SMSMSE Implementation Guide


Symantec™ Mail Security for Microsoft® Exchange 7.9.1
Implementation Guide
Exchange Server 2010/2013/2016/2019
Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect


Before you contact Technical Support, you can find free content in our online Knowledge Base,
which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the
search box of the following URL, type the name of your product:
https://support.symantec.com
Access our blogs and online forums to engage with other customers, partners, and Symantec
employees on a wide range of topics at the following URL:
https://www.symantec.com/connect

Technical Support and Enterprise Customer Support


Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical
Support’s primary role is to respond to specific queries about product features and functionality.
Enterprise Customer Support assists with non-technical questions, such as license activation,
software version upgrades, product access, and renewals.
For Symantec Support terms, conditions, policies, and other support information, see:
https://entced.symantec.com/default/ent/supportref
To contact Symantec Support, see:
https://support.symantec.com/en_US/contact-support.html
Contents

Symantec Support ........................................................ 4

Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange ........ 12
About Symantec Mail Security for Microsoft Exchange ........................ 12
What's new in Mail Security 7.9.1 ............................................ 13
Components of Mail Security .................................................. 13
How Mail Security works ...................................................... 14
What you can do with Mail Security ........................................... 15
Where to get more information about Mail Security ............................ 20

Chapter 2 Installing Symantec Mail Security for Microsoft Exchange .......... 21
Before you install ........................................................... 21
    Software component locations ............................................. 23
    About security and access permissions .................................... 26
    Reducing Mail Security installation time ................................. 27
System requirements .......................................................... 28
    Server system requirements ............................................... 28
    Console system requirements .............................................. 29
    Port requirements ........................................................ 30
Installing Symantec Mail Security for Microsoft Exchange ..................... 31
    Installing Mail Security on a local server ............................... 32
    Installing the Mail Security console ..................................... 36
    About installing Mail Security on remote servers ......................... 38
    Silently installing Mail Security using an automated installation tool ... 42
Post-installation tasks ...................................................... 43
    Implementing SSL communications .......................................... 43
    Accessing the Mail Security console ...................................... 45
    About using Mail Security with other antivirus products .................. 48
    Configuring Mail Security transport agents ............................... 48
    Setting scanning threads and number of scan processes .................... 50
Uninstalling Symantec Mail Security for Microsoft Exchange ................... 51

Chapter 3 Activating licenses ................................................ 52
About licensing .............................................................. 52
About activating the Mail Security license ................................... 53
    About the Mail Security license serial number ............................ 54
    Obtaining a license file ................................................. 54
    Installing license files ................................................. 55
About renewing the Mail Security license ..................................... 56

Chapter 4 Managing your Exchange servers ..................................... 58
About managing your Exchange servers ......................................... 58
Deploying settings and changes to a server or group .......................... 60
Managing servers and server groups ........................................... 61
    Logging onto servers ..................................................... 62
    Configuring Symantec Mail Security for Exchange on DAG setup ............. 64
    Changing the password of the domain user account ......................... 64
    Changing the service account used by Mail Security service ............... 65
    Modifying or viewing server or server group settings ..................... 66
    Viewing the status of a server ........................................... 67
    Creating a user-defined server group ..................................... 67
    Adding servers to a group ................................................ 68
    Moving a server to another user-defined server group ..................... 69
    Synchronizing group settings to a server ................................. 70
    Restoring default settings to a server or group .......................... 70
    Removing a server from group management .................................. 71
    Removing a server group .................................................. 71
    Exporting and importing settings ......................................... 72
    Modifying the port and the communication properties of a server ......... 73
    Creating and assigning a custom throttling policy to the Mail Security service account user ... 73
    Configuring .NET 3.5 for TLS 1.2 protocol ................................ 74
    About transport submission queue monitor ................................. 74

Chapter 5 Quarantining messages and attachments .............................. 76
About the quarantine ......................................................... 76
Forwarding quarantined items to the Quarantine Server ........................ 77
Establishing local quarantine thresholds ..................................... 78
Viewing the contents of the local quarantine ................................. 79
Filtering the quarantined items .............................................. 80
Specifying an action to take when a quarantine threshold is met .............. 81
About releasing messages from the local quarantine ........................... 82
    Releasing messages from the local quarantine by email .................... 83
    Releasing messages from the local quarantine to a file ................... 84
Deleting items from the local quarantine ..................................... 85

Chapter 6 Protecting your server from risks .................................. 86
About Mail Security policies ................................................. 87
About protecting your server from risks ...................................... 87
    How Mail Security detects risks .......................................... 88
Configuring a threat detection ............................................... 89
Configuring a security risk detection ........................................ 92
Configuring file scanning limits ............................................. 95
Configuring rules to address unscannable and encrypted files ................. 96
Remediation overview ......................................................... 98
How remediation works ........................................................ 99
Configuring remediation options ............................................. 100
Types of Remediation ........................................................ 100
Remediation feed settings ................................................... 100
Creating an email remediation feed .......................................... 101
Enabling authentication key ................................................. 103
Managing certificates ....................................................... 103
About file reputation ....................................................... 104

Chapter 7 Identifying spam .................................................. 105
About spam detection ........................................................ 105
About reputation technology ................................................. 106
Configuring whitelists ...................................................... 106
How to detect spam using Symantec Premium AntiSpam .......................... 107
    About registering Symantec Premium AntiSpam through an ISA server ....... 107
    Configuring your proxy server to download spam definition updates ....... 108
    Configuring Symantec Premium AntiSpam to detect spam .................... 108
    Processing suspected spam messages ...................................... 111
    Processing the suspected spam messages that exceed an SCL threshold ..... 114
    Processing spam messages ................................................ 116
    About applying X-headers to messages for archiving ...................... 119

Chapter 8 Filtering content ................................................. 121
About content and file filtering ............................................ 121
    About file type filtering ............................................... 123
    About default content filtering rules ................................... 126
    About default file type filtering rules ................................. 127
About creating the filtering rules .......................................... 128
    Configuring the conditions of a content filtering rule .................. 128
    Creating a file type filtering rule ..................................... 129
    Specifying the users and groups in a filtering rule ..................... 129
    Specifying whom to notify if a filtering rule is violated ............... 131
    Configuring rule actions ................................................ 133
    Elements of a content filtering rule .................................... 142
What you can do with the filtering rules .................................... 147
    Enabling or disabling the filtering for Auto-Protect scanning ........... 148
    Prioritizing the filtering rules ........................................ 148
    Deleting a filtering rule ............................................... 149
    Specifying inbound SMTP domains ......................................... 150
    Refreshing the Active Directory group cache ............................. 151
About enforcing email attachment policies ................................... 151
    Blocking attachments by file name ....................................... 151
About match lists ........................................................... 155
    Creating or editing a match list ........................................ 159
    Deleting a match list ................................................... 160
    About DOS wildcard style expressions .................................... 160
    About regular expressions ............................................... 161
About content filtering policy templates .................................... 164
    Editing a content filtering policy template ............................. 168

Chapter 9 Scanning your Exchange servers for threats and violations ......... 170
About the types of scanning that you can perform ............................ 170
    Excluding Journal database from On Access and Background scanning ....... 171
How Mail Security scans messages ............................................ 172
    How Mail Security offloads Mailbox server scanning for Exchange Server 2010 ... 175
    How Mail Security optimizes scanning performance for Exchange Server 2010 ... 176
Configuring Auto-Protect scanning ........................................... 176
Configuring background scanning for Exchange Server 2010 mailbox role ....... 177
    Background scan log status for Exchange Server 2010 mailbox role ........ 179
    Stopping background scanning on Exchange Server 2010 mailbox role ....... 179
    Configuring advanced scanning options for Auto-Protect and background (Exchange Server 2010 only) scanning ... 180
About manual scans .......................................................... 181
    Configuring the manual scan parameters .................................. 182
    Performing a manual scan ................................................ 186
    Stopping a manual scan .................................................. 186
    Viewing manual scan results ............................................. 186
About scheduling a scan ..................................................... 187
    Creating a scheduled scan ............................................... 187
    Editing a scheduled scan ................................................ 187
    Configuring scheduled scan options ...................................... 188
    Enabling a scheduled scan ............................................... 192
    Deleting a scheduled scan ............................................... 192
Configuring notification settings for scan violations ....................... 193

Chapter 10 Managing outbreaks ............................................... 194
About outbreak management ................................................... 194
    About the criteria that defines an outbreak ............................. 195
    About outbreak triggers ................................................. 197
    Best practices for managing outbreak conditions on Exchange 2010 mailbox server ... 197
Enabling outbreak management ................................................ 198
Configuring outbreak triggers ............................................... 198
Configuring outbreak notifications .......................................... 200
Clearing outbreak notifications ............................................. 203

Chapter 11 Logging events and generating reports ............................ 204
About logging events ........................................................ 204
    Viewing the Mail Security Event log ..................................... 205
    Specifying the duration for storing data in the Reports database ........ 207
    Purging the Reports database ............................................ 208
    About logging performance counters to the MMC Performance console ....... 208
About generating reports .................................................... 209
About report templates ...................................................... 210
    About report output formats ............................................. 211
    Creating or modifying a Summary report template ......................... 211
    Creating or modifying a Detailed report template ........................ 216
    Deleting a report template .............................................. 219
Managing reports ............................................................ 220
    Configuring the initial setup of the report consolidation feature ....... 220
    Generating a consolidated report ........................................ 221
    Scheduling a consolidated report ........................................ 222
    Generating a report on demand ........................................... 225
    Accessing a report ...................................................... 225
    Printing a report ....................................................... 227
    Saving report data ...................................................... 228
    Deleting a report ....................................................... 228
    Resetting statistics .................................................... 229

Chapter 12 Keeping your product up to date .................................. 230
Monitoring your version support status ...................................... 230
About keeping your server protected ......................................... 231
    About setting up your own LiveUpdate server ............................. 233
    Configuring a proxy server to permit LiveUpdate definitions ............. 233
    Configuring a proxy server to permit rapid release definitions .......... 234
Updating definitions ........................................................ 235
    Updating definitions on demand .......................................... 235
    Scheduling definition updates ........................................... 235
About enhancing performance when you update definitions on Exchange 2010 mailbox server ... 236
About alert notifications for out-of-date virus definitions ................. 237

Appendix A Using variables to customize alerts and notifications ............ 239
Alert and notification variables ............................................ 239

Appendix B Troubleshooting .................................................. 241
Why a file triggers the Unscannable File Rule ............................... 241
Reducing the incidence of malformed MIME false positives .................... 243
Common error messages ....................................................... 244
Resolving installation issues ............................................... 246
Resolving consolidated report issues ........................................ 248
About the Symantec Help utility ............................................. 249
LiveUpdate fails to update the definitions .................................. 250
Troubleshooting the missing performance counters in SCOM .................... 250

Index ....................................................................... 251


Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange
This chapter includes the following topics:

■ About Symantec Mail Security for Microsoft Exchange

■ What's new in Mail Security 7.9.1

■ Components of Mail Security

■ How Mail Security works

■ What you can do with Mail Security

■ Where to get more information about Mail Security

About Symantec Mail Security for Microsoft Exchange


Symantec™ Mail Security for Microsoft® Exchange (Mail Security) provides a complete,
customizable, and scalable solution that scans the emails that transit or reside on the Microsoft
Exchange Server.
Mail Security protects your Exchange server from the following:
■ Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)
■ Security risks (such as adware and spyware)
■ Unwanted content
■ Unwanted file attachments
■ Unsolicited email messages (spam)
Introducing Symantec Mail Security for Microsoft Exchange 13
What's new in Mail Security 7.9.1


Mail Security also lets you manage the protection of one or more Exchange servers from a
single console.
See “What you can do with Mail Security” on page 15.
The Exchange environment is only one avenue by which a threat or a security risk can penetrate
a network. For complete protection, ensure that every computer and workstation is protected
by an antivirus solution.
See “About using Mail Security with other antivirus products” on page 48.

What's new in Mail Security 7.9.1


Table 1-1 lists the new and the enhanced features in Mail Security.

Table 1-1 New or enhanced features in 7.9.1

Feature: Mailbox database level selection in manual and scheduled scan
Description: Now, you can select the mailbox database level in manual and scheduled scans.

Feature: Support for Microsoft Exchange 2019
Description: Symantec Mail Security for Microsoft Exchange now supports Microsoft Exchange 2019.

Feature: Exchange transport submission queue manager
Description: Now, you can monitor the Exchange transport submission queue. You can monitor
the queue by configuring the queue size. When the queue reaches 90% of the configured size,
emails are skipped from scanning.
See “About transport submission queue monitor” on page 74.

Feature: Support for Microsoft System Center Operations Manager (SCOM) 2016
Description: Mail Security for Microsoft Exchange Management Pack lets you integrate Symantec
Mail Security for Microsoft Exchange events with SCOM 2016.

Components of Mail Security


Symantec Mail Security for Microsoft Exchange
This software protects your Exchange servers from threats (such as viruses and
denial-of-service attacks) and security risks (such as adware and spyware). It also detects
spam email messages and unwanted email attachments.
Location in the installation package: \SMSMSE\Install\

LiveUpdate™ Administration Utility
This utility lets you configure one or more intranet FTP, HTTP, or LAN servers to act as internal
LiveUpdate servers. LiveUpdate lets Symantec products download program and definition file
updates directly from Symantec or from a LiveUpdate server.
For more information, see the LiveUpdate Administrator documentation on the Mail Security
installation package in the following location:
https://support.symantec.com/en_US/article.TECH134809.html

Symantec Central Quarantine
This utility lets Mail Security forward infected messages and the messages that contain certain
types of violations from the local quarantine to the Central Quarantine. This utility acts as a
central repository.
For more information, see the Symantec Central Quarantine Administrator's Guide on the Mail
Security installation package at the following location:
\DOCS\DIS\CentQuar.pdf
Location in the installation package: \ADMTOOLS\DIS

Mail Security for Microsoft Exchange Management Pack
This component lets you integrate Symantec Mail Security for Microsoft Exchange events with
Microsoft System Center Operations Manager (SCOM) 2007 R2/2012.
Preconfigured Computer Groups, Rule Groups/Rules, and Providers are automatically created
when you import the management pack. These rules monitor specific Symantec Mail Security
for Microsoft Exchange events in the Windows Event Log and the Windows Performance
Monitor.
For more information, see the Symantec Mail Security for Microsoft Exchange Management
Pack.
Location in the installation package: \ADMTOOLS\Mgmt_Pack

How Mail Security works


Mail Security can scan messages and their attachments to detect the following:
■ Risks
  Risks comprise threats and security risks.
  ■ Threats
    Threats include viruses, worms, and Trojan horses.
    See “Configuring a threat detection” on page 89.
  ■ Security risks
    Security risks include adware, spyware, and malware.
    See “Configuring a security risk detection” on page 92.
■ Spam
  See “About spam detection” on page 105.
■ Email attachment violations
  See “About file type filtering” on page 123.
  See “Blocking attachments by file name” on page 151.
■ Content filtering rule violations
  See “About content and file filtering” on page 121.
Mail Security takes the actions that you specify in the respective policies when a violation is
detected.
See “About Mail Security policies” on page 87.
Mail Security contains a decomposer that extracts container files so that they can be scanned.
The decomposer continues to extract container files until it reaches the base file or until it
reaches its extraction limit. If the decomposer reaches the set limit before the base file is
reached, the scanning process stops. Mail Security then logs the violation to the specified
logging destinations, and the file is handled according to the Unscannable File Rule.
See “Configuring rules to address unscannable and encrypted files” on page 96.
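The decomposer behaviour described above, as an added example that is not Symantec's code: a small Python routine that unpacks nested zip containers until it reaches a base file or a hypothetical extraction limit, scans each base file with the EICAR test string standing in for a signature database, and reports the whole item as unscannable when the limit is hit so that an Unscannable File Rule can act on it. The depth limit, the per-member size limit, the function names and the nested-zip sample input are all constructed for this example and are not values from the guide.

```python
import io
import zipfile

# Assumed limits for this example. The product's real limits are set under
# "Configuring file scanning limits"; these numbers are not taken from the guide.
MAX_CONTAINER_DEPTH = 3              # how many nested containers we are willing to open
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate a member that declares more than this

# EICAR test string: the industry-standard harmless detection sample, used here
# in place of a real signature database.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_base_file(name: str, data: bytes) -> dict:
    """Signature check on a fully extracted base file (stand-in for the AV engine)."""
    return {"name": name, "infected": EICAR in data}


def decompose(name: str, data: bytes, depth: int = 0,
              max_depth: int = MAX_CONTAINER_DEPTH,
              max_member_bytes: int = MAX_MEMBER_BYTES) -> dict:
    """Unpack zip containers recursively until a base file or the limit is reached.

    Returns {"status": "scanned", "results": [...]} when every base file was
    scanned, or {"status": "unscannable", "reason": ...} when an extraction
    limit was hit first. In the latter case scanning stops for the whole item,
    matching the documented behaviour, and the caller's Unscannable File Rule
    decides what happens to it.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Base file reached: hand it to the scanner.
        return {"status": "scanned", "results": [scan_base_file(name, data)]}
    if depth >= max_depth:
        return {"status": "unscannable",
                "reason": f"extraction limit {max_depth} reached at {name}"}
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            if member.file_size > max_member_bytes:
                # Declared size is checked before inflating, so a decompression
                # bomb is refused rather than expanded in memory.
                return {"status": "unscannable",
                        "reason": f"member {member.filename} declares {member.file_size} bytes"}
            inner = decompose(member.filename, zf.read(member), depth + 1,
                              max_depth, max_member_bytes)
            if inner["status"] == "unscannable":
                return inner
            results.extend(inner["results"])
    return {"status": "scanned", "results": results}


def build_nested_zip(levels: int, base_name: str = "base.txt",
                     payload: bytes = b"plain text") -> bytes:
    """Constructed sample input: `levels` zip containers wrapped around one base file."""
    data, name = payload, base_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{levels - i}.zip"
    return data


if __name__ == "__main__":
    for levels in (2, 3, 4):
        print(levels, "levels:", decompose("attachment.zip", build_nested_zip(levels)))
    print("eicar:", decompose("sample.zip", build_nested_zip(1, "eicar.com", EICAR)))
```

With a limit of 3, a zip nested three deep is fully scanned and a four-deep one comes back unscannable; the point of the outcome is that an item the decomposer could not finish is never treated as clean. Deep nesting and oversized members are exactly how a hostile attachment tries to make a scanner give up, so the policy attached to the Unscannable File Rule (quarantine, delete, or deliver with a tag) is a deliberate choice rather than a default pass-through.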

What you can do with Mail Security


Table 1-2 lists the tasks that you can perform with Mail Security.

Table 1-2 What you can do with Mail Security

Task Description

Manage your Exchange You can configure Mail Security for Microsoft Exchange to scan email
environment by using messages and their attachments for threats such as viruses, Trojan horses,
policies adware, spyware, and spam. You can define policies to detect potential
risks to your Microsoft Exchange email system and process email messages
and attachments that contain threats.

See “About Mail Security policies” on page 87.


Introducing Symantec Mail Security for Microsoft Exchange 16
What you can do with Mail Security

Table 1-2 What you can do with Mail Security (continued)

Task Description

Scan your Exchange server You can keep your server protected by performing any of the following
for risks and violations types of scans:

■ Auto-Protect scans
■ Manual scans
■ Scheduled scans
■ Background scans (for Exchange Server 2010 only)

See “About the types of scanning that you can perform” on page 170.

Protect against threats Symantec engineers track reported outbreaks of threats (such as viruses,
Trojan horses, and worms) to identify new risks. After a threat is identified,
information about the threat (a signature) is stored in a definition file. This
file contains information to detect and eliminate the threat. When Mail
Security scans for threats, it searches for these signatures. Definition files
are downloaded using LiveUpdate or Rapid Release.

See “About keeping your server protected” on page 231.

Mail Security also uses Symantec Bloodhound heuristics technology to


scan for threats for which no known definitions exist. Bloodhound heuristics
technology scans for unusual behaviors such as self-replication to target
potentially infected message bodies and attachments.

See “Configuring a threat detection” on page 89.

Keep your protection Mail Security relies on up-to-date information to detect and eliminate risks.
up-to-date One of the most common reasons computers are vulnerable to attacks is
that definition files are out-of-date. Symantec regularly supplies updated
definition files.

Using LiveUpdate, Mail Security connects to a Symantec server over the


Internet and automatically determines if definitions need to be updated. If
they do, the definition files are downloaded to the proper location and
installed. If you need a quicker response for emerging threats, you can
enable Rapid Release to get the most current definitions that are available.

See “About keeping your server protected” on page 231.

See “About using Mail Security with other antivirus products” on page 48.
Note: You must have a valid license to update definitions.

See “About licensing” on page 52.


Introducing Symantec Mail Security for Microsoft Exchange 17
What you can do with Mail Security

Table 1-2 What you can do with Mail Security (continued)

Task Description

Identify spam email
Spam is unsolicited bulk email, which most often advertises a product or
service. It wastes productivity, time, and network bandwidth.

Symantec Premium AntiSpam provides continuous updates to the premium antispam
filters to ensure that your Exchange server has the most current spam
detection filters.

See “How to detect spam using Symantec Premium AntiSpam” on page 107.

See “Configuring whitelists” on page 106.

You must have a valid Symantec Premium AntiSpam license to enable Symantec
Premium AntiSpam.

See “About licensing” on page 52.

Filter undesirable message content and attachments
Mail Security lets you create filtering rules that filter email messages and
attachments. Mail Security provides predefined file name and file type
filtering rules that you can use to enforce email attachment policies. Mail
Security uses match lists to filter email messages and attachments for
specific words, terms, and phrases. Mail Security also provides predefined
content filtering policy templates that help prevent data leakage.

See “About content and file filtering” on page 121.

Apply X-headers to messages for archiving
Mail Security provides default X-headers that you can apply to the email
messages that contain filtering rule violations or are spam or suspected
spam. You can modify the default X-headers, or you can create your own.

See “About applying X-headers to messages for archiving” on page 119.



Manage outbreaks
An outbreak occurs when the number of threats to the Microsoft Exchange
system that are detected over a period of time exceeds a specified limit.
Mail Security lets you manage outbreaks quickly and effectively by setting
outbreak rules and sending notifications when an outbreak is detected. You
can also select an action to take when an outbreak is detected, such as the
following:

■ Delete the entire message.
■ Delete the attachment or the message body.
■ Quarantine the entire message and replace it with text.
■ Quarantine the attachment or the message body.
■ Log the event.
■ Add a tag to the beginning of the subject line.

You can set rules that define an outbreak based on events; for example, the
same threat occurs a specified number of times within a specified time
period. You can also configure Mail Security to send notifications and alerts
when an outbreak occurs.

See “About outbreak management” on page 194.

Quarantine infected message bodies and attachments
Mail Security for Microsoft Exchange includes a local quarantine that stores
the infected message bodies and attachments that are detected during scans.
You can configure Mail Security to quarantine threats, security risks, and
file filtering violations in the local quarantine.

Quarantined items that contain threats can be forwarded to Symantec Central
Quarantine, if it is installed. The Symantec Central Quarantine program is
included in the Mail Security installation package.

You can quarantine the entire message or only parts of it.

See “About the quarantine” on page 76.



Monitor Mail Security events
Mail Security logs events to the Windows Application event log. You can view
the events that are logged to the Windows Application event log from the
console.

See “Viewing the Mail Security Event log” on page 205.

Mail Security logs extensive report data on threats, security risks,
violations, spam, and server information to the reports database. You can use
this data to generate summary or detailed reports based on different subsets
of the data.

See “About logging events” on page 204.

See “Creating or modifying a Summary report template” on page 211.

See “Creating or modifying a Detailed report template” on page 216.

Generate reports
Mail Security collects scan data from your Exchange servers and generates
reports.

Mail Security provides preconfigured report templates that you can modify. You
can also create your own report templates. You can create the following types
of report templates:

■ Summary
■ Detailed

See “About generating reports” on page 209.

Send notifications when a threat or violation is detected
Mail Security provides several options for notifying administrators, internal
senders, and email recipients of threats and violations.

Mail Security lets you define the conditions in which to send an alert. You
can also customize the alert message text for each alert condition that you
define.

See “Configuring rules to address unscannable and encrypted files” on page 96.

See “Configuring a threat detection” on page 89.

See “Specifying whom to notify if a filtering rule is violated” on page 131.

See “About enforcing email attachment policies” on page 151.

See “Configuring notification settings for scan violations” on page 193.



Manage single and multiple Exchange servers
Mail Security can protect one or more Exchange servers. If your organization
has multiple Exchange servers, you can manage all the servers from the same
console that you use to manage a single server. By switching between the
server view and the group view, you can manage the following:

■ Configuration settings for individual servers
■ All servers in a specific location

See “About managing your Exchange servers” on page 58.

Where to get more information about Mail Security

Mail Security includes a comprehensive Help system that contains conceptual, procedural,
and context-sensitive information.
Press F1 to access information about the page on which you work. Start typing in the search
box to search for the desired content.
You can visit the Symantec website for more information about your product; the following
online resources are available:
■ Provides access to the Technical Support knowledge base, newsgroups, contact
information, downloads, and mailing list subscriptions
www.symantec.com/techsupp/ent/enterprise.html
■ Provides information about registration, frequently asked questions, how to respond
to error messages, and how to contact Symantec License Administration
www.symantec.com/products-solutions/licensing/
■ Provides product news and updates
www.symantec.com/enterprise/index.jsp
■ Provides access to the Threat Explorer, which contains information about all known
threats
www.symantec.com/enterprise/security_response/threatexplorer/azlisting.jsp
Chapter 2
Installing Symantec Mail
Security for Microsoft
Exchange
This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing Symantec Mail Security for Microsoft Exchange

■ Post-installation tasks

■ Uninstalling Symantec Mail Security for Microsoft Exchange

Before you install

Ensure that you meet all system requirements before you install Mail Security. Select the
installation plan that best matches your organization's needs, and ensure that you have met
the preinstallation requirements.
See “System requirements” on page 28.
See “Installing Symantec Mail Security for Microsoft Exchange” on page 31.
See “Uninstalling Symantec Mail Security for Microsoft Exchange” on page 51.
Installing Symantec Mail Security for Microsoft Exchange 22
Before you install

Note: The Symantec Mail Security for Microsoft Exchange console connects only to a server
of the same version.

You must uninstall and reinstall the product if you change the role of the server on which
Mail Security is installed.
Do the following before you install the product:
■ If you use the optional email tools feature of Symantec Endpoint Protection or Symantec
AntiVirus Corporate Edition, you must uninstall the feature before you install Mail Security.
These email tools are not compatible with Mail Security or Microsoft Exchange.
■ If you have any antivirus software installed on the server, you must disable it before you
install Mail Security. After installation, but before you turn the other antivirus protection
back on, configure it to exclude the Mail Security quarantine and temporary folders from
scanning.
See “About using Mail Security with other antivirus products” on page 48.
■ If a malware agent is installed on the server (Exchange Server 2013/2016/2019) on which
you want to install Mail Security, you must disable it.

Note: The Mail Security installer disables the Microsoft Exchange malware agent during
installation. If the installer fails to disable the malware agent, disable it manually after the
installation. Mail Security may not function properly if any other malware agent is enabled,
so make sure that the malware agent is disabled before you use Mail Security.

■ Log on as a Windows domain administrator to install Mail Security components correctly.
See “Software component locations” on page 23.
■ Set your screen resolution to a minimum of 1024 x 768. Mail Security does not support
a resolution lower than 1024 x 768.
■ Configure the default receive connector for the Exchange Hub Transport server to permit
connections from anonymous users. The Anonymous users permission group allows
unauthenticated SMTP sessions to submit mail for your accepted domains; it does not by
itself grant relay rights, so this setting does not make the server an open relay.
When you install Symantec Mail Security on the Exchange mailbox role, the installer needs a
domain user account under which the Mail Security services run. Before you run the installer,
create a domain user account that fulfills the following criteria:
■ The domain account must have a mailbox.
■ The domain account must not be a member of the Domain Admins group.
■ The domain account must be a member of the Organization Management group under the
Microsoft Exchange Security Groups organizational unit.
■ By default, the Organization Management group is a member of the local Administrators
group on all the Exchange servers in the organization. If it is not, add the account to the
local Administrators group.
■ You may use a different account for each Mail Security installation on the other Exchange
mailbox servers in the domain for better performance.
■ When the account's password changes, the same new password must be supplied to the
Mail Security service on every Exchange mailbox role server; otherwise the service fails to
log on on the servers that still hold the old password.

Note: When you install Mail Security on the local Exchange mailbox server, in the Logon
Information screen, specify the domain user credentials in the User name and Password fields.
Mail Security grants this account the Application Impersonation role and the Log on as a
service right. Application Impersonation lets the account act as any mailbox user in its scope,
so protect its credentials as you would an administrator's.
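The account requirements above, scripted as an added example (this is not code from the Symantec guide). It assumes an Exchange Management Shell with the ActiveDirectory module available; the account name svc-smsmse, the UPN suffix, the OU and the server names are placeholders, and the local-group check needs Windows Server 2016 or later on the remote hosts.

```powershell
# Added example (not from the Symantec guide): create and validate the domain account
# that runs the Mail Security services on mailbox role servers. Run in an Exchange
# Management Shell with the ActiveDirectory module available. The account name, UPN
# suffix, OU and server names are placeholders.
Import-Module ActiveDirectory

$Sam      = 'svc-smsmse'                                   # hypothetical service account
$Upn      = "$Sam@corp.example"                            # hypothetical UPN
$OrgUnit  = 'OU=Service Accounts,DC=corp,DC=example'       # hypothetical OU
$Servers  = @('EXMBX01', 'EXMBX02')                        # hypothetical mailbox role servers
$Password = Read-Host -AsSecureString -Prompt "Password for $Sam"

# 1. The account must have a mailbox. New-Mailbox creates the AD user and the mailbox
#    in one step; Enable-Mailbox covers a pre-existing user without one.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    New-Mailbox -Name $Sam -UserPrincipalName $Upn -OrganizationalUnit $OrgUnit `
        -Password $Password -ResetPasswordOnNextLogon $false | Out-Null
} elseif (-not (Get-Mailbox -Identity $Sam -ErrorAction SilentlyContinue)) {
    Enable-Mailbox -Identity $Sam | Out-Null
}

# 2. Organization Management is required; Domain Admins is forbidden. The recursive
#    lookup catches membership inherited through nested groups, which a plain
#    MemberOf check would miss.
Add-ADGroupMember -Identity 'Organization Management' -Members $Sam
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $Sam) {
    throw "$Sam is (directly or by nesting) a Domain Admin; use a non-admin service account."
}

# 3. Organization Management is normally in the local Administrators group on each
#    Exchange server. Check, and add the account directly where it is not.
#    Get-LocalGroupMember needs Windows Server 2016 or later on the remote host.
$netbios = (Get-ADDomain).NetBIOSName
foreach ($server in $Servers) {
    $admins = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    if ($admins -notcontains "$netbios\$Sam" -and $admins -notcontains "$netbios\Organization Management") {
        Invoke-Command -ComputerName $server -ArgumentList "$netbios\$Sam" -ScriptBlock {
            param($member) Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
        Write-Output "Added $netbios\$Sam to local Administrators on $server"
    }
}
# The installer grants this account ApplicationImpersonation and Log on as a service.
# ApplicationImpersonation lets it read and send as any mailbox in scope, so rotate
# the password through the Mail Security service on every server at the same time.
```

The Domain Admins check is deliberately recursive: a service account that lands in a privileged group through nesting is the case that a quick look at its direct group membership misses.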

Ensure that the following IIS role service components are installed when you install Mail
Security on Windows Server 2008 for Exchange servers. This requirement applies to both
remote installation and local installation.
■ Application Development - ASP.NET
■ Security - Windows Authentication, Basic Authentication, Digest Authentication
■ Management Tools - IIS management console, IIS 6 Scripting Tools
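A readiness check for the pre-installation items above (IIS role services, .NET 3.5, the Exchange malware agent and the anonymous receive connector), added here as an example and not taken from the Symantec guide. It assumes an elevated Exchange Management Shell on the target server and the ServerManager module; the Windows feature names are the standard ServerManager identifiers.

```powershell
# Added example (not from the Symantec guide): pre-install readiness check covering
# the items in the list above. Run in an elevated Exchange Management Shell on the
# target server. Feature names are the Windows Server ServerManager names.
Import-Module ServerManager

$problems = @()

# IIS role services and .NET 3.5 by Windows feature name.
$required = @(
    'NET-Framework-Core',     # .NET Framework 3.5
    'Web-Asp-Net',            # Application Development - ASP.NET
    'Web-Windows-Auth', 'Web-Basic-Auth', 'Web-Digest-Auth',   # Security
    'Web-Mgmt-Console',       # Management Tools - IIS management console
    'Web-Lgcy-Scripting'      # Management Tools - IIS 6 Scripting Tools
)
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    $problems += "Missing Windows features: $(($missing | ForEach-Object { $_.Name }) -join ', ')"
}

if ($PSVersionTable.PSVersion.Major -lt 2) { $problems += 'Windows PowerShell 2.0 or later is required.' }

# Exchange 2013/2016/2019 ship a built-in malware transport agent. The installer tries to
# disable it; verify, and report the command if it is still on.
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Malware Agent' }
if ($agent -and $agent.Enabled) {
    $problems += "Transport agent 'Malware Agent' is enabled. Disable it with " +
                 "Disable-TransportAgent -Identity 'Malware Agent' and restart the Transport service."
}

# The default receive connector on port 25 must permit anonymous connections.
# AnonymousUsers grants SMTP submission to local recipients only; it does not grant
# ms-Exch-SMTP-Accept-Any-Recipient, so it does not create an open relay.
$port25 = Get-ReceiveConnector -Server $env:COMPUTERNAME |
          Where-Object { $_.Name -like 'Default*' -and (($_.Bindings | ForEach-Object { $_.Port }) -contains 25) }
if (-not $port25) { $problems += 'No default receive connector bound to port 25 was found.' }
foreach ($rc in $port25) {
    if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') {
        $problems += "Receive connector '$($rc.Name)' does not permit anonymous users " +
                     "(add AnonymousUsers to its PermissionGroups with Set-ReceiveConnector)."
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Pre-install checks passed.'
```

The script reports rather than fixes the receive connector: adding a permission group with Set-ReceiveConnector replaces the whole list, so do that by hand with the existing groups in view.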

Software component locations

Table 2-1 lists the default locations in which Mail Security installs software components.

Table 2-1 Software component locations

Component: Location

Mail Security program files:
C:\Program Files\Symantec\SMSMSE\7.9\Server

Quarantined items, in encrypted format:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Quarantine
Note: Configure all antivirus file system scanners to exclude the quarantine directory from
scanning. The system scanners might try to scan and delete the Mail Security files that are
placed in the quarantine directory.

Reporting data:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Reports

Data files for the reports that are generated:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Reports\<report name>

Report templates:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Reports\Templates

Match list files:
C:\Program Files\Symantec\SMSMSE\7.9\Server\MatchLists

Allowed senders files and Symantec Premium AntiSpam configuration files:
C:\Program Files\Symantec\SMSMSE\7.9\Server\SpamPrevention

Location where Mail Security scans items:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Temp
Note: Configure all antivirus products that scan files to exclude the Temp directory from
scanning. The system scanners might try to scan and delete the Mail Security files that are
placed in the Temp directory during the scanning process.

Dynamic-link libraries for Symantec Premium AntiSpam:
C:\Program Files\Symantec\SMSMSE\7.9\Server\bin

Manual and scheduled scan mailbox configuration data:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Config

Configuration files for allowed and blocked senders for Symantec Premium AntiSpam:
C:\Program Files\Symantec\SMSMSE\7.9\Server\etc

Component logs for Symantec Premium AntiSpam:
C:\Program Files\Symantec\SMSMSE\7.9\Server\logs

Statistical information on the effectiveness of Symantec Premium AntiSpam rules:
C:\Program Files\Symantec\SMSMSE\7.9\Server\stats

Console files:
C:\Program Files\Symantec\CMaF\2.3

Definitions:
C:\Program Files\Symantec\SMSMSE\7.9\Server\definitions\AntiVirus\

License files:
■ C:\ProgramData\Symantec Shared\Licenses
Note: This license file location applies only to Windows Server 2008.
■ C:\Program Files\Common Files\Symantec Shared\Licenses

Verity content extraction component:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Verity\bin

Mail Security Web service components:
C:\Program Files\Symantec\CMaF\2.3\bin

Filtering rules:
C:\Program Files\Symantec\SMSMSE\7.9\Server\Policies

Scan job configuration:
C:\Program Files\Symantec\SMSMSE\7.9\Server\ScanJobs

See “Before you install” on page 21.
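The two scanner exclusions that Table 2-1 calls for, plus the upgrade-time quarantine directory that the local-server installation procedure later in this chapter mentions, as an added example that is not part of the Symantec guide. Windows Defender on Windows Server 2016/2019 stands in for "any antivirus file system scanner"; the install root is the Table 2-1 default, and the ACL check at the end is an added compensating control, not something the guide requires.

```powershell
# Added example (not from the Symantec guide): exclude the directories that Table 2-1
# flags from file-system antivirus scanning, then check that the exclusion is the only
# relaxation those folders get. Windows Defender on Server 2016/2019 is used as the
# illustrative scanner; other products take the same paths in their own console.
# The install root is the default from Table 2-1; change it if you installed elsewhere.
$serverRoot = 'C:\Program Files\Symantec\SMSMSE\7.9\Server'

$exclusions = @(
    (Join-Path $serverRoot 'Quarantine'),   # encrypted quarantined items
    (Join-Path $serverRoot 'Temp'),         # where messages are unpacked and scanned
    'C:\Program Files\Symantec\SMSMSEServerUpgradeTemp\Quarantine'   # quarantine retained during an upgrade
)

# Exclude exactly these folders, never the whole Symantec tree: an excluded directory is
# a blind spot, and these already hold known malicious content by design.
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($path in $exclusions) {
        if ($current -notcontains $path) { Add-MpPreference -ExclusionPath $path }
    }
    Write-Output "Defender exclusions now: $((Get-MpPreference).ExclusionPath -join '; ')"
}

# Compensating check: because the scanner no longer looks here, nobody but administrators
# and the service account should be able to write into these folders.
foreach ($path in $exclusions) {
    if (-not (Test-Path $path)) { continue }
    $weak = (Get-Acl $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$' -and
        "$($_.FileSystemRights)" -match 'Write|Modify|FullControl'
    }
    if ($weak) {
        Write-Warning "$path is excluded from scanning but writable by: $(($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', ')"
    }
}
```

Quarantine content is stored encrypted, so a scanner that reaches the folder sees only the container; the Temp folder is where the risk lives, because messages are unpacked there in the clear during scanning, and a second scanner deleting files mid-scan breaks Mail Security rather than adding protection.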

About security and access permissions

Mail Security automatically creates the following user groups and assigns them access when
you install the product:

SMSMSE Admins
Permits read and write access to all Mail Security components and features. Users in this
group can change settings for Mail Security through the console. The user who installs Mail
Security is automatically added to the SMSMSE Admins group.

SMSMSE Viewers
Permits read-only access to Mail Security components and features. Users in this group
cannot change settings for Mail Security. Users can view reports, event logs, and settings
through console-only installations.
See “Installing the Mail Security console” on page 36.

The user groups are domain-wide for Active Directory. You can use the Active Directory Users
and Computers Microsoft Management Console (MMC) snap-in to change membership in the
groups.
Users must be designated in one of the SMSMSE user groups to access the product. For
example, administrators who are not in one of the SMSMSE user groups are not granted
access to Mail Security. Adding a user to the SMSMSE Admins group does not automatically
grant the user Windows Local Administrator, Windows Domain Administrator, or Exchange
administrator rights. Conversely, membership in SMSMSE Admins is what decides who can
change the mail filtering and quarantine policy on every managed server, so review that
group's membership as you would any other privileged group.
Security is also set for the Mail Security registry key and file folders during the security set-up
process. You must have administrator access to the local servers and domain administrator
rights for the security set-up to proceed.
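A membership review for the two groups, added here as an example (not from the Symantec guide). It assumes the ActiveDirectory module and a caller who can read group membership; the 90-day staleness window is an assumed policy value.

```powershell
# Added example (not from the Symantec guide): review who holds SMSMSE Admins and
# SMSMSE Viewers membership. Requires the ActiveDirectory module; run as a user who
# can read group membership. The 90-day staleness window is an assumed policy value.
Import-Module ActiveDirectory

function Get-SmsmseAccessReport {
    param([int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Recursive expansion so nested-group members and Domain Admins by nesting are seen.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                    Select-Object -ExpandProperty SamAccountName

    foreach ($group in 'SMSMSE Admins', 'SMSMSE Viewers') {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.SamAccountName -Properties Enabled, LastLogonDate
                [pscustomobject]@{
                    Group         = $group
                    Account       = $u.SamAccountName
                    Enabled       = $u.Enabled
                    LastLogonDate = $u.LastLogonDate
                    Stale         = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
                    IsDomainAdmin = $domainAdmins -contains $u.SamAccountName
                }
            }
    }
}

$report = Get-SmsmseAccessReport
$report | Format-Table -AutoSize

# Findings worth acting on: disabled or stale accounts still able to change filtering
# policy, and identities that combine SMSMSE Admins with Domain Admins, where one stolen
# credential yields both the directory and the mail security configuration.
$report | Where-Object { $_.Group -eq 'SMSMSE Admins' -and (-not $_.Enabled -or $_.Stale -or $_.IsDomainAdmin) } |
    ForEach-Object { Write-Warning "Review $($_.Account): enabled=$($_.Enabled) stale=$($_.Stale) domainAdmin=$($_.IsDomainAdmin)" }
```

The installing user is added to SMSMSE Admins automatically, so the first account this report usually surfaces is the one that ran Setup.exe.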

Reducing Mail Security installation time

If your system has no Internet connection, installing Mail Security may take a long time to
complete. The installer verifies the certificate revocation list (CRL) of the digital certificate on
every signed binary that it installs. When the server is not connected to the Internet, each CRL
request must time out before the installation can continue, and the delay adds up across the
many binaries in the package.
The procedure below turns off publisher revocation checking for the duration of the installation.
Revocation checking is part of Authenticode signature validation, so turn it back on as soon as
the installation finishes (step 5); while it is off, a signature from a revoked certificate is
accepted as valid.
For more information see:
http://www.symantec.com/business/support/index?page=content&id=TECH168751
For more information see: http://msdn.microsoft.com/en-us/library/bb629393.aspx
To reduce Mail Security installation time

1 Start Internet Explorer.
2 On the Tools menu, click Internet Options.
3 Click the Advanced tab, and then locate the Security section.
4 Uncheck Check for publisher’s certificate revocation, and then click OK.
5 After the installation is complete, check Check for publisher’s certificate revocation again.

Note: The Check for publisher's certificate revocation option is set on a per-account basis;
change it under the account that runs the installer.
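The same procedure scripted so that revocation checking is restored even when Setup.exe fails or is interrupted, as an added example that is not part of the Symantec guide. It assumes that the registry value shown is the one the Internet Options checkbox writes (per user, hence HKCU) and that the two State values match that checkbox; confirm both on your build by toggling the checkbox and reading the value back. The Setup.exe path is a placeholder for the extracted package.

```powershell
# Added example (not from the Symantec guide): the procedure above, scripted so that
# revocation checking is restored even if Setup.exe fails or is interrupted.
# Assumptions: the registry value is the one the Internet Options checkbox writes
# (per user, hence HKCU); the two State values are taken from the usual documentation
# of that checkbox and should be confirmed on your build by toggling it and reading the
# value back. The Setup.exe path is a placeholder for the extracted package.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$setup    = 'D:\SMSMSE\Install\Setup.exe'
$checkOff = 0x23C00   # "Check for publisher's certificate revocation" cleared
$checkOn  = 0x23E00   # "Check for publisher's certificate revocation" set

# Validate the installer's Authenticode signature while revocation checking is still on;
# once it is off, a binary signed with a revoked certificate would also pass.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid') { throw "Refusing to run ${setup}: signature status is $($sig.Status)" }
Write-Output "Signer: $($sig.SignerCertificate.Subject)"

$original = (Get-ItemProperty -Path $key -Name State).State
try {
    Set-ItemProperty -Path $key -Name State -Value $checkOff -Type DWord
    $proc = Start-Process -FilePath $setup -Wait -PassThru
    Write-Output "Setup.exe exit code: $($proc.ExitCode)"
}
finally {
    # Runs on success, on an exception, and on Ctrl+C; restores whatever was there before.
    Set-ItemProperty -Path $key -Name State -Value $original -Type DWord
    if ((Get-ItemProperty -Path $key -Name State).State -ne $checkOn) {
        Write-Warning 'Publisher revocation checking is not enabled for this account; re-enable it in Internet Options.'
    }
}
```

Restoring the previous value rather than forcing the "on" value keeps the script from silently changing a setting it did not own; the closing warning catches the case where the account already had checking disabled before the installation started.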

See “Before you install” on page 21.


See “Installing Symantec Mail Security for Microsoft Exchange” on page 31.

System requirements
Ensure that you meet the appropriate system requirements for the type of installation that you
want to perform.
See “Before you install” on page 21.
See “Server system requirements” on page 28.
See “Console system requirements” on page 29.
See “Port requirements” on page 30.
Mail Security supports various platforms of Microsoft Small Business Server. For the support
matrix information, go to the following article:
http://www.symantec.com/business/support/index?page=content&id=TECH97861

Server system requirements

You must have domain administrator-level privileges to install Mail Security.
The server system requirements are as follows:

Exchange platform
■ Exchange Server 2010 (Mailbox, Transport, Edge Role)
■ Exchange Server 2013 (Mailbox, Edge Role)
■ Exchange Server 2016 (Mailbox, Edge Role)
■ Exchange Server 2019 (Mailbox, Edge Role)

Minimum system requirements
■ 2 GB of memory for Mail Security in addition to the minimum requirements for the
operating system and Exchange; approximately 4 GB or more in total.
■ 4 GB of disk space for Mail Security. This space does not include the disk space that is
required for items such as quarantined messages and attachments, reports, and log data.
■ Microsoft .NET Framework 3.5 (the supported version) and Microsoft Windows PowerShell 2.0
■ MDAC 2.8 or higher
■ DirectX 9 or higher
■ Microsoft Internet Information Services (IIS) Manager
■ Microsoft ASP.NET 3.5 extension

Ensure that the .NET Framework, MDAC, and DirectX components are installed before you
install Mail Security.
Adobe Acrobat Reader is not a requirement to install and run Mail Security. However, it is
required to view the reports that are generated in .pdf format. You can download Adobe Acrobat
Reader from www.adobe.com. You must also have Internet Explorer 8.0 or later to view the
reports.
See “Installing Mail Security on a local server” on page 32.
See “Silently installing Mail Security using an automated installation tool” on page 42.
See “About installing Mail Security on remote servers” on page 38.

Console system requirements

You can install the Mail Security console on a computer on which Mail Security is not installed.
Table 2-2 describes the Mail Security console system requirements.

Table 2-2 Console system requirements

Operating system
Mail Security supports the following operating systems:
■ Windows Server 2008
■ Windows Server 2008 R2
■ Windows 7
■ Windows 8
■ Windows Server 2012
■ Windows 10
■ Windows Server 2016 Standard or Datacenter
■ Windows Server 2019 Standard or Datacenter
The Mail Security console supports 64-bit processors on all supported operating systems.

Memory
2 GB

Available disk space
2 GB. This requirement does not include the space that Mail Security requires for items such
as quarantined messages and attachments, reports, and log data.

.NET Framework
Version 3.5. Ensure that .NET Framework is installed before you install Mail Security.

Adobe Acrobat Reader is not a requirement to install and run the Mail Security console.
However, it is required to view the reports that are generated in .pdf format. You can download
Adobe Acrobat Reader from www.adobe.com. You must also have Internet Explorer 8.0 or
later to view the reports.
See “Installing the Mail Security console” on page 36.

Port requirements
Symantec Mail Security for Microsoft Exchange scans the SMTP mail traffic that passes through
Exchange servers on port 25. Mail Security does not interact with MAPI or any other mail
protocols, such as POP3 on port 110 or IMAP on port 143.
Some Mail Security components require certain ports for communication.
Table 2-3 lists the ports that Mail Security components use by default.

Table 2-3 Ports used by Mail Security components

Component                  Port   Process                      Purpose
Rapid Release Definitions  80     SAVFMSELive.exe              Frequent antivirus definition updates
Conduit                    443    Conduit.exe                  Continuous Premium AntiSpam updates
DEXL Service               8081   Process ID 0 or 4 (System)   Console communications
CmafReportSrv              58081  CmafReportSrv.exe            Reporting database

Note: If Symantec Premium AntiSpam is enabled, ensure that you open port 443 on the firewall
for bi-directional traffic to aztec.brightmail.com. If Symantec Premium AntiSpam is not licensed
and enabled, Mail Security does not initiate activity on port 443. Similarly, if the optional Rapid
Release feature is not enabled, Mail Security does not initiate activity on the Rapid Release
port listed in Table 2-3.

The port that is used for communication with the Mail Security console can be configured during
installation or at any time after the installation. You see activity on these ports only when you
use the console to administer a remote server.

Note: There are no port conflicts or incompatibility between Mail Security and Symantec
Endpoint Protection 11.x or the Symantec Endpoint Protection Manager.

See “Console system requirements” on page 29.

See “Server system requirements” on page 28.
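A check of the Table 2-3 listeners and of the outbound path that the note above requires, followed by a firewall rule that narrows the console port, added here as an example and not taken from the Symantec guide. It assumes Windows Server 2012 or later on the Mail Security server (for the NetTCPIP and NetSecurity cmdlets), the default ports 8081 and 58081, and a placeholder admin subnet and rule name.

```powershell
# Added example (not from the Symantec guide): verify the listeners from Table 2-3 and
# the outbound HTTPS path to the Premium AntiSpam service, then narrow the console port.
# Run on the Mail Security server (Windows Server 2012 or later for the NetTCPIP and
# NetSecurity cmdlets). 8081 and 58081 are the defaults; substitute your Web service port
# if you changed it during installation. The admin subnet and rule name are placeholders.

function Test-SmsmseListeners {
    $expected = @{ 8081 = 'DEXL service (console communications)'; 58081 = 'CmafReportSrv (reporting database)' }
    $listening = Get-NetTCPConnection -State Listen
    foreach ($port in $expected.Keys) {
        $conn = $listening | Where-Object { $_.LocalPort -eq $port } | Select-Object -First 1
        if (-not $conn) { Write-Warning "Port $port ($($expected[$port])) is not listening"; continue }
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Purpose = $expected[$port]
            Address = $conn.LocalAddress   # 0.0.0.0 or :: means every interface, so firewall scoping matters
            Process = if ($proc) { $proc.ProcessName } else { "PID $($conn.OwningProcess)" }   # PID 4 = System (http.sys)
        }
    }
}

function Test-SmsmseOutbound {
    # Only needed when Premium AntiSpam is licensed; the guide names this host for port 443.
    Test-NetConnection -ComputerName 'aztec.brightmail.com' -Port 443 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

Test-SmsmseListeners | Format-Table -AutoSize
Test-SmsmseOutbound

# Console traffic on the Web service port is unencrypted unless SSL is enabled. With the
# default inbound-block policy in place, and provided no broader allow rule for 8081
# exists, an allow rule scoped to the admin subnet is what limits who can reach it.
New-NetFirewallRule -DisplayName 'SMSMSE console 8081 from admin hosts' -Direction Inbound `
    -Protocol TCP -LocalPort 8081 -RemoteAddress '10.0.10.0/24' -Action Allow | Out-Null
```

If you changed the Web service port during installation, the listener check and the firewall rule must use that port; the reporting port 58081 is separate and is not affected by that choice.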

Installing Symantec Mail Security for Microsoft Exchange
Use any of the following installation procedures based on the type of installation that you want
to perform:

Local server
You can install or upgrade Mail Security on a local computer that is running the Microsoft
Exchange Server.
See “Installing Mail Security on a local server” on page 32.

Remote server
You can install Mail Security on remote servers through the product console.
See “About installing Mail Security on remote servers” on page 38.

Console
You can install the product console on a computer that is not running Mail Security. This way
you can manage your servers from any computer that has access to your Exchange servers.
See “Installing the Mail Security console” on page 36.

Silent/automated installation
You can install Mail Security using automated installation tools.
See “Silently installing Mail Security using an automated installation tool” on page 42.

Installing Mail Security on a local server

Ensure that you have met the system requirements before you begin the installation process.
See “System requirements” on page 28.

Note: Symantec automatically installs MSXML 6.0 during installation if the installer does not
detect this component.

To install Mail Security, you must:
■ Be logged on as a member of the Administrators group on the local computer.
■ Be logged on as a member of the Exchange Organization Management group (this privilege
is required to install the transport agents) on the local computer.
■ Have domain administrator privileges on the computer on which you want to install Mail
Security.
Computers must support 8dot3 formatted file names for all NTFS file systems.
To install Mail Security on a local server, do the following:
Begin the installation process
You can use the installation wizard to select the product installation folder location and the
type of installation that you want to perform.
You can choose to retain existing settings or use the new default settings if you upgrade
from a previous version of Mail Security.
When Mail Security detects a previous version of the product, it automatically uninstalls the
previous version and then installs the new version.
Note: If you choose to retain your existing settings, Mail Security saves the existing items
in the quarantine at the following temporary directory:

C:\Program Files\Symantec\SMSMSEServerUpgradeTemp\Quarantine

This temporary directory is typically not configured as an exclusion for the virus scanning
software. As a result, the virus scanning software detects and flags any viruses or security
threats in the quarantine. To avoid this situation, configure your virus scanning software to
exclude this temporary directory from scanning or delete all the items from the directory.

Configure additional setup options and confirm settings
You can specify whether you want to automatically restart the Exchange Transport Service
after installation. You can also specify the Web service set-up values, designate an email
notification address and SMTP server address, and review your setup configurations.

Install your licenses
You can install your licenses during installation.
See “About licensing” on page 52.
If you install a valid license, Mail Security lets you perform a LiveUpdate to obtain the most
current definitions.
See “About keeping your server protected” on page 231.

To begin the installation process

1 Download and extract the Symantec Mail Security for Microsoft Exchange installation
package.
2 Navigate to /SMSMSE/Install, and run Setup.exe.
3 A warning message appears that you may need to restart your computer after installation.
Click OK.
4 Click Next until you reach the License Agreement panel.
5 In the License Agreement panel, click I accept the terms in the license agreement,
and then click Next.
You must accept the terms of the license agreement for the installation to continue.
6 In the Existing Settings panel, select one of the following:

Retain existing settings Retains the existing settings that are supported
for migration to the new version.

This option is the default setting.

Install with default settings Installs the product with the default settings, as
if you install Mail Security for the first time.

This panel appears only if you upgrade from a previous version of Mail Security.
7 In the Destination Folder panel, do one of the following:
■ To install the product in the default location, click Next.
The default directory is as follows:
C:\Program Files\Symantec\
■ To install the product in a different location, click Change, select the location of the
installation folder, click OK, and then click Next.
Mail Security does not support the directory names that contain multi-byte characters.
If you intend to use the Symantec Premium AntiSpam, you cannot install the product
to a directory whose name contains high ASCII characters.

8 In the Setup Type panel, click Complete, and then click Next.
9 In the Symantec Endpoint Protection or Symantec AntiVirus Corporate Edition Users
warning dialog box, click OK.
To configure additional setup options
1 In the Exchange Transport Service Reset Options panel, click Next to accept the default
setting to automatically restart the Exchange Transport Service after installation.
If you choose not to automatically restart the Exchange Transport Service after installation,
you must do so manually. Otherwise, Mail Security does not function properly.
2 In the Web Service Setup panel, do one of the following:
■ Click Next to accept the default values.
■ Modify the following settings, and then click Next:
IP/Name
By default, the computer name resolves to the primary external network interface card (NIC).
You can also use an IP address. The IP address validates the availability of the port.

Port #
By default, port 8081 is the port number for the Web service that Mail Security uses. A
different default port number appears if another application is using port 8081.
If you change the port number, ensure that another application is not already using it. Do
not use port 80: the default Web site that IIS hosts uses port 80.

3 In the Notification Email Address panel, do one of the following to specify the email
address from which email notifications are sent and to which notifications to the
administrator are sent:
■ Click Next to accept the default value.
The default value is: Administrator
■ Modify the originator email address, and then click Next.
You can modify the address after installation is complete.
See “Configuring notification settings for scan violations” on page 193.
4 In the SMTP Server Host panel, specify the SMTP receive connector server address for
sending email messages.
The default server address is as follows: localhost.
5 In the Service Account Information panel, specify the user name and password of the
domain user account.
Do not specify the user name and password of the domain administrator account.
6 In the Setup Summary panel, review the information, and then click Next.
If you need to make any modifications, click Back to return to the appropriate panel.
7 In the Ready to Install the Program panel, click Install.
To install a license and update definitions
1 In the Install Content License File panel, do one of the following:

To install a license file
■ Click Browse, locate the license file, and then click Open.
■ Click Install, and in the confirmation dialog box, click OK.
■ Click Next.

To install a license file later through the console
Click Skip, and then click Next.
See “About licensing” on page 52.

2 In the LiveUpdate panel, do one of the following:

To perform a LiveUpdate
Click Yes, and then click Next. In the LiveUpdate Options window, click Start. When
LiveUpdate is complete, click Close.

To perform a LiveUpdate at a later time
Click No, and then click Next.
See “About keeping your server protected” on page 231.

This panel appears only if you installed a valid license.

3 Click Finish.
Show the readme file is checked by default. The Readme file contains information that is
not available in the product documentation.
A Mail Security icon is placed on the computer desktop when installation is complete.
4 In the User Credential Refresh Required panel, click OK.
5 Log off and log on again.
See “Post-installation tasks ” on page 43.

Installing the Mail Security console

The Mail Security console is a Windows application. The console lets you manage local and
remote installations of Mail Security from a single computer. You can install and use the console
on a computer on which Mail Security is not installed. This way you can manage Mail Security
from a convenient location.
Ensure that you meet the system requirements before you install the console.
See “Console system requirements” on page 29.
A Mail Security icon is placed on the computer desktop when installation is complete.
Note: To ensure secured communication between the Mail Security console and server, enable
SSL. Without SSL, console-to-server Web service traffic is not encrypted.

To install the Mail Security console


1 Download and extract the Symantec Mail Security for Microsoft Exchange installation
package.
2 Navigate to /SMSMSE/Install, and run Setup.exe.
3 A warning message appears stating that you may need to restart your computer after installation.
Click OK.
4 Click Next until you reach the license agreement.
5 On the License Agreement screen, check I accept the terms in the license agreement,
and then click Next.
6 On the Destination Folder screen, do one of the following:
■ To install the product in the default location, click Next.
The default destination directory is as follows:
C:\Program Files\Symantec\
■ To install the product in a different location, click Change, select the location of the
installation folder, click OK, and then click Next.
Mail Security does not support directory names that contain multi-byte characters.
If you intend to use the Symantec Premium AntiSpam service, you cannot install the
product to a directory whose name contains high ASCII characters.

7 On the Setup Type screen, select Custom.
If the installation program detects that no version of Exchange server is installed, it
proceeds with a console-only installation by default.
8 If Exchange server is installed, select Custom on the Setup Type screen and then click Next.
On the Custom Setup screen, select This feature will not be available under Symantec
Mail Security for Microsoft Exchange Server.
9 Click Next until you reach the Notification Email Address panel.
10 On the Notification Email Address screen, do one of the following to specify the email
address from which email notifications are sent. It is also used as the recipient of the
notifications that are sent to the administrator.
■ Click Next to accept the default value.
The default value is: Administrator
■ Modify the originator email address, and then click Next.

You can modify the address after installation is complete.


See “Configuring notification settings for scan violations” on page 193.
11 In the Setup Summary screen, review the information, and then click Next.
If you need to make any modifications, click Back to return to the appropriate screen.
12 On Ready to Install the Program page, click Install.
13 Click Finish.
Show the readme file is checked by default. The Readme file contains the information
that is not available in the product documentation.
14 Log off and log on again.
See “Post-installation tasks ” on page 43.

About installing Mail Security on remote servers


After you install Mail Security on a local server or install the console, you can install the Mail
Security server component on remote servers.
Review the pre-installation information and system requirements before you install the product
on remote servers.
See “Before you install” on page 21.
See “System requirements” on page 28.
If you are installing the product on Windows Server 2019, the following additional components are
required. These components are available in the Prerequisites folder of the package.
■ Microsoft Visual C++ 2008 Redistributable (x86 and x64 both)
■ Microsoft Visual C++ 2010 SP1 Redistributable (x86 and x64 both)
■ Microsoft Visual C++ 2012 Redistributable (x64 only)
■ Microsoft Access 2010 Database Engine (x64 only)
To install Mail Security on remote servers, do the following:
■ Customize installation settings, if needed.
Remote servers are installed with default installation settings. If you want to customize the
installation settings and apply them to a remote server, you can add the custom features
to the vpremote.dat file.
See “Customizing remote server installation settings” on page 39.
■ Install Mail Security on remote servers.
See “Installing Mail Security on a remote server” on page 41.

Customizing remote server installation settings


There may be cases in which you want to customize the installation of Mail Security on a
remote Exchange server. For example, you might want to change the following settings:
■ Installation location
■ Default email address for notifications
■ Stop/start of IIS
Table 2-4 lists the remote customization options that you can modify.

Table 2-4 Remote customization options

EMAIL ADDRESS=
    Description: Serves as the address of the domain administrator for the “Address of sender” and “Administrator and others to notify” Notification/Alert settings.
    Default value: N/A
    Optional value: Email address of the domain administrator

EXISTING SETTING GROUP=
    Description: Controls whether to retain a previous version's settings or apply the default settings of the new version.
    Default value: Retain
    Optional value: Restore

IIS_RESET
    Description: Controls whether to stop and restart the Microsoft Exchange Transport Service during installation. This setting is only available if the Exchange Transport Service is installed.
    Default value: Yes
    Optional value: No

INSTALLDIR=
    Description: Serves as the default product installation directory.
    Note: If you install Mail Security in a non-default location and the path name contains spaces, you must enclose the path name in quotation marks. For example, INSTALLDIR="E:\test vpremote"
    Default value: \Program Files\Symantec\
    Optional value: Any valid path

PORTNUMBER=
    Description: Serves as the port that the product uses for Web services.
    Default value: 8081
    Optional value: Any valid port

SMSMSE_SMTP_SERVER_HOST
    Description: Serves as the host through which notifications are sent using SMTP.
    Default value: localhost
    Optional value: Any valid host

CONSOLE_ONLY
    Description: Specifies that the installation should be for the console only.
    Default value: 0
    Optional value: Set to 1 to perform a console installation.

REINSTALLMODE
    Description: Controls the mechanism for reinstall.
    Default value: N/A
    Optional value: Set to voums to perform a silent installation.

REINSTALL
    Description: Controls what features to install during reinstall.
    Default value: ALL
    Optional value: Set to 1 to perform a silent installation.

Warning: The following entry should not be changed: {setup.exe /s /v" NOT_FROM_ARP=1
REMOTEINSTALL=ALL REINSTALLMODE=voums REINSTALL=ALL"}. You can append properties to the entry.
For example: setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums
REINSTALL=ALL PORTNUMBER=1010"

To customize remote server installation settings


1 Locate the folder that contains the Mail Security console files. The default location is as
follows:
\Program Files\Symantec\CMaF\2.3\bin\Products\SMSMSE\7.9\Remote Install Files\vpremote.dat
2 Open the following file by using WordPad or a similar tool:
vpremote.dat
3 Insert one or more properties by doing the following:
■ Type a space after the previous or the existing entry inside the quotation marks.
■ Type the new property.
The property portion of each entry is case-sensitive.
■ Type the value immediately after the = sign with no space.
The values are not case-sensitive.

For example, to specify a silent installation, the entry would appear as follows:
{setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=1"}

See “About installing Mail Security on remote servers” on page 38.


See “Installing Mail Security on a remote server” on page 41.

Installing Mail Security on a remote server


During remote installation, the Windows Login screen prompts you to provide administrator
or domain user credentials. The domain user must fulfill all prerequisites before Mail Security
is installed on a remote server. See “Before you install” on page 21.
When installation is complete, a Mail Security icon is placed on the computer desktop.

Note: The Mail Security installation may automatically restart your computer at the end of the
installation. If you have selected the Send group settings option, you have to manually deploy
the group settings on the remote server after the computer restarts.

To install Mail Security on a remote server


1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Install/Upgrade
server(s).
3 In the Select Server(s) window, in the Servers and server groups list, highlight one or
more servers and click the >> command icon.
4 Under Server options, check Keep installation files on server(s) to maintain the
installation files on the server.
5 Check Send group settings to apply group settings.
If unchecked, existing server settings are retained. Any future changes that you make to
the server group are applied to the server.
6 Click OK.
7 In the Windows Login window, provide user name and password of a domain user who
is a member of the Organization Management Exchange group and click OK.

Note: Remote install must be performed from a computer that is part of the same domain.

See “Post-installation tasks ” on page 43.



Silently installing Mail Security using an automated installation tool


Mail Security supports installing the product using automated installation tools, such as Microsoft
Systems Management Server.
Ensure that you have met the system requirements before you perform a silent installation.
See “System requirements” on page 28.
You can modify certain installation properties to configure Mail Security installations. You can
also provide command-line properties during manual or automated installation by using an
automated installation tool.
Modify the installation properties for Mail Security in the following file:
\Program Files\Symantec\CMaF\2.3\bin\Products\SMSMSE\7.9\Remote Install Files\vpremote.dat
See Table 2-4 on page 39.

Note: After the Mail Security silent installation, the Symantec Mail Security Utility Service
and the Symantec Mail Security for Microsoft Exchange services do not start automatically.
You must start these services manually.

To silently install Mail Security using an automated installation tool on Exchange 2010 hub role
1 Copy the installation media in its entirety to the location from which installation is launched.
For example: xcopy [Drive]:\*.* /s [Destination drive]
2 Launch setup.exe using the following command to initiate a silent installation:
[Destination drive]:\setup.exe /v"/lvx* "c:\smsmse_install.log"
NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL" /s

Where "c:\smsmse_install.log" is the path of installation log file that gets generated during
installation.

To silently install Mail Security using an automated installation tool on mailbox role of Exchange
1 Copy the installation media in its entirety to the location from which installation is launched.
For example: xcopy [Drive]:\*.* /s [Destination drive]
2 Launch setup.exe using the following command to initiate a silent installation:
[Destination drive]:\setup.exe /v"/lvx* "c:\smsmse_install.log"
NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL
SMSMSE_RBAC_USERNAME=<username> SMSMSE_RBAC_PASSWORD=<password>" /s

where "c:\smsmse_install.log" is the path of installation log file that is generated during
installation.
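As an added example (not part of this guide), the following PowerShell function assembles the silent-installation command line from the Table 2-4 properties, keeps the fixed portion that the guide says not to change, applies the quoting rule for INSTALLDIR paths that contain spaces, rejects PORTNUMBER values outside the valid TCP range, and can emit the same entry in the {setup.exe ...} form used inside vpremote.dat. The function name, its parameters and the validation rules are the example's own assumptions; only the property names and the fixed portion come from the guide.

```powershell
# Added example: compose the SMSMSE silent-install command line described in this chapter.
# The fixed portion (NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL) and the
# property names come from Table 2-4 and the silent-install procedure; everything else is assumed.
function New-SmsmseSilentInstallCommand {
    [CmdletBinding()]
    param(
        # Folder that holds the copied installation media (the guide's "[Destination drive]").
        [Parameter(Mandatory)] [string] $MediaRoot,
        # Verbose MSI log path (the guide uses c:\smsmse_install.log).
        [string] $LogPath = 'c:\smsmse_install.log',
        # Optional Table 2-4 properties to append, e.g. @{ PORTNUMBER = '1010'; INSTALLDIR = 'E:\test vpremote' }.
        [hashtable] $Properties = @{},
        # Mailbox-role installs also take the RBAC account (see the mailbox-role procedure).
        [pscredential] $RbacCredential,
        # Emit the {setup.exe /s /v"..."} wrapper form used inside vpremote.dat instead of a command line.
        [switch] $AsVpremoteEntry
    )

    # Property names are case-sensitive (see "Customizing remote server installation settings"),
    # so accept only the names Table 2-4 documents, spelled exactly as listed there.
    $known = @('EMAIL ADDRESS', 'EXISTING SETTING GROUP', 'IIS_RESET', 'INSTALLDIR',
               'PORTNUMBER', 'SMSMSE_SMTP_SERVER_HOST', 'CONSOLE_ONLY')
    $parts = @('NOT_FROM_ARP=1', 'REMOTEINSTALL=1', 'REINSTALLMODE=voums', 'REINSTALL=ALL')

    foreach ($name in $Properties.Keys) {
        if ($known -cnotcontains $name) {
            throw "Unknown or mis-cased property '$name'; Table 2-4 names are case-sensitive."
        }
        $value = [string] $Properties[$name]
        switch ($name) {
            'PORTNUMBER' {
                # Any valid TCP port; the SSL section warns against the ports Exchange itself uses.
                $port = 0
                if (-not [int]::TryParse($value, [ref] $port) -or $port -lt 1 -or $port -gt 65535) {
                    throw "PORTNUMBER '$value' is not a valid TCP port."
                }
                if ($port -in 80, 443) { Write-Warning "Port $port is used by Exchange; choose another." }
            }
            'INSTALLDIR' {
                # Table 2-4: a path containing spaces must be enclosed in quotation marks, and the
                # destination folder rules exclude multi-byte characters.
                if ($value -match '[^\x00-\x7F]') { throw 'INSTALLDIR must not contain multi-byte characters.' }
                if ($value -match '\s') { $value = '"' + $value + '"' }
            }
            'CONSOLE_ONLY' { if ($value -notin '0', '1') { throw 'CONSOLE_ONLY must be 0 or 1.' } }
            'IIS_RESET'    { if ($value -notin 'Yes', 'No') { throw 'IIS_RESET must be Yes or No.' } }
        }
        $parts += "$name=$value"
    }

    if ($RbacCredential) {
        # The mailbox-role command passes the RBAC account on the command line, where it is visible
        # to anyone who can read process command lines; take it from a secured source at run time
        # rather than hard-coding it in a deployment script.
        $plain = $RbacCredential.GetNetworkCredential().Password
        $parts += "SMSMSE_RBAC_USERNAME=$($RbacCredential.UserName)"
        $parts += "SMSMSE_RBAC_PASSWORD=$plain"
    }

    if ($AsVpremoteEntry) {
        # vpremote.dat form: properties sit inside the quotation marks after /v, one space apart.
        return '{setup.exe /s /v" ' + ($parts -join ' ') + '"}'
    }
    $msiArgs = '/lvx* "' + $LogPath + '" ' + ($parts -join ' ')
    return (Join-Path $MediaRoot 'setup.exe') + ' /v"' + $msiArgs + '" /s'
}

# Usage (values are constructed for illustration):
# New-SmsmseSilentInstallCommand -MediaRoot 'D:\' -Properties @{ PORTNUMBER = '1010'; INSTALLDIR = 'E:\test vpremote' }
# New-SmsmseSilentInstallCommand -MediaRoot 'D:\' -AsVpremoteEntry -Properties @{ PORTNUMBER = '1010' }
```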

Post-installation tasks
After you install Mail Security, you can perform the following post-installation tasks:
■ Implement SSL communications.
See “Implementing SSL communications” on page 43.
■ Install license files if they were not installed during setup.
See “About licensing” on page 52.
■ Update definitions if a LiveUpdate was not performed during setup.
See “About keeping your server protected” on page 231.
■ Access the Mail Security console.
See “Accessing the Mail Security console” on page 45.
■ Configure other antivirus products that are on the same computer as Mail Security.
See “About using Mail Security with other antivirus products” on page 48.
■ Configure Mail Security transport agents.
See “Configuring Mail Security transport agents” on page 48.
■ Configure the number of scanning threads and scan processes, if necessary.
See “Setting scanning threads and number of scan processes” on page 50.
■ Reduce the launch time of Mail Security console.
See “Resolving installation issues” on page 246.

Implementing SSL communications


You can configure Mail Security to use Secure Sockets Layer (SSL) communications by using
a valid server certificate. You can create your own server certificate using Microsoft Certificate
Services 2.0 or request one from a certificate authority.

After you implement SSL, you must enable SSL from the console and specify the SSL port for
each server.
See “Modifying the port and the communication properties of a server” on page 73.
To install a server certificate
1 On the computer on which Mail Security is installed, click Start > Administrative Tools
> Internet Information Services (IIS) Manager.
2 In the server list, expand the folder for the server that hosts Mail Security.
3 In the Web sites folder, right-click Symantec Mail Security for Microsoft Exchange,
and then click Properties.
4 Under Secure communications, select the Directory Security tab, and click Server
Certificate.
5 Follow the instructions in the Web server Certificate wizard to install the server certificate.
To implement SSL communications
1 Ensure that a valid server certificate is installed.
2 Under Secure Communications, click the Directory Security tab, and then click Edit.
3 In the Secure Communications dialog box, check Require secure channel (SSL), and
then click OK.
4 On the Web Site tab, under Web site identification, in the IP Address text box, type
the IP address of the Mail Security server.
5 In the SSL Port text box, type the port to use for SSL communications.
6 Click OK to close the Mail Security Properties window.
To implement SSL communications on Windows Server
1 On the local computer, ensure that a valid server certificate is installed in Trusted Root
Certification Authorities.
2 Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the Web sites folder, right-click Symantec Mail Security for Microsoft Exchange,
click Edit Bindings and select Add.
4 From the drop-down list, select https and All Unassigned for Type and IP addresses
respectively.
5 In the SSL Port text box, type the port number.
For example, type 8082 for SSL communications.
To avoid port conflicts, ensure that you do not use ports that the Exchange server uses, for
example TCP port 80 and SSL port 443.

6 From the SSL certificate, select the certificate that you installed and restart the Symantec
Mail Security for Microsoft Exchange website.
7 In the right pane, double-click Authentication and ensure that Windows Authentication
and ASP.NET Impersonation are enabled.
8 From the Web sites folder, select Symantec Mail Security for Microsoft Exchange.
9 In the right pane, double-click SSL Settings and check Require SSL and Require 128-bit
SSL.
10 Click Apply to apply the changes.
To implement SSL communications on the client computer
1 Export the server certificate from the server and install it in Trusted Root Certification
Authorities on the client computer where the Mail Security console is installed.
2 Open Certificate snap-in and ensure that the certificate resides in Trusted Root
Certification Authorities.
3 On the Mail Security console, click the Assets tab and click Add server(s) to add a server.
4 Right-click the server that you added and then click Properties.
5 Provide the SSL port number that is configured on the server.
6 Check Use SSL and click OK.
You can now connect to the server from the console by using the SSL connection.
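As an added example (not part of this guide), the following PowerShell function audits, on the Mail Security server, the IIS settings that the procedures above configure: an https binding on a port other than the Exchange web ports, a selected certificate that chains to a trusted root, Require SSL and Require 128-bit SSL, and Windows Authentication plus ASP.NET Impersonation. The site name comes from the procedure; the function name, its parameters and the use of the WebAdministration module are the example's own assumptions.

```powershell
# Added example: audit the IIS settings that the SSL procedure configures for the Mail Security
# website. Run it on the Mail Security server in an elevated PowerShell session.
function Test-SmsmseSslConfiguration {
    [CmdletBinding()]
    param(
        [string] $SiteName = 'Symantec Mail Security for Microsoft Exchange',
        # Ports the procedure says to avoid because the Exchange server uses them.
        [int[]]  $ReservedPorts = @(80, 443)
    )
    Import-Module WebAdministration -ErrorAction Stop
    $sitePath = "IIS:\Sites\$SiteName"
    if (-not (Test-Path $sitePath)) { throw "IIS site '$SiteName' not found." }

    $findings = New-Object System.Collections.Generic.List[string]
    $ports    = @()

    # 1. An https binding must exist, must not collide with Exchange's ports, and must carry a
    #    certificate that chains to a trusted root (otherwise console connections fail).
    $https = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($https.Count -eq 0) { $findings.Add('No https binding; the console would talk to the server in clear text.') }
    foreach ($b in $https) {
        # bindingInformation is "ip:port:hostheader", for example "*:8082:".
        $port   = [int] ($b.bindingInformation -split ':')[1]
        $ports += $port
        if ($port -in $ReservedPorts) { $findings.Add("https binding on port $port conflicts with Exchange.") }
        if (-not $b.certificateHash) {
            $findings.Add("https binding on port $port has no certificate selected.")
            continue
        }
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $b.certificateHash }
        if (-not $cert)              { $findings.Add("Certificate $($b.certificateHash) not found in LocalMachine\My.") }
        elseif (-not $cert.Verify()) { $findings.Add("Certificate $($cert.Subject) does not chain to a trusted root.") }
    }

    # 2. Require SSL and Require 128-bit SSL (sslFlags must contain Ssl and Ssl128).
    $sslFlags = [string] (Get-WebConfigurationProperty -PSPath $sitePath `
                    -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
    if ($sslFlags -notmatch '\bSsl\b') { $findings.Add('Require SSL is not set.') }
    if ($sslFlags -notmatch 'Ssl128')  { $findings.Add('Require 128-bit SSL is not set.') }

    # 3. Windows Authentication and ASP.NET Impersonation must be enabled (procedure step 7).
    $winAuth = (Get-WebConfigurationProperty -PSPath $sitePath `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled').Value
    if (-not $winAuth) { $findings.Add('Windows Authentication is disabled.') }
    $impersonate = (Get-WebConfigurationProperty -PSPath $sitePath `
                    -Filter 'system.web/identity' -Name 'impersonate').Value
    if (-not $impersonate) { $findings.Add('ASP.NET Impersonation is disabled.') }

    [pscustomobject]@{
        Site       = $SiteName
        HttpsPorts = $ports
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage: Test-SmsmseSslConfiguration | Format-List
```

The reported https port is the value to enter in the server's Properties on the console (step 5 of the client procedure).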

Accessing the Mail Security console


You can access the Mail Security console from the Windows Start menu or from your desktop.
You must have the appropriate administrator or viewer rights to open the console. If you do
not have the required rights, the following error message appears:
"You either have insufficient permissions to access this application or your user credentials
are not refreshed. Try logging off and logging on again to reload the user credentials."
You can only access the servers that run Mail Security 7.9 from the Mail Security console.
See “About security and access permissions” on page 26.
To access the Mail Security console
◆ Do one of the following:
■ On the desktop, double-click the SMSMSE 7.9 icon.
■ On the Windows taskbar, click Start > Programs > Symantec Mail Security for
Microsoft Exchange > Mail Security for Microsoft Exchange Console.

See “About the Mail Security console” on page 46.

About the Mail Security console


Figure 2-1 shows the Mail Security console.

Figure 2-1 Mail Security Server Home page view (labelled elements: menu bar, toolbar, primary navigation bar, content area)

Figure 2-2 shows additional console elements.

Figure 2-2 Additional console elements (labelled elements: list pane, sidebar, preview pane, resizing bars)

See “About the primary navigation bar” on page 47.

About the primary navigation bar


Management operations are grouped into the following categories on the primary navigation
bar:

Home
    Lets you view server status, recent activities, and violations statistics.

Policies
    Lets you create and configure the sets of rules that specific scans implement.

Monitors
    Lets you configure notification addresses and quarantine settings and monitor quarantine data and events.

Scans
    Lets you create, configure, schedule, and run scans.

Reports
    Lets you view and print the data that Mail Security collects.

Admin
    Lets you update definitions, configure system settings, and install licenses.

See “About the Mail Security console” on page 46.

Refreshing the console


You might periodically need to refresh the console to view changes or updated statuses.
To refresh the console
1 On any page in the console, press F5.
2 Click OK to log onto the current asset group.
This message only appears if you are not logged onto the current asset group.
See “Logging onto servers” on page 62.

About using Mail Security with other antivirus products


Configure your other antivirus programs to exclude certain folders from scanning. If another
antivirus scans the Exchange directory structure or the Mail Security processing folder, it can
cause false-positive threat detection. It also can cause unexpected behavior on the Exchange
server, or damage to the Exchange databases.
For information about how to prevent Symantec Endpoint Protection or Symantec AntiVirus
Corporate Edition from scanning the Exchange directory, go to the following article:
https://support.symantec.com/en_US/article.TECH85451.html
See “Components of Mail Security” on page 13.
See “About keeping your server protected” on page 231.
If you have Symantec AntiVirus Corporate Edition or Symantec Endpoint Protection (SEP)
11.x installed on the same computer as Mail Security, configure Symantec AntiVirus Corporate
Edition or SEP version 11.x to perform definition updates. You must also configure Mail Security
to perform definition updates. You can also use LiveUpdate Administrator to perform definition
updates for both the products.
See “About setting up your own LiveUpdate server” on page 233.

Configuring Mail Security transport agents


Mail Security automatically installs custom transport agents when you install the product on
the Exchange servers. The Mail Security transport agents consist of an antispam transport
agent and an antivirus transport agent.
Mail Security transport agents must act on email messages before any other spam or virus
scanning transport agent. For example, the Microsoft Exchange antispam agents include the following:

■ Connection Filtering Agent


■ Sender ID Agent
■ Sender Filter Agent
■ Recipient Filter Agent
■ Protocol Analysis Agent
■ Content Filter Agent
By default, the Mail Security transport agents are installed with a lower priority than the Microsoft
Exchange antispam agents. This means that the Microsoft Exchange antispam agents act on
emails before Mail Security transport agents. As a result, Mail Security may not detect spam
or viruses. Therefore, ensure that the Mail Security transport agents are set with a higher
priority than any other spam filtering agents.
To configure Mail Security transport agents
1 Click Start > Programs > Microsoft Exchange Server [server version] > Exchange
Management Shell.
2 Run the following command to check the transport agent priorities:
Get-TransportAgent

The following result appears, which shows that the Mail Security transport agents have
a lower priority than the Exchange antispam transport agents:

Identity                     Enabled  Priority
--------                     -------  --------
Transport Rule Agent         True     1
Journaling Agent             True     2
AD RMS Prelicensing Agent    False    3
Connection Filtering Agent   True     4
Content Filter Agent         True     5
Sender Id Agent              True     6
Sender Filter Agent          True     7
Recipient Filter Agent       True     8
SMSMSERoutingAgent           True     9
SMSMSESMTPAgent              True     10
Protocol Analysis Agent      True     11

3 Perform one of the following tasks:


■ Set the priority of the Mail Security transport agents higher than the Exchange antispam
transport agents by running the following commands:
Set-transportagent -identity "SMSMSESMTPAgent" -priority 4
Set-transportagent -identity "SMSMSERoutingAgent" -priority 5

■ Disable Exchange transport agents by running the following commands:


disable-transportagent -identity "Connection Filtering Agent"
disable-transportagent -identity "Sender Id Agent"
disable-transportagent -identity "Sender Filter Agent"
disable-transportagent -identity "Recipient Filter Agent"
disable-transportagent -identity "Protocol Analysis Agent"
disable-transportagent -identity "Content Filter Agent"

You might encounter an error about not being able to edit the config file when running
these commands. You can resolve the error by opening the Exchange Management Shell
as an administrator and running the commands again.
4 Run the following command to restart the transport agent service:
restart-service -force MSExchangeTransport
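As an added example (not part of this guide), the following Exchange Management Shell function automates the check in steps 2 and 3: it reads Get-TransportAgent, flags the case where either Mail Security agent sits behind an enabled Exchange antispam agent, and with -Fix applies Set-TransportAgent. It generalises the guide's fixed "-priority 4 / -priority 5" values by placing SMSMSESMTPAgent at the first antispam agent's slot and SMSMSERoutingAgent immediately after it. The agent names come from this procedure; the function name, its switches and the priority selection are the example's own.

```powershell
# Added example: verify and, if requested, correct the Mail Security transport agent order.
# Run inside the Exchange Management Shell, opened as an administrator (the guide notes that
# Set-TransportAgent can otherwise fail to write the config file).
function Test-SmsmseAgentPrecedence {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Without -Fix the function only reports.
        [switch] $Fix,
        # Restart MSExchangeTransport after a fix, as step 4 of the procedure requires.
        [switch] $RestartTransport
    )

    # A lower Priority number means the agent acts on the message earlier.
    $antispam = @('Connection Filtering Agent', 'Sender Id Agent', 'Sender Filter Agent',
                  'Recipient Filter Agent', 'Protocol Analysis Agent', 'Content Filter Agent')
    $smsmse   = @('SMSMSESMTPAgent', 'SMSMSERoutingAgent')

    $agents  = @(Get-TransportAgent)
    $present = @($agents | Where-Object { $_.Enabled -and $antispam -contains [string] $_.Identity })
    $ours    = @($agents | Where-Object { $smsmse -contains [string] $_.Identity })

    if ($ours.Count -lt $smsmse.Count) {
        $found = ($ours | ForEach-Object { [string] $_.Identity }) -join ', '
        throw "Expected agents $($smsmse -join ', ') but found: $found"
    }
    if ($present.Count -eq 0) {
        Write-Verbose 'No enabled Exchange antispam agents; nothing to reorder.'
        return [pscustomobject]@{ Compliant = $true; Changed = $false }
    }

    # Report the current order with each agent's role, so the operator can see the problem.
    $report = foreach ($a in ($agents | Sort-Object Priority)) {
        $id = [string] $a.Identity
        [pscustomobject]@{
            Identity = $id; Enabled = $a.Enabled; Priority = $a.Priority
            Role     = if ($smsmse -contains $id) { 'SMSMSE' }
                       elseif ($antispam -contains $id) { 'Exchange antispam' } else { '' }
        }
    }
    $report | Format-Table -AutoSize | Out-String | Write-Verbose

    $firstAntispam = ($present | Measure-Object -Property Priority -Minimum).Minimum
    $worstOurs     = ($ours    | Measure-Object -Property Priority -Maximum).Maximum
    if ($worstOurs -lt $firstAntispam) {
        return [pscustomobject]@{ Compliant = $true; Changed = $false }
    }

    Write-Warning ("SMSMSE agents (worst priority $worstOurs) run after an Exchange antispam agent " +
                   "(first at $firstAntispam); Mail Security may not see spam or viruses.")
    if (-not $Fix) { return [pscustomobject]@{ Compliant = $false; Changed = $false } }

    # Insert the SMTP agent at the first antispam slot and the routing agent right behind it;
    # Exchange renumbers the displaced agents downwards, as in step 3 of the procedure.
    if ($PSCmdlet.ShouldProcess('SMSMSESMTPAgent, SMSMSERoutingAgent',
                                "Set-TransportAgent -Priority $firstAntispam / $($firstAntispam + 1)")) {
        Set-TransportAgent -Identity 'SMSMSESMTPAgent'    -Priority $firstAntispam
        Set-TransportAgent -Identity 'SMSMSERoutingAgent' -Priority ($firstAntispam + 1)
        if ($RestartTransport) { Restart-Service -Force MSExchangeTransport }
    }
    [pscustomobject]@{ Compliant = $true; Changed = $true }
}

# Usage: Test-SmsmseAgentPrecedence -Verbose                       # report only
#        Test-SmsmseAgentPrecedence -Fix -RestartTransport -WhatIf # preview the change
```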

Setting scanning threads and number of scan processes


Mail Security lets you set the number of scan processes to control scanning speed and
performance. The default is configured using the following formula: (number of processors) x
2 + 1. Accept the default unless you have a compelling reason to do otherwise.
Mail Security considers a hyper-threaded processor as more than one processor. For example,
if you have a dual hyper-threaded processor on your computer, Mail Security calculates the
number of scanning processes as follows:
Number of processors (4) x 2 + 1 = 9
When the load is heavy, all nine scanning processes scan messages. Increasing the number
of scan processes can consume a lot of memory if the server has few resources. This situation
can severely affect the performance of your Exchange server.
Configure the number of scan processes based on the actual number of physical processors
if you have a hyper-threaded processor on your computer. For example, if you have a dual
hyper-thread processor, configure the number of scan processes as follows:
Number of physical processors (1) x 2 + 1 = 3

Note: If you use Intel Xeon processors, you must set this value using the formula based on
the number of physical processors, instead of the number that is reported by the operating
system.

To set scanning threads and number of scan processes


1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click System Settings.

3 In the Number of VSAPI scanning threads box, type the number of threads to use for
VSAPI scanning.
The default value is 3.

Note: This step is applicable only for Exchange Server 2010.

4 In the Number of scan processes box, type the number of scan processes.
The default is configured during installation using the formula 2 times the number of
processors plus 1.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Uninstalling Symantec Mail Security for Microsoft Exchange
Stop Microsoft Internet Information Service (IIS) before you uninstall the product. This task
ensures that all of the files that are installed with the product are removed.
To stop Microsoft IIS
1 On the Windows taskbar, click Start > Administrative Tools > Services.
2 In Services window, right-click IIS Admin Service and click Stop.
3 Close the Stop Other Services window.
To uninstall Mail Security
1 On the server on which Mail Security is installed, on the Windows taskbar, click Start >
Settings > Control Panel.
2 In the Control Panel window, double-click Add or Remove Programs.
3 Click Symantec Mail Security for Microsoft Exchange, and then click Remove.
4 In the confirmation dialog box, click Yes.
5 In the Information dialog box, click OK to confirm that you have stopped IIS.
6 When the uninstallation is complete, click OK.
After you uninstall Mail Security, the users that you added and the groups to which you assigned
them remain in the Active Directory. You can remove them manually from the Active Directory.
Chapter 3
Activating licenses
This chapter includes the following topics:

■ About licensing

■ About activating the Mail Security license

■ About renewing the Mail Security license

About licensing
Key features of Symantec Mail Security, which include definition updates and Symantec
Premium AntiSpam, are activated by a license. When a license expires or no license is installed,
limited functionality is available. To regain product functionality when your license expires, you
must renew and reactivate your license subscription.
Table 3-1 describes the licenses that are required.

Table 3-1 Symantec Mail Security Licenses

Content license
    A content license is required to update Symantec software with the latest associated content (such as new definitions) through LiveUpdate and Rapid Release. A valid content license enables your servers to stay protected.
    When the content license is missing or invalid, you cannot download definition updates to keep protection current.
    See “About keeping your server protected” on page 231.

Symantec Premium AntiSpam license
    This license is required to enable Symantec Premium AntiSpam. Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available.
    When the Symantec Premium AntiSpam license is missing or invalid, Symantec Premium AntiSpam does not function.
    See “How to detect spam using Symantec Premium AntiSpam” on page 107.

Definition updates and updates to Symantec Premium AntiSpam are limited to the period of
time that the license specifies. The start and the end dates of the license period depend on
the terms of your license agreement.
You must install one license file on each server that is running Symantec Mail Security. You
cannot replicate license files.
See “About renewing the Mail Security license” on page 56.
You can view the status of your license on the Home page of the Mail Security console.

About activating the Mail Security license


Symantec issues a serial number when you purchase Mail Security. If you upgrade from a
previous version and you have an active maintenance contract, Symantec issues an upgrade
voucher with an alpha-numeric code. Register the serial number or upgrade code to receive
a license key for the associated license file.
License keys are delivered in a Symantec license file (.slf). The serial number is provided on
a license certificate, which is mailed separately and arrives in the same time frame as your
software. For security reasons, the license certificate is not included in the Mail Security
software distribution.
See “About renewing the Mail Security license” on page 56.
License activation involves the following process:

Obtain a license file from Symantec
    To request a license file, you must have the license serial number or upgrade voucher code. After you complete the registration process, Symantec sends you the appropriate license file by email.
    See “Obtaining a license file” on page 54.

Install the license file
    Install the license file on each server on which you run Mail Security.
    See “Installing license files” on page 55.

About the Mail Security license serial number


Your license certificate or upgrade voucher, which contains the license number, arrives within
three to five business days of when you receive your software. Contact Symantec Customer
Service at 800-721-3934 or your reseller to check the status of your order if you do not receive
the license certificate or upgrade voucher. Contact Symantec License Administration if you
have lost your license certificate or upgrade voucher.
See “Where to get more information about Mail Security” on page 20.

Obtaining a license file


You must have the serial number or upgrade voucher code to request a license file and to
register for support.
See “About the Mail Security license serial number” on page 54.
The license file that you receive from Symantec is contained within a .zip file. The .slf file that
is contained within the .zip file is the actual license file. Ensure that your inbound email
environment permits .zip email message attachments.
If you purchased multiple types of licenses but registered them separately, Symantec sends
you a separate license file for each license. You must install each license file separately. If
you registered multiple licenses at the same time, Symantec sends you a single license file
that contains all of your licenses.

Warning: License files are digitally signed. When you try to edit a license file, it corrupts the
file and renders it invalid.

To obtain a license file


1 In a web browser, type the following address:
https://licensing.symantec.com
Your web browser must use 128-bit encryption to view the site.
2 If the Security Alert dialog box appears, click OK.
3 Follow the procedures on the Symantec Licensing website to register your license and
request your license file.
Symantec sends you an email message that contains the license file in an attachment. If
the email message does not arrive within two hours, an error might have occurred. Try
again to obtain the license file through the Symantec website. If the problem continues,
contact Symantec Technical Support.
See “Where to get more information about Mail Security” on page 20.

Installing license files


Install the license file on each server on which Mail Security is installed.
You can install your license file during product installation or in the console. Mail Security
issues periodic messages in the event log to notify you that your license is invalid or expired
until a valid license is installed. You can view the status of your license on the Home page of
the console.
See “Installing Symantec Mail Security for Microsoft Exchange” on page 31.
The procedures for installing license files vary for a local server installation and a remote server
or server group.
To install license files to a local server
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click Licensing.
3 In the content area, do one of the following:
■ In Step 3, under Enter path to the license file, type the fully qualified path to the
license file.
You can specify a mapped drive or Universal Naming Convention path to the file if the
license file does not reside on the same computer.
■ Click Browse, select the license file, and then click Open.
You can locate the file using My Network Places if the license file does not reside on
the same computer.

4 Click Install.

To install license files to a remote server or server group


1 In the console on the toolbar, click Change.
2 In the Select Asset window, select a server or server group from the menu.
3 Click Select.
4 On the primary navigation bar, click Admin.
5 In the sidebar under Views, click Licensing.
6 In the content area, do one of the following:
■ In Step 3, under Enter path to the license file, type the fully qualified path to the
license file.
You can specify a mapped drive or UNC path to the file if the license file does not
reside on the same computer.
■ Click Browse, select the license file, and then click Open.
You can locate the file using My Network Places if the license file does not reside on
the same computer.

7 Click Install.
If a server within a server group is already licensed, the license file is reapplied. The
license file with the latest expiration date is applied.

About renewing the Mail Security license


Content updates and spam definition updates are not applied when a server has an expired license or when the license is missing or invalid. A missing or invalid license therefore leaves your server without current protection and vulnerable to attack. Renew your maintenance agreement before your license expires so that you continue to receive content updates.
The process for license renewal is specific to how you purchased your software. The license
renewal process is as follows:

If you purchased Mail Security through the Symantec Value or Elite Enterprise Licensing programs
Contact your administrator, reseller, or Symantec account manager to determine whether your maintenance agreement has been renewed and if new licenses are available. After your maintenance agreement is renewed, you receive the new serial numbers that you can register to obtain your new license files.

If you purchased Mail Security Small Business Edition
To find more information about license renewal on the Internet, go to the following URL:
http://www.symantec.com/products-solutions/licensing/renewals/

See “Obtaining a license file” on page 54.


Chapter 4
Managing your Exchange servers
This chapter includes the following topics:

■ About managing your Exchange servers

■ Deploying settings and changes to a server or group

■ Managing servers and server groups

About managing your Exchange servers


Mail Security can simplify the management of one or more Microsoft Exchange servers across your organization. You can create server groups for servers that have a common purpose and, therefore, require the same protection. By grouping servers, you apply a common set of protection settings once rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance cost can be considerable.
Symantec Mail Security for Microsoft Exchange consists primarily of two components, the server and the console. From the console you manage all of your Mail Security servers from a single computer. When you open the console, it automatically logs onto each managed server to check its status or to apply settings to it. Tasks such as remote installation and upgrade are also performed from the console. You can create as many server groups as your environment requires, and you can deploy settings to every managed server in a group from the console.
You can configure settings for each server individually. You can use the following groups to
configure and manage multiple servers:

Global Group
The Global Group consists of all of the servers that you manage through the Mail Security console.
When you configure and apply Global Group settings, the changes are propagated to all servers in all groups. Changes that are made at the Global Group level overwrite all individual server and user-defined server group settings.
Mail Security provides the following Global Groups:
■ Global Group - Exchange 2010
All Exchange 2010 servers belong to the Global Group - Exchange 2010. No other Exchange Server version is supported in this group.
■ Global Group - Exchange 2013
All Exchange 2013 servers belong to the Global Group - Exchange 2013. No other Exchange Server version is supported in this group.
■ Global Group - Exchange 2016
All Exchange 2016 servers belong to the Global Group - Exchange 2016. No other Exchange Server version is supported in this group.
■ Global Group - Exchange 2019
All Exchange 2019 servers belong to the Global Group - Exchange 2019. No other Exchange Server version is supported in this group.
Global Groups include the servers that are added to user-defined groups. They also include the servers that are added to multi-server management control but are not assigned to a specific server group.
You cannot create or delete Global Groups.

User-defined server group(s)
A user-defined server group is a grouping of servers that have common roles and, therefore, require similar configurations. You can create a user-defined server group and configure settings for the group to simplify server management. For example, a server group can contain the mail servers that are used by a department such as Marketing, or the servers at a physical location such as the third floor of Building A.
A managed server can only belong to one user-defined group.
See “Moving a server to another user-defined server group” on page 69.
See “Viewing the status of a server” on page 67.

Server
Stores the settings for that individual server.

Mail Security saves the settings for groups in the following default file location:
\Program Files\Symantec\CMaF\2.3\Settings\Groups
The associated files are automatically deleted when you delete a group.

Deploying settings and changes to a server or group


Mail Security lets you make changes to multiple pages before you apply those settings. When
the Deploy changes icon on the toolbar is active, it indicates that you have made the changes
that you need to apply.
You can manage change deployment by using the following toolbar icons:

Deploy changes
Deploys your changes. If you are in the server view, deploys your changes to the server. If you are in the group view, deploys your changes to each server in the group and to the group settings.
See “To deploy pending changes to a server or group” on page 60.

Discard changes
Cancels the pending changes. When you cancel pending changes, settings are returned to their configuration as of the last time changes were successfully deployed.
See “To cancel pending changes” on page 61.

Deploy all settings
Applies the pending changes to the group settings, and then pushes out the group settings to all of the servers in the group. If there are no pending changes, pushes out the group settings to all of the servers in the group.
Note: Any configuration settings that were made to an individual server within the group are overwritten.
This option is only available in the group view.
See “To apply pending changes (if any) and deploy group settings to each server in the group” on page 61.

After you deploy your changes, the Operation Status window indicates whether changes
were successfully applied.
To deploy pending changes to a server or group
1 In the console on the toolbar, click Deploy changes.
2 In the Pending changes window, click Deploy changes.
3 In the Operation Status window, click Close when the operation is complete.

To apply pending changes (if any) and deploy group settings to each server in the group
1 In the console on the toolbar, click Deploy all settings.
The Deploy all settings icon is only enabled in the group view.
2 In the Deploy all settings dialog box, click OK.
3 In the Operation Status window, click Close when the operation is complete.
To cancel pending changes
1 In the console on the toolbar, click Discard changes.
2 In the Discard changes dialog box, click OK.
See “Modifying or viewing server or server group settings” on page 66.

Managing servers and server groups


You can manage servers and server groups by performing the following tasks:
■ Logon to the servers.
See “Logging onto servers” on page 62.
■ Modify or view server or server group settings.
See “Modifying or viewing server or server group settings” on page 66.
■ View the status of a server.
See “Viewing the status of a server” on page 67.
■ Create a user-defined server group.
See “Creating a user-defined server group” on page 67.
■ Add servers to a group.
See “Adding servers to a group” on page 68.
■ Move a server to another user-defined server group.
See “Moving a server to another user-defined server group” on page 69.
■ Synchronize group settings to a server.
See “Synchronizing group settings to a server” on page 70.
■ Restore default settings to a server or group.
See “Restoring default settings to a server or group” on page 70.
■ Remove a server from group management.
See “Removing a server from group management” on page 71.
■ Remove a server group.
See “Removing a server group” on page 71.
■ Export and import the settings.

See “Exporting and importing settings” on page 72.


■ Modify the port and the communication properties of a server.
See “Modifying the port and the communication properties of a server” on page 73.
■ Create and assign a custom throttling policy to the Mail Security service account user.
See “Creating and assigning a custom throttling policy to the Mail Security service account
user” on page 73.

Logging onto servers


Mail Security consists of two components, the server and the console. The console logs onto a server to check its status or to apply settings to it. By default, the console logs onto all of your managed servers when you open it.
You might experience a delay when you open the console while Mail Security logs onto the
managed servers. The length of the delay depends on the number of managed servers that
you have. If you frequently open the console to view settings or to make changes without
applying them, you can disable the automatic logon feature. When you disable the automatic
logon feature, the console opens more quickly.
If you disable the automatic logon feature, Mail Security logs onto your servers in the following
ways:

Single server
Mail Security logs onto a single server when you do any of the following:
■ Open the console when a single server is the current asset.
■ Select a single server as the current asset.
See “Modifying or viewing server or server group settings” on page 66.

Server group (user-defined server groups and Global Groups)
Mail Security logs onto all of the servers in the current asset list when you do any of the following:
■ Manually refresh the console.
See “Refreshing the console” on page 48.
■ Apply settings to a server group.
Mail Security logs onto all of the servers in a group when you apply settings to that group. If you apply settings to a user-defined server group, Mail Security logs onto all of the servers in that user-defined group. If you apply settings to a Global Group, Mail Security logs onto all of the servers in the Global Group, including the servers in the user-defined groups within that Global Group.
For example, assume that you have Global Group - Exchange 2010 and Global Group - Exchange 2013, and that within Global Group - Exchange 2010 you have user-defined groups named ServersEast and ServersWest. If you apply settings to Global Group - Exchange 2010, Mail Security logs onto all of the servers in the ServersEast group and the ServersWest group. Mail Security does not log onto any of the servers in Global Group - Exchange 2013.
If instead you apply settings to the ServersEast group, Mail Security logs onto all of the servers in the ServersEast group but not onto any of the servers in the ServersWest group.
See “Deploying settings and changes to a server or group” on page 60.
See “About managing your Exchange servers” on page 58.

To log onto servers when you open the console


1 In the console on the toolbar, click Assets.
2 In the Asset Management window in the Assets box, check Automatically connect to
the servers in the current group on startup.
Mail Security logs onto all of the servers that you have listed in the Assets box every time
you open the console.
This option is enabled by default.
3 Click Close.

To log onto servers when you apply settings or refresh the console
1 In the console on the toolbar, click Assets.
2 In the Asset Management window in the Assets box, uncheck Automatically connect
to the servers in the current group on startup.
Mail Security only logs onto a server when you apply settings to that server or when you
view or modify the settings of that server.
3 Click Close.

Configuring Symantec Mail Security for Exchange on DAG setup


When Mail Security is installed on Exchange servers that are members of a Database Availability Group (DAG), use the following configuration so that protection stays consistent across a database failover.
To configure Symantec Mail Security for Exchange on DAG setup
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, under Tasks, click New group.
Create a new group for the Exchange DAG servers. If you have multiple DAGs, create a separate group for each DAG. Set up a quarantine server for each DAG group from the console so that quarantine data remains available if a DAG member is unavailable.
3 Click Add server(s) and add all DAG member servers to the new group.
4 Create and apply the same security policies to every server in the group. This ensures that all of the mailboxes have the same Mail Security settings if a database failover occurs.
See “Forwarding quarantined items to the Quarantine Server” on page 77.

Changing the password of the domain user account


For every installation of Mail Security on Exchange 2010 in the mailbox role, the service's logon credentials must be updated whenever the password of the domain user account is changed. If they are not, the service fails to start after the old password stops working.

Note: Change the password before it expires, or select the Password never expires option for the user account. If you choose Password never expires, keep in mind that this account is a member of Organization Management and of the local Administrators group, so use a long, random password and still rotate it on a schedule.

To change password of the domain user account


1 From the Windows taskbar, click Start > Programs > Administrative Tools > Services.
2 Right-click Symantec Mail Security for Microsoft Exchange and click Stop to stop the Mail Security service.
3 In the Services window, right-click Symantec Mail Security for Microsoft Exchange again and click Properties.
4 On the Log On tab, enter the new password and click Apply.
5 Start the Symantec Mail Security for Microsoft Exchange service.
See “Changing the service account used by Mail Security service” on page 65.

Changing the service account used by Mail Security service


If you want to change the service account for the Mail Security service, perform the following
steps:
To remove service account from the Mail Security service
1 From the Windows taskbar, click Start > Programs > Administrative Tools > Services.
2 Right-click Symantec Mail Security for Microsoft Exchange and click Stop to stop the
Mail Security service.
3 Click Start > Programs > Microsoft Exchange Server (version) > Exchange
Management Shell.
4 Remove the RBAC role assignment for the current account by typing the following command in the Exchange Management Shell. The assignment is named SMSMSE_RBAC_ followed by the account's domain\username:
Remove-ManagementRoleAssignment -Identity "SMSMSE_RBAC_domainname\username"

5 Click Start > Programs > Administrative Tools > Active Directory Users and
Computers.
6 In the Active Directory Users and Computers window in the left pane, click Microsoft
Exchange Security Groups.
7 In the right pane, right-click Organization Management and then click Properties.
8 On the Members tab, select the user that you want to remove and click Remove.
9 Click Start > Programs > Administrative Tools > Local Security Policy.
10 In the Local Security Policy window in the left pane, click Local Policies.
11 In the right pane, double-click User Rights Assignment.
12 In the right pane, right-click Log on as a Service and then click Properties.
13 Select the user that you want to remove and click Remove.

To assign new service account to the Mail Security service


1 Assign the RBAC right to the new user by typing the following command in the same Exchange Management Shell:
New-ManagementRoleAssignment -Name "SMSMSE_RBAC_domainname\username" -Role ApplicationImpersonation -User <username>

2 Click Start > Programs > Administrative Tools > Active Directory Users and
Computers.
3 In the Active Directory Users and Computers window in the left pane, click Microsoft
Exchange Security Groups.
4 In the right pane, right-click Organization Management and then click Properties.
5 On the Members tab, select the user that you want to add and click Add.
You must ensure that the user is a member of the Local Administrators Group.
6 Click Start > Programs > Administrative Tools > Local Security Policy.
7 In the Local Security Policy window in the left pane, click Local Policies.
8 In the right pane, double-click User Rights Assignment.
9 In the right pane, right-click Log on as a Service and then click Properties.
10 Select the user that you want to add and click Add.
11 From the Windows taskbar, click Start > Programs > Administrative Tools > Services.
12 Right-click Symantec Mail Security for Microsoft Exchange and click Properties.
13 On the Log On tab, enter the new user's credentials and click Apply to apply the settings.
14 Start the Mail Security service.
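The two procedures above (updating the password of the existing account, and moving the service to a new account) can be scripted from an elevated Exchange Management Shell on the Mail Security server. The following PowerShell script is an added example and is not Symantec's code or part of this manual. It assumes that the ActiveDirectory module is installed on the server, that the service's display name is "Symantec Mail Security for Microsoft Exchange" as shown in the Services console, and that role assignments follow the manual's SMSMSE_RBAC_domain\username naming; the account names passed as parameters are placeholders. The secedit-based function is the scripted equivalent of the Local Security Policy steps for Log on as a service, for which Windows has no built-in cmdlet.

```powershell
# Added example, not Symantec code. Run in an elevated Exchange Management Shell on the
# Mail Security server. Assumes: ActiveDirectory module installed, service display name
# as shown in services.msc, role assignments named SMSMSE_RBAC_<domain>\<user>.
param(
    [Parameter(Mandatory)] [string]       $OldUser,      # placeholder, e.g. CORP\smsmse-old
    [Parameter(Mandatory)] [string]       $NewUser,      # placeholder, e.g. CORP\smsmse-new
    [Parameter(Mandatory)] [securestring] $NewPassword
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Grants or revokes SeServiceLogonRight ("Log on as a service") through secedit,
# the scripted equivalent of the manual's Local Security Policy steps.
function Set-ServiceLogonRight([string] $Account, [switch] $Remove) {
    $sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
               [Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'smsmse-rights.inf'
    $db  = Join-Path $env:TEMP 'smsmse-rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines  = @(Get-Content $cfg)
    $hasKey = [bool]($lines -match '^SeServiceLogonRight')
    $out = foreach ($l in $lines) {
        if ($l -match '^(SeServiceLogonRight\s*=\s*)(.*)$') {
            # Rebuild the comma-separated SID list without duplicates of this account.
            $vals = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } |
                      Where-Object { $_ -and $_ -ne "*$sid" })
            if (-not $Remove) { $vals += "*$sid" }
            "$($matches[1])$($vals -join ',')"
        } else { $l }
        if (-not $hasKey -and -not $Remove -and $l -eq '[Privilege Rights]') {
            "SeServiceLogonRight = *$sid"
        }
    }
    Set-Content -Path $cfg -Value $out -Encoding Unicode   # secedit expects Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

$svc    = Get-Service -DisplayName 'Symantec Mail Security for Microsoft Exchange'
$oldSam = $OldUser.Split('\')[-1]
$newSam = $NewUser.Split('\')[-1]

# The manual requires the password to be changed before it expires; warn if the
# new account will expire silently and stop the service later.
$adUser = Get-ADUser -Identity $newSam -Properties PasswordNeverExpires
if (-not $adUser.PasswordNeverExpires) {
    Write-Warning "$NewUser has an expiring password; repeat the Log On update before it expires."
}

# 1. Stop the service while the account is swapped.
Stop-Service -Name $svc.Name
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Move the ApplicationImpersonation role assignment to the new account.
$oldAssignment = "SMSMSE_RBAC_$OldUser"
if (Get-ManagementRoleAssignment -Identity $oldAssignment -ErrorAction SilentlyContinue) {
    Remove-ManagementRoleAssignment -Identity $oldAssignment -Confirm:$false
}
New-ManagementRoleAssignment -Name "SMSMSE_RBAC_$NewUser" `
    -Role ApplicationImpersonation -User $NewUser | Out-Null

# 3. Swap Organization Management membership; make the new account a local Administrator.
Remove-ADGroupMember -Identity 'Organization Management' -Members $oldSam `
    -Confirm:$false -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'Organization Management' -Members $newSam
try   { ([ADSI]'WinNT://./Administrators,group').Add("WinNT://$($NewUser -replace '\\','/'),user") }
catch { if ($_.Exception.Message -notmatch 'already a member') { throw } }

# 4. Swap "Log on as a service".
Set-ServiceLogonRight -Account $OldUser -Remove
Set-ServiceLogonRight -Account $NewUser

# 5. Update the service's Log On credentials (Win32_Service.Change) and restart it.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword))
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
$res = $wmi.Change($null, $null, $null, $null, $null, $null, $NewUser, $plain)
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($res.ReturnValue)" }
Start-Service -Name $svc.Name
Get-Service -Name $svc.Name | Select-Object Name, Status
```

For a password-only change, pass the same account as both $OldUser and $NewUser: the role assignment and group membership steps then leave the account as it is and only step 5 updates the service's credentials. The plaintext password exists only briefly in the script's memory; it is never written to disk.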
See “Changing the password of the domain user account” on page 64.

Modifying or viewing server or server group settings


Mail Security lets you manage one or more servers from a single console. The Server/group
box on the toolbar indicates the server or group that is currently selected. The settings that
you make and deploy are applied to that server or group.
See “Deploying settings and changes to a server or group” on page 60.
You can view and modify the settings of a different server or group by selecting the server or
group in the Select Asset window.

To modify or view server or server group settings


1 In the console on the toolbar, click Change.
2 In the Select Asset window, select the server or group whose settings you want to modify
or view.
3 Click Select.

Viewing the status of a server


Mail Security provides server status information on the Home page of the Mail Security console.
You can view more detailed information about the status of a server by accessing Monitors
> Server Status.
The server status details appear in the Server Status preview pane. If you are in a group
view, the Server Status list contains all of the servers in the group. The first time that you
access the Server Status in a group view, you must refresh the page to view the list of servers.
If you are in a single-server view, the Server Status list contains the server that you selected.
To view the status of a server
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Server Status.
3 In the Server Status table, select the server whose status you want to view.
If you are in a server view, the server is already selected.
4 Press F5 to refresh the list.
Refreshing the list might take several minutes for a large group.
See “Modifying or viewing server or server group settings” on page 66.

Creating a user-defined server group


If your network contains a large number of Exchange servers, create user-defined groups.
Add servers to your user-defined groups that have a common purpose and, therefore, require
the same protection. This lets you administer all of your servers that run Mail Security on a
group basis.
To create a user-defined server group
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the sidebar under Tasks, click New group.
3 In the New Group window, in the Group Name box, type a name for the user-defined
server group.

4 In the Global Group list, select the appropriate group, and then click OK.
5 Click Close.
See “Modifying or viewing server or server group settings” on page 66.

Adding servers to a group


You can add servers to the Global Group or to a user-defined server group within a Global
Group. Group servers together that have a common purpose and, therefore, require the same
protection. By adding a server to a group, you can apply a common set of protection settings
once, rather than repeatedly to each server. In a large network with multiple servers that
perform similar roles, the reduction in configuration time and maintenance costs can be
considerable.
Mail Security automatically detects the Exchange servers that are within your domain. Identify
servers outside of your domain by their name or IP address.
You can install Mail Security on the servers that you add to a server group. All servers must run the same version of Mail Security as the console to be managed from it.

Note: Each Global Group is tied to one Exchange Server version. For example, the Exchange 2013 Global Group can contain Exchange 2013 servers only.

See “Installing Symantec Mail Security for Microsoft Exchange” on page 31.
To add servers to a group
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Add server(s).
3 In the Add Server(s) window, under Management group, do one of the following:
■ To select an existing group, click Select group, select the existing group in which you want to add the server, and then click OK.
■ To create a new group, in the Group box, type the name of the new server group that you want to create.

4 Under Servers to add, do one of the following:


■ In the Available servers list, select one or more servers, and then click the >>
command icon.
■ In the Server name or IP box, type the server name or IP address of the server that
you want to add, and then click the >> command icon.

5 Under Server options, in the TCP port number box, type the TCP port number for the
server or group of servers that you want to add.
The default port number is 8081. All of the servers that you add in one operation must use the same port number. The port number and SSL setting that you enter must match the server's own configuration, or the console cannot communicate with the server.
See “Modifying the port and the communication properties of a server” on page 73.
6 Check Send group settings to apply group settings to the newly added server.
If unchecked, existing server settings are retained, and the future changes that are made
to the server group are applied to the server.
7 Check Install SMSMSE to install Mail Security to the newly added server.
8 Check Keep installation files on server(s) to maintain the installation files on the server.
9 Click OK, and then click Close.

Moving a server to another user-defined server group


You can move a server from one user-defined group to another user-defined group. You can
choose to retain the server's settings or apply the settings of the new group.
If you have already created the user-defined group to which you want to move the server and
you do not want to apply the group's settings, you can move the server by dragging it to the
group.
Use the Move Server window to create a new user-defined group, move multiple servers, or
apply group settings to the newly added server.
To drag a server to another user-defined server group
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the
server that you want to move and the group you want to move the server to, if necessary.
3 Select the server that you want to move and drag it into the new server group.
4 In the confirmation dialog box, click OK.
5 Click Close.
To move a server to another user-defined server group using the Move Server window
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the
server that you want to move and the group you want to move the server to, if necessary.
3 Do one of the following:
■ Select the server that you want to move and under Tasks, click Move server.

■ Right-click on the server that you want to move, and then click Move server.

4 In the Move Server window, do one of the following:


■ Select the user-defined server group to which you want to add the server.
■ In the Select a group or add a new group box, type the name of a new user-defined
server group.

5 Check Send group settings to server to apply the settings of the targeted user-defined
server group to the server.
6 Click OK, and then click Close.
See “Synchronizing group settings to a server” on page 70.

Synchronizing group settings to a server


Settings on a particular server might not be synchronized with its server group settings. This
situation can occur if a server is configured in the server view.
To synchronize group settings to a server
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, under Assets, select the server to which you want
to apply group settings.
3 In the sidebar under Tasks, click Send group settings to server.
This step applies the settings of the server group to the selected server.
4 In the Operation Status window, click Close when the operation is complete.
5 In the Asset Management window, click Close.
See “Modifying or viewing server or server group settings” on page 66.

Restoring default settings to a server or group


You can restore all of the settings for a server or group to their initial, default settings. Restoring
default settings also deletes any custom content filtering rules, file type filtering rules, match
lists, report templates, and scheduled scans that you have created. It does not delete existing
reports.
Close and reopen the Mail Security console to see the updated settings.
To restore default settings to a server or group
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, under Assets, select the server or group whose settings you want to restore to the Mail Security defaults.

3 In the sidebar under Tasks, click Reset to factory defaults.


4 In the Reset to factory defaults confirmation dialog box, click OK.
5 In the Operation Status window, click Close when the operation is complete.
6 In the Asset Management window, click Close.
See “Modifying or viewing server or server group settings” on page 66.

Removing a server from group management


Removing a server from group management does not uninstall Mail Security from the server.
Mail Security continues to provide protection. However, you can no longer manage a server
through the Mail Security console when you remove it from the Global Group.
To remove a server from group management
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, under Assets, in the Global Group - Exchange Server
list, select one or more servers that you want to remove.
3 In the sidebar under Tasks, click Remove server.
4 In the confirmation dialog box, click OK.
5 Click Close.
See “Removing a server group” on page 71.

Removing a server group


Remove a server group when it is no longer needed. The server group settings are retained
on the servers that are in the group until new settings are applied.
If you remove a user-defined server group, the servers that belong to the group can be managed
through the Global Group.

Note: Global Groups cannot be removed.

To remove a server group


1 In the console on the toolbar, click Assets.
2 In the Asset Management window, under Assets, select the group that you want to
remove.
3 In the sidebar under Tasks, click Remove group.

4 In the confirmation dialog box, click OK.


5 Click Close.
See “Removing a server from group management” on page 71.

Exporting and importing settings


Mail Security lets you export the settings for a server or group to an .xml file. You can keep the file as a backup of the configuration or import it on another computer.
You can view the setting configurations in the console when you import settings. However,
the settings are not applied until you deploy them. You can only deploy settings for Symantec
Premium AntiSpam if the computer on which you import the settings has a valid Symantec
Premium AntiSpam license.
You can only export setting configurations, not data such as items in the event log. Deploy
pending changes before you export settings.

Note: Importing settings file exported from version 7.5 into version 7.9 is not supported.

To export settings
1 In the console on the toolbar, click File > Export.
2 In the confirmation dialog box, click OK.
3 In the Select the file to save exported settings window, choose the location where you
want to save the file.
4 In the File name box, type the file name.
5 Click Save.
6 In the Operation Status window, click Close when the operation is complete.
To import settings
1 In the console on the toolbar, click File > Import.
2 In the confirmation dialog box, click OK.
3 In the Select an SMSMSE settings file window, locate the file that you want to import.

4 Click Open.
5 In the console on the toolbar, click Deploy changes to apply your changes.

Note: You must manually re-create any consolidated report schedules after you import
the settings.

See “Deploying settings and changes to a server or group” on page 60.

Modifying the port and the communication properties of a server


Mail Security uses Transmission Control Protocol (TCP) port 8081 by default for communication between the console and a server. You can change the port after the server has been added to management control. If you change the port number, choose a number that is not in use by another program or service, and remember that the port number and SSL setting in the server's properties must match the server's own configuration or the console cannot connect.
You can also specify whether to use Secure Sockets Layer (SSL) for communication between the console and a server. Without SSL, settings deployed from the console travel to the server in clear text on that port.
See “Implementing SSL communications” on page 43.
To modify the port and the communication properties of a server
1 In the console on the toolbar, click Assets.
2 In the Asset Management window, under Assets, select a server.
3 In the sidebar under Tasks, click Server properties.
4 In the Properties window, in the Port number box, type the new port number.
The default port number is 8081.
5 Check Use SSL to use SSL for communication between the console and server.
6 Click OK, and then click Close.

Creating and assigning a custom throttling policy to the Mail Security service account user
Microsoft Exchange Server uses client throttling policies to manage the performance of your
Exchange organization. Exchange Server tracks the resources that each user consumes and
enforces connection and bandwidth limits as necessary.
The Mail Security service account is subject to the default Client Access Server (CAS) throttling
policy. The limits in the default policy are not sufficient for multithreaded manual scanning,
which reads mailboxes through Exchange Web Services (EWS) under that account, so a manual
scan may run slowly under the default policy. Create a custom throttling policy with unlimited EWS
budgets and assign it to the Mail Security service account user only.
See “About manual scans” on page 181.
To create and assign a custom throttling policy to the Mail Security service account user
1 Click Start > Programs > Microsoft Exchange Server server version > Exchange
Management Shell.
2 Type the following command to create the throttling policy, and then press Enter:
New-ThrottlingPolicy -Name <PolicyName> -EWSPercentTimeInAD $null -EWSPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSMaxSubscriptions $null -EWSPercentTimeInCAS $null

Note: The EWSPercentTimeInAD, EWSPercentTimeInMailboxRPC, and EWSPercentTimeInCAS parameters
exist only in Exchange Server 2010, where $null means unlimited. Exchange Server 2013 and later
replace them with EwsMaxBurst, EwsRechargeRate, and EwsCutoffBalance, and take the value
Unlimited instead of $null; the EwsMaxConcurrency and EwsMaxSubscriptions parameters are available
in all versions. Use the parameter names that Get-Help New-ThrottlingPolicy lists on your server.

3 Type the following command to assign the throttling policy to the Mail Security service
account user, and then press Enter:
Set-ThrottlingPolicyAssociation -Identity <ServiceAccountUserName> -ThrottlingPolicy <PolicyName>
Assign the policy only to the service account. Do not make it the organization default, because
that removes EWS throttling for every user.
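The following Exchange Management Shell script is an added example; it is not part of this guide or of the SMSMSE product. It carries out steps 2 and 3 for either Exchange version by checking which parameters the local New-ThrottlingPolicy cmdlet exposes, skips creation if the policy already exists, and verifies the association afterwards. The policy name SMSMSE-Unthrottled and the account CONTOSO\svc-smsmse are placeholders; replace them with your own.

```powershell
# Added example (not from the SMSMSE guide): create an unthrottled EWS policy for
# the Mail Security service account and verify the association.
# Run in the Exchange Management Shell with Organization Management rights.
# Both names below are placeholders (assumptions); substitute your own.
$PolicyName     = 'SMSMSE-Unthrottled'
$ServiceAccount = 'CONTOSO\svc-smsmse'

$newPolicy = Get-Command New-ThrottlingPolicy -ErrorAction Stop
$params    = @{ Name = $PolicyName }

if ($newPolicy.Parameters.ContainsKey('EWSPercentTimeInAD')) {
    # Exchange 2010: the percent-time budgets exist and $null means unlimited
    # (this is the form the guide's step 2 shows).
    $params += @{
        EWSPercentTimeInAD         = $null
        EWSPercentTimeInMailboxRPC = $null
        EWSPercentTimeInCAS        = $null
        EWSMaxConcurrency          = $null
        EWSMaxSubscriptions        = $null
    }
} else {
    # Exchange 2013 and later: percent-time budgets were replaced by
    # burst/recharge/cutoff balances, and the literal 'Unlimited' lifts them.
    $params += @{
        EwsMaxConcurrency   = 'Unlimited'
        EwsMaxSubscriptions = 'Unlimited'
        EwsMaxBurst         = 'Unlimited'
        EwsRechargeRate     = 'Unlimited'
        EwsCutoffBalance    = 'Unlimited'
    }
}

# Idempotent: only create the policy if it does not already exist.
if (-not (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy @params | Out-Null
}

# Bind the relaxed limits to the one service account only. Never set this
# policy as the organization default; that would remove EWS throttling for
# every user, including any account an attacker controls.
Set-ThrottlingPolicyAssociation -Identity $ServiceAccount -ThrottlingPolicy $PolicyName

# Verify: the association must now point at the new policy.
$assoc   = Get-ThrottlingPolicyAssociation -Identity $ServiceAccount
$applied = "$($assoc.ThrottlingPolicyId)"
if ($applied -notmatch [regex]::Escape($PolicyName)) {
    throw "Throttling policy not applied to $ServiceAccount (current: '$applied')"
}
"$ServiceAccount -> $applied"
```

The parameter check against Get-Command is what makes the script safe to run on a mixed 2010/2013+ estate: passing a 2010-only parameter to a 2013 shell fails before any change is made, and the final Get-ThrottlingPolicyAssociation confirms that the limits landed on the intended account and nowhere else.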

Configuring .NET 3.5 for TLS 1.2 protocol

Windows Server 2019 enables the Transport Layer Security (TLS) 1.2 protocol by default. Symantec
Mail Security for Microsoft Exchange runs on .NET Framework 3.5, which does not negotiate TLS 1.2
unless it is configured to follow the operating system's default protocol versions. Until you
configure it, some SMSMSE features, such as manual scan and remote connections from the console
to a server, may not work properly.

Note: This configuration also applies on other Windows platforms where the TLS 1.2 protocol is
enabled. It is machine-wide: every application on the server that runs on .NET Framework 2.0, 3.0,
or 3.5 is affected, not only SMSMSE.

To configure .NET 3.5 for TLS 1.2 protocol
1 Open the Windows Registry Editor and navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
Add the DWORD value SystemDefaultTlsVersions and set it to 1.
2 In the Windows Registry Editor, navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
Add the DWORD value SystemDefaultTlsVersions and set it to 1.
The v2.0.50727 key applies to .NET Framework 3.5 because that framework runs on the 2.0 common
language runtime. The value is read when a process starts, so restart the Mail Security service
and the console after you change it.
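The following PowerShell script is an added example and not part of this guide. It writes the two registry values from the procedure above, re-reads them from both registry views, and fails if either one is missing or not set to 1. Run it in an elevated PowerShell session on the Exchange server; the function names are the example's own.

```powershell
# Added example (not from the SMSMSE guide): set SystemDefaultTlsVersions=1 for
# CLR 2.0 (.NET 2.0/3.0/3.5) in both registry views, then verify.
# Run in an elevated PowerShell session. The change is machine-wide.
$Clr2Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)
$ValueName = 'SystemDefaultTlsVersions'

function Set-Clr2SystemDefaultTls {
    foreach ($key in $Clr2Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1 = let .NET 3.5 negotiate whatever Schannel allows, including TLS 1.2.
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-Clr2SystemDefaultTls {
    # Returns $true only when both views carry the value 1.
    $ok = $true
    foreach ($key in $Clr2Keys) {
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        $val  = if ($null -ne $item) { $item.$ValueName } else { '<missing>' }
        Write-Host ("{0,-68} {1}" -f $key, $val)
        if ($val -ne 1) { $ok = $false }
    }
    return $ok
}

Set-Clr2SystemDefaultTls
if (-not (Test-Clr2SystemDefaultTls)) {
    throw "$ValueName is not set to 1 in both registry views"
}
Write-Host 'Done. Restart the Mail Security service and the console so the running processes pick up the new default.'
```

Checking both views matters because a 32-bit and a 64-bit process on the same server read different keys; setting only one of them leaves half of the .NET 3.5 components on the server still unable to reach a TLS 1.2-only endpoint.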

About transport submission queue monitor

You can monitor the Exchange transport submission queue by configuring a queue size threshold.
When the queue reaches 90% of the configured size, Mail Security skips scanning of new messages
until the queue size drops back within the configured limit. Messages that are skipped are
delivered without being scanned, so treat the threshold event as a security alert and not only
as a performance notice.
This feature is useful in the following situations:
■ Email delivery is a higher priority than scanning it
■ The server is running low on resources
■ Any other reason that causes the queue to build up
Using this feature in normal conditions is not recommended.
To configure the transport submission queue monitor
1 Open the Windows Registry Editor and navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\7.9\Server
2 Add the following DWORD values:
To enable the queue monitor: SubmissionQThresholdEnabled=1
To configure the queue size: SubmissionQThreshold=1000
Fine-tune this value as per the requirement and the system configuration.
Current submission queue count: CurrentSubmissionQCount
The following Windows events are written to the Windows Application event log:
■ Event 422 - Transport Submission Queue Threshold reached
■ Event 423 - Transport Submission Queue Threshold recovered
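The following PowerShell script is an added example and not part of this guide. It enables the queue monitor with the threshold value from the table, reads back the configured and current values, and queries the Application log for events 422 and 423 over the last 24 hours. The guide does not name the event provider, so the query filters on event ID only; the cross-check against Exchange's own Submission queue runs only when the Exchange Management Shell cmdlets are loaded. The script treats CurrentSubmissionQCount as a value that Mail Security maintains and only reads it; that is an assumption, since the guide lists the name without a value.

```powershell
# Added example (not from the SMSMSE guide): enable the transport submission queue
# monitor, read back its values, and pull the 422/423 threshold events.
# Run in an elevated PowerShell session on the Exchange server.
$SmsmseKey = 'HKLM:\SOFTWARE\Symantec\SMSMSE\7.9\Server'

function Enable-SubmissionQueueMonitor {
    param([int]$Threshold = 1000)   # the guide's example value; tune per server
    if (-not (Test-Path $SmsmseKey)) { throw "SMSMSE server key not found: $SmsmseKey" }
    New-ItemProperty -Path $SmsmseKey -Name 'SubmissionQThresholdEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $SmsmseKey -Name 'SubmissionQThreshold' -PropertyType DWord -Value $Threshold -Force | Out-Null
    # Scanning is skipped once the queue reaches 90% of the threshold.
    [pscustomobject]@{ Threshold = $Threshold; SkipScanningAt = [int][math]::Floor($Threshold * 0.9) }
}

function Get-SubmissionQueueStatus {
    $p = Get-ItemProperty -Path $SmsmseKey -ErrorAction Stop
    # Assumption: CurrentSubmissionQCount is maintained by Mail Security; it is only read here.
    $status = [pscustomobject]@{
        Enabled       = [bool]$p.SubmissionQThresholdEnabled
        Threshold     = $p.SubmissionQThreshold
        CurrentCount  = $p.CurrentSubmissionQCount
        ExchangeQueue = $null
    }
    # Cross-check against Exchange's own view of the local Submission queue
    # when the Exchange cmdlets are available in this session.
    if (Get-Command Get-Queue -ErrorAction SilentlyContinue) {
        $q = Get-Queue | Where-Object { $_.Identity -like '*\Submission' }
        $status.ExchangeQueue = $q.MessageCount
    }
    return $status
}

function Get-SubmissionQueueEvents {
    param([int]$Hours = 24)
    # 422 = threshold reached: from here until 423 (recovered), messages are
    # delivered without being scanned, so alert on 422 rather than just log it.
    # The guide does not name the event provider, so this filters on ID only.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 422, 423
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Enable-SubmissionQueueMonitor -Threshold 1000
Get-SubmissionQueueStatus
Get-SubmissionQueueEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Forwarding event 422 to your SIEM gives you the start of each window in which mail was delivered unscanned, and event 423 gives you its end; the two together bound the set of messages that should be re-scanned or reviewed after an incident.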
Chapter 5
Quarantining messages and attachments
This chapter includes the following topics:

■ About the quarantine

■ Forwarding quarantined items to the Quarantine Server

■ Establishing local quarantine thresholds

■ Viewing the contents of the local quarantine

■ Filtering the quarantined items

■ Specifying an action to take when a quarantine threshold is met

■ About releasing messages from the local quarantine

■ Deleting items from the local quarantine

About the quarantine


Mail Security provides the following options for quarantining messages:

Local quarantine
You can choose to send infected messages and attachments to the local quarantine when
you configure Mail Security policies. You can also configure policies to quarantine the
messages that trigger violations.
See “Establishing local quarantine thresholds” on page 78.
See “Viewing the contents of the local quarantine” on page 79.
See “Deleting items from the local quarantine” on page 85.

Quarantine Server
You can forward the infected files that are in the local quarantine to the Symantec
Quarantine Server, if it is set up on your network. Mail Security forwards infected files to
the Quarantine Server at 60-minute intervals.
Files that are sent to the Quarantine Server are then forwarded to Symantec for analysis
in real time over HTTPS. Symantec automatically distributes updated definitions to the
Quarantine Server when they are available.
The Quarantine Server is a component of Symantec AntiVirus Central Quarantine. Mail
Security supports version 3.4 or later of the Symantec AntiVirus Central Quarantine Server.
Version 3.4 is provided with the Mail Security installation package at the following location
and must be installed separately:
\ADMTOOLS\DIS
See the Symantec Central Quarantine Administrator's Guide for more information about
the Symantec AntiVirus Central Quarantine, which is provided with the installation package
at the following location:
\DOCS\DIS\CentQuar.pdf

Note: Files that contain non-viral threats, are unscannable, or violate filtering rules are
not forwarded to the Quarantine Server.

Forwarding quarantined items to the Quarantine Server
You can configure Mail Security to forward items in the local quarantine to the Quarantine Server,
if you have the Quarantine Server installed.
Only the items that contain threats can be forwarded to the Quarantine Server.
To forward quarantined items to the Quarantine Server
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area under Quarantine Server, check Send quarantined items to
Quarantine Server.
4 Check Delete local quarantined items after forwarding to Quarantine Server to remove
items from the local quarantine.
5 In the Server Address box, type the IP address of the Quarantine Server.
6 In the Server Port box, type the port number for the Quarantine Server.
7 In the Network Protocol list, click the drop-down menu and select the appropriate network
protocol.
8 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Establishing local quarantine thresholds


You can specify the thresholds for the local quarantine and how you want Mail Security to
respond when a threshold is met.
See “Specifying an action to take when a quarantine threshold is met” on page 81.
When you establish the quarantine thresholds for the local quarantine, you can specify the
following limits:
Maximum number of items: The maximum number of messages or attachments that are stored in the quarantine
Maximum size of quarantine: The maximum total size (in megabytes or gigabytes) of the quarantine
Retain items in quarantine: The maximum number of days to retain a message or attachment in the quarantine

To establish local quarantine thresholds


1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area, under Quarantine Thresholds, check Maximum number of items,
and then type the maximum number of messages or attachments to retain in the quarantine.
4 To limit the maximum size of the quarantine, do the following:
■ Check Maximum size of quarantine.
This item is checked by default.
■ Type the maximum size of the quarantine.
The default value is 500.
■ Click the drop-down menu and select MB or GB.
The default value is MB.

5 Check Retain items in quarantine to limit how long an item is quarantined, and then
type the number of days.
Viewing the contents of the local quarantine


You can view the contents of the local quarantine for a server or a server group. In the server
group view, quarantined items are consolidated and displayed for the last seven days for all the
servers in the group.
See “Modifying or viewing server or server group settings” on page 66.
Table 5-1 lists the information that is found in the Quarantine list pane.

Table 5-1 Quarantined file summary information
Time encrypted: The date and time when Mail Security intercepted and encrypted the file.
Recipient: Intended recipient(s) of the message.
Sender: Address of the sender of the message.
Message part: Part of the message that was sent to the quarantine.
Location: Location where the file was intercepted.
Rule violated: The policy or the rule that was violated.
Quarantine Id: The alphanumeric identifier that Mail Security assigns to the quarantined file.
Sent to QServer: Whether the file was sent to the Quarantine Server.

When you select an item in the Quarantine, details about the message (and attachments, if
any) appear in the preview pane.
Table 5-2 lists the detailed information that is shown in the preview pane.

Table 5-2 Quarantined file detailed information
Time encrypted: The date and time when Mail Security intercepted and encrypted the file.
Attachment Name: Name of the attachment that triggered the violation. If the message body triggered the violation, this entry is: Message Body.
Rule violated: The policy or the rule that was violated.
Location: Location where the file was intercepted.
Sender: Address of the sender of the message.
Recipient(s): Intended recipient(s) of the message.
Sent to QServer: Whether the file was sent to the Quarantine Server.
Virus Name: Name of the virus, if a virus was detected.

To view the contents of the local quarantine


1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine.
3 In the list pane, click an item to view the item's details.
The data appears in the preview pane.
4 Press F5 to refresh the display.

Filtering the quarantined items

You can view the quarantined items in the group view as well as the server view. In the server
group view, quarantined items are consolidated and displayed for the last seven days for all the
servers in the group.
You can use the following filters to narrow down the list. Use one filter or combine several:
■ Quarantine ID
■ Violated rule
■ Attachment name
■ Item encryption time
To filter the quarantined items
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine.
3 In the sidebar under Tasks, click Search Item.
4 In the Search Criteria for Quarantine window, use the following filters:
Quarantine ID: Filter the items based on the Quarantine ID.
Rule violated: Type the name of the violated rule to filter the items that are quarantined for the specific rule violation.
Message part (Attachment name): Filter the items based on the attachment name.
Time encrypted: Select the option and specify the date range to filter the items that were quarantined (encrypted) during the specified period.

Note: You can type the complete filter value or part of it (a literal string) to filter the items.
Regular expression and wildcard searches are not supported.

5 To clear the search results on the page, in the sidebar under Tasks, click Clear Search.

Specifying an action to take when a quarantine threshold is met
You can define thresholds for the local quarantine and specify the actions that you want Mail
Security to take when a quarantine threshold is met.
See “Establishing local quarantine thresholds” on page 78.
You can specify any of the following actions:
Notify Administrator: Sends a notification message to the administrator when a threshold is met. This item is checked by default.
Notify others: Sends a notification to the other recipients that you specify when a threshold is met.
Delete oldest items: Removes the oldest items in the local quarantine when a threshold is met.

To specify an action to take when a quarantine threshold is met


1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 Under When a threshold is met, check Notify Administrator to send notification


messages to the administrator.
See “Configuring notification settings for scan violations” on page 193.
4 Check Notify others to send notification messages to additional people.
5 In the Notify others box, type the email addresses of the people to whom you want Mail
Security to send notifications.
Separate email addresses with commas.
6 Check Delete oldest items to remove the items that reach a threshold.
This option is not enabled by default.
If Delete oldest items is not checked and a quarantine size threshold is reached, the
event is logged. Mail Security sends a notification to the recipients that are specified on
the Quarantine Settings page.
7 Under Administrator Notification, in the Subject Line box, type your subject line text.
The default text is: Administrator Alert: The Symantec Mail Security Quarantine has
exceeded a set limit.
8 In the Message Body box, type the administrator notification message body.
The default text is: You should manage the Quarantine to remove files or change the
Quarantine settings. Details: %details%.
You can use variables in the message body.
See “Alert and notification variables” on page 239.
9 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

About releasing messages from the local quarantine


You can release messages from the local quarantine in the following ways:
■ Release messages by email
See “Releasing messages from the local quarantine by email” on page 83.
■ Release messages to a file
See “Releasing messages from the local quarantine to a file” on page 84.
Note: By default, Mail Security version 7.5 and later do not re-scan items that were quarantined
for antivirus or file filtering violations when they are released. Items that were quarantined for
content filtering violations are re-scanned on release, but only against virus policies and file
filtering conditions. This behavior is configurable through the registry.

Messages that are released from the quarantine are not filtered for spam or content filtering
rules. Releasing an item that was quarantined as a threat therefore delivers that item to its
recipients unscanned; release such items only after you have confirmed that the detection was a
false positive.

Releasing messages from the local quarantine by email


You can send quarantined files to specified destinations by email. When you release a file
from the quarantine by email, you remove it from the quarantine.
The released email is sent with revised sender information to the recipients that are
specified in the To box. Rather than being sent from the original sender's email address, it is
sent from the email account that you specify on the Notification Settings page. The email is
not delivered to the recipients that are specified in the Cc or Bcc boxes.
If Mail Security releases an email that was quarantined by the Quarantine entire message and
replace with text action, the released email contains the original message as an attachment in
.msg format.
See “Configuring notification settings for scan violations” on page 193.
To release messages from the local quarantine by email
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine.
This option is not available in the group view.
3 Do one of the following:
■ In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
■ In the list pane under Quarantine, select the items that you want to release.
To select multiple items, press CTRL and select the items that you want to release.
To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release by mail.
5 In the Releasing item(s) by mail window, select from the mail options that Mail Security
provides:
Send to original intended recipient(s): Sends the message to the original intended recipient(s).
Send to administrators: Sends the message to administrators. List administrators' email addresses in the Administrators box. Separate multiple email addresses with commas.
Send to the following: Sends the message to alternate recipients. List recipients' email addresses one per line in the Alternate recipients box.

6 Click OK.
7 In the Operation Status window, click Close when the operation is complete.

Releasing messages from the local quarantine to a file


You can move quarantined messages to a folder for review or analysis. The folder is in the
following location:
\Program Files\Symantec\SMSMSE\7.9\Server\Quarantine\Release
The file location cannot be modified.
Messages that Mail Security quarantines by taking the Quarantine entire message and
replace with text action are saved at this location in the .msg format.
See “Releasing messages from the local quarantine by email” on page 83.
To release messages from the local quarantine to a file
1 In the console on the primary navigation bar, click Monitors.
2 Under Views, click Quarantine.
This option is not available in group view.
3 Do one of the following:
■ In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
■ In the list pane under Quarantine, select the items that you want to release.
To select multiple items, press CTRL and select the items that you want to release.
To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release to file (Save).


5 In the Releasing to file and delete dialog box, select one of the following options:
Yes: Removes the item from the quarantine after it has been saved to the Release folder.
No: Keeps the item in the quarantine after it has been saved to the Release folder.
Cancel: Cancels the file release operation.

6 In the confirmation dialog box, click OK.


7 In the Operation Status window, click Close when the operation is complete.

Deleting items from the local quarantine


You can delete one or more items from the quarantine at a time.
See “About releasing messages from the local quarantine” on page 82.
To delete items from the local quarantine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine.
3 Do one of the following:
■ In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
■ In the list pane under Quarantine, select the items that you want to remove.
To select multiple items, press CTRL and select the items that you want to delete. To
unselect all of the selected items, in the sidebar under Tasks, click Deselect all.

4 In the sidebar under Tasks, click Delete.


Chapter 6
Protecting your server from risks
This chapter includes the following topics:

■ About Mail Security policies

■ About protecting your server from risks

■ Configuring a threat detection

■ Configuring a security risk detection

■ Configuring file scanning limits

■ Configuring rules to address unscannable and encrypted files

■ Remediation overview

■ How remediation works

■ Configuring remediation options

■ Types of Remediation

■ Remediation feed settings

■ Creating an email remediation feed

■ Enabling authentication key

■ Managing certificates

■ About file reputation


About Mail Security policies


Mail Security scans email messages and their attachments for policy violations. A policy
is a set of rules that are designed to detect potential risks to your Microsoft Exchange mail
system.
Mail Security contains the following policies:

General: Contains the rules that control scanning limits, exceptions, and outbreak management.

Antivirus: Contains the rules for detecting messages and attachments that contain viruses, that have virus-like characteristics, or that contain security risks such as adware or spyware.

Antispam: Contains the rules for the following:
■ Detect spam.
■ Allow specified senders to bypass antispam scanning.
■ Specify the recipients whose email messages are not scanned for spam.

Content Enforcement: Contains the rules to filter inappropriate content in message bodies and attachments. Also contains the file filtering rules and match lists that let you detect and block messages by file name and file type.

See “About protecting your server from risks” on page 87.


See “How Mail Security detects risks” on page 88.

About protecting your server from risks


Mail Security can detect risks in all major file types (for example, Windows®, DOS, Microsoft®
Office Word, and Microsoft® Office Excel files).
Table 6-1 describes the risks against which Mail Security protects your Exchange server.

Table 6-1 Risks that can threaten your Exchange server

Threats: Mail Security detects viruses, worms, and Trojan horses in all major file types.
See “Configuring a threat detection” on page 89.

Mass-mailer worms: Mail Security detects that an email message is a mass-mailer worm and automatically deletes the infected email message and any attachments.
See “Configuring a threat detection” on page 89.

Denial-of-service attacks: Mail Security protects your network from file attachments that can overload the system and cause a denial of service: container files that are overly large, that contain large numbers of embedded or compressed files, or that are designed to consume resources and degrade performance when they are decomposed (decompression bombs). You can impose limits on how Mail Security handles container files to reduce your exposure to these threats.
See “Configuring file scanning limits” on page 95.

Security risks: Mail Security detects security risks, such as adware, dialers, hacking tools, joke programs, remote access programs, spyware, and trackware.
See “Configuring a security risk detection” on page 92.

Mail Security also helps you detect and block other potential risks from entering your network,
such as unscannable and encrypted container files.
See “Configuring rules to address unscannable and encrypted files” on page 96.
When a risk is detected, the incident is logged to the locations that you specify. You can also
configure Mail Security to issue alerts when risks are detected or when an outbreak occurs.
See “About logging events” on page 204.
See “About outbreak management” on page 194.

How Mail Security detects risks


Mail Security uses the following tools to detect risks:

Definitions: Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new threats. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains the information needed to detect and eliminate the threat. Mail Security searches for these signatures when it scans for threats.

Heuristics: Mail Security uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound scans for unusual behavior, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats.
Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead because it examines only message bodies and the attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.

Container file decomposer: Mail Security contains a decomposer that extracts container files so that their contents can be scanned for risks. The decomposer extracts nested containers until it reaches the base file or until it reaches its extraction limit. If the decomposer reaches the limit before the base file is reached, the scanning process stops, Mail Security logs the violation to the specified logging destinations, and the file is handled according to the Unscannable File Rule.

See “About protecting your server from risks” on page 87.

Configuring a threat detection


To configure threat detection, do the following:

Enable threat detection scanning: Mail Security detects viruses, worms, and Trojan horses in all major file types. Antivirus scanning must be enabled for Mail Security to detect threats. Threat detection scanning applies to all types of scans.
See “About the types of scanning that you can perform” on page 170.

Set the Bloodhound Detection level: Mail Security uses Bloodhound technology to supplement the detection of threats by signature.
You can customize your level of protection against new threats, from no heuristic protection to a high level of protection. A high level of protection increases the protection of your network; however, server performance might be affected. At lower levels of protection, an unknown threat might escape detection, but the impact on server performance is smaller. In most cases, the default (Medium) setting is appropriate.
See “How Mail Security detects risks” on page 88.

Enable mass-mailer worm-infected message detection: When this feature is enabled, Mail Security detects that an email message is a mass-mailer worm or virus and deletes the infected email message and any attachments. Mail Security does not send notifications after deleting a mass-mailer worm or virus message and its attachments. When the mass-mailer detection feature is not enabled, an infected mass-mailer email message is treated the same as any other infected message.

Enable advanced heuristics detection: Mail Security provides better antivirus protection if you check the Advanced heuristics detection check box.

Modify default threat detection rules, as needed: Mail Security provides default antivirus rules, which are always enabled. You can modify these rules.

To configure a threat detection


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content area under Antivirus Settings, check Enable virus scanning.
Virus scanning is enabled by default.
4 In the Bloodhound Detection list, select one of the following using the drop-down menu:
Off: Disables Bloodhound Detection.
Low: Optimizes server performance, but might not detect potential threats.
Medium: Provides a balance between threat detection and server performance. This is the default setting.
High: Increases the detection of threats, but might affect server performance.

5 Check Delete mass-mailer worm-infected messages (no notifications) to automatically


delete mass-mailer messages.
This feature is enabled by default.
6 In the Rules table, select any of the following rules to view or modify them in the preview
pane:
Basic Virus Rule: Applies to the messages or the attachments that contain repairable threats. This rule is always enabled.
Unrepairable Virus Rule: Applies to the messages or the attachments that contain threats that cannot be repaired. This rule is always enabled.
Security Risk Rule: Applies to messages that contain security risks, such as adware or spyware. This rule is enabled by default.
See “Configuring a security risk detection” on page 92.

The settings for the rule that you select appear in the preview pane.
7 In the preview pane, in the Action to take list, select the action to take when a threat is
detected using the drop-down menu.
8 In the Replacement text box, type your customized message if you want to replace the
message or the attachment body with a text message.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original file contained %violation% and was %action%.
You can use variables in your customized text.
See “Alert and notification variables” on page 239.
9 Check one or more of the following to send email notifications about the detection:
■ Notify administrators.
Click the down arrow and type your customized text in the Subject line box and the
Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Administrator Alert: Symantec Mail Security detected
%violation%
■ Default message body text: Location of the infected item: %location% Sender of
the infected item: %sender% Subject of the message: %subject% The attachment(s)
"%attachment%" was %action% for the following reasons: %information% This
was done due to the following Symantec Mail Security settings: Scan: %scan%
Rule: %rule%

■ Notify internal sender.


Click the down arrow and type your customized text in the Subject line box and the
Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Symantec Mail Security detected %violation% in a message
that is sent from your address
■ Default message body text: %subject% Recipient of the message: %recipient%

■ Notify external sender.


Click the down arrow and type your customized text in the Subject line box and the
Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Symantec Mail Security detected %violation% in a message
that is sent from your address
■ Default message body text: Subject of the message: %subject% Recipient of the
message: %recipient%
See “Alert and notification variables” on page 239.

10 On the toolbar, click Deploy changes to apply your changes.


See “Deploying settings and changes to a server or group” on page 60.

Configuring a security risk detection


Mail Security can detect security risks. Security risks are the programs that do any of the
following:
■ Provide unauthorized access to a computer
■ Compromise data integrity, privacy, confidentiality, or security
■ Present some type of disruption or nuisance
These programs can put your employees and your organization at risk for the following:
■ Identity theft or fraud by logging keystrokes
■ Capture of email and instant messaging traffic
■ Theft of personal information such as passwords and logon identifications
Security risks can be introduced onto a computer without the user's knowledge. This can occur
when users visit a website, download shareware or freeware programs, click links or
attachments in email messages, or use instant messaging clients. A program can also be
installed after, or as a by-product of, accepting an End User License Agreement from another
software program that is related to the security risk.
Enable the Security Risk Rule for Mail Security to detect security risks.
Table 6-2 lists the categories of security risks that Mail Security detects.
Table 6-2 Security risk categories

Adware: Standalone or appended programs that gather personal information through the
Internet and relay it back to a remote computer without the user's knowledge. Adware might
monitor browsing habits for advertising purposes. It can also deliver the advertising content.

Hack tools: Programs that are used to gain unauthorized access to a user's computer. For
example, a keystroke logger tracks and records individual keystrokes and sends this information
to a remote computer. The remote user can perform port scans or vulnerability scans. Hack
tools might also be used to create viruses.

Dialers: Programs that use a computer, without the user's permission or knowledge, to dial
through the Internet to a 900 number or FTP site. Dialers are typically used to accrue charges.

Joke programs: Programs that alter or interrupt the operation of a computer in a way that is
intended to be humorous or bothersome. For example, a joke program might move the
Recycling Bin away from the mouse when the user tries to click on it.

Remote access programs: Programs that let a remote user gain access to a computer over
the Internet to gain information from, attack, or alter the host computer.

Spyware: Standalone programs that can secretly monitor computer activity and detect
passwords and other confidential information. Spyware can then relay the information back to
a remote computer.

Trackware: Standalone or appended applications that trace a user's path on the Internet and
relay the information to a remote computer.

To configure a security risk detection


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content area, in the Rules table, on the Security Risk Rule row, click the box under
the Status column. Then select Enabled from the drop-down menu.
This rule is enabled by default.
4 In the preview pane, in the Action to take list, use the drop-down menu to select the
action to take when a security risk is detected.
5 In the Replacement text box, type your customized message if you want to replace the
message or the attachment body with a text message.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original file contained %violation% and was %action%.
You can use variables in your customized text.
See “Alert and notification variables” on page 239.
6 Check one or more of the following to send email notifications about the detection:
■ Notify administrators.
Click the down arrow and type your customized text in the Subject line box and the
Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Administrator Alert: Symantec Mail Security detected
%violation%
■ Default message body text: Location of the infected item: %location% Sender of
the infected item: %sender% Subject of the message: %subject% The attachment(s)
"%attachment%" was %action% for the following reasons: %information% This
was done due to the following Symantec Mail Security settings: Scan: %scan%
Rule: %rule%

■ Notify internal sender.


Click the down arrow and type your customized text in the Subject line box and the
Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Symantec Mail Security detected %violation% in a message
that is sent from your address
■ Default message body text: %subject% Recipient of the message: %recipient%

■ Notify external sender.


Click the down arrow and type your customized text in the Subject line box and the
Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Symantec Mail Security detected %violation% in a message
that is sent from your address
■ Default message body text: Subject of the message: %subject% Recipient of the
message: %recipient%
See “Alert and notification variables” on page 239.

7 On the toolbar, click Deploy changes to apply your changes.


See “Deploying settings and changes to a server or group” on page 60.
Configuring file scanning limits


Mail Security imposes limits on file extraction. These limits protect against denial-of-service
attacks that use overly large or complex container files that take a long time to decompose.
These limits also improve scanning performance.
Mail Security contains a decomposer that extracts container files so that they can be scanned
for risks. The decomposer continues to extract container files until it reaches the base file.
When a container file reaches a set limit, the scanning process stops. The violation is logged
to the specified logging destinations, and the file is handled according to the Unscannable File
Rule.
See “Configuring rules to address unscannable and encrypted files” on page 96.
To configure file scanning limits
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Scanning Limits.
3 In the content area, in the Maximum scan time (in seconds) box, type the maximum
time that Mail Security can spend extracting a single container file.
You can enter a value from 20 to 500000. The default value is 300.
4 In the Maximum archive scan depth (number of levels) box, type the maximum number
of nested levels of files that are decomposed within a container file.
You can enter a value from 1 to 50. The default value is 10.
5 In the Maximum size of one extracted file (in MB) box, type the maximum file size, in
megabytes, for individual files in a container file.
You can enter a value from 1 to 1024. The default value is 100.
6 In the Maximum total size of all extracted files (in MB) box, type the maximum size,
in megabytes, of all extracted files.
You can enter a value from 1 to 1024. The default value is 200.
7 In the Maximum number of files extracted box, type the maximum allowable number
of files to be extracted.
You can enter a value from 1 to 1000000. The default value is 5000.
8 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
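The limit checks described in this procedure, as an added example that is not part of the guide or the product: a Python model of a decomposer that walks nested zip containers and stops at the first of the five configured limits (scan time, archive depth, single-file size, total extracted size, file count), which is the point at which the message would be handled by the Unscannable File Rule for Scanning Limits. Zip is assumed as the container format, the limit values are the guide's defaults, and the nested sample archives are constructed in the code.

```python
import io
import time
import zipfile
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class ScanLimits:
    """The five Scanning Limits settings, with the guide's default values."""
    max_scan_time_s: float = 300   # Maximum scan time (20 to 500000 seconds)
    max_depth: int = 10            # Maximum archive scan depth (1 to 50 levels)
    max_file_mb: int = 100         # Maximum size of one extracted file (1 to 1024 MB)
    max_total_mb: int = 200        # Maximum total size of all extracted files (1 to 1024 MB)
    max_files: int = 5000          # Maximum number of files extracted (1 to 1000000)


class LimitExceeded(Exception):
    """Raised when extraction hits a limit; the container is then unscannable."""


@dataclass
class ScanStats:
    files: int = 0                 # entries extracted so far (nested containers included)
    total_bytes: int = 0           # declared size of everything extracted so far
    max_depth_seen: int = 0        # deepest nesting level reached (outer zip = level 1)
    leaves: list = field(default_factory=list)  # base (non-container) file names


def _walk(data, name, depth, limits, stats, started):
    """Extract one zip container and recurse into any zip it contains."""
    if depth > limits.max_depth:
        raise LimitExceeded(f"{name}: archive depth {depth} exceeds {limits.max_depth}")
    stats.max_depth_seen = max(stats.max_depth_seen, depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if time.monotonic() - started > limits.max_scan_time_s:
                raise LimitExceeded(f"{name}: scan time exceeds {limits.max_scan_time_s}s")
            if info.is_dir():
                continue
            # Check the declared size before reading the entry: a highly
            # compressed entry is cheap to store but expensive to expand.
            if info.file_size > limits.max_file_mb * MB:
                raise LimitExceeded(
                    f"{info.filename}: {info.file_size} bytes exceeds {limits.max_file_mb} MB")
            stats.files += 1
            if stats.files > limits.max_files:
                raise LimitExceeded(f"{name}: more than {limits.max_files} files extracted")
            stats.total_bytes += info.file_size
            if stats.total_bytes > limits.max_total_mb * MB:
                raise LimitExceeded(
                    f"{name}: total extracted size exceeds {limits.max_total_mb} MB")
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                _walk(payload, info.filename, depth + 1, limits, stats, started)
            else:
                stats.leaves.append(info.filename)


def scan_container(data: bytes, limits: ScanLimits):
    """Return ("ok", ScanStats) when the container decomposes to its base files
    within the limits, or ("unscannable", reason) when a limit stops the scan."""
    stats = ScanStats()
    try:
        _walk(data, "<root>", 1, limits, stats, time.monotonic())
    except LimitExceeded as exc:
        return "unscannable", str(exc)
    return "ok", stats


def build_nested_zip(levels: int, payload: bytes = b"sample base file") -> bytes:
    """Construct a zip nested `levels` deep around `payload` (test data only)."""
    data = payload
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("payload.bin" if level == 0 else "inner.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    print(scan_container(build_nested_zip(3), ScanLimits()))
    print(scan_container(build_nested_zip(3), ScanLimits(max_depth=2)))
    print(scan_container(build_nested_zip(1, b"\0" * (2 * MB)), ScanLimits(max_file_mb=1)))
```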

Configuring rules to address unscannable and encrypted files
A file that cannot be scanned can put your network at risk if it contains a threat. Mail Security
provides the following default rules to address unscannable and encrypted files:

UFR - Scanning Limits (Unscannable File Rule for Scanning Limits): This rule is triggered when
any of the scanning limits is violated. You can set the scanning limits in the Policies > Scanning
Limits workspace. The default action for the Unscannable File Rule for Scanning Limits is
Quarantine entire message and replace with text (By part for Store).

UFR - Malformed Files (Unscannable File Rule for Malformed Files): This rule is triggered when
Mail Security does not recognize the file format of a specific file and is unable to scan it. In
such cases, the file is treated as Malformed. The default action for the Unscannable File Rule
for Malformed Files is Quarantine entire message and replace with text (By part for Store).

Encrypted File Rule: Infected files can be intentionally encrypted. Encrypted files cannot be
decrypted and scanned without the appropriate decryption tool. You can configure how you
want Mail Security to process encrypted container files to protect your network from threats.
The default setting for the Encrypted File Rule is to log the violation only.

These rules are always enabled.


To configure rules to address unscannable and encrypted files
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Exceptions.
3 In the Exceptions table, select one of the following rules that you want to view or modify:
■ UFR - Scanning Limits
■ UFR - Malformed Files
■ Encrypted File Rule

4 In the preview pane, in the Action to take list, use the drop-down menu to select the
action to take when a violation is detected.
5 In the Replacement text box, type your customized message if you want to replace the
message or the attachment body with a text message.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original file was unscannable and was %action%.
You can use variables in your customized text.
See “Alert and notification variables” on page 239.
6 Check the option Enable list of trusted domains or users if you want to enter a list of
domains or email addresses.
For each of the three rules, you can enter a list of trusted domains or users. You can set
different actions for these trusted domains or users.
7 From the Action to take drop-down menu, select an action that you want to take on the
list of trusted domains or users.
8 In the Replacement text box, type your customized message if you want to replace the
message or the attachment body with a text message.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original file was unscannable and was %action%.
9 Check one or more of the following to send email notifications about the detection:
■ Notify administrators.
Click the down arrow and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Administrator Alert: Symantec Mail Security detected a
message with an unscannable attachment or body
■ Default message body text: Location of the message: %location% Sender of the
message: %sender% Subject of the message %subject% The attachment(s)
"%attachment%" was %action%. This action was done due to the following
Symantec Mail Security settings: Scan: %scan% Rule: %rule%
■ Notify Trusted Domain: Send the email notification to the administrator. When the
checkbox is cleared, the email notification is not sent. By default, this option is enabled.

■ Notify internal sender.


Click the down arrow and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Symantec Mail Security detected unscannable content in
a message that is sent from your address
■ Default message body text: Subject of the message: %subject% Recipient of the
message: %recipient%
■ Notify Trusted Domain: Send the email notification to sender. By default, this is
enabled.
When the checkbox is cleared, the email notification is not sent.

■ Notify external sender.


Click the down arrow and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body text is as follows:
■ Default subject line text: Symantec Mail Security detected unscannable content in
a message that is sent from your address
■ Default message body text: Subject of the message: %subject% Recipient of the
message %recipient%
See “Alert and notification variables” on page 239.
■ Notify Trusted Domain: Send the email notification to sender. By default, this is enabled.
When the checkbox is cleared, the email notification is not sent.

10 On the toolbar, click Deploy changes to apply your changes.


See “Deploying settings and changes to a server or group” on page 60.
Registry keys can be used to bypass actions on unscannable malformed files. For more
information, refer to the Mail Security Knowledge Base.

Remediation overview
Symantec Mail Security for Microsoft Exchange includes a fully automated remediation feature
that protects Exchange mailboxes against known email threats. This feature lets you
auto-remediate threats inside your mailboxes based on email feeds. An email feed contains
the location of the email threat and the action to be taken. Mail Security enables Symantec or
third-party products to initiate remediation automatically over a secure, email-based
communication channel. On the Remediation settings page, you can specify detailed
configuration, such as the remediation mode (Sent items folder or Deep discovery and
clean-up).
The remediation categories are as follows:
■ In Internal Remediation, Mail Security generates the email feeds.
■ In External Remediation, other Symantec products or third-party products generate the
email feeds.

Note: This feature is not supported on the Edge Transport role.

Once the remediation feature is configured and enabled, Mail Security handles the remediation
requests automatically for the whole organization.
Remediation addresses the following issues by searching for threats in one or more mailboxes
in your organization and sanitizing them:
■ Copies of email threats that reside in the Sent Items folder.
■ The risk that delayed detection and remediation of malware poses.
■ Zero-day threats that can quickly proliferate, making them difficult to remediate.
See “How remediation works” on page 99.
See “Configuring remediation options” on page 100.
See “Types of Remediation” on page 100.

How remediation works

Mail Security remediation requires a dedicated mailbox that is configured to receive remediation
email feeds (remediation requests). Mail Security hosts a component called the Remediation
handler, which continuously monitors the configured mailbox for remediation feeds. The email
feeds for remediation can be issued by Mail Security, other Symantec products, or third-party
products. The email feeds are in a well-defined format and can be Message ID based or File
Hash based. On receiving an email feed, the Remediation handler validates the feed settings,
remediates the threats inside the mailbox, and quarantines the email or file immediately.

Note: Remediation search scope does not include public folders in your mailbox.

See “Remediation overview” on page 98.


Configuring remediation options


To configure remediation options
1 Go to Monitors > Remediation Settings.
2 Check Enable Remediation.
3 Select a feed validation setting. See “Remediation feed settings” on page 100.
4 Select the action to be taken after receiving a remediation request.
5 Press Deploy Changes.
See “Types of Remediation” on page 100.

Types of Remediation
You can remediate threats that are present in a single mailbox or in all the mailboxes across
the organization, and clean up all possible threat trails. Mail Security searches the data in the
mailbox for the last 24 hours.
■ Sent Items Remediation Only
In this mode, only the Sent Items folder of the sender's mailbox is searched for email
threats.
For example, if an email with a malicious attachment is sent, Mail Security scans and cleans
the email and forwards it to the intended recipient. However, a copy of the sent email that
still contains the malicious attachment is saved in the Sent Items folder. The Sent Items are
never scanned and can pose a risk that proliferates across other mailboxes. In this scenario,
you might want to use Sent Items remediation to sanitize the Sent Items folder.
■ Deep discovery and Clean-up
The scope of Sent Items remediation is limited to the sender's mailbox. If you want to
remediate threats across the organization, this remediation type is useful. In deep discovery
and clean-up, the threat is searched for by the attachment hash, and all the emails whose
attachment hash matches are quarantined. The deep discovery and clean-up remediation
type generates multiple quarantine entries.
See “Viewing the contents of the local quarantine” on page 79.
See “Configuring remediation options” on page 100.
See “Remediation feed settings” on page 100.

Remediation feed settings

■ Manually move feeds to mailbox folder
This option requires you to configure a separate folder at the root level, parallel to the Inbox
folder in your mailbox. The email feeds arrive in the Inbox folder. The administrator has to
select the email feeds and move them from the Inbox folder to the newly configured folder
for remediation. Once a remediation feed arrives in that folder, the Remediation handler
picks up the feed and starts processing it.
If you want to create your own remediation email feed, see “Creating an email remediation
feed” on page 101.
■ Certificate based auto validation (Symantec Recommended)
This option provides the highest level of security by verifying and authenticating the validity
of the sender. It requires you to install a digital certificate on all the servers where Mail
Security is installed. You can also use a self-signed certificate for validation.
Once you have installed the certificate, you must specify the Certificate Subject (CN=)
and Certificate Serial Number in Remediation Setting > Feed Validation Settings >
Certificate based auto validation.
If certificate validation succeeds, the email feed is consumed for processing; otherwise the
email feed is ignored.
See “Managing certificates” on page 103.
■ Custom auto Validation (Default option)
Use this option to create a list of valid senders of the feeds. Any email that arrives from a
sender that is not on the configured list is discarded.
For an additional layer of security, you can enable the auth key. Once you enable the
authentication key, both the sender email ID and the auth key are used for validation.
To enable the auth key, see “Enabling authentication key” on page 103.
See “Configuring remediation options” on page 100.

Creating an email remediation feed


You can create your own email remediation feed if you want to remediate a known threat.
■ Create an email in the plain-text format.
■ In the email body, create remediation feed entries in the following format:
For file hash-based remediation feed: <Parameters> = <File Hash Remediation Request>
For message ID-based remediation feed: <Parameters> = <Message ID Hash
Remediation Request>
Use the following table to refer to the parameters.
rem_requestype
File Hash Remediation Request: Mandatory [value=file_hash]
Message ID Remediation Request: Mandatory [value=message_id]
Description: Supported request types are file_hash and message_id. A remediation request
can be either file_hash based or message_id based.

rem_key
File Hash Remediation Request: Mandatory [value=base64 encoded SHA2]
Message ID Remediation Request: Mandatory [value=Internet Message ID]

rem_scope_mailboxes
File Hash Remediation Request: Optional, default All Mailboxes [value=mailbox1;mailbox2]
Message ID Remediation Request: Mandatory [value=mailbox1;mailbox2]
Description: The scope parameter is used to narrow down the search. If you want to search
multiple mailboxes, specify multiple mailboxes separated by a semicolon.
For example, rem_scope_mailboxes=user1@xyz.com;user2@xyz.com

rem_scope_last_n_hours
File Hash Remediation Request: Optional, default last 24 hours [value=N]
Message ID Remediation Request: Optional, default last 24 hours [value=N]
Description: Remediation search scope for the emails that arrived in the last N hours.
For example, rem_scope_last_n_hours=24

Sample file hash remediation request

rem_requestype=file_hash
rem_key=iz8ZGBmTHR8s73KJI5tfd8ALB5hHucJjblaFTR5e/3E=
rem_scope_last_n_hours=24

Sample message ID remediation request

rem_requestype=message_id
rem_key=<1518536193415.4087@smsauto.lab >
rem_scope_mailboxes=user.test1@smsauto.lab;user.test2@smsauto.lab
rem_scope_last_n_hours=24
See “Remediation feed settings” on page 100.
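The feed format above, as an added example that is not part of the guide or the product: a Python parser and validator for a plain-text remediation feed that applies the parameter table's mandatory/optional rules and the sender list of the Custom auto validation setting described under “Remediation feed settings”. The function names, the accepted SHA2 digest lengths, and the sender and feeds used as sample data are this example's assumptions; the sample data is constructed.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Parameters and request types from the guide's remediation feed table.
KNOWN_PARAMETERS = {"rem_requestype", "rem_key",
                    "rem_scope_mailboxes", "rem_scope_last_n_hours"}
REQUEST_TYPES = ("file_hash", "message_id")
# The guide says only "base64 encoded SHA2"; accepting the SHA-256, SHA-384
# and SHA-512 digest lengths is this example's assumption.
SHA2_DIGEST_SIZES = (32, 48, 64)
MESSAGE_ID_RE = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")
MAILBOX_RE = re.compile(r"^[^@\s;]+@[^@\s;]+$")


class FeedError(ValueError):
    """The feed does not follow the documented format; the handler ignores it."""


@dataclass
class RemediationRequest:
    request_type: str
    key: str                    # base64 SHA2 digest or Internet Message ID
    mailboxes: "list | None"    # None means the default scope: all mailboxes
    last_n_hours: int


def parse_feed_body(body: str) -> dict:
    """Split a plain-text feed body into parameter=value pairs."""
    fields = {}
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise FeedError(f"line {lineno}: expected parameter=value")
        key, value = (part.strip() for part in line.split("=", 1))
        fields[key] = value
    return fields


def validate_request(fields: dict) -> RemediationRequest:
    """Apply the mandatory/optional rules from the parameter table."""
    unknown = set(fields) - KNOWN_PARAMETERS
    if unknown:
        raise FeedError(f"unknown parameters: {sorted(unknown)}")
    request_type = fields.get("rem_requestype")
    if request_type not in REQUEST_TYPES:
        raise FeedError("rem_requestype must be file_hash or message_id")
    key = fields.get("rem_key", "")
    if request_type == "file_hash":
        try:
            digest = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            raise FeedError("rem_key is not valid base64") from None
        if len(digest) not in SHA2_DIGEST_SIZES:
            raise FeedError(f"rem_key decodes to {len(digest)} bytes, not a SHA2 digest")
    elif not MESSAGE_ID_RE.match(key):
        raise FeedError("rem_key must be an Internet Message ID of the form <id@host>")
    mailboxes = None
    scope = fields.get("rem_scope_mailboxes", "")
    if scope:
        mailboxes = [m.strip() for m in scope.split(";") if m.strip()]
        bad = [m for m in mailboxes if not MAILBOX_RE.match(m)]
        if not mailboxes or bad:
            raise FeedError(f"rem_scope_mailboxes has invalid entries: {bad or [scope]}")
    elif request_type == "message_id":
        raise FeedError("rem_scope_mailboxes is mandatory for message_id requests")
    hours = fields.get("rem_scope_last_n_hours", "24")
    if not hours.isdigit() or int(hours) < 1:
        raise FeedError("rem_scope_last_n_hours must be a positive integer")
    return RemediationRequest(request_type, key, mailboxes, int(hours))


def handle_feed(sender: str, body: str, allowed_senders):
    """Custom auto validation: accept a feed only from a configured sender,
    then check its body. Returns (status, RemediationRequest or reason)."""
    if sender.strip().lower() not in {s.lower() for s in allowed_senders}:
        return "discarded", f"sender {sender} is not in the configured sender list"
    try:
        return "accepted", validate_request(parse_feed_body(body))
    except FeedError as exc:
        return "ignored", str(exc)


# Constructed sample data (not from the guide): one allowed sender, two feeds.
ALLOWED_SENDERS = {"remediation-feeds@example.com"}
FILE_HASH_FEED = """
rem_requestype=file_hash
rem_key=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
rem_scope_last_n_hours=48
"""
MESSAGE_ID_FEED = """
rem_requestype=message_id
rem_key=<20240101120000.12345@mail.example.com>
rem_scope_mailboxes=alice@example.com;bob@example.com
"""
```

Calling handle_feed("remediation-feeds@example.com", FILE_HASH_FEED, ALLOWED_SENDERS) returns an accepted request with the default scope of all mailboxes; the same feed from an unlisted sender is discarded before its body is read.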
Enabling authentication key


You can enable the auth key to enable enhanced security for the Custom Validation feed
setting.
To enable auth key
1 If Console-Server SSL mode is not enabled, you must enable the default security key.
You can create your own passkey to modify the default security key that is used by Mail
Security.
To create your own passkey
Run the Passkey tool. Make sure that you run the Passkey tool on all the servers where
Mail Security is installed and specify the same passkey.
You can find the Passkey tool in the Mail Security installation directory:
■ For Server-based Installation: C:\Program Files\Symantec\SMSMSE\7.9\Server\Config
■ For Console Only Installation: C:\Program Files\Symantec\CMaF\7.9\bin\Products\SMSMSE\7.9
2 Enable Auth key.
3 Specify a new passkey. The new passkey overrides the default encryption key that is
used by Mail Security.
See “Remediation feed settings” on page 100.

Managing certificates
For certificate-based validation feed setting, you must install a self-signed certificate or a
third-party certificate. The certificate must be installed in the local machine store and the current
user store.
You can create a self-signed certificate by using the Visual Studio tools command line.
For example, to create an 'emailsigning.pfx' certificate, use the following commands:

C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC>makecert -r -pe -n "CN=emailsigning" -sky exchange "emailsigning.cer" -sv "emailsigning.pvk"

C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC>pvk2pfx -pvk "emailsigning.pvk" -spc "emailsigning.cer" -pfx "emailsigning.pfx" -pi P@ssword123

To install the certificate in the local machine store and the current user store
1 Install the certificate in the user personal store: Certificates - Current User > Personal >
Certificate.
2 Install the certificate in the local machine store: Certificates (Local Computer) > Personal >
Certificate. While installing the certificate, make sure to enable Mark this key as
exportable. Also, give full permissions to the Network Service on the certificate's private
key. To do this, select the certificate, then All Tasks > Manage Private keys....
3 Repeat steps 1 and 2 on all the servers where Mail Security is installed.
4 After installing the certificate, specify the certificate serial number and subject in
Remediation Setting > Feed Settings > Certificate based validation.
You can configure additional validation for certificates where you want to assign a specific
certificate to the remediation feature. This may be required when multiple certificates are
installed on different Exchange servers. Instead of validating the certificate generically against
the certificate store, you can add extra validation by providing the certificate information. In
this case, if the certificate is not found in the list, the validation fails.
If the list is configured and the certificate is found in the list, the validation process then
validates the certificate against the store. If the file RemediationTrustedCert.txt does not exist
or is empty, the certificate is validated against the certificate store only.
To configure the certificate list
1 Go to the installation directory.
2 Create a text file RemediationTrustedCert.txt in the etc folder:
<InstallDir>\SMSMSE\7.9\Server\etc\RemediationTrustedCert.txt
3 Type the issuer name followed by a comma and the serial number. Type one entry per
line if you have multiple certificates.
For example, CN=Remediation, f00000087974e880405f414e8x4fxxx7
See “Remediation feed settings” on page 100.

About file reputation


File reputation is a file-based detection technology that classifies files as good or bad by
examining properties, usage patterns, or users of a given file rather than scanning it.
Insight-based security puts files in context, using their age, frequency, location, and more to
expose threats otherwise missed.
File reputation provides reputation information for only Portable Executable (PE) files.
Chapter 7
Identifying spam
This chapter includes the following topics:

■ About spam detection

■ About reputation technology

■ Configuring whitelists

■ How to detect spam using Symantec Premium AntiSpam

About spam detection


Mail Security protects your servers from unwanted email messages, such as spam. Spam is
usually defined as junk or unsolicited email from a third party. The spam message sender has
no discernible relationship with all or some of the message recipients. Often, the message
headers are forged or altered to conceal the origination point of the sender. Spam is not only
an annoyance to users and administrators, it is also a serious security concern. Spam can be
used to deliver viruses, Trojan horses, and in phishing attempts. High volume of spam can
create denial-of-service conditions in which mail servers are so overloaded that legitimate
email and network traffic cannot get through. Mail Security can detect if an incoming email
message is spam with a high level of accuracy.
You can adjust antispam detection by specifying the domains that are automatically permitted
to bypass antispam scanning.
See “Configuring whitelists” on page 106.
Spam detection is only available on Mail Security when it is installed on Exchange server 2010
transport role, Exchange 2013 Mailbox role and above, and on Edge role of all Exchange
versions.
You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium
AntiSpam.
See “About licensing” on page 52.
About reputation technology

Symantec monitors a number of email sources to determine how much of the email that is
sent from these addresses is legitimate and how much is spam. By evaluating the sender
according to dimensions such as mail volume, the percentage of spam sent, and a variety of
vulnerabilities, the Sender IP reputation service and the DNS IP reputation service create a
reputation profile for a given IP address. Email from these sources can then be blocked or
allowed based on the reputation value of the source that Symantec determines.

Configuring whitelists
You can enable and populate the following whitelists to minimize false positives:

Allowed Senders: Lets you list the sender domains that are permitted to bypass antispam
scanning.

Unfiltered Recipients: Lets you list the email addresses to which inbound emails are permitted
to bypass antispam scanning.

If the Allowed Senders and Unfiltered Recipients lists are both enabled, Mail Security processes
the Allowed Senders list first.
Email messages that are permitted to bypass antispam scanning are still scanned for risks
and file filtering violations.
To configure whitelists
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Whitelist.
3 In the content area, under Allowed Senders, check Bypass spam detection for
messages sent from the following.
4 In the Email and domain addresses box, type the domains and email addresses (one
per line) that are permitted to bypass spam detection.
Domain names must begin with either @ (at symbol) or an asterisk before the at symbol
(for example, @mail.com or *@mail.com).
You can use DOS wildcard characters.
See “About DOS wildcard style expressions” on page 160.
5 Under Unfiltered Recipients List, check Bypass spam detection for messages sent
to the following.
6 In the Fully qualified email addresses box, type the fully qualified email addresses (one
per line) to which email messages are permitted to bypass spam detection.
You can list up to 50 email addresses.
7 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

How to detect spam using Symantec Premium AntiSpam
Symantec Premium AntiSpam provides continuous updates to the premium antispam filters
to ensure that your Exchange server has the most current spam detection filters. Updates to
the premium antispam service are handled automatically through the Symantec Premium
AntiSpam service and not through LiveUpdate.
You must have an active Internet connection and permit outbound secure HTTP traffic through
your firewall (port 443). Manually register the service if your connection uses an HTTP proxy.
After Symantec Premium AntiSpam is registered and enabled, spam rules are continually
downloaded from Symantec. Mail Security checks for updates every minute and receives new
rule sets every 10 - 15 minutes.
See “About registering Symantec Premium AntiSpam through an ISA server” on page 107.
See “Configuring your proxy server to download spam definition updates” on page 108.

About registering Symantec Premium AntiSpam through an ISA server
Symantec Premium AntiSpam requires the ability to communicate by HTTPS (Port 443). If
your connection uses an HTTP proxy, manually register the service so that spam rules can
be automatically downloaded from Symantec. To register Symantec Premium AntiSpam through
an ISA server that filters traffic for your Exchange server, do one of the following:
■ If the ISA server is installed on the same computer as the Exchange server, create a
Host-based protocol rule. This rule allows “Any Request” for the HTTPS protocol and
HTTPS server protocols.
■ If the ISA server is installed on a different computer from the Exchange server, create a
Host-based protocol rule. This rule specifically allows traffic for the IP address of the
Exchange server for the HTTPS protocol and HTTPS server protocols.
See “About spam detection” on page 105.
See “How to detect spam using Symantec Premium AntiSpam” on page 107.
Configuring your proxy server to download spam definition updates


Mail Security checks for updates to antispam filters every minute and receives new rule sets
every 10 - 15 minutes. You can configure your proxy server to permit updates.
To configure your proxy server to download spam definition updates
1 On the Start menu, click Programs > Accessories > Command Prompt to open a
command prompt window.
2 At the command prompt, change directories to the Mail Security installation directory.
The default directory is: \Program Files\Symantec\SMSMSE\7.9\Server
3 Type the following:
register -c SpamPrevention\bmiconfig.xml -l SpamPrevention\SPAlicense.slf -p
<proxyserver:proxyport>
where <proxyserver:proxyport> is the IP address of your proxy server and the port.
Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.
4 On the Start menu, click Run.
5 In the Run dialog box, type the following:
regedit

6 Click OK.
7 In the Registry Editor window, in the left pane, browse to and locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\<version>\Licensing\

8 Do one of the following:
■ If the SPARunRegister value does not exist: In the right pane, right-click on any blank
space, and select New > DWORD Value. In the name box, type: SPARunRegister
■ If the SPARunRegister value exists: In the right pane, right-click on the value, and select
Modify. In the Edit DWORD Value dialog box, in the Value data box, change the value
to 0, and then click OK.

9 Save the file and close the Registry Editor window.

Configuring Symantec Premium AntiSpam to detect spam


Before you configure Symantec Premium AntiSpam, ensure that you have done the following:
■ If you have an ISA server, register Symantec Premium AntiSpam through the ISA server.

See “About registering Symantec Premium AntiSpam through an ISA server” on page 107.
■ Configure your proxy server to permit downloads for Symantec Premium AntiSpam.
See “Configuring your proxy server to download spam definition updates” on page 108.
■ Install the Symantec Premium AntiSpam license.
See “About licensing” on page 52.
Configure the following settings to detect and handle spam:

Reputation service: Symantec monitors email sources to determine how much of the email
that is sent from those sources is legitimate. Email from those sources can then be blocked
or allowed based on the source's reputation value as determined by Symantec.

Enable Ruleset based sender IP reputation: The Rule Based Reputation Service is the name
for a set of downloadable IP address lists. You can use these lists to block SMTP connections
from known spam IP addresses or allow SMTP connections from known reputable IP addresses.
The Rule Based Reputation Service currently includes the following classification lists of IP
addresses, which are continuously compiled and updated:
■ Open proxy list: Enables the open proxy list service. The open proxy list contains the IP
addresses that are open proxies, which spammers and 'zombie' computers use.
■ Safe List: Enables the safe list service. The safe list contains IP addresses from which no
outgoing email is spam.

Suspect List: Contains the IP addresses from which all of the outgoing email is spam. This
list is always enabled.

Fast Pass: The Fast Pass feature conserves resources by providing a temporary exemption
from spam scanning for senders with a demonstrated history of sending no spam messages.
Thus senders with the best local reputation are exempted from spam scanning.

Marketing mail: Emails that contain commercial or fund-raising messages, requested by the
user. When the policy detects these messages it takes the action that is configured under
Suspected Spam.

Newsletter: Emails that include content on specific topics for a known period, often weekly
or monthly. The user may have requested to receive these publications. When the policy
detects these messages it takes the action that is configured under Suspected Spam.

Suspicious URL: Suspicious URLs include free hosting sites, URL shortening services, and
URL redirecting services that can potentially be abused to deliver spam or malware payloads.
SMSMSE can filter the email messages that contain one or more suspicious URLs. When the
policy detects these messages it takes the action that is configured under Suspected Spam.

DNS IP Reputation:

Note: The DNS IP reputation feature is disabled by default during a fresh install and for all
upgrade scenarios.

Enable DNS IP Reputation: DNS-based IP (DNS IP) reputation allows the delivery of the
Symantec Global Bad Senders list, which is the largest Symantec IP reputation list. When an
inbound email arrives in your organization and the DNS IP reputation feature is enabled, the
IP address of this inbound email is sent to the Symantec DNS reputation server. If this IP
address is recorded as bad in the Symantec DNS reputation server, the verdict is provided
back to Symantec Mail Security for Microsoft Exchange.
Note: We recommend that you enable either the DNS-based IP Reputation feature or the Rule
Based Reputation feature. Enabling both of them at the same time leads to heavy utilization
of network resources.

Spam Scoring

Flag messages as suspected spam: Flags the messages as suspected spam when their scores
reach the suspected spam threshold.

Lower spam threshold: Indicates the minimum threshold for suspected spam. You can enter
a value between 25 and 89. The default value is 72.

You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium
AntiSpam.
See “About licensing” on page 52.

To configure Symantec Premium AntiSpam to detect spam


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Settings.
3 In the content area, under Symantec Premium AntiSpam Settings, check Enable
Symantec Premium AntiSpam.
4 Under Reputation Services, check Enable Ruleset based sender IP reputation and
then select any of the following that you want to use:
■ Open proxy list
■ Safe list

5 Check Suspect list, which contains the email sources that primarily send spam. This
option is selected by default and cannot be changed.
6 To bypass antispam filtering of email messages from verified senders check Fast Pass.
7 Under DNS IP reputation, check the Enable DNS IP Reputation option. This DNS-based
IP (DNS IP) reputation allows the delivery of the Symantec Global Bad Senders list, which
is the largest Symantec IP reputation list.

Note: Symantec recommends using either Enable Ruleset based sender IP or DNS IP
reputation services to avoid heavy network bandwidth consumption.

8 Under Spam Scoring, check Flag messages as suspected spam if you want messages
whose score reaches the threshold to be flagged as suspected spam. In the Lower spam
threshold box, type the suspected spam threshold level if you choose to identify suspected
spam.
9 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Processing suspected spam messages


You can configure Mail Security to reject or accept suspected spam messages. You can log
all spam events to the specified logging destinations.
See “About logging events” on page 204.
If you configure Mail Security to accept suspected spam messages, you can specify the
following message delivery options:
■ Prevent the message from being sent to the intended recipient.
■ Deliver the spam message to an alternate recipient.
■ Add your customized subject line text to the message.

■ Add one or more X-headers to the message.


See “About applying X-headers to messages for archiving” on page 119.
■ Re-assign the SCL value of the message.

To reject suspected spam messages


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 Under Suspected Spam, from the If message is Suspected Spam list, select Reject the
message.
4 Check Log to log spam messages to the specified logging destinations.
See “About logging events” on page 204.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
To accept suspected spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 Under Suspected Spam from If message is Suspected Spam, select Accept the
message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from
receiving suspected spam messages.
5 Check Deliver to alternate recipient to send suspected spam messages to a different
recipient, and type the address to which suspected spam messages are delivered.
You can only specify one recipient.
6 Check Add to subject line to prepend the subject line of suspected spam messages,
and in the subject line box, type your customized text.
The default text is Spam.
7 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header: Do the following:
■ Click Add X-header.
■ In the X-header name column, use the drop-down menu to select the X-header that you
want to use. You can modify the existing X-header by clicking on the text and typing the
new content.
■ In the X-header value column, type the X-header value. You can type up to 127 characters.
The following characters are not supported in X-header values: ~|

Create a new X-header: Do the following:
■ Click Add X-header.
■ In the X-header box, type the name of the X-header. You can type up to 127 characters.
The name must begin with "x-" or "X-". The following characters are not supported in
X-header names: , . ; < > : ? / = ( ) [ ] @ | ; ~
■ In the X-header box, type the X-header value. You can type up to 127 characters. The
following characters are not supported in X-header values: ~|

Remove an existing X-header: Do the following:
■ Select the X-header that you want to remove by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

8 Check Assign SCL value to message to reassign the SCL value, and in the drop-down
list, select the threshold value.
You can choose a value from 1 to 9. The default value is 6.
9 Check Log to log suspected spam messages to the specified logging destinations.
Suspected spam messages are identified in the Windows Event Log as informational events.
See “About logging events” on page 204.
10 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Processing the suspected spam messages that exceed an SCL threshold

If you use a mail screening tool, you can configure Mail Security to reject or accept the
suspected spam messages that exceed an SCL threshold. Assign the SCL threshold for which
the suspected spam and SCL settings apply.
You can log all spam events to the specified logging destinations.
See “About logging events” on page 204.
You can specify how you want Mail Security to process the messages that are identified as
suspected spam and exceed the SCL threshold that you specify.
If you configure Mail Security to accept the suspected spam messages that exceed the
threshold, you can configure the following message delivery options:
■ Prevent the message from being sent to the intended recipient.
■ Deliver the spam message to an alternate recipient.
■ Add your customized subject line text to the message.
■ Add one or more X-headers to the message.
See “About applying X-headers to messages for archiving” on page 119.
■ Re-assign the SCL value of the message.
To reject the suspected spam messages that exceed an SCL threshold
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 Under Suspected Spam and SCL from the If message is Suspected Spam and SCL
is list, select the SCL value threshold.
You can choose a value from 0 to 8. The default value is 5.
4 Check Reject the message.

5 Check Log to log suspected spam messages to the specified logging destinations.
See “About logging events” on page 204.
6 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
To accept the suspected spam messages that exceed an SCL threshold
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 Under Suspected Spam and SCL from the If message is Suspected Spam and SCL
is list, select the SCL value threshold.
You can choose a value from 0 to 8. The default value is 5.
4 Check Accept the message.
5 Check Prevent delivery to original recipient(s) to prevent the intended recipients from
receiving suspected spam messages.
6 Check Deliver to alternate recipient to send suspected spam messages to a different
recipient, and type the address to which suspected spam messages are delivered.
You can only specify one recipient.
7 Check Add to subject line to prepend the subject line of suspected spam messages,
and in the subject line box, type your customized text.
The default text is Spam.
8 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header: Do the following:
■ Click Add X-header.
■ In the X-header name column, use the drop-down menu to select the X-header that you
want to use. You can modify the existing X-header by clicking on the text and typing the
new content.
■ In the X-header value column, type the X-header value. You can type up to 127 characters.
The following characters are not supported in X-header values: ~|

Create a new X-header: Do the following:
■ Click Add X-header.
■ In the X-header box, type the name of the X-header. You can type up to 127 characters.
The name must begin with "x-" or "X-". The following characters are not supported in
X-header names: , . ; < > : ? / = ( ) [ ] @ | ; ~
■ In the X-header box, type the X-header value. You can type up to 127 characters. The
following characters are not supported in X-header values: ~|

Remove an existing X-header: Do the following:
■ Select the X-header that you want to remove by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

9 Check Assign SCL value to message to assign an SCL value to suspected spam
messages, and in the drop-down list, select the threshold value.
You can choose a value from 1 to 9. The default value is 8.

10 Check Log to log suspected spam messages to the specified logging destinations.
The suspected spam messages that meet or exceed an SCL value are identified in the
Windows Event Log as informational events.
See “About logging events” on page 204.
11 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Processing spam messages


You can configure Mail Security to reject or accept spam messages. You can also configure
whether you want Mail Security to log spam events to the specified logging destinations.
See “About logging events” on page 204.
If you configure Mail Security to accept spam messages, you can specify the following message
delivery options:

■ Prevent the message from being sent to the intended recipient.


■ Deliver the spam message to an alternate recipient.
■ Add your customized subject line text to the message.
■ Add one or more X-headers to the message.
See “About applying X-headers to messages for archiving” on page 119.
■ Assign an SCL value to the message.
To reject spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Reject
the message.
4 Check Log to log spam messages to the specified logging destinations.
See “About logging events” on page 204.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
To accept spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Accept
the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from
receiving spam messages.
5 Check Deliver to alternate recipient to send spam messages to a different recipient,
and type the address to which spam messages are delivered.
You can enter only one address.
6 Check Add to subject line to prepend the subject line of spam messages, and in the
subject line box, type your customized text.
The default text is Spam.
7 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header: Do the following:
■ Click Add X-header.
■ In the X-header name column, use the drop-down menu to select the X-header that you
want to use. You can modify the existing X-header by clicking on the text and typing the
new content.
■ In the X-header value column, type the X-header value. You can type up to 127 characters.
The following characters are not supported in X-header values: ~|

Create a new X-header: Do the following:
■ Click Add X-header.
■ In the X-header box, type the name of the X-header. You can type up to 127 characters.
The name must begin with "x-" or "X-". The following characters are not supported in
X-header names: , . ; < > : ? / = ( ) [ ] @ | ; ~
■ In the X-header box, type the X-header value. You can type up to 127 characters. The
following characters are not supported in X-header values: ~|

Remove an existing X-header: Do the following:
■ Select the X-header that you want to remove by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

8 Check Assign SCL value to message to assign an SCL value to spam messages, and
in the drop-down list, select the threshold value.
You can choose a value from 1 to 9. The default value is 9.
9 Check Log to log spam messages to the specified logging destinations.
Spam messages are identified in the Windows Event Log as informational events.
See “About logging events” on page 204.
10 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

About applying X-headers to messages for archiving


Mail Security lets you apply X-headers to the email messages that contain filtering rule violations
or are spam or suspected spam. Symantec Enterprise Vault uses the X-headers to search for
and retrieve the messages that are archived in the vault. Enterprise Vault is a data warehouse
that provides secure, centralized archiving and retrieval of information.

Note: X-headers can only be applied to SMTP transported email messages. X-headers cannot
be applied to messages that are scanned in the message store.

Mail Security provides default X-headers that Enterprise Vault uses. You can modify the default
X-headers, or you can create your own. You can apply up to 25 X-headers for a single violation.
When a message triggers one or more violations and the disposition for any of the violations
is to delete the message, no X-headers are applied. For example, a message is identified as
spam, and the disposition is to reject the message. No X-header is applied to the message.
Table 7-1 describes how Mail Security handles multiple filtering violations based on where the
violations occur within the message.

Table 7-1 How X-headers are applied for multiple violations

Scenario: Multiple violations in different parts of a message
Which X-headers are applied: Mail Security applies X-headers for each rule that is violated
for each message part. Message parts include:
■ Message body
■ Subject
■ Sender
■ Attachment name
■ Attachment content
Example: A single message violates a filtering rule for message body and a separate content
filtering rule for subject. Mail Security applies the X-headers that you specify for the message
body rule and the X-headers that you specify for the subject rule. In this example, the message
can have up to 50 X-headers applied to it. You can apply up to 25 X-headers for the message
body violation and up to 25 X-headers for the subject violation.

Scenario: Multiple violations for the same message part
Which X-headers are applied: When a message triggers multiple violations for the same
message part, Mail Security applies only the X-headers that you specify for the first rule that
is triggered.
Note: X-headers are applied to the message even when the disposition is to delete the
attachment but not the message body.
Example: A message triggers violations for two different attachment filtering rules. Mail
Security only applies the X-headers for the first rule that was violated.

See “Processing spam messages” on page 116.


See “About creating the filtering rules” on page 128.
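The Suspected Spam actions described in this chapter and the Table 7-1 rules for X-headers, as an added Python example that is not part of the original guide or of Symantec's product code: it applies the X-header name and value limits from the steps above, selects which X-headers a message receives when several rules fire, and applies the accept/reject, alternate recipient, subject prefix and SCL settings. The message dict layout, the header name X-SMSMSE-Verdict, the address spam-review@example.com and the space joining the prefix to the subject are assumptions.

```python
"""Suspected Spam actions and X-header selection for multiple violations.

Added example, not Symantec's code: models the Premium AntiSpam Actions
settings for suspected spam and the Table 7-1 rules for which X-headers a
message receives.  The message dict layout and the space that joins the
subject prefix to the subject are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_XHEADER_LEN = 127             # limit on X-header names and on values
MAX_XHEADERS_PER_VIOLATION = 25
# Characters the console does not accept in X-header names and values.
BAD_NAME_CHARS = set(",.;<>:?/=()[]@|~")
BAD_VALUE_CHARS = set("~|")


def xheader_error(name: str, value: str) -> Optional[str]:
    """Return why the X-header would be refused, or None if it is acceptable."""
    if not name.lower().startswith("x-"):
        return f"name must begin with x- or X-: {name!r}"
    if len(name) > MAX_XHEADER_LEN or len(value) > MAX_XHEADER_LEN:
        return "name and value are limited to 127 characters"
    if BAD_NAME_CHARS & set(name):
        return f"unsupported character in name: {name!r}"
    if BAD_VALUE_CHARS & set(value):
        return f"unsupported character in value: {value!r}"
    return None


@dataclass
class Violation:
    part: str                          # body, subject, sender, attachment name/content
    rule: str
    deletes_message: bool              # disposition deletes or rejects the whole message
    xheaders: List[Tuple[str, str]]    # X-headers configured for the rule


def apply_xheaders(violations: List[Violation]) -> List[Tuple[str, str]]:
    """Select the X-headers a message receives, following Table 7-1.

    No X-headers if any violation's disposition deletes the message; violations
    in different parts each contribute their headers; several violations in one
    part contribute only the first rule's headers; at most 25 per violation.
    Deleting only an attachment does not suppress X-headers.
    """
    if any(v.deletes_message for v in violations):
        return []
    seen_parts = set()
    applied: List[Tuple[str, str]] = []
    for v in violations:
        if v.part in seen_parts:
            continue
        seen_parts.add(v.part)
        for name, value in v.xheaders[:MAX_XHEADERS_PER_VIOLATION]:
            err = xheader_error(name, value)
            if err:
                raise ValueError(f"rule {v.rule!r}: {err}")
            applied.append((name, value))
    return applied


@dataclass
class SuspectedSpamActions:
    """Premium AntiSpam Actions > Suspected Spam; defaults follow the text."""
    accept: bool = True
    prevent_original_delivery: bool = False
    alternate_recipient: Optional[str] = None     # only one recipient is allowed
    subject_prefix: Optional[str] = "Spam"        # text prepended to the subject
    xheaders: List[Tuple[str, str]] = field(default_factory=list)
    assign_scl: Optional[int] = 6                 # 1 to 9, default 6


def process_suspected_spam(message: dict, score: int, lower_threshold: int,
                           actions: SuspectedSpamActions) -> dict:
    """Apply the Suspected Spam actions to a message with a known spam score."""
    if not 25 <= lower_threshold <= 89:
        raise ValueError("lower spam threshold must be between 25 and 89")
    if score < lower_threshold:
        return {"verdict": "clean", "recipients": list(message["to"]), "message": message}
    if not actions.accept:
        return {"verdict": "rejected"}          # a rejected message gets no X-headers
    if actions.assign_scl is not None and not 1 <= actions.assign_scl <= 9:
        raise ValueError("SCL value must be between 1 and 9")
    msg = dict(message)                         # never modify the caller's message
    recipients = [] if actions.prevent_original_delivery else list(message["to"])
    if actions.alternate_recipient:
        recipients.append(actions.alternate_recipient)
    if actions.subject_prefix:
        msg["subject"] = f"{actions.subject_prefix} {message['subject']}"
    if actions.assign_scl is not None:
        msg["scl"] = actions.assign_scl
    verdict = Violation("message", "Suspected Spam", False, actions.xheaders)
    msg["headers"] = list(message.get("headers", [])) + apply_xheaders([verdict])
    return {"verdict": "suspected spam", "recipients": recipients, "message": msg}
```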
Chapter 8
Filtering content
This chapter includes the following topics:

■ About content and file filtering

■ About creating the filtering rules

■ What you can do with the filtering rules

■ About enforcing email attachment policies

■ About match lists

■ About content filtering policy templates

About content and file filtering


Mail Security can filter messages and their attachments using the following features:

Content filtering rules: Content filtering rules filter messages and their attachments for the
specific content that you specify (for example, offensive language or sensitive information).
Mail Security lets you create the content filtering rules that apply to SMTP inbound and SMTP
outbound mail and the Exchange Information Store.
Mail Security can scan for content within the following message parts: message body, subject,
sender, attachment name, and attachment content.
You can use the default content filtering rules that Mail Security provides or you can create
your own rules. You can individually enable and disable each rule. Mail Security takes the
action that you specify in the rule when it detects a violation.
See “About creating the filtering rules” on page 128.
See “About default content filtering rules” on page 126.

File name and file type filtering rules: Mail Security lets you use file filtering rules to filter
messages based on attached file names or file types such as video or document files.
Mail Security uses file filtering rules to enforce email attachment policies.
Mail Security provides the following predefined file name filtering rule:
■ File Name Rule
Blocks the attachments based on the file name that you specify.
You can customize the file name rule by associating it with a match list to block attachments
with specific names included in the match list.
Mail Security provides the following predefined file type filtering rules:
■ Compressed File Rule
■ Documents File Rule
■ Executable File Rule
■ Image File Rule
■ Multimedia File Rule
Mail Security handles filtering violations according to the action that you configure for the
rule. Mail Security can notify the administrator and senders (internal and external) of file
filtering violations. You can customize the notification message.
See “About file type filtering” on page 123.
See “About default file type filtering rules” on page 127.
See “About enforcing email attachment policies” on page 151.

Match lists: Mail Security uses match lists to filter email messages and attachments for specific
words and phrases. To implement a match list, you must associate it with a content or file
filtering rule. When the rule is enabled, Mail Security scans for the criteria that you specify in
the rule. The criteria include the words and phrases that are in the associated match list.
Mail Security provides match lists for use with the File Name Rule or with content filtering
rules. You can create new match lists and delete or edit words in an existing match list. Match
lists support literal strings, DOS wildcard-style expressions, or regular expressions.
See “About match lists” on page 155.
See “About regular expressions” on page 161.
See “About DOS wildcard style expressions” on page 160.
You can also use match lists to help manage outbreaks. You can configure Mail Security to
automatically add the names of outbreak-triggered attachments and outbreak-triggered subject
text to match lists. Mail Security uses these match lists with content or file filtering rules to
automatically block suspicious file attachments or subjects.
See “About outbreak management” on page 194.




You can specify the action that you want Mail Security to take when it detects a filtering rule
violation. You can also configure Mail Security to notify the administrator and senders (internal
and external) of a violation with a message that you can customize.

About file type filtering


You might want to prohibit users from receiving the email messages that contain a certain
type of file as an attachment. You can use the file type filtering feature of Mail Security to
filter message attachments based on their true type.
When you enable file type filtering and the rules, Mail Security detects the supported file
types and takes the actions that you specify.
Mail Security determines a file's true type by analyzing the file's attributes rather than its
file name extension. Blocking file attachments not only helps your organization enforce
content policies, it also conserves scanning and file storage resources.
All the file types that Mail Security supports are categorized into the following:
■ Application & Executables
■ Documents
■ Images
■ Videos
■ Sounds
■ Compressed files
Table 8-1 lists the application and executable file types that Mail Security supports.

Table 8-1 Supported application and executable file types

File type                        File extension
MS-DOS/Windows Executables       .exe, .dll, .vxd, .com, .sys, .bin, .dat
Windows Installer Package        .msi
MS-DOS/Windows Object Library    .lib
MS-DOS Batch File                .bat
ISO                              .iso

Table 8-2 lists the document file types that Mail Security supports.

Table 8-2 Supported document file types

File type                                    File extension
Adobe Portable Document Format               .pdf
Compiled HTML Help                           .chm
Microsoft Access                             .mdb, .accdb
Microsoft Excel                              .xls, .xlt, .xla, .xlsx, .xltx
Microsoft Word                               .doc, .dot, .docx, .dotx
Microsoft PowerPoint                         .pps, .ppt, .pot, .pptx, .potx, .ppsx
Macro-Microsoft Excel 2007 and later         .xlsm, .xltm, .xlsb, .xlam
Macro-Microsoft Word 2007 and later          .docm, .dotm
Macro-Microsoft PowerPoint 2007 and later    .pptm, .potm, .ppam, .ppsm
Microsoft Project                            .mpp
Microsoft Rich Text Format                   .rtf
Microsoft Help                               .hlp
Microsoft Outlook File                       .pst
Open Document Formats                        .odg, .odt, .ods, .odp
Markup Language                              .htm

Table 8-3 lists the image file types that Mail Security supports.

Table 8-3 Supported image file types

File type                    File extension
CompuServe GIF               .gif
JPEG image                   .jpg, .jpeg, .jpe
Portable Network Graphics    .png
Tagged image format          .tiff
Windows/OS/2 Bitmap          .bmp
RGB Bitmap                   .rgb
X Windows Pixmap             .xpm
Icons on Windows             .ico

Table 8-4 lists the video file types that Mail Security supports.

Table 8-4 Supported video file types

File type                                File extension
Advanced Streaming Format                .asf, .wmv
Macromedia Flash                         .swf
Audio Video Interleave File Format       .avi
Movie Files                              .mpg, .mpeg, .mp3, .mov, .qt
RealMedia Streaming Media                .rm, .ra
OGG Vorbis Codec Compressed WAV File     .ogg
Dolby Lab                                .ac3

Table 8-5 lists the sound file types that Mail Security supports.

Table 8-5 Supported sound file types

File type                             File extension
Musical Instrument Digital Interface  .mid
MPEG Audio Layer 3                    .mp3
Waveform Audio Format                 .wav
Amiga MOD                             .mod
Audio Interchange File                .aiff, .aifc, .aif
Sun MicroSystems Audio Format         .au
Apple m4a                             .m4a

Table 8-6 lists the compressed file types that Mail Security supports.

Table 8-6 Supported compressed file types

File type                          File extension
Archive created by LHA             .lzh, .lha
Java Archive, Pkzip                .zip, .jar
Archive created by RAR             .rar
Archive created by Tar             .tar
BINHEX                             .hqx
GNU Zip                            .gz, .gzip
Microsoft Cabinet                  .cab
MIME                               .eml, .tnf, .tnef, .mht
Unix BZ2 Bzip compressed file      .bz2, .tbz
UUEncode                           .uu
MacBinary                          .bin
UNIX Compress                      .z
7 Zip                              .7z

See “About default file type filtering rules” on page 127.


See “Creating a file type filtering rule” on page 129.
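As an added illustration of filtering on an attachment's true type rather than its file name extension (example code, not Symantec's detector), the following Python recognises a handful of the formats listed in Tables 8-1 to 8-6 by their leading bytes, looks inside ZIP containers to tell Office Open XML documents from plain archives, and flags attachments whose extension claims a different category than the content shows. The signature table, the category names and the sample attachments are constructed for this example.

```python
"""True file type detection for attachment filtering.

Added example, not Symantec's code: shows why file type filtering keys on the
content's signature (its true type) rather than the file name extension, and
flags attachments whose extension disagrees with what the bytes say.  The
signature table and category names below come from public format
specifications and are a simplification of what Mail Security detects.
"""
import io
import os
import zipfile
from typing import Tuple

# (signature, offset, category, description) for formats named in Tables 8-1 to 8-6.
SIGNATURES = [
    (b"MZ", 0, "executable", "MS-DOS/Windows executable"),
    (b"%PDF", 0, "document", "Adobe Portable Document Format"),
    # OLE compound files back .doc/.xls/.ppt but also .msi; telling them apart
    # needs the container's directory, which is beyond this example.
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "document", "OLE compound file"),
    (b"{\\rtf", 0, "document", "Rich Text Format"),
    (b"PK\x03\x04", 0, "compressed", "ZIP container"),
    (b"Rar!\x1a\x07", 0, "compressed", "RAR archive"),
    (b"\x1f\x8b", 0, "compressed", "GNU Zip"),
    (b"7z\xbc\xaf\x27\x1c", 0, "compressed", "7 Zip"),
    (b"MSCF", 0, "compressed", "Microsoft Cabinet"),
    (b"ustar", 257, "compressed", "Tar archive"),
    (b"GIF8", 0, "image", "CompuServe GIF"),
    (b"\x89PNG\r\n\x1a\n", 0, "image", "Portable Network Graphics"),
    (b"\xff\xd8\xff", 0, "image", "JPEG image"),
    (b"BM", 0, "image", "Windows/OS/2 Bitmap"),
    (b"RIFF", 0, "multimedia", "RIFF container (AVI or WAV)"),
    (b"OggS", 0, "multimedia", "OGG container"),
]

# Category each extension claims, following the page's tables (a subset).
EXTENSION_CATEGORY = {
    ".exe": "executable", ".dll": "executable", ".msi": "executable", ".bat": "executable",
    ".pdf": "document", ".doc": "document", ".docx": "document", ".xls": "document",
    ".xlsx": "document", ".rtf": "document",
    ".zip": "compressed", ".jar": "compressed", ".rar": "compressed", ".gz": "compressed",
    ".7z": "compressed", ".cab": "compressed", ".tar": "compressed",
    ".gif": "image", ".png": "image", ".jpg": "image", ".jpeg": "image", ".bmp": "image",
    ".avi": "multimedia", ".wav": "multimedia", ".ogg": "multimedia",
}


def refine_zip(data: bytes) -> Tuple[str, str]:
    """Office Open XML (.docx/.xlsx/.pptx) is a ZIP; look inside to tell it apart."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "compressed", "ZIP container (truncated or damaged)"
    if "[Content_Types].xml" in names:
        return "document", "Office Open XML document"
    return "compressed", "ZIP archive"


def detect_true_type(data: bytes) -> Tuple[str, str]:
    """Classify content by its signature; returns (category, description)."""
    for sig, offset, category, description in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            if sig == b"PK\x03\x04":
                return refine_zip(data)
            return category, description
    return "unknown", "no recognised signature"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the category the extension claims with the category the bytes show."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_CATEGORY.get(ext, "unknown")
    true_category, description = detect_true_type(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "true": true_category,
        "description": description,
        # An attachment named like a document but carrying executable bytes is the
        # case a rule on true type catches and an extension-only check misses.
        "mismatch": true_category != "unknown" and claimed != true_category,
    }


def make_sample_ooxml() -> bytes:
    """Constructed minimal Office Open XML container for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_OOXML = make_sample_ooxml()
# Constructed: a file named as a PDF whose bytes begin with the MZ executable header.
SAMPLE_DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60
```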

About default content filtering rules


Table 8-7 describes the preconfigured content filtering rules that Mail Security provides.

Table 8-7 Default content filtering rules

Rule: Blank Subject and Sender
Description: Detects and filters messages with a blank subject line and a blank sender line.

Rule: Quarantine Triggered Attachment Names
Description: Detects and filters the files whose attachment name matches a list of
outbreak-triggered attachment names.
See “About match lists” on page 155.

Rule: Quarantine Triggered Subjects
Description: Detects and filters the messages whose subject matches a list of
outbreak-triggered subjects.
See “About match lists” on page 155.

Rule: Sample Executable File
Description: Detects and filters executable files based on the Sample Attachment Name
match list.


Enable the default content filtering rules that you want to use. You can modify the rules as
needed.
See “About content and file filtering” on page 121.
See “Configuring the conditions of a content filtering rule” on page 128.

About default file type filtering rules


Table 8-8 describes the preconfigured file type filtering rules that Mail Security provides.

Table 8-8 Default file type filtering rules

Compressed File Rule: Detects and filters messages with a compressed file attachment based
on its true file type.

Documents File Rule: Detects and filters messages with a document file attachment based on
its true file type.

Executable File Rule: Detects and filters messages with an executable file attachment based
on its true file type.

Image File Rule: Detects and filters messages with an image file attachment based on its true
file type.

Multimedia File Rule: Detects and filters messages with a multimedia file attachment based
on its true file type.


Enable the default file type filtering rules that you want to use. You can modify the rules as
needed.
See “About file type filtering ” on page 123.
See “Creating a file type filtering rule” on page 129.

About creating the filtering rules


Creating a content filtering rule involves the following process:
■ Configuring the conditions of a content filtering rule
■ Specifying the users and groups in a filtering rule
■ Specifying whom to notify if a filtering rule is violated
■ Configuring rule actions
Creating a file type filtering rule involves the following process:
■ Creating a file type filtering rule
■ Specifying the users and groups in a filtering rule
■ Specifying whom to notify if a filtering rule is violated
■ Configuring rule actions

Configuring the conditions of a content filtering rule


A content filtering rule consists of one or more conditions that you define. For example, a
condition might be that an email subject line contains one or more words from a subject line
match list. A rule can optionally contain one or more exceptions.
Mail Security uses OR (Match any term) and AND (Match all terms) conditions as the framework
for evaluating email messages, or email messages together with their attachments.
By default, a content filtering rule is set to Match any term for the entries in the Content list:
the rule triggers a violation if any one of the entries is present and all of the other criteria
that you configured are met. If you select Match all terms, the rule triggers a violation only
if every item in the Content list is present and all of the other rule criteria are met.
Match any term is the only condition available for the entries in the Unless list.
To configure the conditions of a content filtering rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 On the Rule tab, define the conditions for the content filtering rule.
See “Elements of a content filtering rule” on page 142.
5 Do any of the following:
■ Configure the remaining components of the content filtering rule.
See “Specifying the users and groups in a filtering rule” on page 129.
See “Specifying whom to notify if a filtering rule is violated” on page 131.
See “Configuring rule actions” on page 133.
■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.

Creating a file type filtering rule


A file type filtering rule consists of the file types whose attachments you want to filter. When
you enable file type filtering and the rule, Mail Security detects attachments of the supported
file types by their true file type and takes the actions that you specify.
To create a file type filtering rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Type Filtering Rules.
3 In the sidebar under Tasks, click New rule.
4 On the Rule tab, type the name and description for the file type filtering rule.
5 Under Rule Content, select the file types for the rule.
6 Click OK.
7 On the toolbar, click Deploy changes to apply your changes.
See “About file type filtering ” on page 123.
See “About default file type filtering rules” on page 127.

Specifying the users and groups in a filtering rule


Mail Security lets you specify the users and groups to which the rule applies. You can also
specify which users and groups are exceptions to the rule.

Note: This feature is not available for the Edge Server role.

You can select groups from Active Directory. You can also add users based on SMTP
addresses.
Table 8-9 shows the SMTP address formats that Mail Security supports.

Table 8-9 Supported SMTP address formats

Address Example

@<domain name> @symantecdomain.com

*@<domain name> *@symantecdomain.com

<name>@<domain name> joe@symantecdomain.com

<name>@<subdomain.domain name> joe@security.symantecdomain.com

Note: Using regular expressions for SMTP addresses is not supported.

When you use the address formats from the table above, sub-domains are automatically
supported. For example, when you use the address format <name>@<domain name>, Mail
Security will support joe@symantec.com, as well as joe@security.symantec.com.
If you do not specify users, the rule applies to all senders and recipients.
If you want to specify a user or group whose domain is not in the Exchange server domain,
specify the domain name in the Internal Domains list.
See “Specifying inbound SMTP domains ” on page 150.

Note: You can select any Active Directory group except the Users group. Adding the Users
group to the Active Directory Groups list results in unintended behavior. For filtering rules
that are based on an Active Directory group, you must add the SMSMSE service account user
(the RBAC user) to the SMSMSE Admins Active Directory group.

To specify the users and groups in a filtering rule


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules or File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 Click the Users tab.


5 Under Sender/Recipient Selection, do one of the following:
To apply the rule based on the sender: Click Sender, and then select one of the following
options from the drop-down list:
■ Apply if the sender of the message is in the list
■ Apply if the sender of the message is NOT in the list

To apply the rule based on the recipient: Click Recipient, and then select one of the following
options from the drop-down list:
■ Apply if ANY of the recipients of the message are in the list
■ Apply if ANY of the recipients of the message are NOT in the list
■ Apply if ALL of the recipients of the message are in the list
■ Apply if ALL of the recipients of the message are NOT in the list

6 Under List of Users or Groups, in the SMTP addresses box, do one of the following:
■ Type the addresses of the users that you want to include or exclude.
Type one address per line.
■ To add a preconfigured match list that contains user addresses, click Add Match List
and select a match list.
You can only insert one match list. You can combine a match list with typed addresses.
See “About match lists” on page 155.

7 Under the Active Directory groups list, to select groups from Active Directory, click Add.
8 In the Active Directory domains and groups window, under Available groups, select
the group that you want to add and click the >> command icon.
The group that you select appears in the Selected groups list. To deselect a group in
the Selected groups list, click on the group entry, and then click the << command icon.
9 Do any of the following:
■ Configure the remaining components of the content filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Specifying whom to notify if a filtering rule is violated” on page 131.
See “Configuring rule actions” on page 133.
■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.
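The address formats in Table 8-9 and the sender and recipient options on the Users tab have a precise meaning that is easy to get wrong when you write a list. The following Python example is added here to make that meaning concrete; it is not Mail Security code. Two points are this example's own assumptions: matching is case-insensitive, and a list entry's domain covers a sub-domain only on a label boundary, so @symantecdomain.com covers joe@security.symantecdomain.com but not joe@symantecdomain.com.example.net.

```python
"""Sender and recipient list matching for a filtering rule.

Added example for this page, not Mail Security code. It implements the four
supported SMTP address formats from Table 8-9 with automatic sub-domain
coverage, and the Sender/Recipient options from the Users tab. Assumptions:
matching is case-insensitive, and a sub-domain matches only on a label boundary.
"""


def _split(address: str):
    """Return (local part, domain) in lower case; both are '' when there is no '@'."""
    if "@" not in address:
        return "", ""
    local, _, domain = address.strip().lower().rpartition("@")
    return local, domain


def address_matches(entry: str, address: str) -> bool:
    """True if one list entry covers the address.

    Supported entry formats: @domain, *@domain, name@domain, name@sub.domain.
    Entries are literal: regular expressions are not supported, and '*' only
    means "any user" in the *@domain form.
    """
    e_local, e_domain = _split(entry)
    a_local, a_domain = _split(address)
    if not e_domain or not a_domain:
        return False
    domain_ok = a_domain == e_domain or a_domain.endswith("." + e_domain)
    local_ok = e_local in ("", "*") or e_local == a_local
    return domain_ok and local_ok


def in_list(entries, address: str) -> bool:
    return any(address_matches(e, address) for e in entries)


def sender_applies(entries, sender: str, option: str = "in") -> bool:
    """Sender options: "in" (sender is in the list) or "not_in" (sender is NOT in the list).
    With no users specified, the rule applies to all senders."""
    if not entries:
        return True
    hit = in_list(entries, sender)
    return hit if option == "in" else not hit


def recipients_apply(entries, recipients, option: str = "any_in") -> bool:
    """Recipient options: any_in, any_not_in, all_in, all_not_in.
    With no users specified, the rule applies to all recipients."""
    if not entries:
        return True
    hits = [in_list(entries, r) for r in recipients]
    return {
        "any_in": any(hits),
        "any_not_in": not all(hits),   # at least one recipient is outside the list
        "all_in": all(hits),
        "all_not_in": not any(hits),
    }[option]


if __name__ == "__main__":
    # Constructed addresses, not from a real directory.
    users = ["@symantecdomain.com"]
    print(address_matches("joe@symantecdomain.com", "Joe@security.symantecdomain.com"))  # True
    print(recipients_apply(users, ["a@symantecdomain.com", "b@example.org"], "all_in"))    # False
```

Note the difference between "ANY of the recipients are NOT in the list" (one outside recipient is enough) and "ALL of the recipients are NOT in the list" (no recipient may be in the list); for a message with one internal and one external recipient only the first fires. A general caveat when you build exceptions on the Sender option: the sender address of an SMTP message is supplied by the sending side, so a rule that applies only when the sender is NOT in a list is an allowlist that a forged sender address satisfies.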

Specifying whom to notify if a filtering rule is violated


Mail Security lets you specify whom you want to notify when a rule is violated.

To specify whom to notify if a filtering rule is violated


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules or File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 Click the Notifications tab.


5 Check any of the following:
■ Notify administrators
Click the down arrow, and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body text is as follows:
■ Default Subject line text: Administrator Alert: Symantec Mail Security detected a
message containing prohibited content
■ Default Message body text: Location of the message: %location%%n%Sender of
the message: %sender%%n%Subject of the message: %subject%%n%%n%The
message was %action%%n%%n%This was done due to the following Symantec
Mail Security settings: %n%Scan: %scan%%n%Rule: %rule%%n%Violating term(s):
%violatingterm%

■ Notify internal sender


Click the down arrow, and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body texts are as follows:
■ Default Subject line text: Symantec Mail Security detected prohibited content in a
message sent from your address
■ Default Message body text: Subject of the message: %subject%%n%Recipient of
the message: %recipient%

■ Notify external sender


Click the down arrow, and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body texts are as follows:
■ Default Subject line text: Symantec Mail Security detected prohibited content in a
message sent from your address
■ Default Message body text: Subject of the message: %subject%%n%Recipient of
the message: %recipient%
See “Alert and notification variables” on page 239.

6 Click OK.
7 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Configuring rule actions


You can specify the action that you want Mail Security to take when a violation occurs.
Mail Security provides the following options for processing the messages that trigger the filtering
rule violations:
■ Delete entire message
■ Delete attachment/message body and replace with text
You can customize the replacement text.
■ Quarantine entire message and replace with text
You can customize the replacement text.
■ Quarantine attachment/message body and replace with text
You can customize the replacement text.
■ Add tag to beginning of subject line
You can customize the text that you want to prepend to the subject line. This rule action
is not available if you apply the rule to internal messages (store).
■ Log only
See “About logging events” on page 204.
You can also configure Mail Security to add one or more X-headers to messages that violate
the filtering rule. Mail Security provides five default X-headers from which you can choose.
Mail Security also lets you create your own X-headers. You can specify up to 25 X-headers
for each violation.
See “About applying X-headers to messages for archiving” on page 119.
To configure rule actions to delete the message
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 On the Actions tab, in the When a violation occurs box, use the drop-down menu to
select Delete entire message.
The default setting is: Quarantine entire message and replace with text.
5 Do any of the following:
■ Configure the remaining components of the content filtering or file type filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Creating a file type filtering rule” on page 129.
See “Specifying the users and groups in a filtering rule” on page 129.
See “Specifying whom to notify if a filtering rule is violated” on page 131.
■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.

To configure rule actions to delete the attachment and message body and replace with text
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 On the Actions tab, in the When a violation occurs box, use the drop-down menu to
select Delete attachment/message body and replace with text.
The default setting is: Quarantine entire message and replace with text.
5 In the Replacement text box, type your customized text.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original attachment content type was not allowed and was %action%.
See “Alert and notification variables” on page 239.
6 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header Do the following:

■ Click Add X-header.


■ In the X-header name column, use the
drop-down menu to select the X-header that
you want to use.
You can modify the existing X-header by
clicking on the text and typing the new
content.
■ In the X-header value column, type the
X-header value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Create a new X-header Do the following:

■ Click Add X-header.


■ In the X-header name box, type the name of
the X-header.
You can type up to 127 characters. The name
must begin with "x-" or "X-". The following
characters are not supported in X-header
names:
, . ; < > : ? / = ( ) [ ] @ | ~
■ In the X-header value box, type the X-header
value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Remove an existing X-header Do the following:

■ Select the X-header that you want to remove


by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

7 Do any of the following:


■ Configure the remaining components of the content filtering or file type filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Creating a file type filtering rule” on page 129.
See “Specifying the users and groups in a filtering rule” on page 129.

See “Specifying whom to notify if a filtering rule is violated” on page 131.


■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.
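The X-header limits stated in this procedure (127 characters for names and values, the "x-"/"X-" prefix, the unsupported characters, and at most 25 X-headers per violation) are worth checking in code before a rule is deployed, especially where X-header values are assembled from variables. The following Python example is added here and is not Mail Security code; it encodes the page's stated constraints and adds one check the page does not mention, labelled as such: a value must not contain CR, LF or NUL, because a line break inside a header value ends the field and lets the rest of the value be parsed as further headers.

```python
"""Validation of custom X-headers before they are attached to a message.

Added example for this page, not Mail Security code. It encodes the limits
the page states for X-header names and values (127 characters, the "x-"/"X-"
prefix, the unsupported characters, at most 25 X-headers per violation) and
adds one check the page does not mention: a header value must not contain
CR, LF or NUL, because a line break inside a value ends the header field
(header injection).
"""
import re

MAX_LEN = 127
MAX_HEADERS = 25
FORBIDDEN_NAME_CHARS = set(",.;<>:?/=()[]@|~")
FORBIDDEN_VALUE_CHARS = set("~|")
# Added check: RFC 5322 field names are printable US-ASCII (33-126) except ':'.
FIELD_NAME_RE = re.compile(r"[\x21-\x39\x3b-\x7e]+")


def validate_xheader_name(name: str) -> list:
    problems = []
    if not name.lower().startswith("x-"):
        problems.append('name must begin with "x-" or "X-"')
    if len(name) > MAX_LEN:
        problems.append(f"name longer than {MAX_LEN} characters")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("name contains unsupported characters: " + "".join(bad))
    if not FIELD_NAME_RE.fullmatch(name):
        problems.append("name contains whitespace, control or non-ASCII characters")
    return problems


def validate_xheader_value(value: str) -> list:
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"value longer than {MAX_LEN} characters")
    bad = sorted(FORBIDDEN_VALUE_CHARS & set(value))
    if bad:
        problems.append("value contains unsupported characters: " + "".join(bad))
    if re.search(r"[\r\n\x00]", value):
        problems.append("value contains CR, LF or NUL")   # header injection guard (added)
    return problems


def validate_xheaders(headers) -> dict:
    """headers: list of (name, value). Returns {index or 'count': [problems]}; {} means all acceptable."""
    problems = {}
    if len(headers) > MAX_HEADERS:
        problems["count"] = [f"more than {MAX_HEADERS} X-headers for one violation"]
    for i, (name, value) in enumerate(headers):
        found = validate_xheader_name(name) + validate_xheader_value(value)
        if found:
            problems[i] = found
    return problems


def render_xheaders(headers) -> str:
    """Serialise validated headers as RFC 5322 lines; refuses if anything is invalid."""
    if validate_xheaders(headers):
        raise ValueError("invalid X-header set")
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


if __name__ == "__main__":
    # Constructed examples of what a console user might type.
    proposed = [("X-SMSMSE-Rule", "Confidential-Keywords"),
                ("X-Archive", "flagged\r\nBcc: attacker@example.net")]   # injection attempt
    print(validate_xheaders(proposed))
```

The page's unsupported-character list for names already excludes ':' and '@'; the added RFC 5322 check additionally rejects spaces and control characters, which the console may or may not refuse, so treat it as a conservative extra rather than a statement about the product.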

To configure rule actions to quarantine entire message and replace with text
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you
want to edit.

4 On the Actions tab, in the When a violation occurs box, ensure that Quarantine entire
message and replace with text is selected.
This option is selected by default.
5 In the Replacement text box, type your customized text.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original attachment content type was not allowed and was %action%.
6 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header Do the following:

■ Click Add X-header.


■ In the X-header name column, use the
drop-down menu to select the X-header that
you want to use.
You can modify the existing X-header by
clicking on the text and typing the new
content.
■ In the X-header value column, type the
X-header value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Create a new X-header Do the following:

■ Click Add X-header.


■ In the X-header name box, type the name of
the X-header.
You can type up to 127 characters. The name
must begin with "x-" or "X-". The following
characters are not supported in X-header
names:
, . ; < > : ? / = ( ) [ ] @ | ~
■ In the X-header value box, type the X-header
value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Remove an existing X-header Do the following:

■ Select the X-header that you want to remove


by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

7 Do any of the following:


■ Configure the remaining components of the content filtering or file type filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Creating a file type filtering rule” on page 129.
See “Specifying the users and groups in a filtering rule” on page 129.
See “Specifying whom to notify if a filtering rule is violated” on page 131.
■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.

To configure rule actions to quarantine the attachment or message body and replace with text
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 On the Actions tab, in the When a violation occurs box, select Quarantine
attachment/message body and replace with text.
The default setting is: Quarantine entire message and replace with text.
5 In the Replacement text box, type your customized text.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original attachment content type was not allowed and was %action%.
6 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header Do the following:

■ Click Add X-header.


■ In the X-header name column, use the
drop-down menu to select the X-header that
you want to use.
You can modify the existing X-header by
clicking on the text and typing the new
content.
■ In the X-header value column, type the
X-header value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Create a new X-header Do the following:

■ Click Add X-header.


■ In the X-header name box, type the name of
the X-header.
You can type up to 127 characters. The name
must begin with "x-" or "X-". The following
characters are not supported in X-header
names:
, . ; < > : ? / = ( ) [ ] @ | ~
■ In the X-header value box, type the X-header
value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Remove an existing X-header Do the following:

■ Select the X-header that you want to remove


by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

7 Do any of the following:


■ Configure the remaining components of the content filtering or file type filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Creating a file type filtering rule” on page 129.
See “Specifying the users and groups in a filtering rule” on page 129.
See “Specifying whom to notify if a filtering rule is violated” on page 131.
■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.

To configure rule actions to prepend the subject line


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 On the Actions tab, in the When a violation occurs box, use the drop-down menu to
select Add tag to beginning of subject line.
The default setting is: Quarantine entire message and replace with text.
This rule action is not available if you apply the rule to the internal messages (store).
5 In the Subject line tag box, type the customized text that you want to prepend to the
subject line.
The default text is: Content Violation:
6 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header Do the following:

■ Click Add X-header.


■ In the X-header name column, use the
drop-down menu to select the X-header that
you want to use.
You can modify the existing X-header by
clicking on the text and typing the new
content.
■ In the X-header value column, type the
X-header value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Create a new X-header Do the following:

■ Click Add X-header.


■ In the X-header name box, type the name of
the X-header.
You can type up to 127 characters. The name
must begin with "x-" or "X-". The following
characters are not supported in X-header
names:
, . ; < > : ? / = ( ) [ ] @ | ~
■ In the X-header value box, type the X-header
value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Remove an existing X-header Do the following:

■ Select the X-header that you want to remove


by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

7 Do any of the following:


■ Configure the remaining components of the content filtering or file type filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Creating a file type filtering rule” on page 129.
See “Specifying the users and groups in a filtering rule” on page 129.

See “Specifying whom to notify if a filtering rule is violated” on page 131.


■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.

To configure rule actions to only log the event


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 Do one of the following:

Create a rule In the sidebar under Tasks, click New rule.

Modify an existing rule In the content area, double-click the rule that you want to edit.

4 On the Actions tab, in the When a violation occurs box, use the drop-down menu to
select Log only.
See “About logging events” on page 204.
The default setting is: Quarantine entire message and replace with text.
5 Check Add X-header(s) to add one or more X-headers to messages that trigger the
violation, and then do any of the following:

Add an existing X-header Do the following:

■ Click Add X-header.


■ In the X-header name column, use the
drop-down menu to select the X-header that
you want to use.
You can modify the existing X-header by
clicking on the text and typing the new
content.
■ In the X-header value column, type the
X-header value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Create a new X-header Do the following:

■ Click Add X-header.


■ In the X-header name box, type the name of
the X-header.
You can type up to 127 characters. The name
must begin with "x-" or "X-". The following
characters are not supported in X-header
names:
, . ; < > : ? / = ( ) [ ] @ | ~
■ In the X-header value box, type the X-header
value.
You can type up to 127 characters. The
following characters are not supported in
X-header values:
~|

Remove an existing X-header Do the following:

■ Select the X-header that you want to remove


by clicking to the left of the X-header name
column.
■ Click Delete X-header(s).

6 Do any of the following:


■ Configure the remaining components of the content filtering or file type filtering rule.
See “Configuring the conditions of a content filtering rule” on page 128.
See “Creating a file type filtering rule” on page 129.
See “Specifying the users and groups in a filtering rule” on page 129.
See “Specifying whom to notify if a filtering rule is violated” on page 131.
■ Click OK and then click Deploy Changes.
See “Deploying settings and changes to a server or group” on page 60.

Elements of a content filtering rule


Table 8-10 describes the rule elements that you can configure on the content filtering rule tab.

Table 8-10 Elements of a content filtering rule

Rule condition Description

Name Lets you provide a unique name for the content filtering rule that you can
easily identify in the list of rules and in reports in the event log.

Description Lets you provide a unique description for the content filtering rule. The
description should provide enough detail to remind you what the rule is
configured to detect.

Message part to scan Lets you specify the part of the email message that you want Mail Security
to scan for violations.

Use the Message part to scan drop-down list to choose from the following
message parts:

■ Message Body
■ Subject
■ Sender
■ Attachment Name
■ Attachment Content
■ Any Part

When the message part to scan is Attachment Name, Mail Security scans the
attachment name and all of the file names inside a container file. To skip the
contents of containers, select the Bypass scanning of container file(s) box;
Mail Security then does not evaluate the file names inside a container file,
for example the files that are compressed in a .zip file, so an attachment name
that would violate the rule is not detected when it arrives inside an archive.

See “About outbreak management” on page 194.

See “What you can do with the filtering rules” on page 147.

See “About creating the filtering rules” on page 128.

Apply rule to Lets you specify the messages to which you want the rule to apply. You
can choose to apply the rule to any combination of inbound, outbound,
or internal messages. You must select at least one of these options.

The default setting is Internal messages.


Note: To allow content filtering of internal messages, you must select the
Inbound messages option along with Internal messages.

The Apply rule to element applies only to Auto-Protect scanning. Manual
and scheduled scans automatically scan internal messages.

See “Specifying inbound SMTP domains ” on page 150.



Match type Lets you determine how words and phrases in the Content list and Unless
list are interpreted.
Note: The content filtering rule Match type element does not determine
how the match lists that you use in the Content list and Unless list are
interpreted. A match list can have a different match type than the content
filtering rule.

See “About match lists” on page 155.

The Match Type options are as follows:

■ Literal string: Matches the exact text in the Content and Unless lists
■ Regular expression: Matches the patterns of text using symbols and
syntactic elements
See “About regular expressions” on page 161.
■ Wild cards: Specifies the file names using wild card-style expressions
See “About DOS wildcard style expressions” on page 160.

Options Lets you select from the following match options:

■ Whole term: Applies the rule only if the exact term in the Content list
and Unless list or match list is found.
■ Case: Applies the rule only if the exact term is in the same case as in
the Content list and Unless list or in the match list. For example, if
you type ACME in the Content list, a message that contains the word
Acme does not trigger a violation.

Content Pane

Contains Lets you specify the Contains condition for a content filtering rule.

The Contains conditions are as follows:

■ Contains: The message part to scan contains the terms in the Content
list.
■ Does not contain: The message part to scan does not contain the
terms in the Content list.
■ Equals: The message part to scan equals the terms in the Content
list.
■ Does not equal: The message part to scan does not equal the terms
in the Content list.

The Equals and Does not equal options only apply to the Subject, Sender,
and Attachment Name message parts.

Add match list Lets you specify a match list to use in your content filtering rule. You can
also create a new match list or edit an existing match list.

Using a match list in content filtering rule is optional.

See “About match lists” on page 155.

Match any term Lets you evaluate the specified message part for any term that is contained
in the Content list.

For example, assume that the Content list contains the terms: free,
confidential, and money. If Mail Security detects any one of these terms
in the specified message part, it triggers a violation.

Match all terms Lets you evaluate the specified message part for all of the terms that are
contained in the Content list.

The Match all terms option is only available to use with the terms in the
Content list.

For example, assume that the Content list contains the terms: free,
confidential, and money. Mail Security must detect all of these terms in
the specified message part to trigger a violation.

The Match all terms option is not available when the message part to
scan is Any Part.

Template Lets you add a template to your content filtering rule. You can edit an
existing template but cannot create a new template or delete an existing
one. You can add a single template to a content filtering rule.

Using a template in a content filtering rule is optional.

See “About content filtering policy templates” on page 164.

Content list Lets you specify the words or phrases for which you want to evaluate the
specified message parts.

The format of the terms that you type in the Content list should mirror
that of the match type that you select. For example, if you select literal
string from the match type list, format your Content list entries as literal
strings.

Attachment size is Lets you specify Attachment size is as a condition of the content filtering
rule. The Attachment size is option can be applied to all message parts
to scan, except message body. You can also use Attachment size is by
itself if you want Mail Security to detect attachments of a certain size.

When you select the sender or subject message parts and the Match
any term or Match all terms conditions, the rule action is applied to the
message or the attachment based on the violation that is detected.

For example, assume that you have specified Sender, chosen the Match
any term condition, and specified the Attachment size is as = 2MB.
Since Mail Security scans messages in parts, if there is a Sender match,
dispositions are applied to the message body and the attachment. If the
attachment size is the only match, the disposition only applies to the
attachment.

Assume for the same example that you change the condition to Match
all terms. Mail Security applies a disposition to the attachment only if it
detects all of the terms in the Content list AND the specified attachment
size.

Unless Pane

Contains Lets you specify the Contains condition for a content filtering rule.

The Contains conditions are as follows:

■ Contains: The message part to scan contains the terms in the Unless
list.
■ Does not contain: The message part to scan does not contain the
terms in the Unless list.
■ Equals: The message part to scan equals the terms in the Unless list.
■ Does not equal: The message part to scan does not equal the terms
in the Unless list.

The Equals and Does not equal options apply only to the Subject,
Sender, and Attachment Name message parts.

Add match list Lets you specify a match list to use in your content filtering rule Unless
condition. You can also create a new match list or edit an existing match
list.

Using a match list is optional.

See “About match lists” on page 155.



Unless list Lets you create exceptions to content filtering rules. You can add words
and phrases to the Unless list which Mail Security evaluates as exceptions
to the content filtering rule.

All entries in the Unless list are automatically designated with the Match
any term (OR condition) option.

The format of the terms that you type in the Unless list should mirror that
of the match type that you select. For example, if you select Literal string
from the Match Type menu, you should format your Unless list entries as
literal strings.

Or attachment size Lets you specify Attachment size is as a condition of the content filtering
rule. The Attachment size is option can be applied to all message parts
to scan, except message body. You can also use Attachment size is by
itself if you want Mail Security to detect attachments of a certain size.

When you select the sender or subject message parts, the rule action is
applied to the message or the attachment based on the violation that is
detected. (All Unless conditions are applied as OR conditions between
the message part and the attachment.) And the Match any term condition
always applies to all Unless conditions.

For example, assume that you have specified Sender and specified the
Attachment size is as = 2MB. Since Mail Security scans messages in
parts, if there is a Sender match, dispositions are applied to the message
body and the attachment because "Match any term" makes this rule an
OR condition. However, if the attachment size is the only match, the
disposition only applies to the attachment.

What you can do with the filtering rules


The following describes the tasks that you can perform with the filtering rules:
■ Enabling or disabling the filtering for Auto-Protect scanning
■ Prioritizing the filtering rules
■ Deleting a filtering rule
■ Specifying inbound SMTP domains
■ Refreshing the Active Directory group cache

Enabling or disabling the filtering for Auto-Protect scanning


You can enable or disable content filtering or file type filtering for Auto-Protect scanning. You
can enable or disable content filtering and file type filtering for manual and scheduled scans
when you configure those scans.
See “About manual scans” on page 181.
See “About scheduling a scan” on page 187.
To enable or disable content filtering for Auto-Protect scanning
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the content area under Content Filtering Rules, do one of the following:
■ Check Enable content filtering to enable content filtering for Auto-Protect scanning.
■ Uncheck Enable content filtering to disable content filtering for Auto-Protect scanning.

4 On the toolbar, click Deploy changes to apply your changes.


To enable or disable file type filtering for Auto-Protect scanning
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Type Filtering Rules.
3 In the content area under File Type Filtering Rules, do one of the following:
■ Check Enable file type filtering to enable file type filtering for Auto-Protect scanning.
■ Uncheck Enable file type filtering to disable file type filtering for Auto-Protect scanning.
4 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings and changes to a server or group” on page 60.

Prioritizing the filtering rules


Mail Security evaluates messages using all of the filtering rules that you enable. By default,
Mail Security applies rules in the order in which you enable them. For example, if you enable
the Sample Executable File rule and then enable the Quarantined Triggered Subjects rule,
Mail Security prioritizes the Sample Executable File rule first. However, you can specify the
order in which you want Mail Security to apply the rules.
If a message violates more than one rule, Mail Security applies the most severe disposition
of the rules that were violated. This ensures that your environment maintains the highest level
of protection.
The severity levels, from most severe to least severe, are as follows:
■ Delete entire message
■ Delete attachment/message body and replace with text
■ Quarantine entire message and replace with text
■ Quarantine attachment/message body and replace with text
■ Add tag to beginning of subject line
■ Log only
For example, assume that you have two filtering rules enabled: Rule A and Rule B. Rule A is
the higher priority, and the rule action is “Log only.” Rule B is the lower priority, and the rule
action is to “Delete entire message.” A message that violates both rules is deleted.
If the message violates more than one rule and all of the rules have the same disposition, Mail
Security uses the prioritization categorization to determine which rule action to apply.
For example, assume that you have two filtering rules enabled: Rule C and Rule D. Rule C is
the higher priority, the rule action is “Add tag to the beginning of subject line,” and your
customized text is "Spam." Rule D is the lower priority, the rule action is “Add tag to the
beginning of subject line,” and your customized text is "Prohibited content." A message that
violates both rules will have the subject line prepended with "Spam."
The rule order does not change in the Content filtering rules table. You can only view and
modify rule prioritization in the Rule prioritization window.
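The two resolution rules described above (the most severe disposition wins, and among rules with the same disposition the higher-priority rule wins) can be written out as a short procedure. The following Python snippet is an added illustration; it is not part of the guide or of the product. The Rule data shape, the function names and the way a subject tag is prepended (tag, one space, original subject) are assumptions made for the example; only the severity order and the tie-break rule come from the guide.

```python
"""Resolve which disposition applies when a message violates several
filtering rules: the most severe disposition wins, and among equal
dispositions the higher-priority (lower-numbered) rule wins.

Added example, not product code. The Rule data shape, the function names
and the "tag + space + subject" format are assumptions for the illustration;
the severity order and the tie-break rule come from the guide.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Dispositions from most severe (index 0) to least severe, as listed in the guide.
SEVERITY_ORDER = [
    "Delete entire message",
    "Delete attachment/message body and replace with text",
    "Quarantine entire message and replace with text",
    "Quarantine attachment/message body and replace with text",
    "Add tag to beginning of subject line",
    "Log only",
]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 1 = highest, i.e. the top row of the Rule prioritization window
    action: str          # one of SEVERITY_ORDER
    tag_text: str = ""   # customized text; only used by the subject tag action


def severity(action: str) -> int:
    """Rank of a disposition: 0 is the most severe."""
    if action not in SEVERITY_ORDER:
        raise ValueError(f"unknown disposition: {action!r}")
    return SEVERITY_ORDER.index(action)


def default_priorities(rules_in_enable_order: Iterable[Rule]) -> List[Rule]:
    """Default ordering: rules are applied in the order they were enabled, so
    the first enabled rule gets priority 1, the next priority 2, and so on."""
    return [Rule(r.name, i, r.action, r.tag_text)
            for i, r in enumerate(rules_in_enable_order, start=1)]


def resolve(violated: Iterable[Rule]) -> Optional[Rule]:
    """Return the single rule whose action is applied to the message.

    Sort key: severity rank first, then priority number. The most severe
    disposition therefore wins, and within one disposition the higher-priority
    rule wins.
    """
    violated = list(violated)
    if not violated:
        return None
    return min(violated, key=lambda r: (severity(r.action), r.priority))


def effective_subject(subject: str, winner: Rule) -> str:
    """Subject line after the winning rule is applied. Assumption: the tag is
    prepended followed by one space; other dispositions leave the subject."""
    if winner.action == "Add tag to beginning of subject line":
        return f"{winner.tag_text} {subject}"
    return subject


# The guide's two worked examples, constructed here as Rule objects.
RULE_A = Rule("Rule A", 1, "Log only")
RULE_B = Rule("Rule B", 2, "Delete entire message")
RULE_C = Rule("Rule C", 1, "Add tag to beginning of subject line", "Spam")
RULE_D = Rule("Rule D", 2, "Add tag to beginning of subject line", "Prohibited content")

if __name__ == "__main__":
    print(resolve([RULE_A, RULE_B]).name)   # Rule B: deletion outranks Log only
    print(effective_subject("Q3 numbers", resolve([RULE_C, RULE_D])))  # tag from Rule C
```

The sort key makes the intent explicit: a lower severity index always beats a lower priority number, so a "Log only" rule at the top of the list never suppresses a deletion further down.
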
To prioritize the filtering rules
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 In the sidebar under Tasks, click Prioritize rules.
More than one rule must be enabled to prioritize rules.
4 In the Rule prioritization window, click a rule to select it.
5 Click Move up or Move down until the rule is at the priority that you want.
Rules are prioritized from top to bottom, with the top being the highest priority.
6 Click OK.
7 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Deleting a filtering rule


You can delete a content filtering or file type filtering rule when it is no longer needed.

To delete a filtering rule


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 In the content area, select the rule that you want to delete.
4 In the sidebar under Tasks, click Delete rule.
5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Specifying inbound SMTP domains


By default, content filtering rules for inbound SMTP messages apply to messages that have
at least one recipient who has a mailbox in the Exchange organization. Rules for outbound
SMTP messages apply to messages that have at least one recipient that does not have a
mailbox in the Exchange organization.
You can modify these settings by specifying the domains that your organization considers
local. By adding a domain to the domain list, emails with recipients for that domain are
considered local, even if they do not have local mailboxes.

Note: A single message can be considered both inbound and outbound. In this case, both
inbound and outbound rules are applied to the message.
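The classification described above, including the case where one message is both inbound and outbound, is shown by the following Python snippet. It is an added illustration and not part of the guide or the product; the mailbox set, the function names and the result dictionary are assumptions made for the example, and the domains and addresses are constructed.

```python
"""Classify a message as inbound, outbound or both: inbound if at least one
recipient is local, outbound if at least one recipient is not local. A
recipient is local when it has a mailbox in the Exchange organization or
when its domain appears in the list of internal domains.

Added example, not product code. The mailbox set, the function names and the
result dictionary are assumptions for the illustration; sample data is constructed.
"""
from typing import Dict, Iterable, Set


def parse_internal_domains(box_text: str) -> Set[str]:
    """Parse the 'List of internal domains' box: one domain per line, blank
    lines ignored, compared case-insensitively (assumption)."""
    return {line.strip().lower() for line in box_text.splitlines() if line.strip()}


def recipient_domain(address: str) -> str:
    """Domain part of an SMTP address, lower-cased."""
    local_part, at, domain = address.rpartition("@")
    if not at or not local_part or not domain:
        raise ValueError(f"not an SMTP address: {address!r}")
    return domain.lower()


def is_local(address: str, mailboxes: Set[str], internal_domains: Set[str]) -> bool:
    """Local if the recipient has a mailbox in the organization, or if its
    domain has been declared internal even though no local mailbox exists."""
    return address.lower() in mailboxes or recipient_domain(address) in internal_domains


def classify(recipients: Iterable[str], mailboxes: Iterable[str],
             internal_domains: Iterable[str] = ()) -> Dict[str, bool]:
    """Return which rule sets apply. Both flags can be true at once, in which
    case both the inbound and the outbound rules are applied to the message."""
    recipients = list(recipients)
    mailboxes = {m.lower() for m in mailboxes}
    internal_domains = {d.lower() for d in internal_domains}
    local = [r for r in recipients if is_local(r, mailboxes, internal_domains)]
    remote = [r for r in recipients if not is_local(r, mailboxes, internal_domains)]
    return {"inbound": bool(local), "outbound": bool(remote)}


# Constructed sample data: two mailboxes exist in the organization.
MAILBOXES = {"alice@example.com", "bob@example.com"}

if __name__ == "__main__":
    # One local and one external recipient: both rule sets apply.
    print(classify(["alice@example.com", "partner@example.net"], MAILBOXES))
    # No mailbox, but the domain is declared internal: treated as inbound.
    print(classify(["newhire@example.com"], MAILBOXES, parse_internal_domains("example.com\n")))
```

The last call shows why the domain list exists: without it, a recipient at the organization's own domain who has no mailbox yet would be treated as external, and only the outbound rules would run.
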

To specify inbound SMTP domains


1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click System Settings.
3 In the content area, under System Settings, check Enable list of internal domains.
4 In the List of internal domains box, type the domain or domains that define which email
message domains are inbound.
Type only one domain per line.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Refreshing the Active Directory group cache


Mail Security does not refresh the Active Directory group cache when you create or edit a
filtering rule. Mail Security automatically updates the cache upon startup and at 1:00 A.M. in
the time zone to which your computer clock is set. You should manually update the cache if
you modify the users in an Active Directory group that is used in a filtering rule. You should
also manually update the cache if you create a filtering rule that applies to the Active Directory
group Executives.

Note: This feature is not available for the Edge Server role.

For example, you create a filtering rule that applies to the Active Directory group Executives
and deploy your changes. Then you add a user to the Executives group. After you deploy your
changes, you must update the Active Directory group cache so that the rule applies to the user
that you added to the group.
You must have access to Active Directory or be logged onto a client in the Active Directory
domain to update the Active Directory group cache.
To refresh the Active Directory group cache
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules/File Type
Filtering Rules.
3 In the sidebar under Tasks, click Update Active Directory groups cache now.
4 In the Operation Status window, click Close when the operation is complete.
See “What you can do with the filtering rules” on page 147.

About enforcing email attachment policies


Mail Security contains the following default rule that enforces email attachment policies:

File Name Rule Lets you filter attachments by file name

See “Blocking attachments by file name” on page 151.

Blocking attachments by file name


You can filter attachments by file name to protect your network during an outbreak. For example,
in the case of a new email-borne threat, if you know the file name of the infected attachment,
you can use this information to block any infected email messages.

You can configure Mail Security to match words and phrases that are in a match list against
the names of files. Names of both non-container files (individual files without embedded files)
and container files (files with embedded files) are examined.
The prohibited file is blocked if Mail Security detects a match. The entire container file is blocked
if the prohibited file is within a container file.
For example, if an incoming .zip file named sample.zip contains three executable files (a.exe,
b.doc, and c.bat), sample.zip is blocked if any of the following occurs:
■ The match list contains one of the literal strings: sample.zip, a.exe, b.doc, or c.bat
■ The match list contains one of the DOS wildcard expressions: *.zip, *.exe, *.doc, or *.bat
■ The match list contains one of the regular expressions: sample\.\w{3}, a\.\w{3}, b\.\w{3}, or
c\.\w{3}
See “About match lists” on page 155.
To block attachments by file name, do the following:
■ Enable the File Name Rule.
■ Select the match list that contains the file name attachments that you want detected. You
can create or modify match lists when you modify the File Name Rule.
You can only select one match list.
■ Specify the action to take if a violation is detected, who to notify of the violation, and the
notification message text.
To enable the File Name Rule
1 In the console, on the primary navigation bar, click Policies.
2 In the sidebar, under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Filtering Rules table, on the File Name Rule row, click the
box under the Status column, and then click Enabled from the drop-down menu.
This rule is disabled by default.
To bypass scanning of container files
1 In the console, on the primary navigation bar, click Policies.
2 In the sidebar, under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Name Rule, select the Bypass scanning of container
file(s) check box if you do not want this rule to examine the contents of container files.
Other filtering rules and antivirus scanning still apply to the contents of the container.
This option is not selected by default.

To select an existing match list that does not need to be modified


1 In the console, on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the File Filtering Rules table, select the rule that you want to modify.
4 In the File Filtering Rules preview pane, beside Match list for prohibited file names, click
Select.
5 In the Select a match list window, in the Name table, select the match list, and then click
Select.
To create a match list or modify an existing match list
1 In the console, on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the File Filtering Rules table, select the rule that you want to modify.
4 In the File Filtering Rules preview pane, beside Match list for prohibited file names, click
Select.
5 In the Select a match list window, do one of the following:
■ To modify an existing match list, select the match list, and on the toolbar, click Edit
match list.
■ To create a new match list, on the toolbar, click New match list.
See “About match lists” on page 155.

6 Under Filter, type the file attachment names, one per line, that you want to add to the
match list.
7 Click OK.
8 In the Select a match list window, click Select to select the match list that you just created
or modified.
To specify the action to take if a file filtering rule violation is detected
1 In the console, on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the File Filtering Rules table, select the rule that you want to modify.
4 In the File Filtering Rules preview pane, in the Action to take list, use the drop-down menu
to select one of the following:
■ Delete entire message
■ Delete attachment/message body and replace with text
■ Quarantine entire message and replace with text
■ Quarantine attachment/message body and replace with text
■ Log only
The default setting is: Quarantine entire message and replace with text.
5 In the Replacement text box, type your customized message if you are replacing the
message or attachment body with a text message.
The default text is: Symantec Mail Security replaced %attachment% with this text message.
The original file contained %violation% and was %action%.
See “Alert and notification variables” on page 239.
6 Check one or more of the following to send email notifications about the detection:
■ Notify administrators
Click the down arrow, and then type your customized text in the Subject line box and
the Message body box.
The default Subject line and Message body text is as follows:
■ Default Subject line text: Administrator Alert: Symantec Mail Security detected a
message containing prohibited attachment
■ Default Message body text:
Location of the message: %location%
Sender of the message: %sender%
Subject of the message: %subject%
The attachment(s) "%attachment%" and/or the message was %action%. This was done due
to the following Symantec Mail Security settings:
Scan: %scan%
Rule: %rule%

■ Notify internal sender


Click the down arrow, and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body text is as follows:
■ Default Subject line text: Symantec Mail Security detected a prohibited attachment
in a message sent from your address
■ Default Message body text: Subject of the message: %subject% Recipient of the
message: %recipient%

■ Notify external sender


Click the down arrow, and then type your customized text in the Subject line box and
the Message body box. The default Subject line and Message body text is as follows:
■ Default Subject line text: Symantec Mail Security detected a prohibited attachment
in a message sent from your address
■ Default Message body text: Subject of the message: %subject% Recipient of the
message: %recipient%

See “Alert and notification variables” on page 239.

7 On the toolbar, click Deploy changes to apply your changes.


See “Deploying settings and changes to a server or group” on page 60.

About match lists


Mail Security uses match lists to filter email messages and attachments for specific words,
terms, and phrases. To implement a match list, you must associate it with a content filtering
rule or file filtering rule. When the rule is applied to scan messages, it also scans for the terms
in the match list.
See “About regular expressions” on page 161.
See “About DOS wildcard style expressions” on page 160.

Note: The preconfigured match lists are designed to be used with content filtering rules.
However, you can modify and use the preconfigured match lists with the File Name Rule file
filtering rule.

Table 8-11 lists the preconfigured match lists that Mail Security provides.

Table 8-11 Preconfigured match lists

Match list name    Description

Outbreak Triggered Attachment Names
    When you enable outbreak management, Mail Security adds the names of
    outbreak-triggered attachments to the Outbreak Triggered Attachment Names
    match list.

    You can use this match list with the Quarantine Triggered Attachment Names
    content filtering rule. This rule lets you automatically quarantine files
    with the attachment names that are found in the Outbreak Triggered
    Attachment Names match list.

    You can edit the rule description and the text in the Filter box. Leave the
    match type as wild cards.

    Note: The preconfigured match lists are designed to be used with content
    filtering rules. However, you can modify and use the preconfigured match
    lists with the File Name Rule file filtering rule.

    See “Configuring outbreak triggers” on page 198.

Outbreak Triggered Subject Lines
    When you enable outbreak management, Mail Security adds the names of
    outbreak-triggered subject lines to the Outbreak Triggered Subject Lines
    match list.

    You can use this match list with the Quarantine Triggered Subjects content
    filtering rule. This rule lets you automatically quarantine files with the
    subject line text that is found in the Outbreak Triggered Subject Lines
    match list.

    You can edit the rule description and the text in the Filter box. Leave the
    match type as literal.

    Note: The preconfigured match lists are designed to be used with content
    filtering rules. However, you can modify and use the preconfigured match
    lists with the File Name Rule file filtering rule.

    See “Configuring outbreak triggers” on page 198.

Sample Attachment Name
    This match list contains a list of attachment file names or extensions that
    might contain malicious code.

    You can edit the rule description and add or remove file extensions in the
    Filter box. Leave the match type as wild cards.

Sample Executable File Names
    This list contains the file names or extensions that can potentially execute
    malicious code.

    Leave the match type as wild cards.

Sample Message Body Words
    This list contains keywords and phrases typically found in the bodies of
    spam email messages.

    You can edit the rule description, add or remove keywords and phrases in
    the Filter box, and modify the match type. The default match type is
    literal.

Sample Multimedia File Names
    This list contains file names or extensions of multimedia files.

    Leave the match type as wild cards.

Sample Subject Line
    This list contains keywords and phrases typically found in spam email
    message subject lines.

    You can edit the rule description, add or remove keywords and phrases in
    the Filter box, and modify the match type. The default match type is
    literal.

Canadian Social Insurance Keywords
    This match list contains the keywords that indicate a Canadian social
    insurance number.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

Canadian Social Insurance Numbers
    This match list contains a pattern that indicates a Canadian social
    insurance number. The default match type is regular expression.

Credit Card Number Keywords
    This match list contains the keywords that are associated with a credit
    card number.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

Credit Card Number Pattern
    This match list contains a pattern that indicates a credit card number. The
    default match type is regular expression.

M and A Project Code Names
    This match list contains the keywords that can help you identify information
    or communication about upcoming merger and acquisition activity. For
    example, MergerProjectName.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

Sensitive Project Code Names
    This match list contains sensitive project code names.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

SWIFT Code Keywords
    This match list contains the keywords that are associated with Society
    for Worldwide Interbank Financial Telecommunication (SWIFT) codes.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

SWIFT Code Regex
    This match list contains a pattern that indicates a SWIFT Code. The
    default match type is regular expression.

UK Drivers License Numbers Pattern1
    This match list contains a pattern that indicates a UK drivers license
    number. The default match type is regular expression.

UK Drivers License Numbers Pattern2
    This match list contains another pattern that indicates a UK drivers license
    number. The default match type is regular expression.

UK Electoral Roll Numbers Keywords
    This match list contains the keywords that indicate a UK electoral roll
    number.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

UK Electoral Roll Numbers Pattern
    This match list contains a pattern that indicates a UK electoral roll number.
    The default match type is regular expression.

UK Keywords
    This match list contains the keywords that indicate UK-related information.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

UK NIN Keywords
    This match list contains the keywords that indicate a UK national insurance
    number.

    The default match type is wild cards. You can add or remove keywords
    in the Filter box.

UK NIN Pattern
    This match list contains a pattern that indicates a UK national insurance
    number. The default match type is regular expression.

UK Passport Keywords
    This match list contains the keywords that indicate a UK passport number.

    The default match type is wild cards. You can add or remove keywords
    in the Filter box.

UK Passport Pattern (New)
    This match list contains a pattern that indicates a UK passport number.
    The default match type is regular expression.

UK Passport Pattern (Old)
    This match list contains another pattern that indicates a UK passport
    number. The default match type is regular expression.

UK Tax ID Number Keywords
    This match list contains the keywords that indicate a UK tax ID number.

    The default match type is literal. You can add or remove keywords in the
    Filter box.

UK Tax ID Number Pattern
    This match list contains another pattern that indicates a UK tax ID number.
    The default match type is regular expression.

US ITIN Keywords
    This match list contains the keywords that indicate a US individual
    taxpayer identification number (ITIN).

    The default match type is literal. You can add or remove keywords in the
    Filter box.

US ITIN Pattern
    This match list contains a pattern that indicates a US individual taxpayer
    identification number. The default match type is regular expression.

IP Address Pattern
    This match list contains a pattern that indicates an IP address. The default
    match type is regular expression.

US SSN Keywords
    This match list contains the keywords that indicate a US individual social
    security number (SSN).

    The default match type is literal. You can add or remove keywords in the
    Filter box.

US SSN Patterns
    This match list contains another pattern that indicates a US individual
    social security number. The default match type is regular expression.

See “Creating or editing a match list” on page 159.


See “Deleting a match list” on page 160.

Creating or editing a match list


Mail Security provides some preconfigured match lists that you can use with content filtering
rules and the File Name Rule file filtering rule. You can also create your own match list or
modify an existing match list. Match lists support literal strings, DOS wildcard-style expressions,
or regular expressions.
See “About match lists” on page 155.
To create or edit a match list
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Match Lists.
3 Do one of the following:
■ To create a match list, in the sidebar under Tasks, click New match list.
■ To edit an existing match list, in the content area under Match Lists, select the list that
you want to edit, and then in the sidebar under Tasks, click Edit match list.

4 In the New Match List window, in the Title box, type a name for the match list.
You can only configure the title when you create a new match list.
5 In the Description box, type a description for the match list.

6 In the Match Type box, select one of the following:
■ Literal string
■ Regular expression
See “About regular expressions” on page 161.
■ Wild cards
See “About DOS wildcard style expressions” on page 160.
The match type you select is specific for a match list. The match type that you choose
when you add or edit a rule does not affect a match list.

7 In the Filter box, type a literal string, regular expression, or DOS wildcard-style expression.
Enter one expression per line. You can link several regular expressions to form a larger
one to match certain content in email.
8 Click OK.
9 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Deleting a match list


You can delete only those match lists that are not used in any content filtering or file filtering
rules or any content filtering policy templates.
See “About match lists” on page 155.
To delete a match list
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Match Lists.
3 In the content area, under Match Lists, select the match list that you want to delete.
4 In the sidebar under Tasks, click Delete match list.
5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

About DOS wildcard style expressions


DOS wildcard style expressions (“*”, “.”, and “?”) provide a convenient way to specify file names,
similar to the way in which DOS wildcard characters are used. For example, match lists of
type DOS wildcard are typically used with the Attachment Name Attribute to specify file names
such as *.exe. In addition, a DOS wildcard expression lets you easily specify files without
extensions.

Table 8-12 describes the DOS wildcard style expressions.

Table 8-12 DOS wildcard expressions

DOS wildcard expression   Equivalent regular expression   Description
*                         .*                              Zero or more of any character
?                         [^\.]                           Any one character except the period (.)
.                         \.                              Literal period character
*.                        [^\.]+\.?                       Does not contain a period, but can end with one

See “About regular expressions” on page 161.

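The equivalences in Table 8-12, and the way a match list is applied to a container file and its contents under “Blocking attachments by file name” (the sample.zip example), can be exercised with the following Python snippet. It is an added illustration and not part of the guide or the product. Assumptions made for the example: wildcard and literal entries are compared against the whole file name, case-insensitively; the “*.” form is treated specially only when it is the entire expression; regular expression entries are evaluated with Python's re module, whose dialect may differ from the product's engine in corner cases; the file names are constructed.

```python
"""Translate DOS wildcard style expressions into regular expressions with the
equivalences of Table 8-12, and apply a match list to the names of a container
file and the files embedded in it, as described under "Blocking attachments
by file name".

Added example, not product code. Assumptions for the illustration: wildcard
and literal entries are compared against the whole file name,
case-insensitively; the "*." form is special-cased only when it is the entire
expression; regular expression entries are searched with Python's re module,
whose dialect may differ from the product's engine in corner cases.
"""
import re
from typing import Iterable, List

# Table 8-12, one wildcard character at a time.
WILDCARD_TO_REGEX = {
    "*": ".*",       # zero or more of any character
    "?": r"[^\.]",   # any one character except the period
    ".": r"\.",      # literal period character
}
# "*." : does not contain a period, but can end with one (files without extensions)
NO_EXTENSION_REGEX = r"[^\.]+\.?"


def wildcard_to_regex(expr: str) -> str:
    """Return the equivalent regular expression for a DOS wildcard expression."""
    if expr == "*.":
        return NO_EXTENSION_REGEX
    return "".join(WILDCARD_TO_REGEX.get(ch, re.escape(ch)) for ch in expr)


def matches_wildcard(expr: str, name: str) -> bool:
    """Whole-name match, so *.exe matches a.exe but not a.exe.txt."""
    return re.fullmatch(wildcard_to_regex(expr), name, re.IGNORECASE) is not None


def matches_entry(entry: str, name: str, match_type: str) -> bool:
    """Test one match list entry against one file name for the given match type."""
    if match_type == "literal":
        return entry.lower() == name.lower()
    if match_type == "wildcard":
        return matches_wildcard(entry, name)
    if match_type == "regex":
        return re.search(entry, name, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type!r}")


def blocked_names(container_name: str, member_names: Iterable[str],
                  match_list: Iterable[str], match_type: str) -> List[str]:
    """Return every file name (the container or an embedded file) that matches
    the match list. Any hit blocks the entire container."""
    match_list = list(match_list)
    return [name for name in [container_name, *member_names]
            if any(matches_entry(entry, name, match_type) for entry in match_list)]


def is_blocked(container_name: str, member_names: Iterable[str],
               match_list: Iterable[str], match_type: str) -> bool:
    return bool(blocked_names(container_name, member_names, match_list, match_type))


# The guide's example: sample.zip containing a.exe, b.doc and c.bat.
CONTAINER = "sample.zip"
MEMBERS = ["a.exe", "b.doc", "c.bat"]

if __name__ == "__main__":
    print(blocked_names(CONTAINER, MEMBERS, ["*.bat"], "wildcard"))           # ['c.bat']
    print(blocked_names(CONTAINER, MEMBERS, [r"sample\.\w{3}"], "regex"))    # ['sample.zip']
    print(matches_wildcard("*.", "README"), matches_wildcard("*.", "notes.txt"))  # True False
```

Note the difference between the wildcard and regex match types: a wildcard entry is anchored to the whole name, while a regular expression entry such as sample\.\w{3} is searched anywhere in the name, which is why a regex meant to match a full name should carry its own ^ and $ anchors.

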
About regular expressions


A regular expression is a set of symbols and syntactic elements that Mail Security uses to
match patterns of text. Mail Security matches regular expressions on a line-by-line basis. It
does not evaluate the line feed (newline) character at the end of each input expression phrase.
You can build regular expressions using a combination of normal alphanumeric characters
and metacharacters. For example, some email messages contain a trailing number at the end
of the subject line text. Trailing numbers often indicate that a message is spam. Consider the
following sample subject line:
Here's a hot stock pick!43234
To write a rule to match email subject lines that have trailing numbers, compare the subject
against the following regular expression:
^.+![0-9]+$
This regular expression contains the normal alphanumeric characters 0-9 and the following
metacharacters: circumflex (^), period (.), plus (+), and open and close brackets ([ , ]). By using
the subject attribute, the = operator, and the regular expression as the value, you can build a
content filtering rule to catch any email messages whose subject lines end with a trailing
number.
See “Regular expressions” on page 162.

Regular expressions
You can combine alphanumeric characters and metacharacters to create match patterns for
rules that will block messages and attachments specifically designed to bypass file filtering
rules.
Table 8-13 lists examples of regular expressions that show how pattern matching is
accomplished with the use of metacharacters and alphanumeric characters.

Table 8-13 Regular expressions

Regular expression    Description

abc
    Matches any line of text that contains the three letters abc in that order.

    Your results may differ depending on the comparison that you use to
    create the rule. For example, if you build a rule to match the word Free
    and use the Contains condition, then the filtering engine detects all words
    that contain the word Free instead of an exact match (for example,
    Freedom). However, if you use the Equal condition, then the filtering
    engine detects only exact matches of the word Free with no other
    surrounding text. If you use the Contains condition with Whole words
    only, then the filtering engine detects Free as a stand-alone word, even
    if there are other words present in the text that is being searched.

a.c
    Matches any string that begins with the letter a, followed by any character,
    followed by the letter c.

^.$
    Matches any line that contains exactly one character. (The newline
    character is not counted.)

a(b*|c*)d
    Matches any string beginning with the letter a, followed by either zero or
    more instances of the letter b, or zero or more instances of the letter c,
    followed by the letter d.

.+\....\....
    Matches any file name that has two, three-letter extensions (for example,
    Filename.gif.exe).

    This regular expression is helpful in blocking email attachments with
    double extensions. For example:

    If Attachment Name + .+\....\....

[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+
    Matches an embedded comment in the middle of meaningful HTML text.

    Embedding comments within HTML text is a trick that spam senders use
    to bypass some pattern-matching software.

\s*
    Matches a white space character zero or more times.

See “About regular expressions” on page 161.

See “About DOS wildcard style expressions” on page 160.
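The expressions discussed under “About regular expressions” and in Table 8-13 can be run against constructed input with the following Python snippet, which also shows the Contains / Equal / Whole words only distinction from the abc row. It is an added illustration and not part of the guide or the product. The subject lines, attachment names and HTML fragments are constructed; the patterns are the guide's own. Python's re module is used, so behaviour may differ from the product's engine in corner cases (the guide states, for instance, that characters inside brackets are not case-sensitive), and the case-insensitive comparison in the Contains / Equal helpers is an assumption.

```python
"""Evaluate the regular expressions from "About regular expressions" and
Table 8-13 against constructed input, one line at a time, and show the
Contains / Equal / Whole words only distinction from the abc row.

Added example, not product code. Sample input is constructed; the patterns
are the guide's own. Python's re module is used, so behaviour may differ
from the product's engine in corner cases. Case-insensitive comparison in
the Contains / Equal helpers is an assumption.
"""
import re
from typing import List

# Patterns taken from the guide.
TRAILING_NUMBER = r"^.+![0-9]+$"                              # subject ends with "!" and digits
DOUBLE_EXTENSION = r".+\....\...."                             # two three-letter extensions
HIDDEN_HTML_COMMENT = r"[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+"   # HTML comment splitting a word


def matching_lines(pattern: str, text: str) -> List[str]:
    """Lines of `text` that match `pattern`. Each line is tested on its own and
    the line feed is not part of the input, as the guide describes."""
    compiled = re.compile(pattern)
    return [line for line in text.splitlines() if compiled.search(line)]


def contains(term: str, text: str) -> bool:
    """Contains condition: finds Free inside Freedom."""
    return term.lower() in text.lower()


def equals(term: str, text: str) -> bool:
    """Equal condition: the whole text must be the term."""
    return term.lower() == text.strip().lower()


def contains_whole_word(term: str, text: str) -> bool:
    """Contains with Whole words only: Free as a stand-alone word."""
    return re.search(rf"\b{re.escape(term)}\b", text, re.IGNORECASE) is not None


# Constructed sample input, one item per line.
SUBJECTS = """\
Here's a hot stock pick!43234
Quarterly report attached
Congratulations!
Invoice 2024 ready!
"""
ATTACHMENTS = """\
Filename.gif.exe
report.pdf
photo.jpg.scr
archive.tar.gz
"""
HTML_SNIPPETS = """\
Fr<!-- hidden -->ee offer
Hello <!-- c --> world
free<!---->money
"""

if __name__ == "__main__":
    print(matching_lines(TRAILING_NUMBER, SUBJECTS))        # the stock pick line only
    print(matching_lines(DOUBLE_EXTENSION, ATTACHMENTS))    # the two double-extension names
    print(matching_lines(HIDDEN_HTML_COMMENT, HTML_SNIPPETS))  # comments inside a word only
```

Two details worth noticing in the output: archive.tar.gz is not caught by the double-extension pattern because its last extension has two letters, and "Hello <!-- c --> world" is not caught by the comment pattern because the comment is surrounded by spaces rather than splitting a word.
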

About metacharacters
Table 8-14 lists the metacharacters that you can use in regular expressions to build filtering
rules.
Some characters are not considered special unless you use them in combination with other
characters.

Note: You can use metacharacters in regular expressions to search for both single-byte and
multi-byte character patterns.

Table 8-14 Metacharacter descriptions

Metacharacter   Description

.               Period: Matches any single character of the input sequence.

^               Circumflex: Represents the beginning of the input line. For example, ^A
                is a regular expression that matches the letter A at the beginning of a
                line. The ^ character is only a special character at the beginning of a
                regular expression, or after the [ or | characters.

$               Dollar sign: Represents the end of the input line. For example, A$ is a
                regular expression that matches the letter A at the end of a line. The $
                character is only a special character at the end of a regular expression
                or before the ) or | characters.

*               Asterisk: Matches zero or more instances of the string to the immediate
                left of the asterisk. For example, A* matches A, AA, AAA, and so on. It
                also matches the null string (zero occurrences of A).

?               Question mark: Matches zero or one instance of the string to the
                immediate left of the question mark.

+               Plus sign: Matches one or more instances of the string to the immediate
                left of the plus sign.

\               Escape: Turns on or off the special meaning of metacharacters. For
                example, \. only matches a dot character. \$ matches a literal dollar sign
                character. Note that \\ matches a literal \ character.

|               Pipe: Matches either expression on either side of the pipe. For example,
                exe|com|zip matches exe, com, or zip.

[string]        Brackets: Inside the brackets, matches a single character or collating
                element, as in a list. Characters within brackets are not case-sensitive.
                The string inside the brackets is evaluated literally, as if an escape
                character (\) were placed before each character in the string.
                If the initial character in the bracket is a circumflex (^), then the
                expression matches any character or collating element except those inside
                the bracket expression.
                If the first character after any potential circumflex (^) is a dash (-) or a
                closing bracket (]), then that character matches only a literal dash or
                closing bracket.

(string)        Parentheses: Groups parts of regular expressions, which gives the string
\(string\)      inside the parentheses precedence over the rest.

The order in which metacharacters are evaluated, from highest to lowest precedence, is as
follows:

Escape \
List []
Precedence override ( )
Single character *
Start with ^
Alternation |

See “About regular expressions” on page 161.

About content filtering policy templates


Content filtering policy templates let you create enhanced content filtering rules that help
prevent data leakage.
These templates are a combination of match lists. Each match list in a template is associated
with a frequency. The frequency specifies the number of matches from the match list.

You can edit an existing template but cannot create a new template or delete an existing one.
See “Editing a content filtering policy template” on page 168.
Table 8-15 lists the preconfigured templates that Mail Security provides.

Table 8-15 Preconfigured content filtering policy templates

Template name / Description

Canadian Social Insurance Number
    You can use this template in a rule to detect the patterns that indicate Canadian
    Social Insurance Numbers that are at risk of exposure.
    This template is a combination of the following match lists:
    ■ Canadian Social Insurance Numbers
    ■ Canadian Social Insurance Keywords

Credit Card Numbers
    You can use this template in a rule to detect the patterns that indicate credit card
    numbers at risk of exposure.
    This template is a combination of the following match lists:
    ■ Credit Card Number Keywords
    ■ Credit Card Number Pattern

Individual Taxpayer Identification Number (ITIN)
    An Individual Taxpayer Identification Number (ITIN) is a tax processing number issued
    by the US Internal Revenue Service (IRS). The IRS issues ITINs to track individuals
    who are not eligible to obtain a social security number (SSN).
    You can use this template in a rule to detect individual taxpayer identification
    numbers.
    This template is a combination of the following match lists:
    ■ US ITIN Keywords
    ■ US ITIN Pattern

Mergers and Acquisitions Data
    You can use this template in a rule to detect information and communication about
    upcoming merger and acquisition activity.
    Before you use this template in a rule, you must specify company-specific code words
    in the M and A Project Code Names match list to detect specific deals.

Project Data
    You can use this template in a rule to identify the sensitive project code names that
    are at risk of exposure.
    Before you use this template in a rule, you must specify the sensitive project code
    names in the Sensitive Project Code Names match list.

UK Tax ID Numbers
    You can use this template in a rule to detect UK Tax ID numbers. This template helps
    you detect UK Tax ID numbers by using the official specification of the UK Government
    Standards of the UK Cabinet Office.
    This template is a combination of the following match lists:
    ■ UK Tax ID Number Keywords
    ■ UK Tax ID Number Pattern

SWIFT Codes
    The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a
    cooperative organization under Belgian law, owned by its member financial
    institutions. The SWIFT code is also known as a Bank Identifier Code (BIC) or ISO 9362.
    The SWIFT code has a standard format to identify a bank, location, and the branch
    involved. These codes are used to transfer money between banks, particularly across
    international borders.
    You can use this template in a rule to detect valid SWIFT codes.
    This template is a combination of the following match lists:
    ■ SWIFT Code Keywords
    ■ SWIFT Code Regex

UK Drivers License Numbers
    This policy template helps you detect UK drivers license numbers by using the
    official specification of the UK Government Standards of the UK Cabinet Office.
    This template is a combination of the following match lists:
    ■ UK Keywords
    ■ UK Drivers License Numbers Pattern1
    ■ UK Drivers License Numbers Pattern2

UK Passport Numbers
    This policy template helps you detect valid UK passports by using the official
    specification of the UK Government Standards of the UK Cabinet Office.
    This template is a combination of the following match lists:
    ■ UK Passport Keywords
    ■ UK Passport Pattern (New)
    ■ UK Passport Pattern (Old)

UK National Insurance Numbers
    The UK Department for Work and Pensions and Inland Revenue (DWP/IR) issues national
    insurance numbers to individuals to administer the national insurance system.
    You can use this template in a rule to identify valid UK national insurance numbers.
    This template is a combination of the following match lists:
    ■ UK NIN Keywords
    ■ UK NIN Pattern

UK Electoral Roll Numbers
    You can use this template in a rule to detect UK electoral roll numbers.
    This template is a combination of the following match lists:
    ■ UK Keywords
    ■ UK Electoral Roll Numbers Pattern
    ■ UK Electoral Roll Numbers Keywords

US SSN Numbers
    This policy template detects US SSN Numbers, which are personal identification
    numbers issued by the Social Security Administration of the United States government.
    You can use this template in a rule to identify valid US individual social security
    numbers.
    This template is a combination of the following match lists:
    ■ US SSN Keywords
    ■ US SSN Patterns

Editing a content filtering policy template


You can edit a content filtering policy template by using any of the following options:
■ Enable or disable the conditions that are used in a template.
■ Edit the frequency that is specified for match lists in a template.
■ Edit the match lists that are used in a template.
See “Creating or editing a match list” on page 159.
You can customize the default templates based on your requirements. For example, every
organization has sensitive information regarding its projects. You can use the Sensitive
Project Code Names match list to supply the project code names. The Project Data template uses
the Sensitive Project Code Names match list to identify the project code names that are at
risk of exposure.
When you edit a template, the changes are reflected in all the content filtering rules that use
the template.
See “About content filtering policy templates” on page 164.
To edit a content filtering policy template
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the content area, double-click a rule.
4 On the Rule tab under Content pane, click Template.

5 In the Select a template window, select the template that you want to edit and click Edit
template.
Alternatively you can double-click the template that you want to edit.
6 Edit the description for the template.
7 Edit the frequency that is specified for match lists in the template.
8 Uncheck the box beside the match list name to disable it.
If you disable the parent condition, the child conditions are no longer applicable.
9 Click OK and then click Close.
10 Click OK.
11 On the toolbar, click Deploy changes to apply your changes.
Chapter 9
Scanning your Exchange servers for threats and violations
This chapter includes the following topics:

■ About the types of scanning that you can perform

■ How Mail Security scans messages

■ Configuring Auto-Protect scanning

■ Configuring background scanning for Exchange Server 2010 mailbox role

■ Configuring advanced scanning options for Auto-Protect and background (Exchange Server
2010 only) scanning

■ About manual scans

■ About scheduling a scan

■ Configuring notification settings for scan violations

About the types of scanning that you can perform


You can perform the following types of scans to detect risks, spam, and violations:
Auto-Protect scans
    When Auto-Protect is enabled, it runs constantly and detects threats and violations
    in real time for everything that is on or passes through your Exchange server.
    Auto-Protect scanning applies to all policies, except for antispam detection. Antispam
    scanning occurs continuously, in real time as email traffic flows through your Exchange
    server.
    See “Configuring Auto-Protect scanning” on page 176.

Manual scans
    Manual scans run on demand and scan public folders and mailboxes. All policies
    apply to manual scans, except antispam. Antispam scanning occurs continuously, in
    real time as email traffic flows through your Exchange server.
    You can specify which file folders and mailboxes to scan during a manual scan. You
    can also specify the filtering rules that you want to enable for the manual scan.
    See “About manual scans” on page 181.

Scheduled scans
    Scheduled scans run unattended, usually at off-peak periods. All policies apply to
    scheduled scans, except antispam. Antispam scanning occurs continuously, in real time
    as email traffic flows through your Exchange server.
    You can specify which file folders and mailboxes to scan during a scheduled scan.
    You can also specify the filtering rules that you want to enable for the scheduled scan.
    See “About scheduling a scan” on page 187.

Background scanning
    Background scanning is a scan of the message store on the Exchange Server 2010
    Mailbox role. You can perform scans of the message store during off-peak periods
    to enhance performance.
    See “Configuring background scanning for Exchange Server 2010 mailbox role”
    on page 177.

When Mail Security detects a security risk or a violation during a scan, it takes the action that
you specify for that policy. For example, when a threat is detected, Mail Security takes the
action that you specify in the Antivirus Settings policy.
Mail Security does not support the Quarantine entire message and replace with text action
for Auto-Protect, Manual, Scheduled, or Background scanning. If a violation is detected during
these scans, Mail Security quarantines the message by parts, even if you specify the action
as Quarantine entire message and replace with text for a policy.

Excluding the Journal database from On Access and Background scanning
SMSMSE has an additional option to exclude the Journal database from On Access and
Background scanning.

To configure this option
1 Create a REG_DWORD registry value named BypassVsapiDbScan under
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\7.9\Server and set it to 1.
2 Create a file named vsapi.xmb at the location ...\Server\Config.
Enter the Journal database names that you want to exclude from scanning and save the
file.

Note: Ensure that each Journal database name is entered on a new line.

3 Set the ReloadNow registry value to 1 and wait for it to return to 0 for the changes to
take effect.
This value is located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeIS\VirusScan.
4 Whenever the vsapi.xmb file is updated with new database entries or database entries
are removed, repeat step 3 for the changes to take effect.
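The script below is an added example, not Symantec's own tooling: it automates steps 1 to 4 of the procedure above on the Exchange server, including waiting for ReloadNow to return to 0. The registry paths and value names come from the procedure; the config folder path and the journal database names are assumptions.

```powershell
# Added example, not from the Symantec guide. Run in an elevated PowerShell session
# on the Exchange server where SMSMSE is installed. The config folder and the
# database names used below are assumptions.

$ServerKey    = 'HKLM:\SOFTWARE\Symantec\SMSMSE\7.9\Server'
$VirusScanKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeIS\VirusScan'

function Invoke-VsapiReload {
    # Step 3: set ReloadNow to 1 and wait until Exchange resets it to 0.
    param([int] $TimeoutSeconds = 120)
    Set-ItemProperty -Path $VirusScanKey -Name 'ReloadNow' -Value 1 -Type DWord
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 2
        $reload = (Get-ItemProperty -Path $VirusScanKey -Name 'ReloadNow').ReloadNow
    } while ($reload -ne 0 -and (Get-Date) -lt $deadline)
    if ($reload -ne 0) {
        throw "ReloadNow did not return to 0 within $TimeoutSeconds seconds; the change is not active yet"
    }
}

function Set-JournalDbScanBypass {
    param(
        [Parameter(Mandatory)] [string[]] $JournalDatabases,   # names to exclude from scanning
        [Parameter(Mandatory)] [string]   $ConfigDir           # the ...\Server\Config folder
    )
    # Step 1: REG_DWORD BypassVsapiDbScan = 1 (-Force creates or overwrites the value).
    New-ItemProperty -Path $ServerKey -Name 'BypassVsapiDbScan' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Step 2: vsapi.xmb with each Journal database name on its own line.
    $xmb = Join-Path $ConfigDir 'vsapi.xmb'
    Set-Content -Path $xmb -Value $JournalDatabases

    # Step 3: reload so that the exclusions take effect.
    Invoke-VsapiReload
}

# Constructed sample: two journal database names. PLACEHOLDER must be replaced with
# the real SMSMSE install folder so that the path ends in \Server\Config.
Set-JournalDbScanBypass -JournalDatabases 'JournalDB01', 'JournalDB02' `
    -ConfigDir 'C:\PLACEHOLDER_SMSMSE_INSTALL\Server\Config'

# Step 4: after you edit vsapi.xmb later, run Invoke-VsapiReload again.
```

Because excluded databases are no longer scanned on access, keep the list in vsapi.xmb under change control and review it whenever journal databases are added or renamed.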
See “About the types of scanning that you can perform” on page 170.

How Mail Security scans messages


When Auto-Protect scanning is enabled, Mail Security applies a stamp to messages it scans
at the Edge Transport or Hub Transport servers. The stamp indicates the version of definitions
that were used for the scan. Each time Mail Security scans the message, it also scans for file
filtering rule violations.
See “Configuring Auto-Protect scanning” on page 176.
Mail Security searches for this stamp each time the message is routed through the mail flow
to another server. Mail Security determines whether the message has been scanned and whether
the message was scanned with the most current definitions. When the server to which the mail is
routed contains more current definitions than those indicated in the stamp, the message is
rescanned with the newer definitions.

Note: Messages that have been stamped are not rescanned for file filtering and content filtering
rules.

When Mail Security detects a violation, the message is disposed of based on the settings that
you configure. No stamp is applied to the message, even if the message is repaired. If
the message is routed to another server role, Mail Security detects that there is no stamp and
rescans the message.

Figure 9-1 shows how an incoming email message is scanned as it enters your Exchange
Server 2010 environment.

Figure 9-1 How incoming email messages are scanned

[Figure: flow diagram. The labels that survive are summarized here.]
Internet -> Edge Transport server: the message is scanned. If no virus or violation is
detected, the message is stamped. If a virus or violation is detected, the message is
disposed of (Quarantine, Repair, Delete attachment/message body, Delete entire message, or
Log only) and no stamp is applied.
Hub Transport server: the definitions in the stamp are compared to the Hub definitions. If the
Hub definitions are the same as or older than those used at the Edge, the message is not
rescanned. If the Hub definitions are more current, the message is rescanned and is either
stamped or disposed of as above.
Mailbox server: the definitions in the stamp are compared to the Mailbox definitions. If the
Mailbox definitions are the same as or older than those used in the stamp, the message is
delivered to the recipient's mailbox. If the Mailbox definitions are more current, the message
is rescanned on access and is either delivered to the recipient's mailbox or disposed of
(Delete entire message).

Figure 9-2 shows how an outgoing email message is scanned as it leaves your Exchange
Server 2010 environment.

Figure 9-2 How outgoing email messages are scanned

[Figure: flow diagram. The labels that survive are summarized here.]
Mailbox server: the outgoing message is routed to the Hub Transport server. By default, the
message is not scanned nor stamped.
Hub Transport server: the message is scanned. If no virus or violation is detected, the
message is stamped. If a virus or violation is detected, the message is disposed of
(Quarantine, Repair, Delete attachment/message body, Delete entire message, or Log only) and
no stamp is applied.
Edge Transport server: the definitions in the stamp are compared to the Edge definitions. If
the Edge definitions are the same as or older than the Hub definitions, the message is not
rescanned. If the Edge definitions are more current, the message is rescanned and is either
stamped or disposed of as above.
Internet

Figure 9-3 shows how an internally routed email message is scanned.



Figure 9-3 How internal email messages are scanned

[Figure: flow diagram. The labels that survive are summarized here.]
Mailbox server: the internal message is routed to the Hub Transport server. By default, the
message is not scanned nor stamped.
Hub Transport server: the message is scanned. If no virus or violation is detected, the
message is stamped. If a virus or violation is detected, the message is disposed of
(Quarantine, Repair, Delete attachment/message body, Delete entire message, or Log only) and
no stamp is applied.
Mailbox server: the definitions in the stamp are compared to the Mailbox definitions. If the
Mailbox definitions are the same as or older than those used in the stamp, the message is
delivered to the recipient's mailbox. If the Mailbox definitions are more current, the message
is rescanned on access and is either delivered to the recipient's mailbox or disposed of
(Delete entire message).

How Mail Security offloads Mailbox server scanning for Exchange Server 2010
Mail Security lets you offload Mailbox server scanning to enhance server performance. Most
of the scanning is performed on the Hub Transport and Edge Transport servers.

Mail Security scans email messages at the Mailbox only when the following occurs:
■ An incoming email message does not have a stamp that indicates that it has already been
scanned.
■ The Mailbox server has more current definitions than those used to scan the message at
the Hub Transport or Edge Transport servers.
■ You schedule background scanning.
See “Configuring background scanning for Exchange Server 2010 mailbox role” on page 177.
■ You disable the "Exclude outbound scanning on mailbox server" setting.
This option is enabled by default.
See “Configuring advanced scanning options for Auto-Protect and background (Exchange
Server 2010 only) scanning” on page 180.
■ You send an Outlook Web Access message.

How Mail Security optimizes scanning performance for Exchange Server 2010
Mail Security is integrated with Exchange Server 2010 to enhance scanning performance.
Scanning performance is enhanced by reducing the amount of scanning that takes place as
mail is routed through your Exchange environment across the various roles and by offloading
Mailbox server scanning.
See “How Mail Security offloads Mailbox server scanning for Exchange Server 2010”
on page 175.

Note: Install and configure Mail Security on all of the server roles in your Exchange environment
using the same parameters. This ensures optimum scanning performance and violation and
threat detection.
See “Before you install” on page 21.
See “How Mail Security scans messages ” on page 172.

Configuring Auto-Protect scanning


Auto-Protect scanning provides continuous risk and violation detection. When you enable
Auto-Protect scanning, Mail Security scans email messages as they pass through the Exchange
server. Infected message bodies and attachments and rule violations are detected on a real-time
basis, based on the settings that you enable and configure.
You must enable Auto-Protect scanning to perform background scanning.
See “Configuring background scanning for Exchange Server 2010 mailbox role” on page 177.

See “Configuring advanced scanning options for Auto-Protect and background (Exchange
Server 2010 only) scanning” on page 180.
To configure Auto-Protect scanning
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Auto-Protect.
3 In the content area, under Auto-Protect Settings, check Enable Auto-protect.
4 On the toolbar, click Deploy changes to apply your changes.

Note: If the Auto-Protect status in the SMSMSE UI shows “Started (VSAPI is still
down)”, transport scanning works normally, but On Access scanning and background
scanning may not function.

See “Deploying settings and changes to a server or group” on page 60.

Configuring background scanning for Exchange Server 2010 mailbox role
When Mail Security is installed on a Microsoft Exchange Mailbox server and background
scanning is enabled, Microsoft Exchange creates a background thread for each message
database in the Exchange store. These threads run at a lower priority to minimize the impact
on other Exchange server actions. As each thread reads through the messages in the database,
it detects the messages that have not been scanned by the latest definitions and scans them.
This is useful if you have updated your definitions and need to re-scan the entire store with
new definitions.
You can also scan the email messages that have attachments and specify which messages
to scan based on the message date.

Note: Mail Security enables the Exchange VSAPI background scanning feature. Based on the
load and Microsoft Exchange's algorithms, Microsoft might interrupt the background scanning
process.
See “Configuring advanced scanning options for Auto-Protect and background (Exchange
Server 2010 only) scanning” on page 180.

See “About enhancing performance when you update definitions on Exchange 2010 mailbox
server” on page 236.

To configure background scanning


1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Auto-Protect.
3 In the content area, under Background Scanning Options, check Enable background
scanning.
You can select this option only when the Enable Auto-Protect option is checked.
See “Configuring Auto-Protect scanning” on page 176.
4 Do one of the following:
■ In the schedule matrix, click the boxes for the days and hours during which you want
background scanning to occur.
■ Under the schedule matrix, click the drop-down list and select the day that you want
background scanning to occur, the time that you want scanning to start, the time that
you want scanning to finish, and then click Select.
■ Click Select All to select all day and time ranges.
The boxes in the schedule matrix are blackened to indicate the time frames during which
background scanning will occur.
Click Clear All to clear all of the options that you selected.
You must indicate a time range for background scanning to run.
5 Check Scan messages with attachments only to scan email messages and their
attachments that are in the mailbox store.
Mail Security only scans the messages that have attachments when you select this option.
6 Under Choose messages to scan, select one of the following options:

Scan all messages in the store
    Scans all messages in the store.

Scan all messages from the past number of days
    Scans all messages from the past number of days.
    Type the number of days.
    The default setting is 2 days.

Scan all messages from the past number of hours
    Scans all messages from the past number of hours.
    Type the number of hours.
    The time is measured from the time at which the scan starts. For example, at
    12:05 PM a user schedules a background scan to start at 8:00 PM. The user enables
    “Scan all messages from the past number of hours” and selects a value of 10. The
    time frame for the messages to be scanned would be 10 hours before 8:00 PM.

Scan all messages from the start date
    If you select this option, do the following:
    ■ Click the drop-down arrow and specify the start date.
    ■ Select one of the following options:
      ■ To the date of the scan
        Performs the scan as of the start date that you specify to the current date.
      ■ To the following date
        Performs the scan as of the start date that you specify to the date that you
        specify in the drop-down list.

7 On the toolbar, click Deploy changes to apply your changes.


See “Deploying settings and changes to a server or group” on page 60.

Background scan log status for Exchange Server 2010 mailbox role
Mail Security version 6.5.5 provides improved logs with the status of the background scan. An
event is generated when a background scan is either halted or completed. This event also
provides the count of the items that were scanned so far during the background scan. Another
event is generated when a background scan is completed. This event provides the total time
that was taken to complete the scan.
See “Configuring background scanning for Exchange Server 2010 mailbox role” on page 177.

Stopping background scanning on Exchange Server 2010 mailbox role
You can stop Mail Security from running a background scan at any time.

To stop a background scan


1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Auto-Protect.
3 In the content area, under Background Scanning Options, uncheck Enable background
scanning.
4 On the toolbar, click Deploy changes.
See “Configuring background scanning for Exchange Server 2010 mailbox role” on page 177.

Configuring advanced scanning options for Auto-Protect and background (Exchange Server 2010
only) scanning
You can configure the additional scanning options that apply to Auto-Protect and background
scanning for Exchange Server 2010 mailbox role.
To configure advanced scanning options for Auto-Protect and background scanning
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Auto-Protect.

3 Under Advanced Scanning Options, check any of the following:

Scan message bodies (applies to AV only)
    Detects the risks in message bodies.
    The option is disabled by default.

Exclude outbound scanning on mailbox server
    Prevents the scanning of outbound messages so that they can be scanned at the Hub
    Transport.
    This option is enabled by default.

On virus definition update, force rescan before allowing access to Information Store
    Performs a scan each time definitions are updated and a user attempts to access a
    message.
    Microsoft Exchange does not allow access to any messages in the store until Mail
    Security re-scans the message with the latest definitions when a user attempts to
    access a file.
    As the definitions are delivered frequently, the scan might not complete before new
    definitions are available. This can affect overall mail throughput.
    This option is disabled by default.

    Note: If this option is selected, background scanning of the store restarts after
    every virus definition update. Ensure that you do not select this option if you want
    to complete background scanning of the entire store.

    See “About keeping your server protected” on page 231.

4 Under Advanced Scanning Options, check Scan message bodies (applies to AV only).
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

About manual scans


You can perform manual scans when you want to scan messages for specific purposes. For
example, you can create a content filtering rule to detect a particular category of subject-line
violations that are associated with a new threat, and then run the scan immediately.

To perform a manual scan, do the following:


■ Configure the manual scan parameters.
You can configure basic scanning options and specify the mailboxes, archive mailboxes,
and public folders that you want to scan. You can also enable filtering and enable the
filtering rules that you want to apply to the scan.

Note: Ensure that the public folders that you want to scan have owners assigned to them.
Mail Security does not perform a manual scan on the public folders that do not have owners
assigned to them.

See “Configuring the manual scan parameters” on page 182.


■ Run the manual scan.

Note: Before you run the manual scan, ensure that you create a custom throttling policy
and assign it to the Symantec Mail Security for Microsoft Exchange service account user.

See “Creating and assigning a custom throttling policy to the Mail Security service account
user” on page 73.
See “Performing a manual scan” on page 186.
■ View the manual scan results.
See “Viewing manual scan results” on page 186.
You can stop running a manual scan at any time.

Configuring the manual scan parameters


Before you run a manual scan, configure the parameters for the scan. After you deploy your
changes, the parameters remain the same until you change them.
Mail Security lets you specify the following parameters for a manual scan:
Scan Options
    You can choose from the following basic scanning options:
    ■ Stop scanning after ___ minutes. Next scan will restart where it stopped
      Select this option if you want to specify a duration for the scan. Type the number
      of minutes you want the scan to run in the box next to the option.
    ■ Scan only the items modified since last rescan
      Select this option to scan only the items that have been modified since the last
      scan. Scanning only the items that have been modified decreases overall scanning
      time.
    ■ Scan message bodies (Applies to AV only)
      Select this option to scan only the message bodies. Scanning message bodies
      increases the overall scanning time.

Scan location
    You can specify the mailboxes, archive mailboxes, and public folders that you want
    included in or excluded from the scan.
    You can select one of the following options:
    ■ Exclude archive: Excludes archive mailboxes from the scan and scans mailboxes only.
    ■ Archive with mailboxes: Scans both the mailboxes and their associated archive
      mailboxes.
    ■ Archive Only: Scans only the archive mailboxes of the mailboxes selected in the list.

    Note: When you select All mailboxes or Specific Mailboxes, the associated archive
    mailbox is selected or excluded based on the option selected: Exclude archive, Archive
    with mailboxes, or Archive only.

    The Scan location option is available only if you are in a server view.

Content filtering rules
    You can enable or disable content filtering scanning. If content filtering is enabled,
    enable the rules that you want to apply to the scan.
    Content filtering is enabled by default.

File type filtering rules
    You can enable or disable file type filtering. If file type filtering is enabled, enable
    the rules that you want to apply to the scan.

To configure basic scanning options


1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Manual Scan.
3 Under Tasks, click Edit manual scan.
4 In the Manual Scan Wizard, under Scan Options, check one or more of the following:
■ Stop scanning after __ minutes
If you select this option, type the number of minutes you want the scan to run.

The default value is 120.


■ Only scan the items modified since last scan
■ Scan message bodies (applies to AV only)

5 Under Choose messages to scan, select one of the following options:

Scan all messages in the store: Scans all messages in the store. This is the default setting.

Scan all messages from the past number of days: Scans all messages from the past number of days. Type the number of days in the box to the right.

Scan all messages from the past number of hours: Scans all messages from the past number of hours. Type the number of hours in the box to the right.

Scan all messages from the start date: If you select this option, do the following:
■ Use the drop-down menu to specify the start date.
■ Select one of the following options:
■ To the date of the scan: Scans messages from the start date that you specify to the current date.
■ To the following date: Scans messages from the start date that you specify to the date that you specify in the drop-down list.

6 Click Next.

To configure the scan location


1 Under Scan Location, to specify the mailboxes to scan, select one of the following:

All mailboxes: Scans all mailboxes. This option is enabled by default.
Exclude mailboxes: Scans no mailboxes.
Specific mailboxes: Scans only the mailboxes that you specify in the list box. This option is available in the single-server view only.

2 To specify the public folders to scan, select one of the following:

All public folders: Scans all public folders. This option is enabled by default.
Exclude public folders: Scans no public folders.
Specific public folders: Scans only the public folders that you specify in the list box. This option is available in the single-server view only.

3 Click Next.
To disable content and file type filtering
1 Uncheck Enable content filtering or Enable file type filtering.
Both options are enabled by default.
2 Click Finish.
3 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
To enable content and file type filtering
1 Check Enable content filtering or Enable file type filtering.
Both options are enabled by default.
2 Do any of the following:
■ To add a new filtering rule, on the toolbar, click Add new.
■ To modify an existing filtering rule, on the toolbar, click Edit rule.
■ To delete an existing filtering rule, click Delete rule.
See “About creating the filtering rules” on page 128.

3 Click the box under the Enable column and select Enable to enable the rules that you
want to apply to the scan.
4 Click Finish.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Performing a manual scan


After you configure the manual scan parameters, you can perform the manual scan.
See “Viewing manual scan results” on page 186.
To perform a manual scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Manual Scan.
3 Under Tasks, click Run now.
To stop the scan before it finishes, in the sidebar under Tasks, click Stop.
4 In the Operation Status window, click Close when the operation is complete.

Stopping a manual scan


You can stop Mail Security from finishing a manual scan at any time.
To stop a manual scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Manual Scan.
3 Under Tasks, click Stop.
See “Performing a manual scan” on page 186.

Viewing manual scan results


The Manual Scan page shows the results of the most recent manual scan.
To view manual scan results
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Manual Scan.
3 Press F5 to refresh the page.
This process might take several minutes for large server groups.

About scheduling a scan


In addition to Auto-Protect scanning and manual scanning, you can schedule scans to look
for different types of policy violations.
See “Creating a scheduled scan” on page 187.
See “Editing a scheduled scan” on page 187.
See “Configuring scheduled scan options” on page 188.
See “Enabling a scheduled scan” on page 192.
See “Deleting a scheduled scan” on page 192.

Note: From the Mail Security console, you cannot stop a scheduled scan once it has started. To stop one, you must edit the registry and restart the service. See “Stopping scheduled scans” on page 191.

Creating a scheduled scan


You can create as many scheduled scans as you need. When you create a scheduled scan,
it is disabled by default. Enable the scan so that it runs according to the schedule.
See “Enabling a scheduled scan” on page 192.
To create a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 Under Tasks, click New scan.
4 Configure the schedule scan options.
See “Configuring scheduled scan options” on page 188.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Editing a scheduled scan


You can modify an existing scheduled scan as needed. Enable the scan so that it runs according
to the schedule that you specify.
See “Enabling a scheduled scan” on page 192.
To edit a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.

3 In the content pane, do one of the following:


■ Select the scheduled scan that you want to modify, and in the sidebar under Tasks,
click Edit scan.
■ Under the Name column, double-click the scheduled scan that you want to modify.

4 Modify the schedule scan options as needed.


See “Configuring scheduled scan options” on page 188.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Configuring scheduled scan options


Mail Security provides a wizard that guides you through the process of configuring a scheduled
scan.
After you configure the scheduled scan options, enable the scan so that it runs according to
the schedule.
See “Enabling a scheduled scan” on page 192.
You can configure the following scheduled scan options:
■ Name of the scan and the basic scan options
■ Mailboxes and the public folders that you want to scan
■ Filtering rules that you want to apply to the scan
■ Scan schedule
To configure basic scanning options
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 Do one of the following:
■ To create a new scan, in the sidebar under Tasks, click New scan.
■ To modify an existing scan, in the content area, under the Name column, double-click the scan that you want to modify.

4 In the Scan name box, type the name for the scan.
Mail Security lets you enter a maximum of 128 SBCS (single-byte character set) characters
(64 double-byte character set characters) in the Scan name box.
This option is available only when you create a new scheduled scan.

5 Under Scan Options, check Stop after scanning ___ minutes to limit the amount of
time for the scan, and then type the maximum scanning time in minutes.
The default value is 120 minutes.
If Mail Security reaches this limit, it stops scanning. The next scheduled scan starts where
the previous scan stopped.
6 Check Only scan items modified since last scan to exclude the items that have not
changed since the last scan.
7 Check Scan message bodies to scan message bodies.
8 Under Choose messages to scan, select one of the following options:

Scan all messages in the store: Scans all messages in the store. This is the default setting.

Scan all messages from the past number of days: Scans all messages from the past number of days. Type the number of days in the box to the right.

Scan all messages from the past number of hours: Scans all messages from the past number of hours. Type the number of hours in the box to the right.

Scan all messages from the start date: If you select this option, do the following:
■ Click the drop-down arrow and specify the start date.
■ Select one of the following options:
■ To the date of the scan: Scans messages from the start date that you specify to the current date.
■ To the following date: Scans messages from the start date that you specify to the date that you specify in the drop-down list.

9 Click Next.
To select what to scan
1 In the second panel of the scheduled scan wizard, under Scan Location, to specify the mailboxes to scan, select one of the following:

All mailboxes: Scans all mailboxes. This option is enabled by default.
Exclude mailboxes: Scans no mailboxes.
Specific mailboxes: Scans only the mailboxes that you specify in the list box. This option is available in the single-server view only.

For archive mailboxes, you can select one of the following options:
■ Exclude archive: Scans the selected mailboxes only and skips their archive mailboxes.
■ Archive with mailboxes: Scans both the selected mailboxes and their associated archive mailboxes.
■ Archive Only: Scans only the archive mailboxes of the mailboxes that you select in the list.

Note: When you select All mailboxes or Specific Mailboxes, the associated archive mailboxes are included or excluded according to the archive option that you select: Exclude archive, Archive with mailboxes, or Archive only.

2 To specify the public folders to scan, select one of the following:

All public folders: Scans all public folders. This option is enabled by default.
Exclude public folders: Scans no public folders.
Specific public folders: Scans only the public folders that you specify in the list box. This option is available in the single-server view only.

3 Click Next.
To apply filtering rules to the scan
1 In the third panel of the scheduled scan wizard, check Enable content filtering to apply content filtering rules to the scheduled scan.
2 In the next panel, check Enable file type filtering rules to apply file type filtering rules to the scheduled scan.
3 Do any of the following:
■ To add a new filtering rule, on the toolbar, click New rule.
■ To modify an existing filtering rule, on the toolbar, click Edit rule.
■ To delete an existing filtering rule, click Delete rule.

See “About creating the filtering rules” on page 128.

4 Click the box under the Enable column and select Enable to enable the rules that you
want to apply to the scan.
5 Click Next.
To specify the scanning schedule
1 In the final panel of the scheduled scan wizard, in the Time of day to run box, select the
time of day that you want Mail Security to perform the scan (in 24-hour format).
2 Under Days to run on, check the days of the week that you want the scan to run.
3 Under Dates of the month to run on, select any of the following:
■ 1st: The scan runs on the first day of each month.
■ 15th: The scan runs on the 15th day of each month.
■ End of the month: The scan runs on the 28th day of each month.

4 Check Run scan at service start to perform a scan when the service starts.
5 Check Run scan when virus definitions change to perform a scan when new definitions
are received.
Enabling Run scan when virus definitions change together with Rapid Release definitions can significantly affect performance, because the scheduled scan runs each time definitions are updated. Rapid Release definitions are delivered frequently, so the scan might not complete before the next update arrives, and the overlapping scans degrade overall scanning performance. Leave this option disabled if you update definitions at frequent intervals.
See “Scheduling definition updates” on page 235.
6 Click Finish.
7 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Stopping scheduled scans


You cannot stop a running scheduled scan from the console, but you can stop it at any time by resetting its progress state in the registry and restarting the Mail Security service. As with any registry change, export the key before you edit it.
To stop a scheduled scan
1 Close the Mail Security console.
2 On the Windows menu, click Start > Run.
3 In the Run box, type the following command:
regedit
4 Click OK.
5 In the registry editor window, in the left pane, browse to the following key, where 7.x is the installed version and <name of scheduled scan> is the name that you gave the scan:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\7.x\Server\ScanJobs\<name of scheduled scan>
6 In the right pane, double-click ProgressStateDword.
7 In the Value data box, type 0, and then click OK.
8 Close the registry editor window.
9 On the Windows menu, click Start > Programs > Administrative Tools > Services.
10 Restart the Symantec Mail Security for Exchange service.
See “Configuring scheduled scan options” on page 188.
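The same procedure can be scripted, which helps when the console is already closed and a runaway scan must be stopped on several servers. The following PowerShell script is an added example and is not part of the Symantec guide or the product. It assumes a scheduled scan named Nightly mailbox scan, the 7.x version segment of the registry path, and that the service can be found by a display name beginning with Symantec Mail Security; adjust all three for your server. Run it in an elevated PowerShell session on the Exchange server after closing the Mail Security console.

```powershell
# Added example, not part of the Symantec guide or the product. Stops a running
# scheduled scan the same way the procedure above does, but from PowerShell.
# Run in an elevated session on the Exchange server with the Mail Security
# console closed (step 1 of the procedure).

$ScanName  = 'Nightly mailbox scan'     # assumption: the name you gave the scheduled scan
$Version   = '7.x'                      # assumption: the version segment of the key on your server
$KeyPath   = "HKLM:\SOFTWARE\Symantec\SMSMSE\$Version\Server\ScanJobs\$ScanName"
$ValueName = 'ProgressStateDword'

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Scan job key not found: $KeyPath (check the scan name and version segment)"
}

# Export the key first so the previous state can be restored if needed.
$backup = Join-Path $env:TEMP ("SMSMSE-ScanJob-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export ($KeyPath -replace '^HKLM:', 'HKLM') $backup /y | Out-Null

# Steps 5-7 of the procedure: reset the progress state to 0.
$before = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName
Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value 0 -Type DWord
Write-Host "$ValueName for '$ScanName' changed from $before to 0 (backup: $backup)"

# Steps 9-10: restart the Mail Security service so the reset takes effect.
# The display-name filter is an assumption; confirm it with Get-Service on your server.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'Symantec Mail Security*' } |
       Select-Object -First 1
if ($null -eq $svc) { throw 'Symantec Mail Security service not found' }
Restart-Service -Name $svc.Name -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(90))
Write-Host "Restarted '$($svc.DisplayName)'; scheduled scan '$ScanName' is stopped."
```

Confirm the service display name with Get-Service before relying on the filter, and keep the exported .reg file so the previous ProgressStateDword value can be restored if the scan needs to resume from where it stopped.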

Enabling a scheduled scan


You must enable a scan so that it runs according to the schedule that you specify. Scheduled
scans are disabled by default.
To enable a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 In the content pane, select the scheduled scan that you want to enable.
4 Click the box under the Status column, and then click Enabled from the options in the
drop-down menu.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Deleting a scheduled scan


You can delete a scheduled scan when it is no longer needed.
To delete a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Scheduled Scans.
3 Select the scan that you want to delete.

4 In the sidebar under Tasks, click Delete scan.


5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Configuring notification settings for scan violations


You can specify the administrators, users, or computers that should receive email notifications
about scan violations. Restrict the issuing of alerts to a small list of interested administrators
to avoid unnecessary interruptions.
Email notifications can be issued when a Mail Security scan detects a policy violation or an
outbreak. An alert can also be sent to notify an administrator when a server experiences a
critical service failure.
You can also customize the subject line and message text for each type of notification message
when you configure policies and rules.

Note: Email notifications are sent only to the names and addresses that can be resolved against
Active Directory. If you install Mail Security on the Edge server role, type a fully qualified email
address (for example, user@mycompany.com).

To configure notification settings for scan violations


1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Notification Settings.
3 In the content area, in the Address of sender to use in email notification box, type the
email address of the sender that you want to use for email notifications.
4 In the Administrators or others to notify box, type the email addresses of administrators
and users to notify.
Separate each entry by commas. If you include an email address that is not within your
domain, type the fully qualified email address (for example, user@mycompany.com).
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
Chapter 10
Managing outbreaks
This chapter includes the following topics:

■ About outbreak management

■ Enabling outbreak management

■ Configuring outbreak triggers

■ Configuring outbreak notifications

■ Clearing outbreak notifications

About outbreak management


An outbreak situation occurs when an excessive number of threats or events that exhibit
virus-like behavior occur on a network. When an outbreak occurs, prompt identification of the
situation and notification of administrative staff is critical.
Outbreak management lets you configure Mail Security to send alerts when the number of matching events (for example, duplicate messages) within a period of time reaches a threshold that you define. A large number of duplicate messages can indicate an active virus outbreak or a problem within your Exchange server. You can monitor different types of conditions and receive timely alerts as they occur. An outbreak condition does not necessarily indicate that there is a problem: normal email flow alone can reach the duplicate-message threshold, depending on your settings and the volume of email that passes through the Exchange server.
When you configure outbreak settings, it is recommended that you consider the following:
■ Threat potential of the event category that is monitored
■ Amount of the email that is typically processed
■ Size of your mail system
■ Stringency with which you want to define an outbreak
Managing outbreaks 195
About outbreak management

As your outbreak triggers are tested, you can fine-tune the values that you use.
Mail Security lets you manage outbreaks with the following options:
■ Enable Outbreak Management.
See “Enabling outbreak management” on page 198.
■ Specify the criteria for an outbreak.
The criteria consist of the number of times that an event must occur during a specified time
interval.
See “About the criteria that defines an outbreak” on page 195.
See “About outbreak triggers” on page 197.
See “Configuring outbreak triggers” on page 198.
■ Define the email notifications to send to the administrator when an outbreak is detected.
See “Configuring outbreak notifications” on page 200.
■ End the outbreak event after the situation is managed.
See “Clearing outbreak notifications” on page 203.

About the criteria that defines an outbreak


You can specify the number of occurrences of an event that must occur within a specified time
frame to define an outbreak. Although there are no standard numbers to use when specifying
frequencies, take into consideration the following:
■ Threat potential of the event category that is monitored
■ Size of your mail system
■ Amount of the email that is typically processed
■ Stringency with which you want to define an outbreak
Mail Security checks your server for outbreaks at a regular interval (the default is every 2 minutes). At each check, it counts the events that occurred within the time span that the trigger specifies (the default is the previous 20 minutes) and compares that count with the trigger's occurrence threshold (the default is 100). Mail Security issues an outbreak notification when the count reaches the threshold.
For example, suppose that you enable outbreak management, configure Mail Security to check for outbreaks every 2 minutes, and enable the Same virus outbreak trigger with its default configuration. Mail Security then detects 50 messages that contain the EICAR test file at 1:05 P.M. and another 50 at 1:19 P.M. Figure 10-1 shows how the checks at 1:20, 1:22, 1:24, and 1:26 evaluate these events.

Figure 10-1 Example of an outbreak event

[Figure: four clock faces covering 1:00 P.M. to 1:30 P.M., each marking the times at which 50 messages with the same subject line (“Free Offer”) are received. The callouts read as follows.]
■ At 1:20, Mail Security checks the prior 20 minutes and detects an outbreak. An outbreak notification is sent.
■ At 1:22, Mail Security checks the prior 20 minutes and detects that the outbreak still exists. A subsequent notification is sent.
■ At 1:24, Mail Security checks the prior 20 minutes and detects that the outbreak still exists. A subsequent notification is sent.
■ At 1:26, Mail Security checks the prior 20 minutes and does not detect outbreak conditions. No notification is sent.

See “About outbreak management” on page 194.



See “About outbreak triggers” on page 197.
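To make the interaction between the check interval, the trigger's time span, and its occurrence threshold concrete, the following PowerShell script is an added example; it is not code from the Symantec guide or from the product. It simulates the sliding-window evaluation described above with the default Same virus settings (100 occurrences within 20 minutes, checked every 2 minutes) against constructed sample data: 50 detections at 1:05 P.M. and 50 more at 1:19 P.M., as in Figure 10-1. The function and parameter names and the notification labels are assumptions for illustration; the product's actual notification text is shown under “Configuring outbreak notifications”.

```powershell
# Added example, not part of the Symantec guide or the product. Simulates the
# sliding-window outbreak check described above. Function and parameter names
# are assumptions; the notification labels are placeholders, not the product's text.

function Test-OutbreakWindow {
    param(
        [datetime[]] $EventTimes,                          # one entry per detected event
        [datetime]   $CheckTime,
        [int]        $Occurrences = 100,                   # default trigger threshold
        [timespan]   $Window = [timespan]::FromMinutes(20) # default trigger time span
    )
    $start = $CheckTime - $Window
    # Count the events that fall inside the look-back window (start, CheckTime].
    $count = @($EventTimes | Where-Object { $_ -gt $start -and $_ -le $CheckTime }).Count
    [pscustomobject]@{ CheckTime = $CheckTime; Count = $count; Outbreak = ($count -ge $Occurrences) }
}

function Invoke-OutbreakMonitor {
    param(
        [datetime[]] $EventTimes,
        [datetime]   $From,
        [datetime]   $To,
        [timespan]   $Interval = [timespan]::FromMinutes(2),   # "Check for Outbreaks every" default
        [int]        $Occurrences = 100,
        [timespan]   $Window = [timespan]::FromMinutes(20)
    )
    $inOutbreak = $false
    for ($t = $From; $t -le $To; $t += $Interval) {
        $r = Test-OutbreakWindow -EventTimes $EventTimes -CheckTime $t `
                                 -Occurrences $Occurrences -Window $Window
        if ($r.Outbreak) {
            # The first hit sends the initial notification; later hits send subsequent ones.
            $action = if ($inOutbreak) { 'Subsequent notification' } else { 'Initial notification' }
            $inOutbreak = $true
        } else {
            $action = if ($inOutbreak) { 'Outbreak over, no notification' } else { 'No outbreak' }
            $inOutbreak = $false
        }
        [pscustomobject]@{ Check = $t.ToString('h:mm tt'); Count = $r.Count; Action = $action }
    }
}

# Constructed sample data matching Figure 10-1: 50 detections of the EICAR test
# file at 1:05 P.M. and another 50 at 1:19 P.M.
$base   = [datetime]'2024-01-01T13:00:00'
$events = @(1..50 | ForEach-Object { $base.AddMinutes(5) }) +
          @(1..50 | ForEach-Object { $base.AddMinutes(19) })

Invoke-OutbreakMonitor -EventTimes $events -From $base.AddMinutes(18) -To $base.AddMinutes(26) |
    Format-Table -AutoSize
```

Run as written, the script prints one row per check from 1:18 P.M. to 1:26 P.M. The 1:20, 1:22, and 1:24 checks each see both batches inside their 20-minute window (an initial notification followed by subsequent ones), and at 1:26 the 1:05 batch has left the window, so the count falls below the threshold and no notification is sent, which is the behaviour Figure 10-1 describes. Changing the Occurrences, Window, or Interval parameters shows how a stricter or looser trigger changes when the first alert fires and how long the outbreak persists.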

About outbreak triggers


The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger
only monitors one type of event and defines an outbreak as the frequency of the specified
event within a given time period.
For example, one outbreak trigger can be defined as the occurrence of 50 or more unscannable
files within 1 hour. Another outbreak trigger can be defined as 30 or more filtering rule violations
within 15 minutes.
If you enable multiple outbreak triggers and a message is received that violates more than one of them, Mail Security enters outbreak mode and stops looking for additional outbreaks, so only one outbreak rule is triggered.
Message bodies typically do not contain threats or security risks. To conserve processing resources, Mail Security installs with default settings that do not scan message bodies. (Message attachments are always scanned.) You can modify the settings to scan message bodies.
If Mail Security does not scan the message body (which includes the subject line), the Same subject outbreak trigger cannot fire for a message unless that message contains an attachment.
To activate the Same subject outbreak trigger for the messages that do not contain attachments,
you can do any of the following:
■ Enable message body scanning.
See “Configuring advanced scanning options for Auto-Protect and background (Exchange
Server 2010 only) scanning” on page 180.
■ Enable at least one content filtering rule.
Content filtering rules require message body scanning, regardless of whether the message
contains an attachment. The content filtering rule can be any of the default rules or a rule
that you create.
Outbreak triggers apply to Auto-Protect scans only.
See “Configuring outbreak triggers” on page 198.

Best practices for managing outbreak conditions on an Exchange 2010 mailbox server

Do the following to improve security during an outbreak:
■ Run Rapid Release to update virus definitions.
See “Updating definitions on demand” on page 235.

■ Enable the On virus definition update, force rescan before allowing access to
information store option on the Auto-Protect page.
See “Configuring advanced scanning options for Auto-Protect and background (Exchange
Server 2010 only) scanning” on page 180.
■ Start or schedule a background scan. Configure the "Scan all messages from the past
number of days" option to cover the period of the outbreak.
See “Configuring background scanning for Exchange Server 2010 mailbox role” on page 177.
You can return to your pre-outbreak configuration when the outbreak has been managed.

Enabling outbreak management


Outbreak management is enabled by default. You can specify the interval during which you
want Mail Security to check for outbreaks. By default, the interval is set to every two minutes.

At least one outbreak trigger must be enabled for outbreak management to work.
See “Configuring outbreak triggers” on page 198.

To enable outbreak management


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 In the content area under Outbreak, check Enable Outbreak Management.
This option is enabled by default.
4 In the Check for Outbreaks every ___ minutes box, type the interval in minutes that
you want Mail Security to monitor your server for outbreaks.
The default value is 2 minutes.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Configuring outbreak triggers


Mail Security provides the following outbreak triggers:
■ Same attachment name
■ Same subject
■ Same virus

■ Unrepairable viruses
■ Unscannable files
■ Filtering violations
■ Total viruses
You can enable or disable the triggers. You can also modify the number of occurrences for a
violation and the span of time in which the events must occur to constitute an outbreak. You
can specify whether to notify an administrator when an outbreak occurs.
See “Configuring outbreak notifications” on page 200.
When you enable outbreak management, you can also configure Mail Security to automatically add the attachment names that triggered an outbreak to the Outbreak Triggered Attachment Names match list, and the subject text that triggered an outbreak to the Outbreak Triggered Subject Lines match list. Mail Security uses these match lists in the preconfigured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules.
See “What you can do with the filtering rules” on page 147.
To configure outbreak triggers
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 In the content area, in the table, select the trigger that you want to modify.
The trigger that you select is highlighted in blue.
4 In the Status column, use the drop-down menu to select Enabled or Disabled.
5 In the Occurrences column, type the number of instances that must occur to constitute
an outbreak.
The default value is 100.
6 In the Time column, type the span of time in which the instances must occur to constitute
an outbreak.
The default value is 20.
7 In the Units column, click the drop-down menu, and select one of the following:
■ Minutes
This setting is the default setting.
■ Hours
■ Days

8 In the Notify Administrator column, check the box if you want to notify an administrator
of the outbreak.
See “Configuring outbreak notifications” on page 200.
9 In the Update Match List column, check the box if you want to automatically add the
attachment name or subject to the Outbreak Triggered Names match list or Outbreak
Triggered Subjects match list. The trigger must be activated.
See “About match lists” on page 155.
10 In the Rule column, click View Rule to view or modify the associated content filtering rule.
This option is available only for the Same attachment name and Same subject triggers.
Note that Mail Security disables content filtering on the server if you uncheck Enable
content filtering in the Content Enforcement Rule window.
See “What you can do with the filtering rules” on page 147.
11 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Configuring outbreak notifications


When you configure outbreak management settings, you can customize the notification subject
line and message text that is sent to the administrator. You can use variables to customize
your text.
See “About the criteria that defines an outbreak” on page 195.
See “Alert and notification variables” on page 239.
To configure outbreak notifications
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.

3 In the content area, in the preview pane, under Initial Notification, in the Subject Line box, type your customized subject line text.
The default initial notification subject line for each rule is as follows:

Same attachment name: Symantec Mail Security has started noticing possible email outbreak conditions. The “%outbreak_rule%” rule was violated %outbreak_count% times.

Same subject: Symantec Mail Security has started noticing possible email outbreak conditions. The “%outbreak_rule%” rule was violated %outbreak_count% times.

Filtering violations: Symantec Mail Security has started noticing possible email outbreak conditions. The “%outbreak_rule%” rule was violated %outbreak_count% times.

Same virus: Symantec Mail Security has started noticing possible conditions of outbreak of emails with viruses. The “%outbreak_rule%” rule was violated %outbreak_count% times.

Unrepairable viruses: Symantec Mail Security has started noticing possible conditions of outbreak of emails with viruses. The “%outbreak_rule%” rule was violated %outbreak_count% times.

Total viruses: Symantec Mail Security has started noticing possible conditions of outbreak of emails with viruses. The “%outbreak_rule%” rule was violated %outbreak_count% times.

Unscannable files: Symantec Mail Security has started noticing possible conditions of outbreak of emails with unscanable files. The “%outbreak_rule%” rule was violated %outbreak_count% times.

4 In the Message Body box, type your customized message body text.
The default text is as follows:
Outbreak Trigger Information: %trigger%
Threshold is set at: %threshold%
Current count for configured time period: %count%
Server name: %server%
Outbreak triggers at: %outbreak_count% times

5 Under Subsequent Notifications, in the Subject Line box, type your customized subject line text.
The default subsequent notification subject line for each rule is as follows:

Same attachment name: Symantec Mail Security continues to observe possible email outbreak conditions. The rule “%outbreak_rule%” was violated %outbreak_count% times.

Same subject: Symantec Mail Security continues to observe possible email outbreak conditions. The rule “%outbreak_rule%” was violated %outbreak_count% times.

Filtering violations: Symantec Mail Security continues to observe possible email outbreak conditions. The rule “%outbreak_rule%” was violated %outbreak_count% times.

Same virus: Symantec Mail Security continues to observe possible conditions of outbreak of emails with viruses. The rule “%outbreak_rule%” was violated %outbreak_count% times.

Unrepairable viruses: Symantec Mail Security continues to observe possible conditions of outbreak of emails with viruses. The rule “%outbreak_rule%” was violated %outbreak_count% times.

Total viruses: Symantec Mail Security continues to observe possible conditions of outbreak of emails with viruses. The rule “%outbreak_rule%” was violated %outbreak_count% times.

Unscannable files: Symantec Mail Security continues to observe possible conditions of outbreak of emails with unscanable files. The rule “%outbreak_rule%” was violated %outbreak_count% times.

6 In the Message Body box, type your customized message body text.
The default text is as follows:
Outbreak Trigger Information: %trigger%
Threshold is set at: %threshold%
Current count for configured time period: %count%
Server name: %server%
Outbreak triggers at: %outbreak_count% times
7 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Clearing outbreak notifications


During an outbreak, subsequent notifications are sent based on the Time and Units interval
that you specify until the outbreak is no longer in effect. You can end subsequent outbreak
notifications by clearing the current outbreak.
See “Configuring outbreak triggers” on page 198.
See “Configuring outbreak notifications” on page 200.
To clear outbreak notifications
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 Under Tasks, click Clear current outbreak.
Chapter 11
Logging events and generating reports
This chapter includes the following topics:

■ About logging events

■ About generating reports

■ About report templates

■ Managing reports

About logging events


Mail Security logs performance counters and events to the following locations:

Windows Application Event Log
    Server events and policy violations are reported in the Windows Application Event Log. The Mail Security console provides an event log page. This page lets you view Windows Application event log entries in chronological order with the most current event at the top. The event log page displays information, warning, and error events.
    See “Viewing the Mail Security Event log” on page 205.

Mail Security Reports database
    Mail Security logs extensive report data on threats, security risks, violations, spam, and server information to a reports database. You can use this data to generate summary or detailed reports based on different subsets of the data. When you define a report, you specify criteria such as the time span of the collected data, whether to show specific violations or all violations, and the output format of the report.
    See “About report templates” on page 210.
    You can specify how long Mail Security maintains data in the Reports database. You can also purge the database at any time.
    See “Specifying the duration for storing data in the Reports database” on page 207.
    See “Purging the Reports database” on page 208.

Microsoft Management Console (MMC) Performance console
    The MMC Performance console shows system performance. You can add Mail Security performance counters to the MMC view.
    See “About logging performance counters to the MMC Performance console” on page 208.

Viewing the Mail Security Event log


Mail Security reports server events and policy violations (such as threat detections and filtering
violations) to the Windows Application event log. You can access the Windows Application
Event Log on the computer on which Mail Security is installed. For more information about
how to access and use the Windows Application Event Log, see the documentation for
your Exchange server.
The Mail Security event log lets you view and then sort the event data that Mail Security
generates and writes to the Windows Application event log. You can view the Mail Security
event log from the console. You can filter event data by categories. You can also select a start
date from which to begin displaying event data. When you select an event in the event log
table, details about the event appear in the preview pane.
The Mail Security event log displays the 5000 most recent Mail Security events from the
Windows Application event log, per server. For example, if your group contains five servers,
the event log can display up to 25,000 events.
The event log displays the following information:

Server Name of the server on which the event occurred

Timestamp Date and time the event occurred



Severity Severity categories are as follows:

■ Warning
■ Information
■ Error

Category Categories are as follows:

■ Auto-Protect
■ Content Filtering Engine
■ Content Filtering Rules
■ Encrypted
■ Error
■ Licensing
■ LiveUpdate/Rapid Release
■ Manual and Scheduled Scanning
■ Outbreak Management
■ Quarantine
■ Scanning
■ Service
■ Premium AntiSpam
■ Threat/Security Risk
■ Unscannable
■ VSAPI (for Exchange Server 2010)

Message Description of the event

Manually refresh the page if it is blank or to view the most recent events. In a large group,
refreshing the page might take several minutes.
To view the Mail Security event log
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Event Log.
3 Click the column headers to sort the list data by different criteria.
To populate and refresh the Mail Security event log
◆ Press F5.

To filter the Mail Security event log


1 Under the event log table, in the Number of items per page list, select a number of items
that you want to view per page using the drop-down menu.
The default value is 10.
2 In the List box, select a category on which to filter the event data using the drop-down
menu.
3 In the entries since list, select a start date from which to begin displaying event data using
the drop-down menu.

Specifying the duration for storing data in the Reports database


Mail Security stores data on threat detection, definitions, spam, policy violations, scanning,
and server events in a Reports database. You can use this data to generate the reports that
include subsets of this data.
See “Software component locations” on page 23.
You can configure Mail Security to retain this data for the period of time that you specify. Once
the data is removed, it cannot be used in reports. For example, assume that you configure
Mail Security to retain data for 6 months. If you generate a report for the past year, only the
data for most recent 6 months appears in the report.
Mail Security provides a separate option to include spam data in reports. Selecting this option
increases the time that is required to generate reports, which can affect performance. Consider
using this option short term (for example, a few weeks) to evaluate spam-related issues.
See “Resetting statistics” on page 229.
To specify the duration for storing data in the Reports database
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.

3 In the content area, select one of the following:

Store all data
    Keeps all data indefinitely.

Store no data
    No violation data is retained.
    If you select this option, no data is available to generate reports. The product still reports the total scans and the items that Auto-Protect scans.

Store data for __ months
    The data is cleared after the specified time period.
    If you select this option, type the number of months of data to store. Only summary spam data is stored unless you check the "Include spam data" option.
    The default value is 12.

4 Check Include spam data to include all spam-related events.


This option is disabled by default.
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Purging the Reports database


In addition to configuring the period of time that you want Mail Security to store data in the
Reports database, you can purge the Reports database at any time. When you purge the
Reports database, all data is removed.
To purge the Reports database
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 Under Tasks, click Reset database statistics.
4 In the Operation Status window, click Close.

About logging performance counters to the MMC Performance console
Add the Mail Security 7.9 performance object to the Microsoft System Monitor to view Mail
Security performance data in the MMC Performance console. You can view all of the Mail
Security counters or select specific counters.
The Mail Security for Microsoft Exchange Management Pack is located in the installation
package at the following location:

ADMTOOLS\MOM
See the MMC documentation for more information about how to add the Mail Security
performance object.
Table 11-1 lists the Mail Security counters that are available.

Table 11-1 Performance counters

Performance counter              Description

Bytes Scanned                    Number of bytes scanned
Bytes Scanned/Sec                Number of bytes scanned per second
Total Scans                      Number of the scans that are performed on messages and attachments
Total Scans/Sec                  Number of the scans that are performed on messages and attachments per second
Threats and Risks Found          Number of software threats detected
Threats and Risks Found/Sec      Number of the software threats detected per second
Content Filtering Found          Number of the content violations detected
Content Filtering Found/Sec      Number of the content violations detected per second
Spam Violations Found            Number of spam violations detected
Spam Violations Found/Sec        Number of spam violations detected per second

Note: Mail Security lets you configure performance counters for logging. By default, these
counters are enabled. To improve scanning performance, the performance counters for logging
can be turned off by adding the following registry key and setting its value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\7.9\Server\TurnOffPerfCounters
Restart the Mail Security service after setting this registry key.

About generating reports


Mail Security collects and saves scan data on your Exchange servers. You can create reports
from the data, which gives you a history of risk detection activity and filtering violations. You

can create a report for an individual server. You can also create a single Summary report that
consolidates data for all the servers in a server group.
See “Configuring the initial setup of the report consolidation feature” on page 220.
Report templates let you define a subset of the raw report data that Mail Security collects for
a single server. Report templates can include different categories or combinations of
security-related statistics.
You can create different report templates to describe different subsets of the raw report data.
After you create a report template, you use it to generate reports.
Mail Security provides two preconfigured report templates that you can modify. You can also
create your own report templates. When you create or modify a report template, Mail Security
provides a wizard to guide you through the configuration process.
The types of report templates that you can create are as follows:
■ Summary
See “Creating or modifying a Summary report template” on page 211.
■ Detailed
See “Creating or modifying a Detailed report template” on page 216.

About report templates


Report templates let you define a subset of the raw report data that Mail Security collects for
a single server. The goal of creating a template is to describe a set of data that summarizes
threats, security risks, filtering violations, spam, and server information. This information can
be saved and used to generate on-demand or scheduled reports. Report templates can include
different categories or combinations of security-related statistics.
You can create different report templates to describe different subsets of the raw report data.
After you create a report template, you can use it to generate reports.

Note: Reports cannot be generated with a new or an updated report template until you deploy
your changes.

Mail Security provides two preconfigured report templates that you can modify. You can also
create your own report templates. When you create or modify a report template, Mail Security
provides a wizard to guide you through the configuration process.
The types of report templates that you can create are as follows:
■ Summary
See “Creating or modifying a Summary report template” on page 211.
■ Detailed

See “Creating or modifying a Detailed report template” on page 216.

About report output formats


The format options that are available for a Summary report are HTML and PDF. You can
configure Mail Security to send copies of the report to the people that you specify. The recipients'
email client must support and permit HTML-based or PDF-based attachments.
If you use Outlook Express and you intend to use the HTML format, you need to modify the
following settings in Outlook Express:
■ On the Security tab, deselect the option “Do not allow attachments to be saved or opened
that can potentially be a virus.”
■ On the Read tab, deselect the option “Read all messages in plain text.”
When you generate a Detailed report, Mail Security can save the report in HTML format, PDF
format, or comma-separated value (.csv) format.
Generating a report in .csv format lets you do the following:
■ You can view or print the complete report data in an application, such as Microsoft Excel.
If you have Microsoft Excel on your computer, a .csv file opens automatically as an Excel
spreadsheet.
■ You can import the data into a third-party reporting application to generate custom charts
and reports.
See “Accessing a report” on page 225.

Creating or modifying a Summary report template


You can customize the Summary report template to contain the information that you want to
include in a report. You can generate a Summary report for an individual server or for an entire
server group.
The Summary report template that you create appears in the Report Templates table. You
can modify the template at any time.
If you configure the template to create reports on demand, you can generate the report from
the Reports > Report Templates page. If you configure the template to generate a scheduled
report, Mail Security automatically generates the report based on the schedule that you specify.
See “Generating a report on demand” on page 225.

Note: Mail Security supports emailing the reports that are 5 MB or smaller only. You can view
the reports that are larger than 5 MB on the Reports page. Mail Security logs the generation
of reports that are larger than 5 MB to the Windows Application event log.


Mail Security provides a wizard that helps you configure your report template.
To identify the report to be created or modified
1 Select the server or server group for which you want to generate a report.
See “Modifying or viewing server or server group settings” on page 66.
2 In the console on the primary navigation bar, click Reports.
3 In the sidebar under Views, click Report Templates.
4 Do one of the following:

Create a new executive summary report template    In the sidebar under Tasks, click New template.

Modify an existing report template                In the content pane, in the Report Templates table, double-click the template that you want to modify.

To configure the report template options


1 Under Report Template Options, in the Template name box, type a name for the report
template.
This option is available only when you create a new report template.
2 In the Description box, type a description for the template.
3 Under Report type, click Executive summary.
This option is checked by default.
4 Under Report format, select the format in which you want Mail Security to generate the
report.
The default setting is PDF.
See “About report output formats” on page 211.
5 Check Email report to the following recipients and type one or more addresses to
which the report should be delivered.
Separate entries with semicolons.
6 Click Next.
To configure on-demand report generation
1 Under Report Generation Option, click On demand.
2 Click Next.
To specify the report time range
1 Click the drop-down arrow in the Time Range box and select one of the following:
■ Past Day
This setting is the default setting.
■ Past Week
■ Past Month
■ Past Year
■ Customized

2 If you select the Customized time range, in the customize time range boxes, click the
drop-down arrows and select the start and the end dates for the data that you want included
in your report.
To configure scheduled report generation
1 Under Report Generation Option, click Scheduled.
2 In the Generate report at list, select the time of day to generate the report.
3 Click Daily, Weekly, or Monthly.
If you select Weekly, check the day(s) of the week to generate the report.
If you select Monthly, use the drop-down menu to select the day of the month to generate
the report.
If you select Monthly, also ensure that you select a day that exists in each month.
Otherwise, a report is not generated for that month. If you select the 31st day of every
month, reports are not generated for any month that has 30 days or less. For example,
February, April, June, September, and November.
4 Click Next.
To configure the report chart options
1 Under Report Chart Options, select any of the following:
■ Total violations chart
■ Threats and security risks chart
Also select the chart granularity using the drop-down menu.
The default setting is Week.
■ Content violation chart
Also select the chart granularity using the drop-down menu.
The default setting is Week.
■ Spam pie chart

2 Click Next.

To configure report content


1 Under Executive Summary Template Options, select the options that you want to appear
in the Summary report.
Data selections are as follows:
■ Show scan summary

Total items scanned                              Total number of the files that were processed during the reporting period
Items that are scanned by Auto-Protect           Total number of the files that were scanned with Auto-Protect scanning during the reporting period
Items that are scanned by background scan        Total number of the files that were scanned with background scanning during the reporting period
(applicable to Exchange 2010 mailbox server only)
Items that are scanned by Manual scan            Total number of the files that were scanned with manual scanning during the reporting period
Items that are scanned by scheduled scan(s)      Total number of the files that were scanned with a scheduled scan during the reporting period
Items that are scanned by antispam scan          Total number of the files that were scanned with a spam scan during the reporting period

■ Show violation summary

Total violations        Total number of the violations that were detected during the reporting period
Virus violations        Total number of virus violations
Content violations      Total number of filtering violations
Antispam violations     Total number of antispam violations

■ Show threats and security risks

Total threats             Total number of the threats that were detected during the reporting period
Top threats table         Table of the top threats that were detected during the reporting period
No. of items to include   Number of threats to include in the Top Threats Table
Unrepairable threats      Total number of the unrepairable threats that were detected during the reporting period
Total security risks      Number of the security risks that were detected during the reporting period
Mass-mailer threats       Number of messages in which mass-mailer threats were detected during the reporting period

■ Infection disposition

Threats repaired          Number of the threats that were repaired during the reporting period
Threats deleted           Number of the threats that were deleted during the reporting period
Threats quarantined       Number of the threats that were quarantined during the reporting period

2 Click Next.
3 Under Executive Summary Template Options, select the data that you want to appear
in the executive summary report.
Data selections are as follows:
■ Show content violations

Total content violations               Total number of the content violations that were detected during the reporting period
Table of top content violations        Table of the top content violations that were detected during the reporting period
No. of items to include                Number of items to include in the Table of Top Content Violations
Total attachments blocked              Total number of the attachments that were blocked during the reporting period
Total file type violations             Total number of the file type violations that were detected during the reporting period
Total encrypted attachments blocked    Total number of the encrypted attachments that were blocked during the current reporting period
Table of top attachments blocked       Table of the top attachments that were blocked during the reporting period
No. of items to include                Number of items to include in the Table of Top Attachments Blocked
Unscannable items                      Total number of the unscannable items that were blocked during the reporting period

■ Spam options

Spam by category                       The total number of spam messages in each spam category that the product identifies during the reporting period

You must check the "Include spam data" box on the Reports Settings page to view data
about spam in the Summary report.
See “Specifying the duration for storing data in the Reports database” on page 207.
4 Click Next.
5 Under Executive Summary Template Options, check Show server information.
6 Select the data that you want to appear in the executive summary report.
7 Click Finish.
8 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Creating or modifying a Detailed report template


The Detailed report templates that you create appear in the Report Templates table. You can
modify the template at any time.
If you configure the template to create reports on demand, you can generate the report from
the Reports > Report Templates page. If you configure the template to generate a scheduled
report, Mail Security automatically generates the report based on the schedule that you specify.

See “Generating a report on demand” on page 225.

Note: Consider limiting the date range to less than 30 days. Generating a detailed report that
spans more than 30 days might consume large amounts of computer memory. The amount of memory
required depends on the number of violations that are in the report database.

Note: Mail Security supports emailing the reports that are 5 MB or smaller only. You can view
the reports that are larger than 5 MB on the Reports page. Mail Security logs the generation
of reports that are larger than 5 MB to the Windows Application event log.

Mail Security provides a wizard that helps you configure your report template.
To identify the report to be created or modified
1 Select the server or server group for which you want to generate a report.
See “Modifying or viewing server or server group settings” on page 66.
2 In the console on the primary navigation bar, click Reports.
3 In the sidebar under Views, click Report Templates.
4 Do one of the following:

Create a new Detailed report template    In the sidebar under Tasks, click New template.

Modify an existing report template       In the content pane, in the Report Templates table, double-click the template that you want to modify.

To configure the report template options


1 In the Report Template Options panel, in the Template name box, type a name for the
report template.
This option is available only when you create a new template.
2 In the Description box, type a description for the template.
3 Under Report type, click Detailed.
4 Under Report format, select the format in which you want Mail Security to generate the
report.
The default setting is PDF.
See “About report output formats” on page 211.

5 Check Email report to the following recipients and type one or more addresses to
which the report should be delivered.
Separate entries with semicolons.
6 Click Next.
To specify the report time range
1 Click the drop-down arrow in the Time Range box and select one of the following:
■ Past Day
This setting is the default setting.
■ Past Week
■ Past Month
■ Past Year
■ Customized

2 If you select the Customized time range, in the customize time range boxes, click the
drop-down arrows. Select the start and the end dates for the data that you want included
in your report.
To configure on-demand report generation
1 Under Report Generation Option, click On demand.
2 Click Next.
To configure scheduled report generation
1 Under Report Generation Option, click Scheduled.
2 In the Generate report at list, select the time of day to generate the report.
3 Click Daily, Weekly, or Monthly.
If you select Weekly, check the day(s) of the week to generate the report.
If you select Monthly, use the drop-down menu to select the day of the month to generate
the report.
If you select Monthly, also ensure that you select a day that exists in each month.
Otherwise, a report is not generated for that month. If you select the 31st day of every
month, reports are not generated for any month that has 30 days or less. For example,
February, April, June, September, and November.
4 Click Next.

To configure report content


1 Under Detailed Template Options, in the Type of violation list, use the drop-down menu
to select the type of violation that you want to appear in the report.
2 In the Sender filter box, type an identifying characteristic of the sender whose messages
appear in the report.
This entry can be the domain name or address of the sender, or a name or word, or a
wildcard expression.
If the sender is a member of your Active Directory group, use the user name instead of
the full email ID. For example, you would use John_Doe instead of
John_Doe.symantecsecurity.com.
3 In the Violation filter list, do one of the following:

To select a predefined violation filter
    Click the drop-down menu and select a predefined violation filter.
    The list consists of the default rules (for example, Basic Virus Rule) that are provided when you install the product. Filter selections vary based on the type of violation that you choose.

To select a user-defined content filtering rule
(This option is only available if you select the violation types “All” or “Content Enforcement.”)
    Click the drop-down menu and select User Defined Rule.
    Click the drop-down menu in the Rule name box and select one of the content filtering rules that you created.

4 Select the columns that you want to appear in the detailed report.
5 Click Finish.
6 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Deleting a report template


You can delete a report template when it is no longer needed.
To delete a report template
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 In the content area, select the template that you want to delete.

4 In the sidebar under Tasks, click Delete template.


5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.

Managing reports
The following lists the tasks that you can do to reports:
■ Configuring the initial setup of the report consolidation feature
■ Generating a consolidated report
■ Scheduling a consolidated report
■ Generating a report on demand
■ Accessing a report
■ Printing a report
■ Saving report data
■ Deleting a report

Configuring the initial setup of the report consolidation feature


Mail Security supports generating a consolidated summary report and detailed report for all
the servers in a server group. Mail Security stores report information on each server in the
location that you specify. When you generate a consolidated report, Mail Security pulls the
report information for each of the servers to create the consolidated report.
To use the report consolidation feature, perform the following initial setup tasks:

Specify the shared location to store reports
    Mail Security lets you specify where you want each server to store the reports for consolidation. The location must be the same for each server in the group.
    You must ensure that the full directory path exists on each server. For example, if you specify a directory path of \Program Files\Symantec\7.9.\My Reports, ensure that each server contains this full directory path. You must also ensure that the path location has permission to allow read and write access.

Grant access for the Symantec Mail Security Utility service to access the shared storage location
    The Symantec Mail Security Utility service must be able to access the shared storage location. Configure the service to run in an account that is a member of the local system administrators and domain users groups. The account must also have access to the shared storage location.

To specify the shared location to store reports


1 Select the server or server group that you want to modify.
See “Modifying or viewing server or server group settings” on page 66.
2 In the console on the primary navigation bar, click Reports.
3 In the sidebar under Views, click Report Settings.
4 Under Report Consolidation, type the name of a valid UNC path. For example:
\\<serverip>\<location>
The path must be fewer than 256 characters. The following characters are not supported
in the path name:
~'!@#%^&*( )+=|?;:"[]{}
5 On the toolbar, click Deploy changes to apply your changes.
See “Deploying settings and changes to a server or group” on page 60.
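The setup requirements above (a UNC path under 256 characters with none of the unsupported characters, present and writable on every server, and a Utility service that does not run as LocalSystem) can be checked before you deploy the setting. The following PowerShell pre-flight script is an added example and is not part of the Symantec guide; it assumes PowerShell Remoting is enabled on the Exchange servers, that the Utility service can be found by its display name, and the server names and share in the usage line are constructed placeholders.

```powershell
# Added pre-flight check for the report consolidation share (not Symantec code).
# Assumptions: run from the Mail Security console computer as an account that
# can reach the share; PowerShell Remoting is enabled on the Exchange servers;
# the Utility service is located by its display name (an assumption).
function Test-SmsmseConsolidationPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Exchange servers in the group (placeholders in the usage line below)
        [string[]]$ComputerName = @()
    )

    $result = [ordered]@{
        Path         = $Path
        IsUnc        = $false
        LengthOk     = $false
        CharactersOk = $false
        InvalidChars = @()
        Reachable    = $false
        Writable     = $false
        PerServer    = @()
    }

    # The guide requires a UNC path of the form \\<serverip>\<location>.
    $result.IsUnc = [bool]($Path -match '^\\\\[^\\]+\\[^\\]+')

    # The path must be fewer than 256 characters.
    $result.LengthOk = $Path.Length -lt 256

    # Characters the guide lists as unsupported in the path name:
    # ~ ' ! @ # % ^ & * ( ) + = | ? ; : " [ ] { }
    $unsupported = [char[]]'~''!@#%^&*()+=|?;:"[]{}'
    $result.InvalidChars = @($unsupported | Where-Object { $Path.IndexOf([string]$_) -ge 0 })
    $result.CharactersOk = ($result.InvalidChars.Count -eq 0)

    # Only probe the share if the name itself is acceptable.
    if ($result.IsUnc -and $result.LengthOk -and $result.CharactersOk) {
        $result.Reachable = Test-Path -LiteralPath $Path -PathType Container
        if ($result.Reachable) {
            # Read/write check: create, read back and remove a uniquely named probe file.
            $probe = Join-Path -Path $Path -ChildPath ('smsmse-probe-{0}.tmp' -f [guid]::NewGuid())
            try {
                Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
                $null = Get-Content -LiteralPath $probe -ErrorAction Stop
                Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
                $result.Writable = $true
            } catch {
                Write-Warning "Cannot read/write $Path : $($_.Exception.Message)"
            }
        }
    }

    # On each server: is the same path visible, and which account does the
    # Symantec Mail Security Utility service log on as? The guide requires an
    # account in the local administrators and domain users groups, so a service
    # still running as LocalSystem is flagged.
    foreach ($server in $ComputerName) {
        try {
            $status = Invoke-Command -ComputerName $server -ArgumentList $Path -ErrorAction Stop -ScriptBlock {
                param($p)
                $svc = Get-CimInstance -ClassName Win32_Service `
                    -Filter "DisplayName LIKE 'Symantec Mail Security Utility%'" | Select-Object -First 1
                [pscustomobject]@{
                    Server            = $env:COMPUTERNAME
                    PathVisible       = Test-Path -LiteralPath $p -PathType Container
                    ServiceAccount    = if ($svc) { $svc.StartName } else { '<service not found>' }
                    RunsAsLocalSystem = [bool]($svc -and $svc.StartName -eq 'LocalSystem')
                }
            }
        } catch {
            $status = [pscustomobject]@{
                Server            = $server
                PathVisible       = $false
                ServiceAccount    = "<unreachable: $($_.Exception.Message)>"
                RunsAsLocalSystem = $false
            }
        }
        $result.PerServer += $status
    }

    [pscustomobject]$result
}

# Usage (constructed placeholder values for the share and the server names):
# Test-SmsmseConsolidationPath -Path '\\10.0.0.5\SMSMSEReports' -ComputerName 'EXCH01','EXCH02' | Format-List
```

Deploy the setting only when IsUnc, LengthOk, CharactersOk, Reachable and Writable are all true and every PerServer entry shows PathVisible true and RunsAsLocalSystem false.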
To grant access for the Symantec Mail Security Utility service to access the shared storage
location
1 In the Services MMC snap-in, select the Symantec Mail Security Utility service.
2 Right-click and select Properties.
3 Click on the Log On tab.
4 Under Log on as, select This account.
5 Type the user name and password (and confirm the password) of a valid account that is
configured to be a member of the local system administrators and domain users groups.
The account must have access to the shared storage location.
6 Click OK.
7 Right-click and select Restart to restart the Symantec Mail Security Utility service.

Generating a consolidated report


When you are in a group view, you can generate a consolidated report of all of the servers in
the group. You must do an initial set-up for the report consolidation settings before you generate
a consolidated report. Consolidated reports can be generated for on-demand reports and

scheduled reports. For on-demand reports, a single consolidated report is generated. If a
consolidated report is scheduled, however, separate reports are generated for each server in
the group.
See “Configuring the initial setup of the report consolidation feature” on page 220.
To generate a consolidated report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 In the Report Templates table, select the report that you want to generate.
4 In the sidebar under Tasks, click Generate consolidated report.
You must be in a group view to generate a consolidated report.
5 In the Operation Status window, click Close when the operation is complete.

Scheduling a consolidated report


When you are in a group view, you can schedule the generation of consolidated reports on a
daily, weekly, or monthly basis. You must first configure the parameters that are required to
schedule consolidated report generation.
Before you schedule a consolidated report, under Server/group, click Change and select a
global group or sub group, if not already selected. Reports can be scheduled only on global
groups or sub groups of Exchange servers.
Logging events and generating reports 223
Managing reports

To ensure that scheduling a consolidated report works in a multi-domain environment

1 Launch the Server Manager from the Administrative Tools and browse to Roles >
Active Directory Domain Services > Active Directory Users and Computers >
<server_name> > Users.
2 Double-click SMSMSE Admins to open its Properties panel and change the scope of the
SMSMSE Admins group to Universal security group, as illustrated.

3 Save the setting and let the Active Directory replication complete.
4 Under the Members tab of the SMSMSE Admins Properties panel, add the domain user
to the SMSMSE Admins group.
The user who schedules the consolidated report is the domain user.

Note: Repeat steps 1 through 4 for every domain where SMSMSE is installed in the forest. The
SMSMSE Admins group in each domain must be changed to a Universal security group. The
user account that is used for generating the reports must be added to the SMSMSE Admins group.

The user account or the group (SMSMSE Admins) that is used for generating reports must
have the Log on as a batch job permission on the SMSMSE console computer. To grant this
permission, go to Start > Run and type secpol.msc to launch the Local Security Policy
console. Browse to Local Policies > User Rights Assignment, open the Log on as a batch job
properties panel, as illustrated, and add the user or the group SMSMSE Admins.
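The prerequisites above (a Universal-scope SMSMSE Admins group in every domain of the forest, the reporting user as a member, and the Log on as a batch job right on the console computer) can be verified before the schedule is created. The following is an added example and not Symantec's own tooling; it assumes the ActiveDirectory RSAT module is installed, that it runs on the SMSMSE console computer, and the user and principal names in the usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not part of SMSMSE): checks the consolidated-report scheduling
# prerequisites described in this guide. Run on the SMSMSE console computer.

function Test-SmsmseAdminsGroup {
    # For every domain in the forest: does the group exist, is its scope Universal,
    # and is the reporting user a direct or nested member?
    param(
        [Parameter(Mandatory)][string]$User,          # sAMAccountName of the reporting user
        [string]$GroupName = 'SMSMSE Admins'
    )
    foreach ($domain in (Get-ADForest).Domains) {
        $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $domain
        if (-not $group) {
            [pscustomobject]@{ Domain = $domain; GroupFound = $false; IsUniversal = $false; UserIsMember = $false }
            continue
        }
        $members = Get-ADGroupMember -Identity $group -Server $domain -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{
            Domain       = $domain
            GroupFound   = $true
            IsUniversal  = ($group.GroupScope -eq 'Universal')
            UserIsMember = ($members -contains $User)
        }
    }
}

function Test-BatchLogonRight {
    # Exports the local user-rights policy with secedit and checks whether each
    # principal holds SeBatchLogonRight ("Log on as a batch job"). The export lists
    # SIDs prefixed with '*' (and occasionally plain names), so both forms are matched.
    param([Parameter(Mandatory)][string[]]$Principals)   # e.g. 'CORP\SMSMSE Admins'
    $cfg = Join-Path $env:TEMP 'smsmse-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg |
                Where-Object { $_ -match '^SeBatchLogonRight\s*=' } |
                Select-Object -First 1
        $granted = @()
        if ($line) {
            $granted = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
        }
        foreach ($p in $Principals) {
            # Resolve the name to its SID so the '*S-1-5-...' form in the export is matched.
            $account = New-Object System.Security.Principal.NTAccount($p)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{
                Principal          = $p
                Sid                = $sid
                HasBatchLogonRight = ($granted -contains "*$sid") -or ($granted -contains $p)
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Usage (names are placeholders for your environment):
# Test-SmsmseAdminsGroup -User 'svc-smsmse-reports' | Format-Table
# Test-BatchLogonRight -Principals 'CORP\SMSMSE Admins', 'CORP\svc-smsmse-reports' | Format-Table
```

A row with IsUniversal or UserIsMember set to False points at the domain that still needs steps 1 through 4; HasBatchLogonRight False means the secpol.msc step on this console computer is still outstanding.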

To schedule a consolidated report


1 In the Mail Security console, go to Reports > Tasks > Schedule consolidated report.
2 In the Schedule consolidated report panel, select Enable Scheduling.
The default option is Disable Scheduling.
3 Select a time in hh-mm format under the Generate report at box.
4 Select the Daily, Weekly, or Monthly option to schedule a consolidated report.
■ Daily - A report is generated daily, at the time that you set in step 3.
■ Weekly - Select one or more days of the week on which to generate a consolidated report.
■ Monthly - Select the day of the month from the Day drop-down list on which you want
to schedule generation of a consolidated report.
5 Enter a password in the Please Enter Logged-in User Password input box.
You must provide the logged-on user password so that the task can be scheduled in Task
Scheduler with the property Run whether user is logged on or not.
6 Click OK to save the settings.
The SMSMSE report consolidation process must wait until the request is routed to each
server in the group. The default wait time can be changed. For more information, refer to the
Mail Security Knowledge Base.

Generating a report on demand


After you create a report template, you can use it to generate reports of policy violation
information. Mail Security automatically appends the current date and time to the name of your
report template when it names the report. This mechanism lets you run the same report on
different dates and compare the data.
See “Configuring the initial setup of the report consolidation feature” on page 220.
See “Accessing a report” on page 225.
To generate a report on demand
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 In the Report Templates table, select the report that you want to generate.
4 In the sidebar under Tasks, click Generate report if you are in a server view or Generate
consolidated report if you are in a group view.
5 In the Operation Status window, click Close when the operation is complete.

Accessing a report
You can view a report from the console or from the Mail Security Reports folder. If you view
a report from the console, you must be in a server view.
The Reports page in the console displays the following information:

Name            Indicates the name of the report
Type            Indicates the type of report (Detailed or Summary)
Date Created    Indicates the date and time that the report was generated
Format          Indicates the output format (PDF, HTML, or CSV)
Template Name   Indicates the template from which the report was generated
Status          Indicates the current status of the report generation


The report statuses are as follows:

■ Ready: The report is generated and can be viewed.
■ Generating: The report generation is in progress.
■ Failed: The report generation has failed. The event is logged to the Windows
Application event log.

A report can only be viewed when its status is Ready.

A generated report (scheduled or on demand) is also automatically saved in its own folder in
the Mail Security Reports folder. You can browse to the folder location and view the report file.
The file is automatically deleted from the Mail Security Reports folder when you delete a report
in the console.
See “Deleting a report” on page 228.
To access a report from the console
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
■ Select the report that you want to view, and in the sidebar under Tasks, click View
report if you are in a server view. Click View consolidated report if you are in a group
view.
■ Double-click the report.

See “Printing a report” on page 227.


See “Saving report data” on page 228.
To access a report from the Mail Security Reports folder
1 Right-click on the Start menu and select Explore.
2 Browse to the Mail Security Reports folder.
The default location is as follows:
\Program Files\Symantec\SMSMSE\7.9\Server\Reports
3 Double-click the report folder that contains the report that you want to view.
4 Do one of the following:

For a report in .html format   Double-click the file to view it. The report appears the same as if it
                               were accessed from the console.

For a report in .pdf format    Double-click the file to view it.
                               You must have Adobe Acrobat Reader installed to view reports
                               generated in .pdf format.

For a report in .csv format    Open the .csv file in a program such as Microsoft Excel to view it.
                               Files that are created in .csv format contain raw data and must be
                               viewed in a program that can interpret the data.

See “About report output formats” on page 211.

Printing a report
You can print a report if your printer is properly configured. Mail Security provides the features
that let you configure the page set-up and preview the report. Print reports in landscape mode
to prevent the data from being cut off at the right margin.
To print a report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
■ Select the report that you want to view, and in the sidebar under Tasks, click View
report if you are in a server view. Click View consolidated report if you are in a group
view.
■ Double-click the report.

4 On the toolbar, do any of the following:

Configure printer options   Click Page Setup.
Preview the report          Click Print Preview.
                            You can print the report from the Print Preview window.
Print the report            Click Print.

5 Click OK.
Saving report data


You can save reports to the destination of your choice. This action lets you manage and
maintain your reports. It also lets you email reports or lets users access the reports that they
want to view.
To save report data
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
■ Select the report that you want to view, and in the sidebar under Tasks, click View
report if you are in a server view. Click View consolidated report if you are in a group
view.
■ Double-click the report.

4 On the toolbar, click Save.


5 In the Save window, do the following:
■ In the File name box, type the name of the file.
■ In the Save as type box, select the file type.
■ In the Encoding box, select the encoding that you want to use.
The default value is Unicode.
This option only appears if you save the file in .htm or .html format.

6 Click Save.

Deleting a report
You can delete a report when it is no longer needed or after you have saved the report to a
file location. This action lets you manage the volume of reports on the Reports page.
See “Saving report data” on page 228.
When you delete a report in the console, the file is automatically deleted from the Mail Security
Reports folder.
See “Accessing a report” on page 225.
To delete a report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, select the report that you want to delete.
4 In the sidebar under Tasks, click Delete report if you are in a server view or Delete
consolidated report if you are in a group view.

Resetting statistics
You can reset statistics for reporting purposes. Resetting statistics also resets the Activity
Summary information on the Home page.
To reset statistics
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 Under Tasks, select one of the following:
■ Reset database statistics
Purges all data from the Reports database.
See “Purging the Reports database” on page 208.
■ Reset Home page statistics
Resets the Home page statistics for Recent Activity, Total Violations, and Activity
Summary data.
■ Reset all statistics
Resets the Home page statistics and the database statistics.

4 In the Operation Status window, click Close.


Chapter 12
Keeping your product up to date
This chapter includes the following topics:

■ Monitoring your version support status

■ About keeping your server protected

■ Updating definitions

■ About enhancing performance when you update definitions on Exchange 2010 mailbox server

■ About alert notifications for out-of-date virus definitions

Monitoring your version support status


Mail Security provides version support status information so that you know the support life
cycle for the version of Mail Security that you use. It also keeps you informed when a newer
version of the product is available.
The version support status information is updated through LiveUpdate. You obtain updated
version support status information automatically when you run a manual or scheduled
LiveUpdate on a computer. The computer must have the product and the console installed.
(You might have to refresh the console to see the updated version support status information
after a manual or scheduled LiveUpdate runs.)
See “About keeping your server protected” on page 231.
You can also manually update the version support information from the Home page. Manually
update your version support information from the Home page if you are on a computer that
only has the Mail Security console installed. You must also manually update your version if
you update definitions through Symantec Endpoint Protection or Symantec AntiVirus Corporate
Edition.
The version support status information is stored, and the console applies the information to
all the servers that the console manages. You only need to update the version support status
in any one view. The version support information is then automatically updated for all of the
servers that are managed in the server group, and it appears on the console for all of the servers
in the group. The information does not appear on the console for the individual server.
To monitor your version support status in a server view
◆ In the console on the primary navigation bar, click Home.
The version status information appears in the Status pane.
To monitor your version support status in a group view
1 In the console on the primary navigation bar, click Home.
2 In the Status pane, in the Server list, select the server for which you want to view version
status information.
The version status information appears below the server list.
To manually update the version status information
1 In the console on the primary navigation bar, click Home.
2 In the Status pane, click Refresh Version Details...
3 In the LiveUpdate dialog box, click Next.
This LiveUpdate session only searches for updates to your product. It does not search
for or download updates to your definitions.
See “About keeping your server protected” on page 231.
4 In the LiveUpdate dialog box, click Finish when LiveUpdate is complete.
To refresh the version status information on the Home page
1 In the console on the primary navigation bar, click Home.
2 Press F5.

About keeping your server protected


Mail Security relies on up-to-date information to detect and eliminate risks. One of the most
common reasons that problems occur is that definition files are not up-to-date. Symantec
regularly supplies the updated definition files that contain the necessary information about all
newly discovered risks. Regular updates of that information maximize security and guard your
organization's Exchange mail server against infections and the downtime that is associated
with an outbreak.
Mail Security lets you update your protection from threats and security risks using the following
tools:

LiveUpdate      LiveUpdate downloads and installs available definitions from the Symantec LiveUpdate
                server. LiveUpdate certified definitions undergo stringent testing and are updated daily.
                LiveUpdate is enabled by default with a recommended daily schedule. However, you can
                modify the schedule.
                See “Scheduling definition updates” on page 235.

Rapid Release   Rapid Release definitions provide the fastest response to emerging threats and are updated
                approximately every hour. HTTP delivers the Rapid Release definitions and provides reliable
                first-line protection.
                Rapid Release definitions are created when a new threat is discovered. Rapid Release
                definitions undergo quality assurance testing by Symantec Security Response. Rapid
                Release definitions do not undergo the intense testing that is required for a LiveUpdate
                release. Symantec updates Rapid Release definitions as needed to respond to high-level
                outbreaks, and they might be made available before the LiveUpdate definitions quality
                assurance process is complete. Rapid Release definitions provide a quick response to new
                threats and security risks and can be augmented later on by more robust detection
                capabilities in certified definitions.
                Rapid Release definitions can be retrieved manually on demand.
                See “Updating definitions on demand” on page 235.

Both methods let you update definitions on demand and automatically, based on the schedule
that you specify. You can run Rapid Release definition updates instead of or in addition to
LiveUpdate updates. For example, you can schedule daily LiveUpdate and then manually run
Rapid Release when a new threat emerges.

Note: Mail Security relies on the definition update process to keep the version support
information current. Configure Mail Security to perform definition updates if you have multiple
Symantec AntiVirus products on the same computer.

You must have a valid content license to update definition files. A content license is a grant
by Symantec Corporation for you to update Symantec corporate software with the latest
associated content, such as new definitions. When you do not have a content license or your
license expires, your product does not receive the most current definitions. This results in
servers vulnerable to risks.
See “About licensing” on page 52.
About setting up your own LiveUpdate server


The LiveUpdate Administration Utility lets you set up an intranet HTTP server. This mechanism
lets you handle LiveUpdate operations for your network.
The LiveUpdate Administration Utility is available at the following location:
https://support.symantec.com/en_US/article.TECH134809.html
If you set up your own LiveUpdate server, you must edit the LiveUpdate configuration for Mail
Security to point to the local LiveUpdate server.
To set up your own LiveUpdate server
1 Navigate to the installation directory and run PassKeyTool.exe.
<InstallDir>\SMSMSE\7.9\Server\Config\PassKeyTool.exe
2 Type the passkey and click Submit.
3 Open the proxy configuration tool.
<InstallDir>\SMSMSE\7.9\Server\Config\ConfigureProxy.exe
4 In the Configure Live Update Settings dialog box, specify the protocol as HTTP.
5 In the Server box, type the IP address of the LiveUpdate server.
6 In the Port box, type the port number.
The port number is 7070 by default.
7 Specify the path that is configured on the Distribution Center page of the LiveUpdate
Administrator.
The default path is clu-prod.
8 Type the user name and password if they are configured in the Distribution Center.
9 Click Submit.
For more information, contact Symantec service and support.
See “Where to get more information about Mail Security” on page 20.

Note: If you use LiveUpdate Administrator to push definitions to Mail Security servers, add
the product Symantec Mail Security for Microsoft Exchange 7.9 to your product list in the
LiveUpdate Administrator.

Configuring a proxy server to permit LiveUpdate definitions


Some organizations use proxy servers to control connections to the Internet. To use LiveUpdate,
you might need to specify the address and port of the proxy server as well as a user name
and password. You can modify the proxy server configuration settings through LiveUpdate.
To configure HTTP settings for LiveUpdate


1 Navigate to the installation directory and run PassKeyTool.exe.
<InstallDir>\SMSMSE\7.9\Server\Config\PassKeyTool.exe
2 Type the passkey and click Submit.
3 Open the proxy configuration tool.
<InstallDir>\SMSMSE\7.9\Server\Config\ConfigureProxy.exe
4 In the Configure Live Update Settings dialog box, specify the protocol as HTTP.
5 In the Server box, type liveupdate.symantec.com.
6 In the Port box, type the port number.
Typically, the port number for HTTP is 80.
7 Select Enable Proxy Settings.
8 In the URL box, type the IP address of the HTTP proxy server.
9 In the Port box, type the port number of the proxy server.
10 If user authentication is enabled for the proxy server, provide the user name and password.
11 Click Submit.

Configuring a proxy server to permit rapid release definitions


To configure a proxy server to permit rapid release definitions
1 Navigate to the installation directory and run PassKeyTool.exe.
<InstallDir>\SMSMSE\7.9\Server\Config\PassKeyTool.exe
2 Type the passkey and click Submit.
3 Navigate to the installation directory and open the proxy configuration tool.
<InstallDir>\SMSMSE\7.9\Server\Config\ConfigureProxy.exe
4 Select Enable Proxy Settings.
5 In the URL box, type the IP address of the HTTP proxy server.
6 In the Port box, type the port number of the proxy server.
7 If user authentication is enabled for the proxy server, provide the user name and password.
8 Click Submit.
Updating definitions
You can update definitions using any of the following methods:
■ Perform updates on demand.
See “Updating definitions on demand” on page 235.
■ Schedule automatic updates.
See “Scheduling definition updates” on page 235.

Updating definitions on demand


If you are in a single-server view, you can use LiveUpdate or Rapid Release to download the
most current definitions on demand.
If you are in a group view, you can use LiveUpdate to download the most current definitions.
After you update the definitions, distribute the updated definitions to the servers in your group.
To update definitions on demand for a single server
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click LiveUpdate/Rapid Release Status.
3 Under Tasks, select one of the following:
■ Run LiveUpdate Certified Definitions
■ Run Rapid Release Definitions (by HTTP)

4 In the Operation Status window, click Close when the operation is complete.

Scheduling definition updates


You can schedule Mail Security to perform definition updates automatically. If you have multiple
servers that you want to perform their own updates using the same settings, you can configure
the settings in the Global Group view or a user-defined group view. When you deploy your
changes, the settings are deployed to all of the servers in the group. If you configure LiveUpdate
to run on a schedule and deploy the changes to a group, it runs at the specified time in the
local time zone of each server.
See “About enhancing performance when you update definitions on Exchange 2010 mailbox
server” on page 236.
To schedule definition updates
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click LiveUpdate/Rapid Release Schedule.
3 In the content pane, under LiveUpdate/Rapid Release Schedule, check Enable automatic
virus definitions updates.
This option is enabled by default.
4 Select one of the following:
■ Use Rapid Release definitions
■ Use Certified LiveUpdate definitions
This option is enabled by default.

5 Under Schedule, select one of the following:
■ Run every [ ], and then use the drop-down menu to select the interval in hours at which
you want to run LiveUpdate or Rapid Release.
The default value is 1 hour.
■ Run at a specific time, and then type the time of day (in 24-hour format). Check the
day or days of the week that you want LiveUpdate to run.
The default setting for LiveUpdate is to run at 10:56 A.M. every day of the week.
This option is not available for Rapid Release.

6 On the toolbar, click Deploy changes to apply your changes.


See “Deploying settings and changes to a server or group” on page 60.

About enhancing performance when you update definitions on Exchange 2010 mailbox server
If Auto-Protect scanning is enabled and you update definitions at hourly intervals or less (using
Rapid Release or LiveUpdate), disable at least one of the following Auto-Protect features on
the servers that have a message store:
■ Scans > Auto-Protect: Enable Background Scanning
■ Scans > Auto-Protect: On virus definitions update, force rescan before allowing access to
the Information Store
When both of these options are enabled, the message store is rescanned each time definitions
are updated. Overall mail throughput is affected if you update definitions at hourly intervals or
less.
See “Configuring Auto-Protect scanning” on page 176.
See “About scheduling a scan” on page 187.
About alert notifications for out-of-date virus definitions
Mail Security provides the following methods for notifying administrators when virus definitions
are older than the configured number of days:
■ An alert notification email is sent to the administrator.
■ An event is logged in the system’s event log with event ID 404.
Mail Security checks at least once a day whether the current virus definitions are the latest or
out of date. If the virus definitions are found to be outdated, then Mail Security sends an email
notification to the administrator. Mail Security continues to send periodic notifications until it
gets a new definition set.
The administrator can specify the frequency of sending notifications when an old definition is
found. By default, an email notification is sent to the administrator every 6 hours. The
administrator can set the frequency of sending notifications at an hour-level granularity.
The administrator can configure the number of days an outdated virus definition can remain on
the system after which an alert notification is sent. This configuration is done by specifying
values for the registry keys DefsMonitorDaysThreshold and DefsMonitorResendIntervalInHr.
The path for these registry keys on a 64-bit platform is:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\7.9\Server\Components\LiveupdateConfig
Table 12-1 lists the registry keys for this feature, their data types, and possible values.

Table 12-1 Registry key settings

Registry key                    Data type   Purpose

DefsMonitorDaysThreshold        REG_DWORD   Specifies the number of days after which a definition is
                                            considered as old and a notification is sent to the
                                            administrator.
                                            The default value of this registry key is 2 days. If the
                                            value of the registry key is set to zero, then the
                                            administrator is not notified about the old virus
                                            definitions. The minimum value of this registry key is
                                            two.

DefsMonitorResendIntervalInHr   REG_DWORD   Specifies the interval (in hours) at which a notification
                                            is sent to the administrator.
                                            The default value of this registry key is 6 hours. The
                                            minimum value of this registry key is one.

Note: With this feature, Mail Security has discontinued using the older mechanism of sending
alerts on LiveUpdate failure.
Appendix A
Using variables to customize alerts and notifications
This appendix includes the following topics:

■ Alert and notification variables

Alert and notification variables


Mail Security lets you customize notification and alert messages by using variables.

Note: The percent (%) sign is used to surround variables in the replacement text and email
notification boxes. However, when a single percent sign (%) is placed in the text, it is filtered
out and does not appear in the email notifications.

Table A-1 lists the replacement variables that you can use in any violation notification.

Table A-1 Replacement variables for multiple types of violations

Variable    Description
%n%         Starts a new line in the notification message
%server%    Autofills with the name of the server on which a violation was discovered

Table A-2 lists the replacement variables that you can use in rule violation notifications.

Table A-2 Replacement variables for rule violation notifications

Variable          Description
%action%          Autofills with the action description that is taken in response to a rule violation
%attachment%      Autofills with the name of the attachment in which a rule violation has been found
%datetime%        Autofills with the date and time of a violation
%details%         Autofills with the details of the violation
                  This variable is only available for the quarantine threshold notification
%information%     Autofills with any general information available about the violation
%location%        Autofills with the name of the location at which a violation was discovered.
                  For example, inbox, outbox, public folder
%recipient%       Autofills with the name of the intended recipient of a message in which a violation
                  was discovered
%scan%            Autofills with the scan name that discovered a violation
%sender%          Autofills with the name of the sender of a message in which a violation was discovered
%subject%         Autofills with the contents of the subject line
%violation%       Autofills with the name of the violation detected
%ViolatingTerm%   Autofills with the list of violating terms that triggered the content filtering policy

Table A-3 lists the variables that you can use in outbreak notifications.

Table A-3 Replacement variables for outbreak notifications

Variable            Description
%count%             Autofills with the number of messages that violate the outbreak trigger
%threshold%         Autofills with the threshold level of an identified outbreak trigger
%trigger%           Autofills with the outbreak trigger name that detected an outbreak
%outbreak_rule%     Autofills with the outbreak rule name that triggers an outbreak
%outbreak_count%    Autofills with the number of times that an outbreak triggers

See “Configuring outbreak notifications” on page 200.


Appendix B
Troubleshooting
This appendix includes the following topics:

■ Why a file triggers the Unscannable File Rule

■ Reducing the incidence of malformed MIME false positives

■ Common error messages

■ Resolving installation issues

■ Resolving consolidated report issues

■ About the Symantec Help utility

■ LiveUpdate fails to update the definitions

■ Troubleshooting the missing performance counters in SCOM

Why a file triggers the Unscannable File Rule


A file can trigger the Unscannable File Rule when Mail Security is unable to scan the file.
Some examples of when a file might trigger the Unscannable File Rule are as follows:

Mail Security cannot access the file.
    Mail Security cannot access the file to scan it. This scenario can occur when another thread
    or process accesses the file. For example, two separate antivirus software programs (a file
    system-based program and an email-based program) attempt to scan the same file
    simultaneously.
    Configure your other antivirus programs to exclude certain folders from scanning. If another
    antivirus program scans the Exchange directory structure or the Mail Security processing
    folder, it can cause:
    ■ False-positive threat detection
    ■ Unexpected behavior on the Exchange server
    ■ Damage to the Exchange databases
    See “About using Mail Security with other antivirus products” on page 48.
    For information about how to prevent Symantec AntiVirus products from scanning the
    Exchange directory, go to the following Symantec Knowledge Base article:
    http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?Open&src=w

The file is corrupt.
    Mail Security correctly identifies the file, but the file is corrupt.

The file is incorrectly identified.
    Mail Security misidentifies the file based on the message header. The actions that the
    program performs on the file are incorrect and invalid for the file type. This scenario can
    also occur in a file that contains invalid characters or values in the header.

The scanner or decomposer times out.
    The antivirus scanner or decomposer times out when it attempts to scan the file. This
    scenario can occur when a file meets or exceeds the scanning limits that you specify.
    See “Configuring file scanning limits” on page 95.

The temporary working directory is missing, or the path to the directory is incorrect.
    This scenario could occur if the temporary working directory is deleted or moved. Check to
    see if the \Temp directory exists. If it has been deleted, create it in the following location:
    C:\Program Files\Symantec\SMSMSE\7.9\Server\Temp

The file contains a large compressed attachment.
    A file that contains a large attachment might trigger the Unscannable File Rule. For
    example, a 100-MB attachment that is compressed into a 4-MB zip file.
    See “Configuring file scanning limits” on page 95.
    See “Configuring rules to address unscannable and encrypted files” on page 96.

A Symantec AntiVirus product attempts to scan files in Mail Security folders.
    You must configure the Symantec AntiVirus product to exclude Mail Security folders from
    being scanned.
    See “About using Mail Security with other antivirus products” on page 48.

Note: If the Encrypted File Rule is enabled, encrypted files trigger the Encrypted File Rule
instead of the Unscannable File Rule.
See “Configuring rules to address unscannable and encrypted files” on page 96.

Reducing the incidence of malformed MIME false positives
A message body or attachment might trigger the Unscannable File Rule and appear in the
event log as Event ID 218. However, the MIME container in the email appears to be correct.
You can either reduce the sensitivity for malformed MIME identification or disable detection
of malformed MIME containers. This action reduces the incidence of malformed MIME false
positives.
To reduce malformed MIME identification sensitivity
◆ Create or modify the following DWORD registry value:
HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\7.9\Server\
DecMIMEIdentificationStrength
The value can be a decimal between 1 and 5. The higher the number, the sensitivity
lowers and reduces the incidence of false positives.
Troubleshooting 244
Common error messages

To disable malformed MIME container detection


◆ Create or modify the following DWORD registry value to decimal 0.
HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\
7.9\Server\BlockMalformedContainers
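As an added example (not from the Symantec guide), the following PowerShell audits the two registry values above and tunes the identification strength within the documented range, after counting recent Event ID 218 entries so you can see how often the rule fires before loosening it. Assumptions: the key sits at the documented path with no Wow6432Node redirection, and Event ID 218 is written to the Application log.

```powershell
# Added example (not part of the Symantec guide): audit and adjust the malformed-MIME
# registry settings described above. Assumptions: the documented key path applies as-is,
# and Event ID 218 lands in the Application log (no event source filter is applied).
$KeyPath = 'HKLM:\SOFTWARE\Symantec\SMSMSE\7.9\Server'

function Get-MalformedMimeSettings {
    # Read both DWORDs; a $null value means the product default is in effect.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IdentificationStrength   = $props.DecMIMEIdentificationStrength   # 1..5
        BlockMalformedContainers = $props.BlockMalformedContainers        # 0 = detection off
    }
}

function Get-UnscannableFileEvents {
    param([int]$Days = 7)
    # Event ID 218 is logged when a message body or attachment triggers the
    # Unscannable File Rule (see text above).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 218
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

function Set-MalformedMimeIdentificationStrength {
    param([Parameter(Mandatory)][ValidateRange(1, 5)][int]$Strength)
    # Only the documented range 1..5 is accepted. Higher = less sensitive = fewer false
    # positives, but also fewer real detections, so step up one level at a time.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name 'DecMIMEIdentificationStrength' `
        -Value $Strength -Type DWord
}

# Usage: measure before tuning.
$current = Get-MalformedMimeSettings
$hits    = @(Get-UnscannableFileEvents -Days 7).Count
Write-Host "Event ID 218 occurrences in the last 7 days: $hits"
Write-Host "DecMIMEIdentificationStrength: $($current.IdentificationStrength); BlockMalformedContainers: $($current.BlockMalformedContainers)"
if ($current.BlockMalformedContainers -eq 0) {
    Write-Warning 'Malformed MIME container detection is disabled (BlockMalformedContainers = 0).'
}
# Example tuning step (uncomment to apply): Set-MalformedMimeIdentificationStrength -Strength 3
```

Run from an elevated prompt on the Mail Security server; the product service must be restarted for the registry change to take effect only if the guide's own procedure for that key says so, which this example does not assume.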

Common error messages
Table B-1 lists some common error messages that might occur.

Table B-1 Common error messages

Error message: The Mail Security service is stuck in a starting state
Description: The following are the most common reasons that the Mail Security service gets stuck in a starting state:
■ Timing conflicts occur with the operating system.
A solution is to make the Mail Security service dependent upon another service, such as the Microsoft Exchange Information Store service (MSExchangeIS).
For more information, see the Microsoft knowledge base. On the Internet, go to the following URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;193888
■ The Temp and Quarantine folders are not excluded from scanning by other antivirus products.
The Temp and Quarantine folders are located in the following directories:
■ \Program Files\Symantec\SMSMSE\7.9\Server\Temp
The exclusion of the Temp folder is critical to the operation of the product. The product uses the Temp folder as a processing folder.
■ \Program Files\Symantec\SMSMSE\7.9\Server\Quarantine

Error message: Spam data is not collected by default
Description: If spam-related data does not appear in reports, ensure that the "Include spam data" check box is enabled on the Report Settings page.
See “Specifying the duration for storing data in the Reports database” on page 207.

Error message: Cannot connect to server
Description: One possible cause for this error is that the domain controller is running on the same server as Microsoft Exchange. Microsoft acknowledges this scenario as a defect and has provided a manual workaround for this issue.
For more information, refer to the Microsoft knowledge base. On the Internet, go to the following URL:
http://support.microsoft.com/?id=824308
This article references ASP.NET 1.1, but the article also applies to ASP.NET 2.0.

Error message: Unique identifier (UID) errors might occur in Outlook or Outlook Express when you use IMAP
Description: This error can occur when the mail client is open on the desktop at the same time a violation is detected on the server. These warnings can be ignored. Refresh the mailbox. Outlook, Exchange, and Mail Security continue to function normally.

Error message: OWA message: The action cannot be completed because of a conflict with the original item
Description: A message sender who uses Outlook Web Access might get the following error message if Mail Security detects a violation:
The action cannot be completed because of a conflict with the original item. The conflict may have occurred when an existing item was updated on another computer or device. Open the item again and try making your changes. If the problem continues, contact technical support for your organization.
This issue is a defect in Exchange 2010. Currently, there is no workaround. For more information, see the Microsoft website.
This error only occurs on Outlook Web Access 2010.

Error message: Error in assigning Application Impersonation right to user. Please check whether the SMSMSE_RBAC right is already there or change user name.
Description: Check whether the SMSMSE_RBAC right is already assigned, or change the user name.

Error message: User does not have mailbox or Error in checking mailbox.
Description: Check whether the user has a mailbox. If not, create a mailbox for the user, or provide another user who has a mailbox.

Error message: User is not member of Administrators group. Please add user to Administrators group.
Description: The user must be a member of the following groups: Administrators and Exchange Organization Management.

Error message: Existing RBAC user is different from the given user name.
Description: A user with RBAC rights already exists, and a different user was provided during silent install.

Error message: The scan <ScanName> cannot be completed as Microsoft Exchange's Client Access server is not reachable.
Description: This error occurs if the status of a manual scan in the UI is FAILED. It also occurs if there is an error in the event log with event ID 396. The possible cause is that Mail Security is unable to determine or connect to the Client Access server (CAS) of the mailbox databases. To resolve this issue, ensure that the CAS server is up and running and can be accessed from the mailbox server.

Following are some error messages that might occur when a user's password expires.

Resolving installation issues
You may encounter installation and post-installation issues. Web links can assist you to resolve
these issues. They provide information about product installation and configuration details and
are available for both 32-bit and 64-bit installers.
You are recommended to access the web links to resolve any issues you may encounter during
installation and post-installation.
To access web links during wizard-based installation
◆ During wizard-based installation, you can access the web links from the wizard.
From the MSI installer user interface, click the link for which you need information.
To access web links during silent installation
◆ During silent installation, you can access the web links from the installer log file.
The log file locations are:
■ For the 32-bit installer, C:\Documents and Settings\Administrator\Local Settings\Temp\SMSMSE70_setup.log
■ For the 64-bit installer, C:\Users\Administrator\AppData\Local\Temp\SMSMSE70_setup.log
To access web links during remote installation
◆ During remote installation, you can access the web links from the installer log file on the
remote machine.
The log file locations are:
■ For the 32-bit installer, C:\Documents and Settings\Administrator\Local Settings\Temp\SMSMSE70_setup.log
■ For the 64-bit installer, C:\Users\Administrator\AppData\Local\Temp\SMSMSE70_setup.log

Note: Each installation error and warning in the log file has a URL. You can copy and paste
the URL from the log file into the browser to view the instructions.
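Rather than copying URLs out of the log by hand, the following added PowerShell (not from the Symantec guide) collects the help URL from every error and warning line of SMSMSE70_setup.log. Only the log file path comes from the guide; the line format in the constructed sample, and the assumption that each error or warning line carries its URL inline, are the example's own.

```powershell
# Added example (not part of the Symantec guide): extract the help URL from each error or
# warning line of the installer log. The log line format shown in the constructed sample is
# an assumption; the 64-bit log path below is the one given in the guide.
$LogPath = Join-Path $env:LOCALAPPDATA 'Temp\SMSMSE70_setup.log'

function Get-SetupLogHelpLinks {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Keep only lines that mention an error or warning and carry an http(s) URL.
    $urlPattern = 'https?://[^\s"''<>]+'
    foreach ($line in $Lines) {
        if ($line -notmatch '(?i)\b(error|warning)\b') { continue }
        $m = [regex]::Match($line, $urlPattern)
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            Severity = if ($line -match '(?i)\berror\b') { 'Error' } else { 'Warning' }
            Url      = $m.Value.TrimEnd('.', ',', ')')   # strip trailing sentence punctuation
            Line     = $line.Trim()
        }
    }
}

# Constructed sample lines standing in for a real SMSMSE70_setup.log (format assumed).
$sample = @(
    'Info: Checking prerequisites',
    'Warning: User is not member of Organization Management. See http://example.invalid/help/orgmgmt.',
    'Error: Error in assigning Application Impersonation right to user. See http://example.invalid/help/rbac',
    'Info: Installation finished with errors'
)
Get-SetupLogHelpLinks -Lines $sample | Format-Table Severity, Url -AutoSize

# Against the real log file (uncomment on the installed server):
# Get-SetupLogHelpLinks -Lines (Get-Content -Path $LogPath) | Sort-Object Url -Unique | Format-Table -AutoSize
```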

Table B-2 lists the errors you might encounter during remote installation and how to resolve
them.

Table B-2 Remote installation issues

Problem: If the user name that you provide while logging on to Windows is not a member of the Local Administrators group on the remote server, then the following message appears:
"Access to the network resource was denied."
Possible solution: Ensure that the user is a member of the Local Administrators group and retry the remote installation process.

Problem: The following error occurs due to any of the following causes:
■ The user name that you provide while logging on to Windows is not a member of Organization Management, one of the Exchange security groups.
■ Active Directory is not in sync, possibly because of Active Directory replication latency.
"Error in assigning Application Impersonation right to user. Please check whether SMSMSE_RBAC right is already there or change user name."
Possible solution: Ensure that the user is a member of Organization Management and that the Active Directory objects are replicated correctly. Start the remote installation process again.

Problem: During the installation of Mail Security on a remote mailbox role, if you provide logon credentials of a user who is not a member of the Organization Management group, then the Mail Security service does not start.
Possible solution: Ensure that you provide the user name and password of a user who is a member of the Organization Management group.

The Mail Security console can sometimes take a long time to launch when .NET Framework 2.0
is installed on your system. If you are running .NET Framework 2.0, it is recommended that you
install SP1 of .NET Framework 2.0. On systems with higher versions of .NET Framework installed,
you do not experience a delay in launching the Mail Security console.
To reduce the time it takes to launch the Mail Security console
1 Start Internet Explorer.
2 On the Tools menu, click Internet Options.
3 Click the Advanced tab, and then locate the Security section.
4 Uncheck Check for publisher’s certificate revocation and then click OK.
5 After the installation is complete, check Check for publisher’s certificate revocation.

Note: The Check for publisher's certificate revocation option is set on a per-account basis.

Resolving consolidated report issues
Table B-3 lists the issues that you might encounter when working with consolidated reports.

Table B-3 Consolidated report related issues

Problem: Export/import of scheduled consolidated reports is not supported.
Possible solution: Recreate the scheduled consolidated reports after you import settings.

Problem: Multiple users performing a Reset to factory defaults task
Possible solution: If user A has created some consolidated report schedules and user B performs the Reset to factory defaults task, only the schedules that user B created are deleted. Schedules that user A created are retained.
SMSMSE ensures that the schedules that remain in the Task Scheduler after you perform the Reset to factory defaults task are not triggered.

About the Symantec Help utility
The Symantec Help (SymHelp) utility is a cross-product diagnostic utility that identifies the
common issues that you may encounter when you use Mail Security. This utility helps you to
diagnose and resolve these issues.
The SymHelp utility is a collection of script files. These script files are copied to a temporary
directory on your local computer and are deleted when you exit the utility. The utility gathers
information about the problem on your computer and helps you to diagnose it. You can also
use the utility to ensure that your computer meets the minimum requirements to install any
supported Symantec products.
To download the SymHelp utility from the Mail Security console, click Help > Download
Support Tool.
Alternatively, you can go to the following Symantec Knowledge Base article to access
information about how to download the SymHelp utility:
http://www.symantec.com/business/support/index?page=content&id=TECH170752
For information about how to use the utility, go to the following Symantec Knowledge Base
article:
http://www.symantec.com/business/support/index?page=content&id=TECH170735
When you run the utility, a series of diagnostic reports are generated. For information about
the Mail Security diagnostic reports, go to the following Symantec Knowledge Base article:
http://www.symantec.com/business/support/index?page=content&id=TECH171013
See “Common error messages” on page 244.

LiveUpdate fails to update the definitions
In rare cases, LiveUpdate fails to update the definitions. When you run LiveUpdate, it
reports that the definitions are up to date, which is not the case. You may get one of the following
messages:
■ Unable to run LiveUpdate.
■ LiveUpdate has determined that no update is necessary. You already have the most recent
virus definitions.
To resolve this issue
1 Ensure that the Symantec Update Manager service is running.
2 Delete the csapi_defs and rep_revoc folders from the following path:
C:\ProgramData\Symantec\Definitions\SymcData
3 Run LiveUpdate again.

Troubleshooting the missing performance counters in SCOM
Sometimes, SMSMSE performance counters are not captured in Windows Performance Monitor;
as a result, they are not available in SCOM. Follow the steps below to enable the performance
counters.
To enable the performance counters in SMSMSE
1 On the Start menu, click Programs > Accessories > Command Prompt to open a command
prompt window.
2 At the command prompt, type the following command to change the directory:
cd c:\windows\system32
3 Run the following command to enable the performance counters:
lodctr /R
4 Restart the Performance Logs and Alerts service.
5 Restart the Windows Management Instrumentation service.
Index

A
Active Directory 129, 151
Active Summary 229
adware. See security risks
alert notifications 15, 237, 239
Allowed Senders list 106
antispam filtering
    about 105
    configuring Symantec Premium AntiSpam 108
    configuring whitelists 106
    licensing requirements 52
    processing spam 116
    processing suspect spam that exceeds a SCL threshold 114
    processing suspected spam 111
antivirus
    Basic Virus Rule 89
    detecting mass-mailer viruses 89
    enabling detection 89
    how Mail Security detects viruses 88
    logging detections 204
    modifying virus policies 89
    quarantining viruses 76
    setting Bloodhound detection level 89
    Unrepairable Virus Rule 89
    updating protection against 231
antivirus definitions. See definitions
antivirus products, other 48
attachments
    Allow-Only Attachment Rule 126
    blocking by attachment name 151
    enforcing email attachment policies 151
    filtering 121
    Outbreak Triggered Attachment Names match list 155
    Quarantined Triggered Attachment Names Rule 126
    Sample Attachment Name match list 155
    Sample Executable File Names match list 155
    Sample Multimedia File Names match list 155
auto-protect scans 148, 176, 180
automated installation 39

B
background scanning 170
    configure 177
    stop 177
background scans 180
    logging 179
    stopping 179
Basic Virus Rule 89
Bloodhound heuristics technology 88

C
certificate revocation list 27
configure
    content filtering 128
    file type filtering 128
console
    about 46
    accessing 45
    Home page 47
    installing 36
    primary navigation bar 47
    system requirements 29
    version support 230
consolidated report 220–221
container files
    configuring limits 95
    decomposing 88
    denial-of-service attacks 95
    encrypted 87, 96
    unscannable 87, 96
content area 46
content filtering policy templates 13
    about 164
    editing 168
    preconfigured 164
content filtering rules
    about 121
    configuring conditions 128
    configuring violation notification 131
    creating match lists 159
    deleting 149
    editing match lists 159
    elements of 142
    enabling for auto-protect scanning 148
    enforcing attachment policies 151
    literal string 142
    managing 147
    managing match lists 159–160
    metacharacters 163
    multiple violations 121
    pre-configured rules 126
    prioritizing 148
    refreshing Active Directory groups 151
    regular expressions 161
    specifying local domains 150
    specifying users to whom rules apply 129
    specifying violation actions 133
    supported SMTP address formats 129
    wildcards 142
content license 52
continuous protection scheduled scan 13
.csv (comma-separated value) report format 211

D
definitions
    about 88
    licensing requirements 52, 231
    LiveUpdate Administration Utility, about 233
    out-of-date 237
    updating 231, 235
denial-of-service attacks 87, 95
deploy all settings 60
deploy changes 60
Detailed report. See templates
dialers. See security risks
DirectX 28
discard changes 60
domains, specifying local 150
DOS wildcard expressions 160

E
encrypted files 96
Enterprise Vault 119
error messages 244
Event Log
    about 204
    contents 205
    filtering contents 205
    viewing 205
executable files, detecting 155
Executive Summary report. See templates
expressions
    regular 161
    wildcard 160

F
features
    new and enhanced 13
    protecting and managing your server 15
file filtering 121
file filtering rules
    about 151
    blocking attachments by name 151
file true type filtering 129
file type categories
    supported file types 123
file type filtering 127
    about 123
    file true type 123
file type filtering rule
    create 129
file type filtering rules
    configuring violation notification 131
    deleting 149
    enabling for auto-protect scanning 148
    managing 147
    pre-configured rules 127
    prioritizing 148
    refreshing Active Directory groups 151
    specifying local domains 150
    specifying users to whom rules apply 129
    specifying violation actions 133
    supported SMTP address formats 129
file types 123, 129
filtering. See content filtering rules
formats, report output 211
FTP proxy server, LiveUpdate connection 233

G
Global Group 58

H
hack tools. See security risks
help 20
heuristics 88
Home page 47, 229
HTML
    encoding 121
    report output format 211
HTTP proxy server, LiveUpdate connection 233
hyper-threaded processor 50

I
IIS (Internet Information Services) 28–29
impersonation 28
inbound/outbound settings 150
installation
    before you install 21
    customizing remote server installation 39
    installing on a local server 32
    installing on a remote server 38, 41
    installing the console only 36
    post-installation tasks 43
    security and access permissions 26
    system requirements 28
    types of 31
    uninstalling 51
    uninstalling before reinstalling 32
    using an automated installation tool 42
Intel Xeon processors 50
ISA server, registering 107
ISP proxy server, LiveUpdate connection 233

J
joke programs. See security risks

L
license
    activating 53
    content license 52
    expiration 52
    installing 55
    locating the serial number 54
    obtaining a license file 54
    obtaining a serial number 54
    renewing 56
    requirements 52
    software updates 52
    Symantec Premium AntiSpam 52
    upgrading 52
license certificate 53–54
list pane 46
literal string 142
LiveUpdate
    about 231
    enhancing performance 236
    licensing requirements 52
    updating definitions
        on demand 235
        scheduled 235
    using proxy servers 235
LiveUpdate Administration Utility 13, 233
local domains, specifying 150
local quarantine 76
    See also Quarantine Server
    about 76
    establishing thresholds 78
    forwarding items to the Quarantine Server 77
    purging 85
    releasing messages
        by mail 83
        to a file 84
    threshold notifications 78
    viewing 79
logs 210
    See also reports
    Event Log
        about 204
        contents 205
        filtering contents 205
    logging destinations 204
    MMC Performance console 204, 208
    Reports database
        about 204
        purging 208
        storing data 207
    Windows Application Event Log 204

M
Mail Security for Microsoft Exchange
    about 12
    accessing the console 45
    features 13, 15
    getting more information 20
Mail Security for Microsoft Exchange Management Pack 13, 208
Mail Security Reports folder 225
manual scans
    about 170, 181
    configuring 182
    running 186
    stopping while in progress 186
    viewing results 186
mass-mailer worms 87
match lists
    about 155
    creating 159
    deleting 160
    editing 159
    preconfigured 155
MCC (Microsoft Management Console) 204
MDAC 28
menu bar 46
message archiving 119
messages, common errors 244
metacharacters 163
Microsoft Certificate Services 2.0 43
Microsoft Excel 211
MIME, malformed 243
MMC (Microsoft Management Console) 208
MSXML 32

N
.NET Framework 28–29
notification settings 193
notification, variables 239
notifications 15, 237

O
Open Proxy list 108
Operation Status 60
outbreak. See outbreak management
Outbreak management
    best practices 197
outbreak management 15
    about 194
    adding outbreak items to pre-configured match lists 198
    clearing notifications 203
    configuring notifications 200
    configuring triggers 198
    defining an outbreak 195
    enabling 198
    triggers, about 197

P
Performance counters 208
performance improvement
    content filtering 13
    manual scan 13
    scheduled scan 13
performance, enhancing 236
permissions 26
policies 87
port requirements 30
post-installation tasks 43
pre-installation requirements 21
premium antispam service. See Symantec Premium AntiSpam
preview pane 46
primary navigation bar 46–47
processing limits 95
protection, server 231
proxy server
    configuring for Symantec Premium AntiSpam 108
    LiveUpdate 235

Q
quarantine entire message 13
Quarantine Server 76
    See also local quarantine
    about 76
    forwarding items to 77
    location on product installation package 13
quarantine thresholds
    specifying actions 81

R
Rapid Release
    about 231
    enhancing performance 236
    licensing requirements 52
    updating definitions
        on demand 235
        scheduled 235
regular expressions 161
remote access programs. See security risks
replacement variables 239
reports 210
    See also templates
    accessing 225
    consolidated 220–221
    creating or modifying 211, 216
    deleting 228
    email notification limitations 211, 216
    generating on demand 225
    managing 220
    printing 227
    Reports page display information 225
    resetting statistics 229
    saving data 228
    scheduling 222
    viewing with third-party tools 211
Reports database
    about 204
    purging 208
    storing data 207
reputation service 108
risks 87
    See also security risks
    See also threats
    Bloodhound heuristics technology 88
    categories of 87
    configuring security risk detection 92
    configuring threat detection 89
    decomposing container files 88
    how risks are detected 88
    setting container file limits 95
roles, Microsoft Exchange Server 2007/Server 2010 21
RTF encoding 121

S
Safe list 108
scan processes 50
scanning limits 95
scanning threads 50
scans
    advanced scanning options 180
    auto-protect 176
    background 177
    How messages are scanned 172
    manual 181
    notifying of violations 193
    offloading mailbox server scanning 175
    optimizing scanning performance 176
    scheduling 187
    types of scans 170
scheduled scans
    about 170, 187
    configuring 188
    creating 187
    deleting 192
    editing 187
    enabling 192
    stopping 191
scheduling consolidated report 222
screen resolution, recommended 21
security and access permissions 26
security risks
    about 87
    categories of 92
    configuring detection 92
serial numbers, licensing 54
server groups 58
    See also servers
    adding servers 68
    creating 67
    deleting 71
    deploying all settings 60
    deploying changes 60
    Global Group 58
    managing, about 61
    moving servers from/to 69
    pushing out settings to servers 70
    restoring default settings 70
    server settings file location 58
    user-defined 58
    viewing settings 66
server protection 231
servers 58
    See also server groups
    adding to groups 68
    deploying changes 60
    importing and exporting settings 72
    managing, about 61
    modifying communication properties 73
    moving to another group 69
    removing from group management 71
    restoring default settings 70
    synchronizing settings 70
    viewing settings 66
    viewing status 67
settings, importing and exporting 72
sidebar 46
SMSMSE Admins 26
SMSMSE Viewers 26
software components 23
SPA. See Symantec Premium AntiSpam
spam. See antispam filtering
spyware. See security risks
SSL (Secure Socket Layer) communications 43, 73
statistics, resetting 229
string, literal 142
Suspect list 108
Symantec AntiVirus Corporate Edition 21, 48, 231
Symantec Central Quarantine 13
Symantec Endpoint Protection 21, 48
Symantec Enterprise Vault 119
Symantec Help 249
Symantec Mail Security for Microsoft Exchange. See Mail Security for Microsoft Exchange
Symantec Premium AntiSpam 105
    See also antispam filtering
    about 107
    configuring 108
    configuring your proxy server 108
    identifying languages 108
    processing spam 116
    processing suspect spam that exceeds a SCL threshold 114
    processing suspected spam 111
    registering through an ISA server 107
    reputation service 108
    scoring suspected spam 108
SymHelp utility 249
system requirements 28

T
TCP (Transmission Control Protocol) port, changing 73
templates
    about 210
    creating or modifying 211, 216
    deleting 219
    Detailed 210
    output formats 211
    Summary 210
threats 87
    See also risks
    Bloodhound technology 89
    configuring detection 89
    detecting mass-mailer infected messages 89
    types detected 87
throttling policy
    assigning 73
    creating 73
toolbar 46
trackware. See security risks
transport agents
    configuring 48
    priorities 48
Trojan horses 87

U
UNC (Universal Naming Convention) path 55
Unfiltered Recipients list 106
uninstallation 32
Unrepairable Virus Rule 89
unscannable files 96, 241
updates. See definitions
upgrade voucher 53–54
user credentials 32

V
variables, replacement 239
version support 230
virus 87
    See also risks
    Basic Virus Rule 89
    configuring detection 89
    detecting mass-mailer viruses 89
    enabling detection 89
    how Mail Security detects 88
    logging detections 204
    modifying virus policies 89
    quarantining 76
    setting Bloodhound detection level 89
    Unrepairable Virus Rule 89
    updating protection against 231
virus definitions. See definitions
    outdated 237

W
whitelists 106
wildcard expressions, DOS 160
Windows Application Event Log
    about 204
    viewing contents of in Mail Security 205
worms 87

X
x-headers 119

Z
.zip files. See container files
