNMP menu
184
Logging and reporting with SmartReporter

You can use SmartReporter from Secure Computing to log and report Internet usage. NOTE: SmartReporter is only supported on English-language operating systems. Using SmartReporter, you can understand how your organization uses the Internet, monitor bandwidth use, isolate problems, document inappropriate activity, and tailor your filter settings to enforce your policies on Internet usage. You can use SmartReporter to: Monitor the sites that a user visits. Monitor users who visit specific websites. Monitor users who are active during particular times of day. Monitor sites that are visited despite users receiving a coach message stating that the site might be inappropriate. Produce reports showing a user identity. Send scheduled reports by email. SmartReporter provides real-time reports and snapshots of an organization's Internet usage and trends by category, location, or individual. You can identify any abuse and isolate problems, while other departments and staff can run reports and charts without the need for IT involvement. NOTE: SmartReporter requires a valid URL filtering license key. For further information about SmartReporter and how to use it, see Secure Computing's own documentation. System | Logging, Alerting and SNMP | SmartReporter Logging, Alerting and SNMP menu
About alerts
The appliance generates many alerts arising from events such as: Detection of a virus. Detection of a banned word or phrase. Detection of a spam email message. A failed attempt to log on. Resources becoming exhausted. You can configure the appliance to respond in different ways to these events. For example, the appliance can send an email message to a network administrator when the disk is nearing full. You can: Specify which events the appliance records. Specify how the appliance responds when specific events occur. For example, the appliance can send an email message, or create a syslog entry, or send a trap to an SNMP manager. System | Logging, Alerting and SNMP | Email Alerting Logging, Alerting and SNMP menu
185
Types of events
For each supported protocol, you can decide which events to record. You can specify the: Severity of protocol events such as a protocol conversation error. Severity of communication events such as a DNS lookup failure. Type of detection events such as virus or spam detections. Each event has a unique event ID code, and a description to help you select the event. The appliance records most events. However, some events occur frequently and can soon fill the log files, so by default, such events are disabled. You can include or exclude individual events. Every event that you specify at this stage is recorded in log files on the appliance. System | Logging, Alerting and SNMP | Logging Configuration Logging, Alerting and SNMP menu
Considerations when overriding events for alerting

The appliance generates many events. Be careful that you do not needlessly record events, because the data from the event will quickly create large log files. When you make a change or override to the default settings for logging events, the appliance provides information to prevent you making mistakes. The icons in the table help you to quickly understand the settings. The following example is for the SMTP protocol and is in English but the concepts apply to any protocol. The example shows how the appliance prevents the logging of an unwanted message. For the SMTP email protocol, the appliance generates a medium-severity protocol event 50012, Quarantine. This event occurs often, so it is not logged by default. To see how the appliance is handling this event: 1 2 3 Select System | Logging, Alerting and SNMP | Logging Configuration. At Communication events, select All events, then click Advanced to see the list of available events. Scroll to event 50012, near the end of the list.
Column 1 shows the default state. This event is not normally recorded in the log. Column 2 shows the current state. The event is not being recorded in the log, because this checkbox is not selected. Column 3 shows the event number such as 50012. Column 4 shows the severity of the event with a symbol such as a green checkmark, which means Low severity. Column 5 provides a warning. The yellow circle indicates that this is a frequent event, and if you select it (in column 2, State), the appliance will generate numerous log records. Column 6 describes the event, which is Quarantine. Logging, Alerting and SNMP menu
186
Configuring the appliance Component Management menu
Component Management menu

Use these pages to update the appliance with new software. Menu location: System | Component Management When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Update Status What you can do from this part of the interface Use this page to check that each scanning component, such as the anti-virus information, is up-to-date. You can also schedule automatic updates. Use this page to examine and install new software packages hotfixes and patches. Use this page to activate additional components, such as an advanced feature. Use this page to enable the appliance to communicate with an ePolicy Orchestrator (ePO) server.
Package Installer
Activation ePO
Further information Configuring the appliance How the appliance updates your protection Automatic updates What is ePolicy Orchestrator (ePO)?
How the appliance updates your protection

New threats like malware and spam arise continuously, so you must ensure that the appliance can continue to protect your network. This section describes how the appliance maintains its protection by obtaining regularly updated files from our website. Updating can be automated. You need only specify the locations and schedules that the appliance will use to obtain the updates. System | Component Management | Update Status About the wizards Each wizard has two or three steps, which prompt for information: Where to collect the updates. Which files are needed. How often to get the updates. Where to collect the updates The appliance can get the updated components from: A local computer that has already downloaded the files. If several appliances need updating and your Internet connection is slow, busy or expensive, we recommend that you put the files on a local computer. Instead of each appliance having to use an Internet connection, the appliances need only download the files over your internal network. For maximum protection, ensure that the local computer always has the latest files.
187
An FTP site from a McAfee FTP server or one of our authorized providers. If your appliance cannot access a server directly, it can use a proxy server. You must provide details such as the name of the proxy server and a password. Which files are needed For anti-virus protection, the appliance locates a file called UPDATE.INI file, which tells the appliance which anti-virus scanning engine and DAT files are available for loading and where to find those files. The ExtraDAT file, which we occasionally provide during virus outbreaks, can also be requested. For anti-spam protection, the appliance locates a file called SPAMUPD.INI file which tells the appliance which anti-spam engine and anti-spam rules are available for loading and where to find those files. Also available is a streaming service, which can provide updates as often as every few minutes. For packages such as service packs, the appliance provides a choice of actions. For example, the appliance can restart automatically upon installing a package. How often to get the updates You can schedule updates at any time. For the best protection, update the anti-virus and anti-spam files regularly at least daily. If your network is often busy, choose the time of day carefully. Updates can also be run immediately. You might need to do this if we issue an ExtraDAT file, which protects against sudden outbreaks. The anti-spam rules help you maintain a balance between the email you want to filter out because it probably contains spam, and email that you want to let through because it is unlikely to contain spam. You can regularly download: Anti-spam rules. These define what is spam. Some anti-spam rules are updated regularly, but McAfee also produce extra rules to combat sudden outbreaks of new types of spam. Anti-spam engine. This uses anti-spam rules to scan email messages for spam. Streaming updates. You can update the appliance with critical rules more frequently, possibly every few minutes. NOTE: Anti-phishing rules are also downloaded when the anti-spam rules are downloaded. Component Management menu
Automatic updates
This section describes how to use the automatic updates feature, and includes the following topics: What are automatic updates? Before configuring automatic updates Monitoring automatic updates
188
What are automatic updates? Automatic updates download and install new features and product fixes, without having to wait for the next major software release. New features and fixes are made available as software releases known as update packages. Table 21: Types of update packages
Type Feature Pack HotFix Patch Service Pack Description Adds one or more new features. Fixes a known issue. Contains more than one fix. Integrates several patches into a single software release.
You can use automatic updates to: Check which packages are available for downloading and installing on an appliance, and review information about those packages. Download some or all of the packages for installing at a more convenient time. Download and simultaneously install some or all of the packages. Set up a schedule for automatically reviewing, downloading, or downloading and simultaneously installing packages. List which packages have been downloaded or installed on the appliance. Before configuring automatic updates Decide who needs to be notified when a new package becomes available. Test any new features or fixes. See Deploying packages. Follow your standard policy for scheduling any network outages, because the appliance might need to be restarted after you install a new package. Deploying packages Most organizations test new features and fixes on a test network before deploying them in their production environment. We recommend the following deployment: 1 2 3 4 Download the packages to an appliance that is connected to the Internet. If you have a test environment, export the packages to a local computer and transfer them to an appliance in the test environment. Test the packages according to your own procedures to check that they are suitable for your network. If the packages are suitable, install them on appliances in your production environment.
To retain control over the installation process, you can choose the method of installing packages: Use the Automatic package updates wizard to automatically download and install packages according to a pre-defined schedule. Use the Package Installer page to manually install packages that have been previously downloaded to the appliance using the Automatic package updating wizard. Use the Export button in the Package Installer page to copy the package to a local computer for installing manually onto another appliance. System | Component Management
189
Monitoring automatic updates This section describes how to determine the status of the updates.
Task Description
List the update packages installed on an From the black links bar at the top of the window, select About the appliance appliance. View the schedules for the automatic updates The summary displays the packages currently in the schedule and when the automatic updates will take place. System | Component Management | Update Status Manage the update packages: Review information about the package. Download the package. Install the package. System | Component Management | Package Installer
Component Management menu
What is ePolicy Orchestrator (ePO)?

McAfee ePolicy Orchestrator enables you to monitor activity of various threats to your network from a single point. When the feature is enabled, the appliance sends statistical information to the ePolicy Orchestrator server, where information from all your appliances can be combined into summary reports. System | Component Management | ePO Component Management menu
190
Troubleshooting on the appliance

Use the Troubleshoot pages to diagnose any problems with the appliance. When clicked, this icon on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Tools Reports What you can do from this part of the interface Use these pages to confirm that the appliance is working correctly. Use these pages to generate reports that can help to diagnose some problems with the appliance. Use this page to test that the appliance is correctly connected to other devices, such as servers that provide DNS services.
Tests
Further information Navigation bar Reports menu Troubleshooting on the appliance
Tools menu
Use these pages to confirm that the appliance is working correctly. Menu location: Troubleshoot | Tools When clicked, this tab on the navigation bar shows the following tabs, which lead to further pages where you can control the features of the appliance.
Tab Ping and Trace Route What you can do from this part of the interface Use this page to test whether the appliance can reach other devices over the network. Use this page to display information about the processors state. The display is updated every few seconds. The information is similar to that from the Linux top command. Use this page to see information about: Routes used to access certain networks. Routes used to access hosts that have recently received IP packets from the appliance. This host information is stored in the appliances local cache.
System Load
Route Information
Disk Space
Use this page to see how disk space is being used.
191
Troubleshooting on the appliance Reports menu
How to manage the appliance's disk space

The appliance warns you if available disk space begins to run low. However, to avoid any problems that might arise when transport logging is in frequent use, follow these tips: Enable transport logging for specific policies only. Enable or disable transport logging within each policy. By restricting transport logging to the traffic of a few users or connections, you eliminate superfluous information. Use off-box syslog logging. Many companies must record all messages for accountability reasons. That is, they must keep a history of all messages. The appliance cannot store the transport logs produced by heavy traffic for long periods. We recommend that you use the off-box syslog option to forward the transport logs to a central syslog server. System | Logging, Alerting and SNMP | System Log Settings To limit other logging, record only those events that interest you. Consider each protocol and the severity of the events. System | Logging, Alerting and SNMP | Logging Configuration
Reports menu
Use these pages to generate reports that can help to diagnose some problems with the appliance. Menu location: Troubleshoot | Reports
Tab Minimum Escalation Report What you can do from this part of the interface If requested by McAfee Technical Support, use this page to create a MER Tool report to help them diagnose a problem with your appliance. The report provides the minimum information they need. You might be asked to provide further information later. Use this page to capture the TCP traffic coming in and out of the appliance for later analysis. Use this page to specify quarantined items to save offline. Use this page to save the log files for later analysis. Use this page to create a report to help McAfee Technical Support diagnose any problems with your appliance.
Capture Network Traffic
Save Quarantine Save Log Files Error Reporting Tool
192
Appendix
This section contains reference material. Contents Substitution variables for alert messages Use of word separators Word delimiters Word separators Character set encoding Features of the Alert Editor Files that are always scanned Formats for network and domain names CIDR notation for IP addresses CSV file formats for importing to lists Communication port numbering Acronyms and Abbreviations RFCs (Request for Comments) KnowledgeBase articles Additional License Terms for ePolicy Orchestrator Software
Configuring mail clients

Users can configure their mail clients to handle email messages according to the characteristics of the email message. For example, users can configure their email clients so that when they receive an email with the words [spam] in the subject line, that email message is automatically forwarded to a spam folder in the user's mailbox. First, set up the appliance. Then follow further steps to configure some of the popular email client programs. Tasks Setting up the appliance
193
Appendix Setting up the appliance
Setting up the appliance

1 2 3 4 5 Log onto the appliance. In the navigation bar, select Email | Email Policies | Scanning Policies [Spam] Select Add a prefix to the subject line of spam messages. If necessary, change the text that appears at the start of the subject line in email messages that contain spam, by editing the text in the Prefix text text box. Click the green checkmark to apply the configuration changes, then log off.
Handling spam with Lotus Domino Administration

Before customizing your your Lotus Domino mail mail clients, follow the required steps on the appliance. 1 2 3 4 5 6 7 8 9 In Lotus Domino Administration, click Configuration. Expand the Messaging section, then click Configurations. Select the configuration settings document for the server you want to administer and click Edit Configuration. Select Router/SMTP. Select Restrictions and Controls. Select Rules. Click Edit Server Configuration. Click New Rule. In the Conditions section of the new server rule, choose the Subject field.
10 Make sure that the contains condition shows the same text that you typed in the appliance's Add prefix to spam text box. 11 In the Specify Actions section of the Server Mail Rule dialog box, select the action that is applied when an email message containing spam is detected. For example, you can create a spam database and specify that all email messages containing spam must be moved to that database (spam.nsf). 12 Click Save and Close.
Handling spam with Microsoft Outlook

Before customizing your Microsoft Outlook mail clients, follow the required steps on the appliance. 1 2 3 In the Outlook menu, select Rules Wizard | Tools | New | Check messages when they arrive. Click Next. Select the conditions under which you want the email message to be checked. For example, if you have set up the appliance's anti-spam features so that the word [spam] appears in the email header, select with specific words in the message header. In the rule description, specify the words that will trigger the Microsoft Outlook rule. In this case, click specific words, and type [spam].
194
Appendix Troubleshooting FAQs
5 6
Click Next. Specify what Microsoft Outlook will do with messages that contain the specific words. For example, to move all email messages with the word [spam] into a separate spam folder, select move it to a specified folder. In the rule description box, select specified, and select an existing folder or use New to create a new folder to store email messages containing spam. Specify any exceptions to this rule, for example, if it comes from a specific distribution list. Select Finish.
7 8 9
Troubleshooting FAQs
This section describes some of the problems you might encounter when integrating your appliance into the existing network. To use the troubleshooting tools, select Troubleshooting from the navigation bar. Frequently asked questions (FAQs) Performance issues Mail issues Delivery Email attachments POP3 System configuration System maintenance Anti-virus automatic updating Anti-spam ICAP Troubleshooting on the appliance
Performance issues
The Back button on my browser does not take me to the previous page This is a known issue with web browsers. We recommend that you click the back arrow in the top right corner of the appliance interface.
Mail issues
Anti-relay is not working To enable the anti-relay feature, specify at least one local domain. Otherwise, the appliance is open to relaying and abuse by spammers from outside your network.
195
Email | Email Configuration | Receiving Email | Anti-Relay Settings [+] Relaying email Why can I not just give the name of the sender that I want to block from relaying? Think of anti-relay as system-to-system blocking, while anti-spam is sender-based blocking. Anti-relay is configured using the domains and networks that the appliance delivers mail for, while the anti-spam configuration blocks a message based on who sent it. Email | Email Configuration | Receiving Email | Anti-Relay Settings [+] Relaying email Email | Email Policies | Scanning Policies [Spam] Directory Harvest Prevention does not work For Directory Harvest Prevention to work correctly, your email server must check for valid recipients during the SMTP conversation, and then send a non-delivery report. Some email servers do not send User unknown errors as part of the SMTP configuration. These include (but might not be limited to): Microsoft Exchange 2000 and 2003 when using their default configuration. qmail. Lotus Domino. Check the user documentation for your email server to see if your email server can be configured to send 550 Recipient address rejected: User unknown reports as part of the SMTP conversation when a message to an unknown recipient is encountered. LDAP integration can provide a work around for this. Email | Email Configuration | Receiving Email | Recipient Authentication [+] Directory harvest prevention Replication between mail servers is not working If the appliance is between two Microsoft Exchange servers, ensure that the appliance does not block the Extended SMTP (ESMTP) email headers. Allow the use of all the ESMTP extensions: X-EXPS, X-LINK2STATE, XEXCH50, and CHUNKING. Email | Email Configuration | Protocol Configuration | Protocol Settings [+] Transparent Options [+] Advanced options Outbound email is blocked with SMTP code 550 - Denied by policy McAfee recommend LDAP recipient checks on incoming email, because it enables the appliance to block email that is not addressed to users in your organization. The method deters attackers who try to guess email addresses. However, outbound email must not be subject to LDAP recipient checks. The check will block all outgoing email because the recipient's email address is not in your organisation. To check that your outbound mail is not being blocked inadvertently: 1 On the navigation bar, select Email | Email Configuration | Receiving Email | Recipient Authentication .
196
2 3 4
Under Recipient checks, ensure that Protocol preset is set to the network group that you have defined as internal email users. Deselect Or if the recipient is not listed in LDAP. Click the green checkmark to apply the changes.
See also KnowledgeBase article: https://kc.mcafee.com/corporate/index?page=content&id=KB60616
Delivery
When I select Retry All in the Deferred Mail folder, why are the messages not sent? After selecting Retry all results, click Search again to see the progress that the appliance has made through the list of messages. The appliance works through the messages until each one has been sent. If there is still a delivery problem caused by the network or an appliance configuration problem, the message is returned to the Queued Email page. The appliance automatically retries all the deferred messages after 30 minutes, and periodically after that. Email | Queued Email What can I check if I have problems with mail delivery? To deliver mail via DNS, ensure that the option is selected in the interface. If your internal mail server is not receiving inbound mail, check that this mail server is configured to accept email from the appliance. In the list of local domains for email delivery, do not specify a wildcard catch-all rule. Instead, enable the fallback relay, and specify it there. System | Appliance Management | DNS and Routing Email | Email Configuration | Receiving Email | Anti-Relay Settings
Email attachments
The appliance blocks all email when I reduce the number of attachments to block This setting is intended to block email messages with huge numbers of attachments, which waste bandwidth. Some mail clients (like Outlook Express) store extra information in extra attachments, and even embed the main body of the message in an attachment. If this number is set too low, even normal email might be rejected. Email | Email Policies | Scanning Policies [Content] -- Mail size filtering | Attachment Count
197
EICAR (the test virus) or content that must be blocked is still getting through Make sure the appliance is in the mail path. Look at the headers of an email message (in Outlook, select View | Options | Internet Headers). If the appliance is in the mail path, you will see a header of the form Received: from sender by appliance_name via ws_smtp with sender and appliance_name replaced with the actual sender's name and the name of the appliance. When the appliance detects a virus, I get notification of a content violation This problem might be due to a conflict between the HTML template warning page, and a content-scanning rule. For example, if you are content-filtering on the word Virus but you have also set up the HTML template for virus detection to warn you A virus has been detected, an incoming message containing a virus triggers the message to be replaced with the message, A virus has been detected. This replacement message then passes through the content filter which triggers on the word Virus, and the message is replaced with a content violation instead of a virus notification. Email | Email Policies | Scanning Policies [Content] The appliance is slow to respond when I log on to the interface Make sure the browser from which you are connecting is not using the appliance itself as a proxy. In Internet Explorer, go to Tools | Internet Options | Connections | LAN Settings, and deselect Use a proxy server. Check the DNS setup on the appliance. The DNS server field must contain the IP address of a valid DNS server, which must be accessible from the appliance. If the appliance is experiencing a heavy load, responses from the interface are slower. Consider using out-of-band management. System | Appliance Management | DNS and Routing System | Appliance Management | Remote Access [+] Out of Band management
POP3
I have set up a dedicated POP3 connection, and POP3 no longer works Check that the generic and dedicated servers do not share the same port. The default port number for POP3 is 110. The dedicated server will override the generic server. Email | Email Configuration | Protocol Configuration | Protocol Settings [+] POP3 protocol settings When fetching mail with Outlook Express over POP3, I sometimes get a time-out message, giving me the option to Cancel or Wait The appliance needs to download and scan the entire mail message before it can start passing it to Outlook Express. For a large message or a slow mail server, this can take some time. Click Wait to force Outlook Express to wait for the appliance to finish processing the message.
198
I sometimes get two copies of POP3 mail messages Some mail clients do not handle time-outs correctly. If the appliance is downloading and scanning a very large message, the client might time-out while waiting for a response. A pop-up window prompts you to wait for or cancel the download. If you select Cancel and try to download again, two copies of the message might appear in your mailbox.
System configuration
I have disabled the FTP protocol but my users can still use FTP with their browsers Check the browser's FTP proxy settings. On Internet Explorer, select Tools | Internet Options | Connections | LAN Settings | Proxy Server | Advanced. The appliance can support FTP over its HTTP protocol handler, so if the FTP proxy is set to use port 80, your users can still use FTP. NOTE: This is for FTP download only. The appliance does not support FTP uploads over HTTP.
System maintenance
The appliance does not accept the HotFix file Do not unzip the HotFix file before copying it to the appliance. The appliance accepts the original file as you received it with a .ZIP extension. System | Component Management | Package Installer How can I control the size of the appliance's log files? The appliance stores its log files in a partition (/log) on its internal disk. By default, the logs are purged every few days. The appliance issues warnings when its areas are nearing full, typically at 75% and 90%. We recommend that you: Find the percentage usage of the logging partition. Limit the size of the log file, and take regular backups of the log. Adjust the warning levels. Troubleshoot | Tools | Disk Space System | Cluster Management | Backup and Restore Configuration Dashboard [System Health] -- Edit
199
Anti-virus automatic updating

When I request an immediate update, nothing happens. How do I know when the DAT is updated? The DAT files are downloaded, checked and applied they are not just added regardless. The appliance does not wait for the update to complete but starts it in the background. The update can take a few minutes even with a fast Internet connection. You can see the version number of the installed DAT files soon after the appliance has successfully installed the new DAT files. System | Component Management | Update Status Dashboard [System Health] -- Updates
Anti-spam
I have configured the appliance to reject spam with an RBL Servers check but some spam mail is still getting through No anti-spam software is fully effective, and cannot guarantee to block all spam email messages. The appliance uses a list of the names of known email abusers and the networks they use. These lists are effective in reducing unwanted email messages but are not complete. To block a specific sender of spam, add the sender's email address to the Blocked senders list. Email | Email Configuration | Receiving Email | Permit and Deny Lists [+] Permitted and blocked senders Users are not getting normal email messages Users might not receive normal email messages for several reasons: The email messages might be coming from someone listed in the Blocked senders list. You might need to: Refine the Blocked senders list to ensure that wanted email messages are not blocked. For example, you might need to type specific email addresses rather than ban a whole domain or network. Add the sender, domain, or network to the Permitted senders list. The appliance does not scan email from senders, domains and networks in this list for spam. The Permitted senders list overrides entries in the Blocked senders list. The email message might have been blocked because it comes from a sender or organization that has been recognized by a real-time anti-spam list as a potential source of spam. The balance between blocking spam and normal email messages might need changing. For example, if the appliance is blocking email messages when there is only a small chance that they contain spam, you risk unintentionally blocking normal email messages. It is probably better to risk letting some spam through. The email message might contain a virus or potentially unwanted program, and has been blocked by anti-virus scanning.
200
Email | Email Configuration | Receiving Email | Permit and Deny Lists Users are still receiving spam Users might still receive spam for several reasons: No anti-spam software can block all email messages that might contain spam. For the best chance of detecting and preventing spam, ensure that the appliance is using the latest versions of the anti-spam engine, anti-spam rules, and extra rules files. See also Sender authentication and reputation to ensure that you are using all the features that can block unwanted email. The appliance is allowing streaming media to pass through. Allowing streaming media to pass through the appliance is a security risk, because streaming media is not scanned by the appliance. We recommend that you do not allow streaming media of type application/octet-stream or application/* to pass through the appliance because these MIME types are executable and are a security risk. You might need a more stringent anti-spam policy. For example, you might want to ensure that more email messages are marked as spam before they are received by users, or to simply block the spam at the appliance. The email messages might be coming from senders, domains, or networks that are in the Permitted senders list. Review the list to make sure that you really want email messages from these senders to bypass anti-spam scanning. You might need to refine the entry in the list. For example, rather than permitting whole domains or networks, specify individual email addresses instead. See the Permitted senders list. The mail client software does not automatically move unwanted messages into a spam folder, so users still see spam in their inboxes. See Configuring Mail Clients for information on setting mail clients. The email message might be larger than is permitted, so it is not scanned for spam. See the advanced options in the anti-spam settings to change the size. Email messages are not being routed through an appliance with the anti-spam software enabled. Email | Email Configuration | Receiving Email Email | Email Policies | Scanning Policies [Spam] | Advanced Options How can I stop a particular type of spam? To ensure that you have the best chance of detecting and preventing spam, check that: The appliance is using the latest versions of the anti-spam engine and anti-spam rules. The appliance has not been configured to allow streaming media to pass through. System | Component Management | Update Status Web | Web Policies | Scanning Policies [Content] -- Streaming media Users are complaining that their mailboxes are full If users automatically divert spam to a spam folder in the mailbox, their mailboxes can quickly exceed their size limit. Remind users to regularly check their spam folders and delete spam.
201
ICAP
ICAP service not found This section describes a common configuration problem that occurs when setting up or reconfiguring your ICAP services. If the ICAP client cannot find the requested service: Check that the ICAP client is requesting a valid ICAP service. When configuring the ICAP client, it is easy to mistype the service path. Service paths start with a forward slash (/) and are case-sensitive. Make sure that you use the exact path name. For example, the path /REQMOD is different from the path /REQMOD/. Check that the appliance supports the ICAP service, and that the requested service has not been disabled on that appliance. NOTE: Some ICAP servers do not support all ICAP verbs. For example, some ICAP clients support the REQMOD verb only. By default, the appliance supports the REQMOD, RESPMOD and OPTIONS verbs. However, the REQMOD and RESPMOD services can be disabled on the appliance. Check that the network connection between the ICAP client and the ICAP server is working. Use a ping test. On the navigation bar, select Troubleshoot | Tools | Ping and Trace Route. Use telnet to contact the appliance IP address TCP port 1344. Use the probe software in your ICAP client, if available. Appliance connections are unavailable If the appliance runs out of available connections, you might have to restart the ICAP protocol. Understanding ICAP status codes This list of ICAP status codes was accurate at the time of publication. If a status code is not in the table, see the ICAP RFC standard for the latest information. Table 22: ICAP status codes
Code 100 200 204 400 404 405 Description Continue after ICAP preview. OK. The appliance understands the request and will reply. No modifications are needed (also known as 204 No content). Bad request. ICAP service was not found. The method is not allowed for this service. For example, a RESPMOD request was issued to a service that supports only REQMOD. Request has timed-out. ICAP server gave up waiting for a request from an ICAP client. ICAP server error. For example, the ICAP server might have run out of disk space. Method (verb) not implemented. Bad gateway.
408 500 501 502
202
Appendix Substitution variables for alert messages
Code 503
Description Service is overloaded. The ICAP server has exceeded a connection limit associated with the service. The ICAP client must not exceed this limit in the future. The ICAP version is not supported by the ICAP server.
505
RFCs (Request for Comments)
Substitution variables for alert messages

You can customize alert messages with substitution variables. For example, the message: Virus detected at %LOCALTIME% might become: Virus detected at 10:31. This table contains: Substitution variable Names begin and end with the % character. Description Type of information that replaces the substitution variable. Protocols Protocols where you can use the substitution variable. Usage Features that support the substitution variable. See the Usage column in the second table, which describes where to use each substitution variable.
Usage 1 2 3 4 5 6 7 8 9 Supported by SMTP notification Anti-Virus notification Content Filter notification Email Alerting Anti-Virus Email Alerting Anti-Spam Email Alerting URL Filter Email Alerting Content Filter Email Alerting Resource Denial-of-Service notification Usage A B C D E F G Supported by File Filter notification MIME format notification Corrupt Content notification Download Status Page HTML Blocking access to websites, URLs Client Message HTML Quarantine digests
Table 23: Substitution variables

Substitution Variable %ACTIONNAME% Description Action taken against a threat,such as Blocked. HTML form allowing the user to add an email address to the blacklist HTML form allowing the user to add an email address to the whitelist HTML Alert footer Protocols SMTP, HTTP, POP3 SMTP Usage 4
%ADD_BLACK_LIST%
%ADD_WHITE_LIST%
SMTP
%ALERTFOOTER%
SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP, HTTP, POP3
123
%ALERTHEADER%
HTML Alert header
123
%APPLICATION%
Name for example smtp, cmdline
4578
203
Substitution Variable %ATTACHMENTNAME%
Description File name of detected item
Protocols SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP
Usage 1234
%AUTH_USER%
Name of user trying to gain access
1E
%AVDATVERSION%
Version of anti-virus DAT files
1234
%AVENGINEVERSION%
Version of anti-virus scanning engine
1234
%BLACK_LIST%
List of email addresses in the blacklist. An HTML form allowing the deletion of email addresses from the blacklist. URL or website that has been blocked Host for embedded HTML items Port number for embedded HTML items Bytes downloaded File being downloaded Download Status Page identification Mark URL as served by appliance Download percentage complete Interval between HTML page refreshes How long the scan has run URL of the appliance logo Expected size of the download
5G
%BLOCKED_URL% %COMFORT_DECORATIONHOST% %COMFORT_DECORATIONPORT% %COMFORT_DOWNLOADED% %COMFORT_FILE% %COMFORT_ID% %COMFORT_INTERNALMARKER% %COMFORT_PERCENTCOMPLETE% %COMFORT_REFRESHINTERVAL% %COMFORT_SCANNINGTIME% %COMFORT_SCMLOGO% %COMFORT_SIZE% %CONTENT_LIST%
SMTP HTTP HTTP HTTP HTTP HTTP HTTP HTTP HTTP HTTP HTTP HTTP
6G D D D D D D D D D D D 3G
List of the email in the content quarantine, SMTP added since the last digest. An HTML form allowing the user to delete, or request release of email in the Content quarantine (Only for messages added since the last digest.) Terms that matched in the content scanning SMTP rule Words that matched in the content scanning SMTP rule Report including the rules, conditions, thresholds, and banned terms. Name of corruption Host name of outgoing connection SMTP, HTTP, POP3 SMTP, POP3 SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP, HTTP, POP3
%CONTENT_TERMS%
%CONTENT_WORDS%
%CONTENTREPORT%
%CORRUPTIONTYPE% %DESTINATIONHOST%
C 123
%DESTINATIONIP%
IP address of outgoing connection
123
%DETECTIONS%
Detection for example, virus name
124
%DICTIONARYGROUP%
Group of dictionaries that contained the banned term.
204
Substitution Variable %DIGEST_DATE% %DOSLIMIT%
Description Date when the digest was generated Denial-of-service limit
Protocols SMTP SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP Not applicable SMTP
Usage 5G 9
%EVENT%
Type of event
All
%EXP_DELAY% %FILESYSTEM% %FILTERCONTEXT%
User expiration delay in days File system name Name of the dictionary that contains the banned term File filter name MIME format name for example, partial message
1G 8 37
%FILTERNAME% %FORMAT%
SMTP SMTP, POP3
A B
%FULL_CONTENT_LIST%
Full list of the email in the content SMTP quarantine, added since the last digest. An HTML form allowing the user to delete or request release of email in the content quarantine. Full list of the email in the spam quarantine. SMTP HTML form allowing the user to delete, release or whitelist email in the spam quarantine. HTTP response code and description HTTP
3G
%FULL_SPAM_LIST%
5G
%HTTP_STATUS_STRING% %ICAP_X_CLIENT_IP%
F 1E
IP address of the originating client, as ICAP supplied by the ICAP request header record, X-Client-IP. IP address of the destination webserver, as ICAP supplied by the ICAP request header record, X-Server-IP. Unique message ID SMTP, HTTP, POP3 SMTP, HTTP, POP3 SMTP SMTP, POP3 SMTP SMTP SMTP, HTTP, POP3 SMTP, POP3 SMTP SMTP
%ICAP_X_SERVER_IP%
1E
%ID%
123
%LOCALTIME%
Local time
123
%MAX_EXP_DELAY% %PHISHREPORT% %POST_MASTER% %PRODUCT_NAME% %PROTOCOL%
Maximum expiration delay in days Report about the phishing attack. Email address of the postmaster Product name Protocol
1G 5 1G G 123
%REASON% %RECIPIENT% %RECIPIENTS%
Descriptive reason Email address of the recipient SMTP Envelope Recipients
9A 1G 12345 7 F F
%REQUEST_DNSURL% %REQUEST_PORT%
Requested URL after DNS lookup Port number of the requested URL
HTTP HTTP
205
Substitution Variable %REQUEST_RESULTS%
Description HTML table showing the results of the actions done Scheme of the request (such as HTTP) Requested URL Verb of the request (such as GET) Rule that matched to block URL List of triggered detections Appliance IP Address
Protocols SMTP
Usage 1G
%REQUEST_SCHEME% %REQUEST_URL% %REQUEST_VERB% %RULE% %SCANNER% %SCMIP%
HTTP HTTP HTTP HTTP SMTP SMTP, HTTP, POP3 HTTP SMTP, HTTP, POP3 SMTP
F F F EF 1 12345 78 F 12345 78 12345 7 F 1G
%SCMLOGO% %SCMNAME%
URL of the product's logo Appliance host name
%SENDER%
SMTP Envelope Sender
%SERVER_RESPONSE% %SET_EXP_DELAY%
Response string from the server HTML form that allows the user to set the user expiration delay Text that advises about the suitability of a website Host name of incoming connection
HTTP SMTP
%SITEADVISOR%
HTTP
%SOURCEHOST%
SMTP, HTTP, POP3 SMTP, HTTP, POP3
123
%SOURCEIP%
IP address of incoming connection
123
%SPAM_LIST%
List of the email messages in the spam SMTP quarantine added since the last digest. An HTML form allowing the user to delete, release, or whitelist email in the spam quarantine (only for messages added since the last digest) Version of anti-spam engine Spam rules that were broken Spam score Spam threshold System error code Total score SMTP SMTP SMTP SMTP HTTP SMTP, HTTP, POP3 SMTP SMTP HTTP
15G
%SPAMENGINEVERSION% %SPAMRULESBROKEN% %SPAMSCORE% %SPAMTHRESHOLD% %SYS_ERROR_CODE% %TOTALSCORE%
1 5 15 5 F 7
%TRIGGER_WORDS% %TRIGGER_TYPE% %URL_CATEGORY%
Words that have triggered the policy. Type of trigger. Category of URL or website such as pornography or violence. Who to contact if you need to access the URL or website that triggered a policy.
G G 6G
%URL_REQUEST_DISPLAY_NAME%
HTTP
206
Appendix Use of word separators
Substitution Variable %UTCTIME%
Description Time in Coordinated Universal Time (UTC) format Information from SiteAdvisor about the reputation of the website. IP address of the appliance Name of the appliance List of email addresses in the whitelist. An HTML form allowing the deletion of email addresses from the whitelist.
Protocols SMTP, HTTP, POP3 HTTP
Usage 123
%WEB_REPUTATION_INFO%
%WEBSHIELDIP% %WEBSHIELDNAME% %WHITE_LIST%
Not applicable Not applicable SMTP
All All 5G
Email | Email Policies | Scanning Policies [Scanner Options] -- Alert settings
Use of word separators

When you create content-scanning rules, you need to know how the appliance treats the word separators in email headers, body content, and attachments. The appliance recognizes punctuation, separators, and math symbols as word separators within content rules. This section lists the Unicode and ASCII characters that the appliance recognizes as word separators when scanning email NOTE: When the text being scanned is in ASCII format, only the Latin characters with decimal values up to and including 127 are used. This section does not show the actual characters. They can be viewed at the Unicode Consortium website. Characters are grouped into charts according to their hexadecimal range. Each range is typically a regional character set such as Latin, or a functional grouping such as symbols. To view the charts, go to www.unicode.org. The character index lists the character names in alphabetical order, and provides links to the chart. To view the character index, go to http://www.unicode.org/charts/charindex.html. Email | Email Policies | Dictionaries [+] List of terms
Word delimiters
A word is any number of characters bounded by a word delimiter. A word delimiter is some form of punctuation that is not a character in a word. The table shows some examples for word delimiters. horizontal tab line feed space quotation mark(") percent sign (%) apostrophe (') asterisk (*) left or right parenthesis '( )' carriage return exclamation mark (!) number sign (#) ampersand (&) left or right parenthesis '( )' plus sign (+)
207
Appendix Word separators
comma () full stop (.) semicolon (;)
hyphen-minus (-) colon (:) question mark (?)
The word delimiters used by the content scanner are taken from the UNICODE character definitions in the Punctuation, Separator, and Math Symbol sets. Email | Email Policies | Dictionaries [+] List of terms
Word separators
Table 24: Word separators
Hexadecimal Code 0x0009 0x000a 0x000d 0x0020 0x0021 0x0022 0x0023 0x0025 0x0026 0x0027 0x0028 0x0029 0x002a 0x002b 0x002c 0x002d 0x002e 0x002f 0x003a 0x003b 0x003c 0x003d 0x003e 0x003f 0x0040 Decimal Code Type Character Name
09 10 13 32 33 34 35 37 38 39 40 41 42 43 44 45 46 47 58 59 60 61 62 63 64
Punctuation, Other Punctuation, Other Punctuation, Other Separator, Space Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Other Math Symbol Punctuation, Other Punctuation, Dash Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Math Symbol Math Symbol Math Symbol Punctuation, Other Punctuation, Other
HORIZONTAL TABULATION LINE FEED CARRIAGE RETURN SPACE EXCLAMATION MARK QUOTATION MARK NUMBER SIGN PERCENT SIGN AMPERSAND APOSTROPHE LEFT PARENTHESIS RIGHT PARENTHESIS ASTERISK PLUS SIGN COMMA HYPHEN-MINUS FULL STOP SOLIDUS COLON SEMICOLON LESS-THAN SIGN EQUALS SIGN GREATER-THAN SIGN QUESTION MARK COMMERCIAL AT
208
Hexadecimal Code 0x005b 0x005c 0x005d 0x005f 0x007b 0x007c 0x007d 0x007e 0x00a0 0x00a1 0x00ab
Decimal Code
Type
Character Name
91 92 93 95 123 124 125 126 160 161 171
Punctuation, Open Punctuation, Other Punctuation, Close Punctuation, Connect Punctuation, Open Math Symbol Punctuation, Close Math Symbol Separator, Space Punctuation, Other
LEFT SQUARE BRACKET REVERSE SOLIDUS RIGHT SQUARE BRACKET LOW LINE LEFT CURLY BRACKET VERTICAL LINE RIGHT CURLY BRACKET TILDE NO-BREAK SPACE INVERTED EXCLAMATION MARK
Punctuation, Initial quote LEFT-POINTING DOUBLE ANGLE QUOTATION MARK Math Symbol Punctuation, Dash Math Symbol Punctuation, Other Punctuation, Final quote NOT SIGN SOFT HYPHEN PLUS-MINUS SIGN MIDDLE DOT RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK INVERTED QUESTION MARK MULTIPLICATION SIGN DIVISION SIGN GREEK QUESTION MARK GREEK ANO TELEIA ARMENIAN APOSTROPHE ARMENIAN EMPHASIS MARK ARMENIAN EXCLAMATION MARK ARMENIAN COMMA ARMENIAN QUESTION MARK ARMENIAN ABBREVIATION MARK ARMENIAN FULL STOP ARMENIAN HYPHEN HEBREW PUNCTUATION MAQAF HEBREW PUNCTUATION PASEQ HEBREW PUNCTUATION SOF PASUQ HEBREW PUNCTUATION GERESH HEBREW PUNCTUATION GERSHAYIM
0x00ac 0x00ad 0x00b1 0x00b7 0x00bb
172 173 177 183 187
0x00bf 0x00d7 0x00f7 0x037e 0x0387 0x055a 0x055b 0x055c 0x055d 0x055e 0x055f 0x0589 0x058a 0x05be 0x05c0 0x05c3 0x05f3 0x05f4
191 215 247 894 903 1370 1371 1372 1373 1374 1375 1417 1418 1470 1472 1475 1523 1524
Punctuation, Other Math Symbol Math Symbol Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Dash Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other
209
Hexadecimal Code 0x060c 0x061b 0x061f 0x066a 0x066b 0x066c 0x066d 0x06d4 0x0700 0x0701 0x0702 0x0703 0x0704 0x0705 0x0706 0x0707 0x0708 0x0709 0x070a 0x070b 0x070c 0x070d 0x0964 0x0965 0x0970 0x0df4 0x0e4f 0x0e5a 0x0e5b 0x0f04 0x0f05 0x0f06
Decimal Code
Type
Character Name
1548 1563 1567 1642 1643 1644 1645 1748 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 2404 2405 2416 3572 3663 3674 3675 3844 3845 3846
Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other
ARABIC COMMA ARABIC SEMICOLON ARABIC QUESTION MARK ARABIC PERCENT SIGN ARABIC DECIMAL SEPARATOR ARABIC THOUSANDS SEPARATOR ARABIC FIVE POINTED STAR ARABIC FULL STOP SYRIAC END OF PARAGRAPH SYRIAC SUPRALINEAR FULL STOP SYRIAC SUBLINEAR FULL STOP SYRIAC SUPRALINEAR COLON SYRIAC SUBLINEAR COLON SYRIAC HORIZONTAL COLON SYRIAC COLON SKEWED LEFT SYRIAC COLON SKEWED RIGHT SYRIAC SUPRALINEAR COLON SKEWED LEFT SYRIAC SUBLINEAR COLON SKEWED RIGHT SYRIAC CONTRACTION SYRIAC HARKLEAN OBELUS SYRIAC HARKLEAN METOBELUS SYRIAC HARKLEAN ASTERISCUS DEVANAGARI DANDA DEVANAGARI DOUBLE DANDA DEVANAGARI ABBREVIATION SIGN SINHALA PUNCTUATION KUNDDALIYA THAI CHARACTER FONGMAN THAI CHARACTER ANGKHANKHU THAI CHARACTER KHOMUT TIBETAN MARK INITIAL YIG MGO MDUN MA TIBETAN MARK CLOSING YIG MGO SGAB MA TIBETAN MARK CARET YIG MGO PHUR SHAD MA TIBETAN MARK YIG MGO TSHEG SHAD MA TIBETAN MARK SBRUL SHAD TIBETAN MARK BSKUR YIG MGO
0x0f07 0x0f08 0x0f09
3847 3848 3849
Punctuation, Other Punctuation, Other Punctuation, Other
210
Hexadecimal Code 0x0f0a 0x0f0b 0x0f0c 0x0f0d 0x0f0e 0x0f0f 0x0f10 0x0f11 0x0f12 0x0f3a 0x0f3b 0x0f3c 0x0f3d 0x0f85 0x104a 0x104b 0x104c 0x104d 0x104e 0x104f 0x10fb 0x1361 0x1362 0x1363 0x1364 0x1365 0x1366 0x1367 0x1368 0x166d 0x166e 0x1680 0x169b 0x169c 0x16eb
Decimal Code
Type
Character Name
3850 3851 3852 3853 3854 3855 3856 3857 3858 3898 3899 3900 3901 3973 4170 4171 4172 4173 4174 4175 4347 4961 4962 4963 4964 4965 4966 4967 4968 5741 5742 5760 5787 5788 5867
Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Separator, Space Punctuation, Open Punctuation, Close Punctuation, Other
TIBETAN MARK BKA- SHOG YIG MGO TIBETAN MARK INTERSYLLABIC TSHEG TIBETAN MARK DELIMITER TSHEG BSTAR TIBETAN MARK SHAD TIBETAN MARK NYIS SHAD TIBETAN MARK TSHEG SHAD TIBETAN MARK NYIS TSHEG SHAD TIBETAN MARK RIN CHEN SPUNGS SHAD TIBETAN MARK RGYA GRAM SHAD TIBETAN MARK GUG RTAGS GYON TIBETAN MARK GUG RTAGS GYAS TIBETAN MARK ANG KHANG GYON TIBETAN MARK ANG KHANG GYAS TIBETAN MARK PALUTA MYANMAR SIGN LITTLE SECTION MYANMAR SIGN SECTION MYANMAR SYMBOL LOCATIVE MYANMAR SYMBOL COMPLETED MYANMAR SYMBOL AFOREMENTIONED MYANMAR SYMBOL GENITIVE GEORGIAN PARAGRAPH SEPARATOR ETHIOPIC WORDSPACE ETHIOPIC FULL STOP ETHIOPIC COMMA ETHIOPIC SEMICOLON ETHIOPIC COLON ETHIOPIC PREFACE COLON ETHIOPIC QUESTION MARK ETHIOPIC PARAGRAPH SEPARATOR CANADIAN SYLLABICS CHI SIGN CANADIAN SYLLABICS FULL STOP OGHAM SPACE MARK OGHAM FEATHER MARK OGHAM REVERSED FEATHER MARK RUNIC SINGLE PUNCTUATION
211
Hexadecimal Code 0x16ec 0x16ed 0x17d4 0x17d5 0x17d6 0x17d7 0x17d8 0x17d9 0x17da 0x17dc 0x1800 0x1801 0x1802 0x1803 0x1804 0x1805 0x1806 0x1807
Decimal Code
Type
Character Name
5868 5869 6100 6101 6102 6103 6104 6105 6106 6108 6144 6145 6146 6147 6148 6149 6150 6151
Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Dash Punctuation, Other
RUNIC MULTIPLE PUNCTUATION RUNIC CROSS PUNCTUATION KHMER SIGN KHAN KHMER SIGN BARIYOOSAN KHMER SIGN CAMNUC PII KUUH KHMER SIGN LEK TOO KHMER SIGN BEYYAL KHMER SIGN PHNAEK MUAN KHMER SIGN KOOMUUT KHMER SIGN AVAKRAHASANYA MONGOLIAN BIRGA MONGOLIAN ELLIPSIS MONGOLIAN COMMA MONGOLIAN FULL STOP MONGOLIAN COLON MONGOLIAN FOUR DOTS MONGOLIAN TODO SOFT HYPHEN MONGOLIAN SIBE SYLLABLE BOUNDARY MARKER MONGOLIAN MANCHU COMMA MONGOLIAN MANCHU FULL STOP MONGOLIAN NIRUGU EN QUAD EM QUAD EN SPACE EM SPACE THREE-PER-EM SPACE FOUR-PER-EM SPACE SIX-PER-EM SPACE FIGURE SPACE PUNCTUATION SPACE THIN SPACE HAIR SPACE ZERO WIDTH SPACE HYPHEN NON-BREAKING HYPHEN
0x1808 0x1809 0x180a 0x2000 0x2001 0x2002 0x2003 0x2004 0x2005 0x2006 0x2007 0x2008 0x2009 0x200a 0x200b 0x2010 0x2011
6152 6153 6154 8192 8193 8194 8195 8196 8197 8198 8199 8200 8201 8202 8203 8208 8209
Punctuation, Other Punctuation, Other Punctuation, Other Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Separator, Space Punctuation, Dash Punctuation, Dash
212
Hexadecimal Code 0x2012 0x2013 0x2014 0x2015 0x2016 0x2017 0x2018 0x2019 0x201a 0x201b 0x201c 0x201d 0x201e 0x201f 0x2020 0x2021 0x2022 0x2023 0x2024 0x2025 0x2026 0x2027 0x2028 0x2029 0x202f 0x2030 0x2031 0x2032 0x2033 0x2034 0x2035 0x2036 0x2037 0x2038 0x2039
Decimal Code
Type
Character Name
8210 8211 8212 8213 8214 8215 8216 8217 8218 8219 8220 8221 8222 8223 8224 8225 8226 8227 8228 8229 8230 8231 8232 8233 8239 8240 8241 8242 8243 8244 8245 8246 8247 8248 8249
Punctuation, Dash Punctuation, Dash Punctuation, Dash Punctuation, Dash Punctuation, Other Punctuation, Other
FIGURE DASH EN DASH EM DASH HORIZONTAL BAR DOUBLE VERTICAL LINE DOUBLE LOW LINE
Punctuation, Initial quote LEFT SINGLE QUOTATION MARK Punctuation, Final quote Punctuation, Open RIGHT SINGLE QUOTATION MARK SINGLE LOW-9 QUOTATION MARK
Punctuation, Initial quote SINGLE HIGH-REVERSED-9 QUOTATION MARK Punctuation, Initial quote LEFT DOUBLE QUOTATION MARK Punctuation, Final quote Punctuation, Open RIGHT DOUBLE QUOTATION MARK DOUBLE LOW-9 QUOTATION MARK
Punctuation, Initial quote DOUBLE HIGH-REVERSED-9 QUOTATION MARK Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Separator, Line Separator, Paragraph Separator, Space Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other DAGGER DOUBLE DAGGER BULLET TRIANGULAR BULLET ONE DOT LEADER TWO DOT LEADER HORIZONTAL ELLIPSIS HYPHENATION POINT LINE SEPARATOR PARAGRAPH SEPARATOR NARROW NO-BREAK SPACE PER MILLE SIGN PER TEN THOUSAND SIGN PRIME DOUBLE PRIME TRIPLE PRIME REVERSED PRIME REVERSED DOUBLE PRIME REVERSED TRIPLE PRIME CARET
Punctuation, Initial quote SINGLE LEFT-POINTING ANGLE QUOTATION MARK
213
Hexadecimal Code 0x203a
Decimal Code
Type
Character Name
8250
Punctuation, Final quote
SINGLE RIGHT-POINTING ANGLE QUOTATION MARK REFERENCE MARK DOUBLE EXCLAMATION MARK INTERROBANG OVERLINE UNDERTIE CHARACTER TIE CARET INSERTION POINT ASTERISK HYPHEN BULLET LEFT SQUARE BRACKET WITH QUILL RIGHT SQUARE BRACKET WITH QUILL QUESTION EXCLAMATION MARK EXCLAMATION QUESTION MARK TIRONIAN SIGN ET REVERSED PILCROW SIGN BLACK LEFTWARDS BULLET BLACK RIGHTWARDS BULLET SUPERSCRIPT LEFT PARENTHESIS SUPERSCRIPT RIGHT PARENTHESIS SUBSCRIPT LEFT PARENTHESIS SUBSCRIPT RIGHT PARENTHESIS LEFT-POINTING ANGLE BRACKET RIGHT-POINTING ANGLE BRACKET IDEOGRAPHIC SPACE IDEOGRAPHIC COMMA IDEOGRAPHIC FULL STOP DITTO MARK LEFT ANGLE BRACKET RIGHT ANGLE BRACKET LEFT DOUBLE ANGLE BRACKET RIGHT DOUBLE ANGLE BRACKET LEFT CORNER BRACKET RIGHT CORNER BRACKET LEFT WHITE CORNER BRACKET
0x203b 0x203c 0x203d 0x203e 0x203f 0x2040 0x2041 0x2042 0x2043 0x2045 0x2046 0x2048 0x2049 0x204a 0x204b 0x204c 0x204d 0x207d 0x207e 0x208d 0x208e 0x2329 0x232a 0x3000 0x3001 0x3002 0x3003 0x3008 0x3009 0x300a 0x300b 0x300c 0x300d 0x300e
8251 8252 8253 8254 8255 8256 8257 8258 8259 8261 8262 8264 8265 8266 8267 8268 8269 8317 8318 8333 8334 9001 9002 12288 12289 12290 12291 12296 12297 12298 12299 12300 12301 12302
Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Connect Punctuation, Connect Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Separator, Space Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open
214
Hexadecimal Code 0x300f 0x3010 0x3011 0x3014 0x3015 0x3016 0x3017 0x3018 0x3019 0x301a 0x301b 0x301c 0x301d 0x301e 0x301f 0x3030 0x30fb 0xfd3e 0xfd3f 0xfe30
Decimal Code
Type
Character Name
12303 12304 12305 12308 12309 12310 12311 12312 12313 12314 12315 12316 12317 12318 12319 12336 12539 64830 64831 65072
Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Dash Punctuation, Open Punctuation, Close Punctuation, Close Punctuation, Dash Punctuation, Connect Punctuation, Open Punctuation, Close Punctuation, Other
RIGHT WHITE CORNER BRACKET LEFT BLACK LENTICULAR BRACKET RIGHT BLACK LENTICULAR BRACKET LEFT TORTOISE SHELL BRACKET RIGHT TORTOISE SHELL BRACKET LEFT WHITE LENTICULAR BRACKET RIGHT WHITE LENTICULAR BRACKET LEFT WHITE TORTOISE SHELL BRACKET RIGHT WHITE TORTOISE SHELL BRACKET LEFT WHITE SQUARE BRACKET RIGHT WHITE SQUARE BRACKET WAVE DASH REVERSED DOUBLE PRIME QUOTATION MARK DOUBLE PRIME QUOTATION MARK LOW DOUBLE PRIME QUOTATION MARK WAVY DASH KATAKANA MIDDLE DOT ORNATE LEFT PARENTHESIS ORNATE RIGHT PARENTHESIS PRESENTATION FORM FOR VERTICAL TWO DOT LEADER PRESENTATION FORM FOR VERTICAL EM DASH PRESENTATION FORM FOR VERTICAL EN DASH PRESENTATION FORM FOR VERTICAL LOW LINE PRESENTATION FORM FOR VERTICAL WAVY LOW LINE PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET
0xfe31 0xfe32 0xfe33 0xfe34
65073 65074 65075 65076
Punctuation, Dash Punctuation, Dash Punctuation, Connect Punctuation, Connect
0xfe35
65077
Punctuation, Open
0xfe36
65078
Punctuation, Close
0xfe37
65079
Punctuation, Open
0xfe38
65080
Punctuation, Close
0xfe39
65081
Punctuation, Open
0xfe3a
65082
Punctuation, Close
215
Hexadecimal Code 0xfe3b
Decimal Code
Type
Character Name
65083
Punctuation, Open
PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET DASHED OVERLINE CENTRELINE OVERLINE WAVY OVERLINE DOUBLE WAVY OVERLINE DASHED LOW LINE CENTRELINE LOW LINE WAVY LOW LINE SMALL COMMA SMALL IDEOGRAPHIC COMMA SMALL FULL STOP SMALL SEMICOLON SMALL COLON SMALL QUESTION MARK SMALL EXCLAMATION MARK SMALL EM DASH SMALL LEFT PARENTHESIS SMALL RIGHT PARENTHESIS SMALL LEFT CURLY BRACKET SMALL RIGHT CURLY BRACKET SMALL LEFT TORTOISE SHELL BRACKET
0xfe3c
65084
Punctuation, Close
0xfe3d
65085
Punctuation, Open
0xfe3e
65086
Punctuation, Close
0xfe3f
65087
Punctuation, Open
0xfe40
65088
Punctuation, Close
0xfe41
65089
Punctuation, Open
0xfe42
65090
Punctuation, Close
0xfe43
65091
Punctuation, Open
0xfe44
65092
Punctuation, Close
0xfe49 0xfe4a 0xfe4b 0xfe4c 0xfe4d 0xfe4e 0xfe4f 0xfe50 0xfe51 0xfe52 0xfe54 0xfe55 0xfe56 0xfe57 0xfe58 0xfe59 0xfe5a 0xfe5b 0xfe5c 0xfe5d
65097 65098 65099 65100 65101 65102 65103 65104 65105 65106 65108 65109 65110 65111 65112 65113 65114 65115 65116 65117
Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Connect Punctuation, Connect Punctuation, Connect Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Dash Punctuation, Open Punctuation, Close Punctuation, Open Punctuation, Close Punctuation, Open
216
Hexadecimal Code 0xfe5e 0xfe5f 0xfe60 0xfe61 0xfe63 0xfe68 0xfe6a 0xfe6b 0xff01 0xff02 0xff03 0xff05 0xff06 0xff07 0xff08 0xff09 0xff0a 0xff0c 0xff0d 0xff0e 0xff0f 0xff1a 0xff1b 0xff1f 0xff20 0xff3b 0xff3c 0xff3d 0xff3f 0xff5b 0xff5d 0xff61 0xff62 0xff63 0xff64
Decimal Code
Type
Character Name
65118 65119 65120 65121 65123 65128 65130 65131 65281 65282 65283 65285 65286 65287 65288 65289 65290 65292 65293 65294 65295 65306 65307 65311 65312 65339 65340 65341 65343 65371 65373 65377 65378 65379 65380
Punctuation, Close Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Dash Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Other Punctuation, Other Punctuation, Dash Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Other Punctuation, Open Punctuation, Other Punctuation, Close Punctuation, Connect Punctuation, Open Punctuation, Close Punctuation, Other Punctuation, Open Punctuation, Close Punctuation, Other
SMALL RIGHT TORTOISE SHELL BRACKET SMALL NUMBER SIGN SMALL AMPERSAND SMALL ASTERISK SMALL HYPHEN-MINUS SMALL REVERSE SOLIDUS SMALL PERCENT SIGN SMALL COMMERCIAL AT FULLWIDTH EXCLAMATION MARK FULLWIDTH QUOTATION MARK FULLWIDTH NUMBER SIGN FULLWIDTH PERCENT SIGN FULLWIDTH AMPERSAND FULLWIDTH APOSTROPHE FULLWIDTH LEFT PARENTHESIS FULLWIDTH RIGHT PARENTHESIS FULLWIDTH ASTERISK FULLWIDTH COMMA FULLWIDTH HYPHEN-MINUS FULLWIDTH FULL STOP FULLWIDTH SOLIDUS FULLWIDTH COLON FULLWIDTH SEMICOLON FULLWIDTH QUESTION MARK FULLWIDTH COMMERCIAL AT FULLWIDTH LEFT SQUARE BRACKET FULLWIDTH REVERSE SOLIDUS FULLWIDTH RIGHT SQUARE BRACKET FULLWIDTH LOW LINE FULLWIDTH LEFT CURLY BRACKET FULLWIDTH RIGHT CURLY BRACKET HALFWIDTH IDEOGRAPHIC FULL STOP HALFWIDTH LEFT CORNER BRACKET HALFWIDTH RIGHT CORNER BRACKET HALFWIDTH IDEOGRAPHIC COMMA
217
Appendix Character set encoding
Hexadecimal Code 0xff65
Decimal Code
Type
Character Name
65381
Punctuation, Connect
HALFWIDTH KATAKANA MIDDLE DO
Email | Email Policies | Dictionaries [+] List of terms
Character set encoding

Encoding Big5 Codepage 850 Codepage 851 Codepage 856 Codepage 857 Codepage 858 Codepage 860 Codepage 861 Codepage 862 Codepage 863 Codepage 864 Codepage 865 Codepage 866 Codepage 868 Codepage 869 Codepage 922 Region China Europe Greece Israel Europe Europe Portugal Iceland Israel French Canada Arabic Norway Russia Arabic Greece Estonia
EUC-JP EUC-KR GB 18030 GB 2312 HZ GB 2312 ISO-2022-CN ISO-2022-CN-EXT ISO-2022-JP ISO-2022-JP-2 ISO-2022-KR ISO-8859-1
Japan Korea China China China China China Japan Japan Korea Europe
218
Appendix Features of the Alert Editor
Encoding ISO-8859-2 ISO-8859-3 ISO-8859-4 ISO-8859-5 ISO-8859-6 ISO-8859-7 ISO-8859-8 ISO-8859-9 ISO-8859-13 ISO-8859-15
Region Europe Europe Europe Cyrillic Arabic Greece Hebrew Turkey Baltic West Europe
KOI8-R KSC 5601
Russia Korea
Macintosh Mac CER Mac Cyrillic Mac Greek Mac Turkish
Europe China Cyrillic Greece Turkey
Shift-JIS
Japan
US ASCII UTF-7 UTF-8
USA Unicode Transformation Format Unicode Transformation Format
Email | Email Policies | Scanning Policies [Scanner Options] -- Content handling | Email Options | Character sets
Features of the Alert Editor

Menus Menu [Style] Description Changes the style (or tag) of the selected text, such as its heading level.
219
Menu [Font] [Size] [Tokens]
Description Changes the font of the selected text, for example to serif. Changes the size of the selected text. Inserts a token (or substitution variable) such as the local time at the cursor.
Toolbar Icon Description When clicked, makes the selected text bold.
When clicked, converts the selected text to italics.
When clicked, underlines the selected text.
When clicked, forces the paragraph at the cursor or the selected paragraphs to the left.
When clicked, centers the paragraph at the cursor or the selected paragraphs.
When clicked, forces the paragraph at the cursor or the selected paragraphs to the right.
When clicked, justifies the paragraph at the cursor or the selected paragraphs .
When clicked, converts the paragraph at the cursor or the selected paragraphs into a numbered list. Select again to undo.
220
Icon
Description When clicked, converts the paragraph at the cursor or the selected paragraphs into a bulleted list. Select again to undo.
When clicked, indents the paragraph at the cursor or indent the selected paragraphs.
When clicked, removes the indent from the paragraph at the cursor or the selected paragraphs.
When clicked, changes the color of the selected text.
When clicked, changes the background color of the selected text.
When clicked, inserts a horizontal rule at the cursor.
When clicked, inserts a hyperlink at the selected text or at the cursor). Type its URL and text.
When clicked, inserts an image at the cursor, by providing its URL. If your network suppresses graphics to reduce network load, we recommend that you type some alternative text for the image. When clicked, inserts a table at the cursor.
221
Appendix Files that are always scanned
Files that are always scanned

Some files are susceptible to carrying viruses and other threats. These files are always scanned. (This list was current at April 2006 and is often updated.) Table 25: Files scanned by default
Type Files that contain macros Example DO?, XL?, and ASD, CDR, CPT, CSV, D?B, DIF, DQY, GF?, GIM, GIX, GMS, GNA, GW?, ICS, IQY, MPP, MPT, MSG, MSO, OLE, OTM, OUT, PDF, POT, PP?, PWZ, QQY, RQY, RTF, SH?, SKV, SLK, UUU, VS?, WIZ, WBK, WP?.WRI, XML, {?? DL?, EX?, and ACM, ADE, ADP, ADT, AP?, ASA, ASD, ASP, AX?, B64, BA?, BIN, BMP, BO?, CGI, CC?, CDX, CEO, CHM, CLA, CMD, CNV, CO?, CPL, CPT, CPY, CRT, CSC, CSS, DAT, DEV, DOC, DOT, DRV, EE?, EFV, EML, FDF, FMT, FO?, FPH, FPW, GWI, HDI, HHT, HLP, HT?, HWD, IM?, IN?, ION, ISP, ITS, JAR, JP?, JS?, LGP, LNK, LWP, LIB, M3U, MBR, MB0, MB1, MB2, MD?, MHT, MOD, MPD, MRC, MS?, NEW, NWS, OB?, OC?, OL?, OUT, OV?, PCD, PCI, PD?, PF?, PHP, PI?, PL?, PNG, PRC, QLB, QPW, QTC, RAR, REG, RMF, RTF, SCR, SCT, SH?, SIS, SMM, SPL, SRF, SYS, SWF, TFT, TLB, TSP, VBS, VB?, VVV, VWP, VXD, URL, UNP, WIZ, WMV, WP?, WRL, WRZ, WS?, X32, XML, XRF, XSL, XTP, ZI?, Z0M, ZL?, ZZZ, 00?, 386, 3GR, {??, GZ?, TD0, TGZ, ??_ ACE, ARC, ARJ, B64, BIN, CAB, CHM, COM, EXE, GZ?, ICE, JAR, LZH, NAP, OUT, PPZ, RAR, TAR, TAZ, TD0, TGZ, ZIP, Z??, ??_ DL?, EX?, and ACM, ADE, ADP, ADT, AP?, ASA, ASD, ASP, AX?, B64, BA?, BIN, BMP, BO?, CGI, CC?, CDX, CEO, CHM, CLA, CMD, CNV, CO?, CPL, CPT, CPY, CRT, CSC, CSS, DAT, DEV, DOC, DOT, DRV, EE?, EFV, EML, FDF, FMT, FO?, FPH, FPW, GWI, HDI, HHT, HLP, HT?, HWD, IM?, IN?, ION, ISP, ITS, JAR, JP?, JS?, LGP, LNK, LWP, LIB, M3U, MBR, MB0, MB1, MB2, MD?, MHT, MOD, MPD, MRC, MS?, NEW, NWS, OB?, OC?, OL?, OUT, OV?, PCD, PCI, PD?, PF?, PHP, PI?, PL?, PNG, PRC, QLB, QPW, QTC, RAR, REG, RMF, RTF, SCR, SCT, SH?, SIS, SMM, SPL, SRF, SYS, SWF, TFT, TLB, TSP, VBS, VB?, VVV, VWP, VXD, URL, UNP, WIZ, WMF, WMP, WMV, WP?, WRL, WRZ, WS?, X32, XML, XRF, XSL, XTP, ZI?, Z0M, ZL?, ZZZ, 00?, 386, 3GR, {??, GZ?, TD0, TGZ, ??_
Compressed executable files
Archive files All types
Email | Email Policies | Scanning Policies [Anti-Virus] Web | Web Policies | Scanning Policies [Anti-Virus]
Formats for network and domain names

Name Domain Description example.com example.com/server1 example.example*.com IP address (v4) IP address (v4) with CIDR notation IP address (v6) IP address (v6) with CIDR notation 192.168.254.200:255.255.255.0 to define the network and its subnet 192.168.254.200/24 to define the network and its subnet FD4A:A1A1:A1A1:A1A1:A1A1:A1A1:A1A1:A1A1 FD4A:A1A1:A1A1:A1A1:A1A1:A1A1:A1A1:A1A1/64
222
Appendix CIDR notation for IP addresses
CIDR notation for IP addresses

Classless Inter Domain Routing (CIDR) is a method for writing network masks in IP addresses. In CIDR notation, an IP address is represented as A.B.C.D /n, where "/n" is called the IP prefix or network prefix. The IP prefix identifies the number of significant bits used to identify a network. Common prefixes are 8, 16, 24, and 32. The table shows the full list. For example, 192.168.254.200 /18 means: The first 18 bits represent the network. The remaining 14 bits identify hosts. 192.168.254.200 /18 is equivalent to 192.168.254.200:255.255.192.0. Table 26: CIDR notation
Prefix /1 /2 /3 /4 /5 /6 /7 /8 Mask 128.0.0.0 192.0.0.0 224.0.0.0 240.0.0.0 248.0.0.0 252.0.0.0 254.0.0.0 255.0.0.0 Number of hosts -
/9 /10 /11 /12 /13 /14 /15 /16
255.128.0.0 255.192.0.0 255.224.0.0 255.240.0.0 255.248.0.0 255.252.0.0 255.254.0.0 255.255.0.0
/17 /18 /19 /20 /21 /22 /23 /24
255.255.128 255.255.192.0 255.255.224.0 255.255.240.0 255.255.248.0 255.255.252.0 255.255.254.0 255.255.255.0
256
223
Appendix CSV file formats for importing to lists
Prefix /25 /26 /27 /28 /29 /30 /31 /32
Mask 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 255.255.255.254 255.255.255.255
Number of hosts 128 64 32 16 8 4 2 1
CSV file formats for importing to lists

If you have a .CSV (comma-separated values) file that contains information about your network, you can import that file into the appliance to help you build your lists quickly. Each entry in the file must be on a single line and must follow the correct format.
Type Domain Email Address Network Address Format D, <domain> E, <email address> N, <IP address>, <IP subnet mask> Example D, www.example.com E, user@example.com N, 192.168.254.200, 255.255.255.0
Communication port numbering

The appliance and other devices use these port numbers for communications.
Port Number 21 22 25 80 80 88 110 161 162 389 443 465 514 Protocol TCP TCP TCP TCP TCP UDP TCP UDP * UDP * TCP TCP TCP UDP * Communication type FTP SSH SMTP HTTP ePolicy Orchestrator Kerberos POP3 SNMP (general messages) SNMP (trap messages) LDAP HTTPS SMTPS Syslog
224
Appendix Acronyms and Abbreviations
Port Number 587 636 1344 5432 9011 9012 9111 9112 9121 49500
Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP
Communication type SMTP (authenticated/secure) LDAP (secure) ICAP SQL SmartReporter SmartReporter (SSL/secure port) WebReporter WebReporter (SSL/secure port) WebReporter (FTP) MQM
Acronyms and Abbreviations

Term 8BITMIME AC ACL AIM APOP ARP ASCI ASCII BPDU Bps bps CPU CRL DDoS DES DHA DHCP DKIM DMZ DN DNS Definition eight-bit data transfer access control Access Control List AOL Instant Messenger Authenticated Post Office Protocol Address Resolution Protocol agent-server communications interval American Standard Code for Information Interchange Bridge Protocol Data Unit bytes per second bits per second central processing unit certificate revocation list distributed denial-of-service Data Encryption Standard directory harvest attack Dynamic Host Configuration Protocol DomainKeys Identified Mail demilitarized zone Distinguished Name Domain Name System
225
Term DNSBL DoS DRAC DSN EICAR ePO ESMTP EULA FDoS FQDN FTP GARE GLBA GMT GPO GTUBE GUI HIPAA HTML HTTP HTTPS IAC ICAP IETF IIS IP IRC ISO ISP JPEG LAN LDAP LED MAC MAC
Definition DNS-based blackhole list denial-of-service Dell Remote Access Control Delivery Sender Notification European Institute for Computer Antivirus Research (McAfee) ePolicy Orchestrator enterprise management software Extended Simple Mail Transfer Protocol end-user license agreement flooder denial-of-service fully qualified domain name File Transfer Protocol Global Attack Response Editor Gramm-Leach-Bliley Act Greenwich Mean Time Group Policy Object Generic Test for Unsolicited Bulk Email graphical user interface Health Insurance Portability and Accountability Act HyperText Markup Language HyperText Transfer Protocol HyperText Transfer Protocol Over Secure Socket Layer Internet Access Control Internet Content Adaptation Protocol Internet Engineering Task Force Internet Information Service Internet Protocol Internet Relay Chat International Organization for Standardization Internet service provider Joint Photographic Experts Group Local Area Network Lightweight Directory Access Protocol light emitting diode media access control message authentication code
226
Term MAPI MBR MD5 MER MIB MIME MPEG MQM MSI MSN MTA MTU MWS NAC NAD NDS NIC NMS NTFS NTLM NTP OCC OID OLE OOB OS OSI OSPF OUI PDA PDF PE PEM PGP POP
Definition Messaging Application Program Interface master boot record Message-Digest algorithm 5 Minimum Escalation Report Management Information Base Multipurpose Internet Mail Extensions Moving Picture Experts Group McAfee Quarantine Manager Microsoft Windows Installer Microsoft Network message transfer agent maximum transmission unit (McAfee) Messaging and Web Security Network Access Control Network Access Device (Novell) NetWare Directory Services Network Interface Card Network Management System New Technology File System (Microsoft Windows) NT LAN Manager Network Time Protocol Outbound Content Compliance Object Identifier Object Linking and Embedding out-of-band operating system Open Systems Interconnection Open Shortest Path First Organizationally Unique Identifier Personal Digital Assistant Portable Document Format Portable Executable Privacy-enhanced Electronic Mail, Privacy Enhanced Mail Pretty Good Privacy Post Office Protocol
227
Term POP3 PRA PUP RAID RBL RDBMS RFC RIP S/MIME SMTP SMTPS SNMP SOX SPF SPF/PRA SSH SSID SSL STP TCP TCP/IP TFTP TLS UBE UDP UI URL USB UTC UTF VBS VLAN VPN VSAPI WAN
Definition HyperText Transfer Protocol 3 Purported Responsible Address potentially unwanted program Redundant Arrays of Independent Disks real-time blackhole list relational database management system request for comments Routing Information Protocol Secure / Multipurpose Internet Mail Extensions Simple Message Transfer Protocol Secure Simple Message Transfer Protocol Simple Network Management Protocol Sarbanes-Oxley Act Sender Policy Framework Sender Policy Framework/Purported Responsible Address Secure Shell Service Set Identifier Secure Socket Layer Spanning Tree Protocol Transmission Control Protocol Transmission Control Protocol/Internet Protocol Trivial File Transfer Protocol Transport Layer Security unsolicited bulk email User Datagram Protocol user interface Uniform Resource Locator Universal Serial Bus Temps Universel Coordonn (Coordinated Universal Time) Unicode Transformation Format Visual Basic Scripting Virtual Local Area Network Virtual Private Network Virus Scanning Application Program Interface Wide Area Network
228
Appendix RFCs (Request for Comments)
Term WAP Wi-Fi WLAN WYSIWYG XML XSL
Definition wireless access point wireless fidelity Wireless Local Access Network what you see is what you get Extensible Markup Language Extensible Stylesheet Language
RFCs (Request for Comments)

The appliance conforms to many RFCs.
Number 1305 Description Network Time Protocol
2449 2616 2821 2822
POP3 Extension Mechanism Hypertext Transfer Protocol -- HTTP/1.1 Simple Mail Transfer Protocol (SMTP) Internet Message Format
3164 3207 3507
BSD syslog Protocol SMTP Service Extension for Secure SMTP over Transport Layer Security Internet Content Adaptation Protocol (ICAP)
For a full list of all RFCs, visit http://www.apps.ietf.org/rfc/index.html
KnowledgeBase articles
Several KnowledgeBase articles are referenced in this documentation.
Number 54323 60616 Description https://kc.mcafee.com/corporate/index?page=content&id=KB54323 https://kc.mcafee.com/corporate/index?page=content&id=KB60616
To view recent articles, popular articles, and search KnowledgeBase by text or article number: https://mysupport.mcafee.com/Eservice/templatepage.aspx?sURL=3 To view KnowledgeBase articles, grouped by product and version: https://mysupport.mcafee.com/Eservice/productdocuments.aspx?strPage=3
229
Appendix Additional License Terms for ePolicy Orchestrator Software
Additional License Terms for ePolicy Orchestrator Software

McAfee has included a copy of the McAfee ePolicy Orchestrator software with this software. The use of the ePolicy Orchestrator software is subject to the terms and conditions of the License Agreement accompanying the product and subject to these additional terms and conditions. The ePolicy Orchestrator software is intended for use only with a validly licensed copy of the appliance software and is not intended or licensed as a stand-alone product or for use with any other products other than the McAfee appliance software. Only use this copy of the ePolicy Orchestrator software to report on the appliance software on your network. Unless you have purchased licences to use McAfee ePolicy Orchestrator separately, you are not entitled to use the copy contained herein to manage, or report from, any other computers on your network or within your organization. Contact your local McAfee representative if you need to obtain a fully licensed copy of the ePolicy Orchestrator software.
230
Index
%ADD_BLACK_LIST% and others 203 %LOCALTIME% 203 8-bit ASCII 134 authentication group 168 authentication, browser setup 171 authentication, formats for user names 176 authentication, sender 96 authentication, user 168 automatic updates 188
A
abbreviations 225 accounts, user 170 acronyms 225 actions against threats 40 actions, FTP 40 actions, HTTP 41 actions, ICAP 41 actions, POP3 42 actions, scanning 111 actions, SMTP email 42 Active Directory, Kerberos user authentication 173 Active Directory, set up with Kerberos 172 Active X 109 address masquerading, digital signatures 57 address masquerading, regular expressions 58 administrators 170 adware 82, 141 alert editor, features 219 alert messages, substitution variables for 203 alert settings, header and footer 110, 152 alerting 180 alerting, considerations 186 alerts 185 alerts, menu 180 anabolic steroid, whitelist example 113, 154 anti-relay, concept 69 anti-relay, not working 195 anti-relay, why you need 70 anti-virus scanning 79, 138 anti-virus scanning, types of 82, 141 anti-virus updates, nothing happens 200 anti-virus, customized settings 83, 142 anti-virus, features 80, 139 anti-virus, introduction 79, 139 anti-virus, understanding policy for 78, 81, 138, 140 Appliance Management menu 162 appliance security 26 appliance security, how to improve 26 appliance security, introduction 8 appliance, basic concepts 13 appliance, maintaining the 28 appliance, monitoring the 27 Artemis 85, 144 attachments 108 attachments, email is blocked 197 attacks, denial of service 105, 151 attacks, directory harvesting 72 audience 10
B
Back button, problem 195 banned terms, where they apply 116, 157 best practices, content scanning 118 black bar 49 blackhole list 98 blacklist, how RBL works 98 blacklist, user-submitted 95 blackout, UPS 165 blocked connections 68 blocked connections, counter 49 blocked senders 68 breaks between words 207 brownout, UPS 165 browsers, setup for user authentication 171 Bubbleboy 84, 144 bypass unit 28
C
Certificate Management menu 177 certificate, structure of 65 certificates, using 65 changes, making to appliance operation 31 channel, for alerts 185 character-set encoding, list 218 CIDR 223 classifications, SiteAdvisor 147 Classless Inter Domain Routing (CIDR) 223 cloud anti-virus protection 85, 144 cluster management 21 Cluster Management menu 165 cluster management, failover 24 cluster management, tasks 22 cluster, making changes to appliance in 23 comma-separated values (CSV) file 224 community threat intelligence 85, 144 complex terms, example in email messages 117, 158 compliancy, introduction to 159 compliancy, policies 159 Component Management menu 187 compressed files, nesting in 105, 151 concepts, introduction 13 configuration ePolicy Orchestrator 30 configuration changes 166 configuration, apply to many appliances 166 connections, blocked 68 contact information 12
231
Index
content filter dictionary 112, 153 content handling 106, 152 content policies, FTP 14 content policies, HTTP 14 content policies, ICAP 14, 129 content policies, POP3 14 content policies, SMTP 15 content rules, complex terms in email messages 117, 158 content scanning rules 113, 154 content scanning, email content 101 content scanning, email options 104 content scanning, limitations in 116, 157 content scanning, spam 85 content scanning, URL filtering 144 content scanning, web 149 content scanning, web content 148 content, understanding scanning of 101 conventions 10 corrupt content 110, 152 counters, blocked connections 49 CSV file formats 224 customer submission tool 92
E
EICAR test virus, email gets through 198 email configuration 55 Email Configuration menu 54 email headers, hiding 108 Email menu 54 email messages, how multiple policies affect 112 email options 106 Email Policies menu 76 Email Protocol Configuration menu 55 email replication, not working 196 Email Scanning Policies menu 77 email template 111 email, all blocked 197 email, blocked as spam 200 email, blocked by attachments 197 email, blocked by policy 196 email, control of access and content 15 email, how messages are processed 121 email, queues 120 email, Receiving Email menu 67 emergency power 165 Enable protocol, effect of checkbox 20 enable, ePO Management 30 encoding, character sets 218 encrypted content 110, 152 ePO extension, download 29 ePO extension, installing 29 ePO, install the ePO extension 29 ePolicy Orchestrator, controlling your appliance with 29 ePolicy Orchestrator, license terms 230 ePolicy Orchestrator, menu 187 ePolicy Orchestrator, what is 29, 190 events 186 events, limits 180 events, monitoring of 182 events, overriding 186 events, types logged 180 examples, disclaimers 107 examples, file filtering 103 examples, HTML embedded objects 109 examples, priority in policies 46 examples, spam report 91 examples, spam scores 88 examples, SPF record 101 export, from a list 34 external-body messages 106 Extra DAT 187
D
dashboard 18 Dashboard menu 48 data trickling, disadvantages 135 data trickling, downloads 134 data trickling, upload 135 date setting 166 dedicated ports, POP3 66 default policy 37 deferred mail 197 delimiters, for words 207 delivery 197 delivery methods 75 depth of nesting 105, 151 dictionaries, choosing a name 116, 156 dictionaries, icons 114, 155 dictionaries, supplied 114, 155 dictionaries, terms 114, 155 dictionary, conditions described 115, 155 dictionary, content filter 112, 153 dictionary, terms described 115, 155 digital signature 110 digital signatures, address masquerading 57 directory harvest prevention 71 Directory Harvest Prevention, does not work 72 Directory Harvest Prevention, not working 196 directory harvesting attack 72 disclaimer 107 disclaimers, examples of 107 disk space, control of 192 DKIM signing 73 DKIM verification 100 DKIM, how it works 97 DKIM, key management 100 DKIM, sender authentication 96 DNSBL 98 documentation 11 domain names, formats 222 download status 134 DRAC 164
F
Fail-Open Unit 28 failover, cluster management 24 FAQ, ICAP 202 FAQs 195 features, anti-virus 80, 139 features, how to enable 31 file filtering 102 file filtering, example 103 files, scanned by default 222 filtering, example of file 103 filtering, file 102 filtering, mail size 102 fish (phish) 95 Flash 109 formats, CSV file 224
232
Index
formats, domain names 222 formats, network 222 formats, user names for authentication 176 frequently asked questions 195 FTP actions 40 FTP protocol settings 134 FTP, configuration menu 133 FTP, content policies 14 FTP, handoff 135 FTP, introduction 133 FTP, on browsers 199 FTP, traffic flow 133 FTP, uploads over HTTP 199
instant anti-virus update 85, 144 Instant messaging 149 intercept ports 34 interface, common tasks 31 interface, layout of 16 Internet Explorer with Active Directory, user authentication 172 Internet Explorer, user authentication 171 Internet usage reports 185 IP address, CIDR format 223 issues, KnowledgeBase 229
K
KB, KnowledgeBase 229 Kerberos user authentication, Microsoft Active Directory 2003 173 Kerberos with Active Directory, setting up 172 Kerberos, user name formats 176 KnowledgeBase articles 229 known issues, KnowledgeBase 229
G
generic connections, POP3 66 getting started 13 GLBA 159 graceful shutdown 165 greylisting service 70 greylisting, how it deters zombies 71 group membership 152 groups, menu 166 groups, policies for complex 38, 167
L
LDAP, user name formats 176 legal implications, for email 39 legal implications, for web 39 license terms, ePolicy Orchestrator 230 Links bar 49 Links bar, interface 49 listeners, no longer available 24 listening ports 35 lists, making and viewing 32 lists, viewing long 33 load sharing, no longer available 24 lockout period 68 logging 180 Logging, Alerting and SNMP menu 180 logon time 26 logs, control the size of 199 logs, transport logging 51 Lotus Domino 196 Lotus Domino, configuring mail clients 194
H
handoff 135 harvesting 72 Help extension, installing 30 heuristic analysis 84, 143 heuristic network checking 85, 144 HIPAA, and compliancy 159 HIPAA, ruleset 160 HotFix, not accepted 199 hotfixes 28 HTML editor, features 219 HTML embedded objects, examples 109 HTML objects 109 HTTP actions 41 HTTP configuration 125 HTTP protocol settings 125 HTTP scanning policies 14 HTTP, cannot upload over HTTP 199 HTTP, configuration menu 124 HTTP, introduction 124 HTTP, use of ICAP without HTTP 133
M
mail 197 mail clients, configuring 193 mail clients, configuring Lotus Domino 194 mail clients, configuring Outlook 194 mail clients, setting up appliance 194 mail size filtering 102 mail, delivery problems 197 mailboxes are full 201 McAfee Quarantine Manager (MQM) 119 Melissa 84, 144 menu, Appliance Management 162 menu, Certificate Management 177 menu, Cluster Management 165 menu, Component Management 187 menu, Dashboard 48 menu, Email 54 menu, Email Configuration 54 menu, Email Policies 76 menu, Email Protocol Configuration 55 menu, Email Reports 50 menu, Email Scanning Policies 77 menu, Logging, Alerting and SNMP 180 menu, Notification and Routing 111
I
ICAP 130 ICAP actions 41 ICAP FAQ 202 ICAP, configuration menu 126 ICAP, content policies 14, 129 ICAP, defined 127 ICAP, headers 127 ICAP, how it works 127 ICAP, introduction 126 ICAP, preview 127 ICAP, server 132 ICAP, without HTTP 133 icons, dictionaries and terms 114, 155 ICQ 149 IM 149 import, to a list 34
233
Index
menu, Quarantine 120 menu, Quarantine Configuration 119 menu, Receiving Email 67 menu, Reports 50 menu, Sender Authentication 96 menu, System 162 menu, Troubleshoot 191 menu, Troubleshoot Reports 192 menu, Troubleshoot Tools 191 menu, Users, Groups and Services 166 menu, Web 123 menu, web configuration 123 menu, Web configuration for FTP 133 menu, web configuration for HTTP 124 menu, web configuration for ICAP 126 menu, Web Policies 136 menu, Web reports 51 menu, Web Scanning Policies 136 message processing 56 message structure 130 Microsoft Exchange servers, ESMTP problem 196 MIME 106 MIME formats 108 MIME types 108 monitor events 182 Mozilla Firefox, user authentication 172 MQM 119 MSN Messenger 149 Multipurpose Internet Mail Extensions (MIME) 108
N
navigation bar 19 nesting in compressed files 105, 151 nesting, denial of service 105, 151 Network Time Protocol 166 network, formats 222 news websites, deter use of 145 Notification and Routing menu 111 NTLM authentication 171 NTLM, user name formats 176 NTP 166
O
open relay 70 OpenSSL, TLS certificate by 178 operational mode, choosing the 16 operational modes, cluster management 24 Optional components 8 out-of-band management 26, 163 Outlook, configuring mail clients 194 Outlook, transparent authentication with 126
policies, example of priority 46 policies, general guidelines 39 policies, group membership 152 policies, introducing 37 policies, introduction to 13 policies, introduction to priorities 46 policies, issues with network sources 38 policies, menu 77 policies, menu for email 76 policies, planning 39 policies, priority in 44 policies, user names 153 policies, web scanning menu 136 policy groups, how to use 38, 167 policy planning 39 policy, anti-virus settings 78, 81, 138, 140 policy, spam 90 POP3 actions 42 POP3, content policies 14 POP3, dedicated ports 66 POP3, does not work 198 POP3, introduction 66 POP3, protocol policy 67 POP3, two copies of mail 199 port numbering 224 ports, intercept 34 ports, listening 35 power loss 165 preset, protocol 24 previous page 195 priority in policies 44 priority in policies, introduction 46 privacy 159 privacy policies 159 privacy, HIPAA 160 privacy, threshold values 113, 154, 160 problems, Back button 195 product features 9 product information 11 protected content 110, 152 protocol policy, POP3 67 protocol preset 24 protocol settings, FTP 134 protocol settings, HTTP 125 protocol support 20 protocol traffic 20 protocol, email configuration menu 55 protocols, configuring the 34 protocols, enabling and disabling 35 PUPs 82, 141 PUPs, special actions 84, 143
Q P
packers 84, 143 page, Back 195 password, change 26 password, change your own 49 password, reset all 170 patch releases 28 permit and deny lists 68 permitted recipients 71 permitted senders 68 phish 95 policies, default 37 qmail, Microsoft Exchange 2000 and 2003 196 quarantine digests 119 Quarantine menu 120 quarantine, configuration menu 119 quarantine, MQM 119 queues, email 120
R
RBL, how it works 98 Real-time block list 98 reboot appliance 164 Received-From header 108
234
Index
Receiving Email menu 67 recovery 165 reference material 193 regular expressions 58 regular expressions, limitations 57 related products 8 relaying, prevention of 70 remote access card 164 reporting 180 Reports for Email, menu 50 Reports menu 50 reports, HTML example 52 reports, Internet usage 185 reports, menu for web 51 reports, PDF example 53 reports, SmartReporter 183 reports, spam report example 91 reports, types of 27 reputation service 97 reputation, SiteAdvisor 147 Request for Comment 229 restoring the system 165 retry fails 197 retry fails on deferred 197 Retryer 75 reverse lookup 35 RFC 229 roles, administrators 170
S
samples, submitting spam 92 SBL 98 scanner control 105, 150 scanner options, email 104 scanner options, web 149 scanning policies, HTTP 14 scanning, exceptions in network 25 scanning, extra actions 111 scanning, menu 77 scanning, policies menu 136 scoring, sender authentication 98 scripts, blocking Visual Basic and JavaScript 109 Secure Shell 26, 163 sender authentication 96 Sender Authentication menu 96 sender authentication, considerations 99 sender authentication, scoring 98 Sender ID 96 Sender ID, how it works 97 Sender Policy Framework 98 Sender Policy Framework/Purported Responsible 97 services, menu 166 session time 26 settings, duplicate across many appliances 166 shutdown appliance 164 shutdown, gracefully 165 signature, or disclaimer 107 signatures, digital 110 signed content 110 signing, DKIM 73 single sign-on 168 SiteAdvisor 147 SmartReporter reports 183 SmartReporter, introduction 185 SMTP, content policies 15
SNMP alerts 182 SNMP monitoring 182 SNMP trap, as an alert 185 SNMP, menu 180 SOX 159 spam 86 spam scores 90 spam scores, examples 88 spam thresholds 90 spam, clicknet 92 spam, example of report 91 spam, handling missed 92 spam, how McAfee tackles 90 spam, how to avoid it 94 spam, introduction 86 spam, mailboxes are full 201 spam, no normal email gets through 200 spam, problems with identifying 88 spam, settings 85 spam, still gets through despite RBL 200 spam, stopping any type of 201 spam, submitting new samples of 92 spam, updating your protection against 92 spam, users still receive 201 spam, what a policy does 90 Spanning Tree Protocol, cluster 24 special actions 84, 143 specifications, technical (RFCs) 229 SPF 98 SPF, example of record for 101 SPF, sender authentication 96 SPF/PRA, how it works 97 spoofed email 95 spreadsheet, example of blocking 103 spyware 82, 141 Squid 127 SSH 26, 163 stop appliance 164 STP 164 streaming media 148 substitution variables 203 summary, dashboard 18 syslog monitoring 182 System menu 162 system settings, restore 165
T
templates, email address 111 terms, icons 114, 155 threats, blocking specific 84, 144 threshold values, privacy 113, 154, 160 time setting 166 time, for session 26 tips, avoiding spam 94 TLS (Transparent Layer Security), handshake 62 TLS (Transparent Layer Security), intercepting 64 TLS certificate, create with OpenSSL 178 TLS, defined 60 tokens, substitution variables 203 topologies 21 traffic flow, FTP 133 traffic flow, web 124 transparency options 56 transparent authentication 168 transparent authentication, effect on Outlook email 126
235
Index
transparent exceptions 25 transparent mode, email options 56 Transport Layer Security (TLS) 60 transport logging 51 trap, alerts for SNMP 185 Troubleshoot menu 191 Troubleshoot Reports menu 192 Troubleshoot Tools menu 191 troubleshooting 28 troubleshooting, introduction 195 TrustedSource, how it works 97 TrustedSource, sender authentication 96 tunneling, instant messaging 149
virtual host 179 Virtual Router Redundancy Protocol, cluster 24 virus scanning, types of 82, 141 virus, causes content violation 198 viruses, detecting new 84, 143 viruses, VBS/Bubbleboy@MM 84, 144 viruses, W97M/Melissa@MM 84, 144
W
warnings 185 Web configuration, menu 123 Web menu 123 Web Policies menu 136 Web reports menu 51 web reputation 147 Web Scanning Policies menu 136 websites, deter use of news 145 weighting, sender authentication 98 white space, breaks between words 207 whitelist, in content scanning rule 113, 154 whitelist, user-submitted 95 word delimiters 207 word separators 208 word separators, usage 207
U
uninterruptible power supply 165 updates, anti-virus and spam 187 updates, automatic 188 upload status 135 UPS 165 URL blocking 145 URL filtering 146 user authentication 168 user authentication, browser setup 171 user authentication, how it works 168 user authentication, where to use 169 user names, policy selection 153 Users, Groups and Services menu 166
Y
Yahoo! Messenger 149
V
variables, substitution 203
Z
ZIP files, nesting in 105, 151
236
700-2358A00

Mcafee Email and Web Security Appliance Version 5.5 Product Guide

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Mcafee Email and Web Security Appliance Version 5.5 Product Guide

Caricato da

Copyright:

Formati disponibili

McAfee Email and Web Security Appliance version 5.

McAfee Email and Web Security 5.5

McAfee Email and Web Security 5.5

Monitoring activity on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

McAfee Email and Web Security 5.5

Preventing email threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Preventing web threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Configuring the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

McAfee Email and Web Security 5.5

Troubleshooting on the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

McAfee Email and Web Security 5.5

McAfee Email and Web Security 5.5

Introducing Appliance Security

Optional components and related products

Some appliances support auxiliary hardware: Table 2: Auxiliary hardware

3400 3300, 3400 3300, 3400

McAfee Email and Web Security 5.5

Introducing Appliance Security Product features

McAfee Email and Web Security 5.5

Introducing Appliance Security Using this information

Timed web access ICAP support

No Yes Yes Yes Yes Yes

Yes Yes Yes No No No

Yes Yes Yes Yes Yes Yes

SiteAdvisor IP v6 UPS support Bounce Address Tag Validation

Load balancing Virtual Hosting

Using this information

McAfee Email and Web Security 5.5

Introducing Appliance Security How to get product information

Files\McAfee\EPO\3.5.0 Run this command on the client computer: scan --help

How to get product information

McAfee Email and Web Security 5.5

Introducing Appliance Security Contact information

McAfee Email and Web Security 5.5

McAfee Email and Web Security 5.5

Getting Started Basic concepts

FTP content policies

HTTP scanning policies

ICAP content policies

POP3 content policies

McAfee Email and Web Security 5.5

Getting Started Basic concepts

SMTP content policies

How the appliance controls email access and content

McAfee Email and Web Security 5.5

Getting Started Basic concepts

Choosing the operational mode

McAfee Email and Web Security 5.5

Getting Started Basic concepts

Navigation bar User information bar Section icons Tab bar

Support control buttons View control Content area

Log off About Resources

McAfee Email and Web Security 5.5

Getting Started Basic concepts

McAfee Email and Web Security 5.5

Getting Started Basic concepts

Use the System pages to configure various features on the appliance.

McAfee Email and Web Security 5.5

Getting Started Basic concepts

Effect of enabling or disabling protocol traffic

McAfee Email and Web Security 5.5

Getting Started Basic concepts