Chapter 4 - Antigen Administrator

Applies to: Microsoft Antigen

The Antigen Administrator is used by the administrator to configure and run Antigen for SMTP Gateways locally or remotely. For the Antigen Administrator to launch successfully, the AntigenService service must be running on the computer to which the Antigen Administrator is connecting. Because the Antigen Administrator is the front end of the Antigen for SMTP Gateways software, it can be launched and closed without affecting the back-end processes that are being performed by the Antigen services. The Antigen Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface.

Enabling the Antigen Administrator

Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use the Antigen Administrator on those operating systems, you must first enable the Antigen Administrator.

To enable the Antigen Administrator to run on Windows XP SP2

  1. Click Start, click Run, and type dcomcnfg.

  2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and then click Properties.

  3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.

  4. Add the AntigenClient application to the Windows Firewall Exceptions list, as follows:

    1. In Control Panel, click Windows Firewall.
    2. In the Windows Firewall dialog box, click the Exceptions tab.
    3. Click Add Program, select AntigenClient from the list, and then click OK. This adds the Antigen Administrator to the Programs and Services list.
    4. In the Programs and Services list, select AntigenClient.
    5. Click Add Port, type a name for the port, and type 135 for the port number.
    6. Select TCP as the protocol, and then click OK.

Note

If you are concerned about opening port 135 to all computers, you can opt for the port to open only for the servers running Antigen for SMTP Gateways. When adding port 135, click Change Scope and select Custom List. Enter the IP addresses of all the Antigen for SMTP Gateways servers that should be allowed access through port 135.
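The steps above and the Note can be scripted instead of clicked through. The following is an added example, not part of the Antigen documentation, that uses the legacy `netsh firewall` context present on Windows XP SP2 and Windows Server 2003 SP2 to add the AntigenClient program exception and open TCP 135 only to the listed Antigen servers. It goes slightly beyond the Note in that the program exception is scoped to the same server list as the port. The server addresses are constructed placeholders, and the executable path assumes the default installation directory.

```powershell
# Added example (not from the Antigen documentation): create the Windows
# Firewall exceptions needed for the Antigen Administrator, scoped to the
# Antigen for SMTP Gateways servers only rather than to every computer.
# Run from an elevated PowerShell (or paste the netsh lines into cmd.exe).
param(
    # Constructed placeholder addresses: replace with your Antigen servers.
    [string[]]$AntigenServers = @('192.0.2.10', '192.0.2.11'),
    # Assumed path of the Antigen Administrator executable (default install dir).
    [string]$ClientExe = "$env:ProgramFiles\Microsoft Antigen for SMTP\antigenclient.exe"
)

# scope=CUSTOM takes a comma-separated list of addresses or subnets.
$scope = $AntigenServers -join ','

# 1. Program exception for the Antigen Administrator front end (AntigenClient).
netsh firewall add allowedprogram "program=$ClientExe" "name=AntigenClient" mode=ENABLE scope=CUSTOM "addresses=$scope"

# 2. TCP 135 (RPC endpoint mapper, which DCOM activation needs), limited to
#    the Antigen servers instead of being open to the whole network.
netsh firewall add portopening protocol=TCP port=135 "name=Antigen DCOM (TCP 135)" mode=ENABLE scope=CUSTOM "addresses=$scope"

# Verify: both entries should show Scope: Custom with the address list.
netsh firewall show allowedprogram
netsh firewall show portopening
```

If you later retire an Antigen server, update the address list with the same two commands rather than widening the scope back to ALL.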

To enable the Antigen Administrator to run on Windows Server 2003 SP2

  1. Click Start, click Run, and enter dcomcnfg.

  2. In Component Services, at the console root, expand Component Services, expand Computers, right-click My Computer, click Properties, and then click the COM Security tab.

  3. Under Access Permissions, click Edit Limits.

  4. In the Access Permission dialog box, add the Anonymous Logon account, and then select the Allow check box for Remote Access for the Anonymous Logon user.

Running the Antigen Administrator

To run the Antigen Administrator, on the Start menu, point to All Programs, point to Microsoft Antigen for SMTP, and then click Antigen Administrator. Or, you can launch it from a command prompt.

To launch the Antigen Administrator from a command prompt

  1. Open a Command Prompt window.

  2. Navigate to the Antigen installation directory. The default is:

    Program Files\Microsoft Antigen for SMTP

  3. Type antigenclient.exe and press ENTER.

Connecting to a server

The first time the Antigen Administrator is launched, it prompts you to connect to the SMTP server running on the local computer. You can use the server name or local alias to connect to the local server.

The Antigen Administrator can be connected to a remote server running Antigen for SMTP Gateways. This ability enables an administrator to use one installation of the Antigen Administrator to configure and control Antigen for SMTP Gateways throughout the network.

At the server prompt box, click the Browse button or enter the server name, IP address, or Domain Name System (DNS) name of the remote computer.

Note

Due to enhanced security settings in Windows Server 2003 SP1, DCOM settings may need to be updated to allow remote access when Antigen for SMTP Gateways is installed on a server running Windows Server 2003 SP1. Remote administrators must have privileges enabled for both remote launch and remote activation.

Because the Antigen for SMTP Gateways installation places the installation folder on an access control list (ACL) for both administrator-only installations and full product installations, a remote administrator must have access to the local installation folder and registry key, in addition to access to the server being connected to.

If you are having problems connecting the Antigen Administrator to the server, try using the PING command to test for server availability. If the server is available, make sure that no other instances of the Antigen Administrator are currently connected to the server.

Connecting to a different server

To connect to a different server when already connected to Antigen for SMTP Gateways, select Open from the Antigen Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running Antigen for SMTP Gateways, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Antigen Administrator dialog box to quickly reconnect to a server.

Connecting to a computer that is not a member of the domain

When you install Antigen for SMTP Gateways on a computer that is acting as an SMTP virtual server, that computer is typically not a member of the domain. When you attempt to access the Antigen Administrator by connecting to this computer, you receive an "Unable to connect to scan job" error message.

This behavior occurs because Antigen for SMTP Gateways depends on the Netlogon service to connect to scan jobs. Because the computer that is acting as the SMTP virtual server is not part of the domain, the Netlogon service account cannot be authenticated. To work around this behavior, you can remove the Netlogon dependency.

To remove the Netlogon dependency

  1. Use an account that has administrative permissions to log on to the computer that is acting as the SMTP gateway.

  2. Click Start, click Run, type regedit, and then click OK.

  3. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntigenService

  4. Double-click DependOnService.

  5. In the Edit Multi String dialog box, click Netlogon under Value data, press DELETE, and then click OK.

  6. Exit Registry Editor.

  7. Restart the computer for the changes to take effect.
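The registry change in the procedure above can also be made from PowerShell. This is an added example, not part of the Antigen documentation; it uses the AntigenService key path given in step 3, exports the key first so the change can be reverted, and writes DependOnService back as REG_MULTI_SZ (writing it as a plain string would leave the Service Control Manager unable to parse the dependency list). Run it in an elevated session on the SMTP gateway computer.

```powershell
# Added example (not from the Antigen documentation): remove the Netlogon
# entry from the AntigenService dependency list, as the manual procedure does
# in Registry Editor. Requires an elevated PowerShell session.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AntigenService'

function Remove-ServiceDependency {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [Parameter(Mandatory = $true)][string]$Dependency
    )
    # DependOnService is REG_MULTI_SZ; the registry provider returns string[].
    $current = [string[]](Get-ItemProperty -Path $KeyPath -Name DependOnService).DependOnService
    if (-not ($current -contains $Dependency)) {     # -contains is case-insensitive
        Write-Host "$Dependency is not listed in DependOnService; nothing changed."
        return ,$current
    }
    $updated = [string[]]@($current | Where-Object { $_ -ne $Dependency })
    # Keep the value type MultiString so the remaining dependencies still apply.
    Set-ItemProperty -Path $KeyPath -Name DependOnService -Value $updated -Type MultiString
    return ,$updated
}

# Back up the key before touching it (reg.exe on XP/2003 prompts if the
# target file exists, so remove any stale copy first).
$backup = Join-Path $env:TEMP 'AntigenService-backup.reg'
if (Test-Path $backup) { Remove-Item $backup }
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\AntigenService' $backup | Out-Null

$before = (Get-ItemProperty -Path $svcKey -Name DependOnService).DependOnService
$after  = Remove-ServiceDependency -KeyPath $svcKey -Dependency 'Netlogon'
"Before: $($before -join ', ')"
"After : $($after -join ', ')"
# The dependency list is read when the service starts, so restart the
# computer (step 7) for the change to take effect.
```

To revert, double-click the exported .reg file in `$env:TEMP` or import it with `reg import`, then restart again.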

Running in read-only mode

The Antigen Administrator may be run in a read-only mode. To do so, the administrator needs to modify the NTFS file system permissions on the Antigen Database directory to allow modify access only to those users with permission to change Antigen for SMTP Gateways settings. By default, the installation directory is:

Program Files\Microsoft Antigen for SMTP

To ensure proper configuration, first remove modify access for all users and then set modify access only for users that are allowed to change Antigen for SMTP Gateways settings. When a user without modify access opens the Antigen Administrator, ReadOnly appears at the top of the pane and no configuration changes are allowed.
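The permission change described above can be applied with PowerShell's Get-Acl and Set-Acl. This is an added example, not part of the Antigen documentation. It assumes that the Antigen services run as LocalSystem (so SYSTEM and the local Administrators group keep Full Control; adjust the grants if your services use another account), and it takes the Antigen Database directory path as a parameter because the documentation does not name that folder. The group name is a constructed placeholder.

```powershell
# Added example (not from the Antigen documentation): restrict Modify on the
# Antigen Database directory to one group so that everyone else sees the
# Antigen Administrator in ReadOnly mode. Run in an elevated session.
param(
    [Parameter(Mandatory = $true)][string]$DatabasePath,       # Antigen Database directory
    [string]$SettingsAdminsGroup = 'DOMAIN\Antigen Settings Admins'   # constructed placeholder
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # ACE that applies to the folder, its files and its subfolders.
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $noProp, $allow)
}

$acl = Get-Acl -Path $DatabasePath

# Stop inheriting from the parent and discard inherited ACEs, so a broad
# "Users: Modify" entry inherited from the install folder cannot come back.
$acl.SetAccessRuleProtection($true, $false)

# "First remove modify access for all users": drop every explicit ACE.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Then grant Modify only to the designated group; everyone else is read-only.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))   # assumed service account
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace $SettingsAdminsGroup     'Modify'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Users'          'ReadAndExecute'))
Set-Acl -Path $DatabasePath -AclObject $acl

# Check: only SYSTEM, Administrators and the settings group should hold
# Modify or higher; every other principal should be ReadAndExecute at most.
(Get-Acl -Path $DatabasePath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it as `.\Set-AntigenReadOnly.ps1 -DatabasePath '<path to the Antigen Database directory>'`, then open the Antigen Administrator as a user outside the group and confirm that ReadOnly appears at the top of the pane.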

Antigen Administrator overview

The Antigen Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right as shown in the following image.

[Image: the Antigen Administrator user interface, with the Shuttle Navigator on the left and the work panes on the right]

The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

Area Description

SETTINGS

The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, General Options, and the Anti-Spam Job when the Antigen Spam Manager is enabled.

FILTERING

The FILTERING area enables you to configure content filtering, file filtering, mailhost filtering, keyword filtering, allowed senders lists, and filter lists.

OPERATE

The OPERATE area enables you to control virus scanning, spam scanning, and filter options, schedule and run scan jobs, and perform quick scans.

REPORT

The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.

General Options

General Options settings, accessed from the SETTINGS shuttle, provide access to a variety of system-level settings for Antigen for SMTP Gateways. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Antigen Enabled and Internet Process Count require that the Antigen services be restarted for the change to take effect.

Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value), which is probably the correct setting for your enterprise. It is rare that any of these settings need to be changed. However, several of the settings were entered during installation, and you might need to change a setting occasionally.

To access the General Options pane, click General Options in the SETTINGS area of the Shuttle Navigator. The General Options pane opens.

The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, and Exchange 2003 UCE Settings.

Diagnostics section

The following table lists and describes the settings in the Diagnostics section of the General Options pane.

Setting Description

Additional Internet

Logs every file that is scanned by the Internet scanner.

Notify on Startup

When selected, Antigen for SMTP Gateways sends a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet scanner starts.

Archive SMTP Mail

Enables administrators to archive inbound and outbound SMTP e-mail in two folders (named In and Out) that are located in the Antigen for SMTP Gateways installation folder. Each message is given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml

Administrators have the following options for archiving:

  • No Archive—No mail is archived.
  • Archive Before Scan—Messages are archived prior to scanning.
  • Archive After Scan—Messages are archived after scanning.
  • Archive Before And After Scan—Messages are archived before and after scanning.

These options are provided to help administrators and Antigen for SMTP Gateways support engineers diagnose and isolate problems users may be experiencing.

Critical Notification Lists

Enter the e-mail addresses of administrators and others who should be notified in the event that the SMTP service starts and Antigen for SMTP Gateways is not connected, or if the Antigen store shuts down. Multiple e-mail addresses should be separated by semicolons, for example: admin@microsoft.com;admin2@microsoft.com

Logging section

The following table lists and describes the settings in the Logging section of the General Options pane.

Setting Description

Enable Event Log

Enables logging of Antigen for SMTP Gateways events to the event log.

Enable Antigen Program Log

Enables the Antigen for SMTP Gateways program log (ProgramLog.txt). The Antigen services must be restarted for a change to this value to take effect.

Enable Performance Monitor and Statistics

Enables logging of Antigen for SMTP Gateways performance statistics to Performance Monitor.

Enable Antigen Virus Log

Enables the Antigen Virus Log (VirusLog.txt).

Enable Incidents Logging – Internet

Enables or disables incident logging for the Internet Scan Job. You may select from the following options:

  • Enable all incident logging
  • Disable all incident logging
  • Disable Spam/RBL incident logging—Only spam and RBL logging are disabled. Other incidents are still logged.

Max Program Log Size

Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. The default is 25600 KB. A value of 0 indicates that there is no limit to the maximum size.

For more information about the log files and Performance Monitor, see Chapter 15 - Reporting and statistics overview.

Scanner Updates section

The following table lists and describes the settings in the Scanner Updates section of the General Options pane.

Setting Description

Redistribution Server

When this option is enabled, the two most recent engine update packages are saved in the engine package folder instead of the usual single engine package. Antigen for SMTP Gateways also downloads the full update package rather than performing an incremental update. The multiple engine packages allow the spoke servers to continue getting updates from the redistribution server while a new update is being downloaded.

Perform Updates at Startup

Configures Antigen for SMTP Gateways to automatically perform engine updates every time Antigen for SMTP Gateways is started.

Send Update Notification

Configures Antigen for SMTP Gateways to send a notification to the Virus Administrator each time a scan engine is updated.

Use Proxy Settings

Configures Antigen for SMTP Gateways to use proxy settings when retrieving antivirus scanner updates. The use of a proxy server to retrieve updates is optional.

Use UNC Credentials

Configures Antigen for SMTP Gateways to use Universal Naming Convention (UNC) credentials when retrieving scanner updates from a file share. The use of a UNC path to retrieve updates is optional. Note that credentials are not supported if you are using Antigen Enterprise Manager for redistribution. Make sure you clear this setting if you are using Antigen Enterprise Manager to manage antivirus engine updates.

Proxy Server Name/IP Address

Enter the name or IP address of the proxy server that Antigen for SMTP Gateways should use when retrieving antivirus scanner updates. Required if proxy settings are used.

Proxy Port

Enter the port number for the proxy server.

Proxy Username

Enter the name of a user with access rights to the proxy server, if necessary (optional).

Proxy Password

Enter the password for the proxy user name, if necessary (optional).

UNC Username

Enter the name of a user with access rights to the UNC path, if necessary (optional).

UNC Password

Enter the password for the UNC user name, if necessary (optional).

For more information about updating the scan engines, see Chapter 16 - File scanner updating overview.

Scanning section

The following table lists and describes the settings in the Scanning section of the General Options pane.

Setting Description

Delete Corrupted Compressed Files

Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or it could be that the file exceeds the size limit configured for Antigen for SMTP Gateways.

When a corrupted compressed file is detected, Antigen for SMTP Gateways reports it as a CorruptedCompressedFile virus. This option is enabled by default.

Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can override quarantining for these file types by creating a new DWORD registry value named QuarantineCorruptedCompressedFiles and setting its value to 0.

Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types:

UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file.

UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.

Delete Corrupted Uuencode Files

Specifies whether corrupted Uuencoded files are deleted. Typically, a Uuencoded file that Antigen is unable to parse is considered corrupted. When a corrupted Uuencoded file is detected, Antigen for SMTP Gateways reports it as a CorruptedCompressedUuencodeFile virus. This option is enabled by default.

Delete Encrypted Compressed Files

Specifies whether compressed files that contain at least one encrypted item are deleted. (Encrypted files cannot be scanned by antivirus scan engines.) When an encrypted compressed file is detected, Antigen for SMTP Gateways reports it as an EncryptedCompressedFile virus.

Treat high compression ZIP files as corrupted compressed

Specifies whether ZIP archives containing highly compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message is delivered. If a threat can be cleaned, the message is delivered. If a threat cannot be cleaned, the message is deleted. If the file is compressed with an unknown algorithm, it is always treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly compressed files are treated as corrupted compressed).

Treat multipart RAR archives as corrupted compressed

A file within a RAR archive can be compressed across multiple files or parts, thereby allowing large files to be divided into smaller files for ease of transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed.

Disabling this option allows you to receive such files. However, in this case, a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted.

Note

If you are using multipart RAR to compress files that exceed 100 MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Appendix B - Setting registry keys.

Treat concatenated gzips as corrupted compressed

Multiple Gnu zip (gzip) files can be concatenated into a single file. Although Antigen for SMTP Gateways recognizes concatenated gzip files, it may not recognize individual files split across concatenated gzip files. Therefore, Antigen for SMTP Gateways treats concatenated gzip files as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzip files from passing through, thereby preventing potential infections.

Disabling the treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzip files. However, in this case, a virus may escape detection.

Scan Doc Files as Containers – Internet

Specifies that the Internet Scan Job should scan .doc files and any other files that use structured storage files and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Microsoft Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types overview. This option is disabled by default.

Skip Content Filtering for Allowed Mailhosts

Specifies that Antigen for SMTP Gateways skip content filtering for SMTP messages when every public mailhost in the Received MIME header field—up to the number specified in the General Options setting Maximum Allowed Mailhosts Lookups—is listed in an enabled Allowed Mailhost list. For more information, see Chapter 10 - Using mailhost filtering.

Case Sensitive Keyword Filtering

Specifies that all keyword filters are case sensitive. When this setting is cleared, all keyword filters are not case sensitive.

Fix Bare CR or LF in Mime Headers

Corrects a discrepancy between the MIME header parsing method used by Outlook and Outlook Express and the RFC 822 specification regarding how a bare carriage return (CR, 0x0d) and a bare line feed (LF, 0x0a) are handled in MIME headers. MIME messages can be formed so that Outlook and Outlook Express detect attachments in the MIME headers that are not scanned.

When selected, Antigen for SMTP Gateways modifies any bare CR or bare LF found in the MIME headers to the CR/LF combination, which removes the discrepancy in parsing methods.

Add Disclaimers to Clear Signed Messages

When this option is selected, Antigen for SMTP Gateways adds disclaimers—if disclaimers are enabled—to Clear Signed Messages. If you do not want disclaimers appended to Clear Signed Messages, clear this option. A Clear Signed Message is a message that contains a digital signature and is in a readable state. If the message is modified by the addition of a disclaimer, however, the digital signature is invalid. When users receive the message, they are told that the digital signature is invalid. This option is enabled by default.

Purge Message if Message Body Deleted – Internet

Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Antigen for SMTP Gateways inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Antigen for SMTP Gateways and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is selected.

Enable Antigen

Enables administrators to enable or disable scanning. The default value is Enable. After changing this setting, the Antigen services must be recycled for the change to take effect. For more information about recycling the services, see "Recycling the Antigen services" in Chapter 3 - Antigen services.

Internet Process Count

This setting is used to change the number of Internet processes that are used by Antigen for SMTP Gateways. The default value is 2. You may create up to 10 Internet processes. After changing this setting, the Antigen services must be recycled. For more information about this setting, see Chapter 6 - Configuring SMTP Scan Jobs.

Engine Error Action

Sets the action that Antigen for SMTP Gateways should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which logs the error to the program log; Skip: Detect Only, which logs the error to the program log and displays an EngineError entry with the state Detected in the UI; and Delete, which logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI. The file that caused the engine error is always quarantined. The default value is Delete.

Illegal MIME Header Action - Internet

If Antigen for SMTP Gateways encounters an illegal MIME header during a scan, it can be set either to Purge: eliminate message (the default) or to Ignore the message. Illegal MIME headers are headers that have multiple Content-Type, Content-Transfer-Encoding, or Content-Disposition headers containing conflicting data. Messages in which the Content-Disposition or Content-Type header is longer than it is supposed to be, and messages that contain multiple subject lines, are also identified as having illegal MIME headers. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1 to override quarantining.

Internet Scan Timeout Action

Indicates what to do in the event that the Internet Scan Job (SMTP Scan Job) times out while scanning a file. The options are: Ignore, Skip, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and Program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and Internet Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

Quarantine Messages

Antigen for SMTP Gateways performs two different quarantine operations: quarantining of entire messages or quarantining of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled.

When Quarantine Messages is set to Quarantine as Single EML File, the quarantined message and all attachments are quarantined in EML file format.

When Quarantine Messages is set to Quarantine Message Body and Attachments Separately, Antigen for SMTP Gateways quarantines messages as separate pieces (bodies and attachments).

For a complete description of this setting, see "About quarantine" in Chapter 15 - Reporting and statistics overview.

Note

These settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

Deliver From Quarantine Security

This value gives administrators flexibility for handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode:

  • Secure Mode forces all messages and attachments delivered from quarantine to be scanned again for viruses and filter matches. This is the default setting.
  • Compatibility Mode allows messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen for SMTP Gateways identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine.

For more information about this setting, see Chapter 15 - Reporting and statistics overview.

SMTP Sender Information

By default, Antigen uses the MIME FROM header sender address for the SMTP Scan Job. This General Options setting enables administrators to use the MAIL FROM sender address from the SMTP protocol for the SMTP Scan Job. When Use SMTP protocol MAIL FROM is selected, the address in that box is used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, reporting in the Antigen Administrator, and multiple disclaimers. The options for this setting are:

  • Use MIME From: Header (the default).
  • Use SMTP protocol MAIL FROM.

Note

When Use MIME From: Header is selected and a MIME Sender header is also present, the MIME Sender header information is used.

Perform Reverse DNS Lookup

Provides the ability to disable reverse DNS lookups when validating an IP address or domain name against the Allowed Mailhost or Rejected Mailhost lists. If reverse DNS lookups are disabled, the domain name found in the MIME Received header field is used for comparisons with the Allowed Mailhost and Rejected Mailhost lists. The options for this setting are:

  • Enable All (the default)
  • Disable All
  • Only for Mailhost List Checking
  • Only for Inbound/Outbound Determination

For more information about this setting, see Chapter 10 - Using mailhost filtering.

Max Container File Infections

Specifies the maximum number of infections allowed in a compressed file. If this is exceeded, the entire file is deleted and Antigen for SMTP Gateways logs an incident stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection will cause the entire container to be deleted. In this case, the logged incident has the tag Container Removed appended to the filter match. The default value is 5 infections.

Max Container File Size

Specifies the maximum container file size (in bytes) that Antigen for SMTP Gateways attempts to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Antigen for SMTP Gateways reports deleted files as a LargeInfectedContainerFile virus.

Max Nested Attachments

Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and Uuencoded documents. The limit applies to the sum of the nestings of all of these types. If the maximum number is exceeded, Antigen for SMTP Gateways blocks or deletes the document and reports that an ExceedinglyInfected virus was found. The default value is 30.

Max Nested Compressed Files

Specifies the maximum nesting depth for a compressed file. If this is exceeded, the entire file is deleted and Antigen for SMTP Gateways sends a notification stating that an ExceedinglyNested virus was found. A value of zero means that unlimited nesting is allowed. The default value is 5.

Max Container Scan Time (msecs) - Internet

Specifies the number of milliseconds that Antigen for SMTP Gateways scans a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to limit the denial-of-service risk from "zip of death" attacks. The default value is 120,000 milliseconds (two minutes).

Internal Address

Antigen for SMTP Gateways can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address box, to show who should be sent internal notifications. Domains should be entered as a semicolon delimited list (for example: microsoft.com;microsoft.net;company.com) with no spaces. Any change to this value is immediately reflected in virus notifications.

When entering a domain name in the Internal Address box, be aware that subdomains are covered by the entry.

For example: domain.com will include subdomain.domain.com and subdomain2.domain.com.

Alternate domains such as domain.net or domain.org must be entered individually.

Values entered in the Internal Address box are used as a substring match of the end of an e-mail address. For example, "soft.com" would consider "someone@microsoft.com" and "someone@abcdef123soft.com" to be internal addresses.

If you have a large number of domains to be used as internal addresses, you can enter them in an external text file (leaving the Internal Address box blank). Enter all your internal domains, each on a separate line. Be aware that all subdomains must be entered individually. To use the external file, you must manually create the registry key DomainDatFilename and set its value to the full path of the external text file. For more information about this key, see Appendix B - Setting registry keys.

(For more information about internal addresses and notifications, see Chapter 14 - Using e-mail notifications.)
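The two matching rules described above differ in a way that matters when auditing the list: the Internal Address box matches the end of the whole e-mail address as a plain substring, while the external file lists domains individually. The following Python is an added illustration written for this page, not Antigen's own code. It models the box rule exactly as documented, interprets the file rule as an exact match on the address's domain part (the page says subdomains must be listed individually; that exact-match reading is an assumption), and includes a domain-boundary-aware comparison so an administrator can find box entries such as "soft.com" that classify unrelated domains as internal. All sample addresses are constructed.

```python
"""Internal-address classification modelled on the General Options text.

Added example, not Antigen code.  Box semantics are the documented
end-of-address substring match; file semantics are an interpretation
(exact domain match, subdomains listed one per line)."""
from typing import Iterable, List, Tuple


def parse_box_entries(value: str) -> List[str]:
    """Split the semicolon-delimited Internal Address value (no spaces expected)."""
    return [e.strip().lower() for e in value.split(";") if e.strip()]


def parse_domain_file(text: str) -> List[str]:
    """Parse the external domain file: one domain per line, blank lines ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def domain_part(address: str) -> str:
    """Return the part of an e-mail address after the last '@'."""
    return address.strip().lower().rsplit("@", 1)[-1]


def is_internal_box(address: str, entries: Iterable[str]) -> bool:
    """Documented box rule: an entry matches if the address ENDS with it."""
    addr = address.strip().lower()
    return any(addr.endswith(e) for e in entries)


def is_internal_file(address: str, domains: Iterable[str]) -> bool:
    """File rule as interpreted here: exact match on the domain part only,
    so a subdomain is internal only if it appears in the file itself."""
    return domain_part(address) in set(domains)


def is_internal_boundary(address: str, entries: Iterable[str]) -> bool:
    """Comparison helper (not Antigen behaviour): match on a label boundary,
    so 'soft.com' covers 'soft.com' and 'x.soft.com' but not 'abcsoft.com'."""
    dom = domain_part(address)
    return any(dom == e or dom.endswith("." + e) for e in entries)


def overmatching_entries(entries: Iterable[str],
                         sample_addresses: Iterable[str]) -> List[Tuple[str, str]]:
    """List (entry, address) pairs that the box rule treats as internal only
    because of the substring match, i.e. the boundary rule would reject them."""
    findings = []
    for addr in sample_addresses:
        for e in entries:
            if is_internal_box(addr, [e]) and not is_internal_boundary(addr, [e]):
                findings.append((e, addr))
    return findings


if __name__ == "__main__":
    # Constructed sample configuration and addresses.
    box = parse_box_entries("soft.com;company.com")
    samples = ["someone@microsoft.com", "someone@abcdef123soft.com",
               "user@sub.company.com", "user@othercompany.com"]
    for a in samples:
        print(f"{a:30} box={is_internal_box(a, box)}")
    print("over-matching:", overmatching_entries(box, samples))
```

Running the block shows that every sample address except none is "internal" under the box rule, and the over-match report names the entries responsible, which is the check to run before relying on internal-only notification wording.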

SMTP External Hosts

If you are using an SMTP gateway to route e-mail into your messaging environment, you may enter the IP address of the gateway server so that Antigen for SMTP Gateways treats all mail coming from that server as inbound when determining which filters and scan jobs to use for a message. If you do not enter the IP address of your SMTP gateway, Antigen for SMTP Gateways uses its internal logic to determine whether messages are inbound or internal. IP addresses should be entered as a semicolon-delimited list with no spaces.

For example, enter: 123.45.6.78;8.76.54.32;1.0.0.0

Maximum RBL Lookups

Specifies the number of hops allowed while doing RBL tests. (Only public IP addresses received in the chain are counted.) Antigen for SMTP Gateways starts counting with the first public IP address and checks the IP address of each hop until the Maximum RBL Lookups is reached or a private IP address is encountered. The default value is 4.
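The hop-counting rule above (skip to the first public address, then check each hop until the limit is reached or a private address appears) is easy to misjudge when tuning the limit. The Python below is an added example for this page, not Antigen code; it models that rule and reports which hops would be submitted to an RBL. Assumptions not stated on the page: hops are supplied in Received-header order (nearest relay first), and "private" is Python's ipaddress.is_private classification (RFC 1918, loopback, link-local and documentation ranges). No DNS lookups are made, and the Received lines are constructed.

```python
"""Hop selection for RBL tests, modelled on the Maximum RBL Lookups text.

Added example, not Antigen code.  Assumes hops are given nearest-relay-first
and uses ipaddress.is_private to decide what counts as a private hop."""
import ipaddress
import re
from typing import List

# Matches the bracketed IPv4 literal that MTAs place in Received headers.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops_from_received(received_headers: List[str]) -> List[str]:
    """Extract one IPv4 address per Received header, keeping header order."""
    hops = []
    for header in received_headers:
        m = _RECEIVED_IP.search(header)
        if m:
            hops.append(m.group(1))
    return hops


def select_rbl_candidates(hops: List[str], max_lookups: int = 4) -> List[str]:
    """Return the hop addresses that would be RBL-tested.

    Leading private hops are skipped (counting starts at the first public
    address); after that, each hop is checked until max_lookups addresses
    have been collected or a private address is encountered."""
    candidates: List[str] = []
    started = False
    for hop in hops:
        ip = ipaddress.ip_address(hop)
        if not started:
            if ip.is_private:
                continue          # internal relays before the first public hop
            started = True
        if ip.is_private:
            break                 # private hop after the public run ends the walk
        candidates.append(hop)
        if len(candidates) >= max_lookups:
            break                 # Maximum RBL Lookups reached (default 4)
    return candidates


if __name__ == "__main__":
    # Constructed Received chain, nearest relay first.
    received = [
        "from relay.internal (relay.internal [10.0.0.5]) by mx.internal",
        "from gw.internal (gw.internal [192.168.1.10]) by relay.internal",
        "from a.example (a.example [123.45.6.78]) by gw.internal",
        "from b.example (b.example [8.76.54.32]) by a.example",
        "from c.example (c.example [1.0.0.0]) by b.example",
        "from d.example (d.example [11.22.33.44]) by c.example",
        "from e.example (e.example [93.184.216.34]) by d.example",
    ]
    print(select_rbl_candidates(hops_from_received(received), max_lookups=4))
```

With the default of 4, the fifth public hop is never queried; lowering the limit trades coverage of distant relays for fewer DNS lookups per message.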

Maximum Allowed Mailhost Lookups

Specifies how many addresses need to be checked and matched by the Allowed Mailhost filter for content filtering to be skipped. The default value is 4.

Exchange 2003 UCE Settings

These settings are visible in the General Options pane for all installations, but they do not configure the Exchange settings unless the Antigen Spam Manager is enabled. The unsolicited commercial e-mail (UCE) settings are Exchange 2003 functions that help combat spam by tagging potential spam and diverting suspect messages into a Junk E-mail folder instead of the user's Inbox.


Enable SCL Rating

Specifies whether to use the Exchange 2003 spam confidence level (SCL) rating feature. If this option is selected, Antigen for SMTP Gateways sets an SCL rating based on the results of the filtering operations performed by the Spam Manager. Administrators must configure the action Identify: Tag Message to Set SCL property for ratings to be appended to messages. For more information, see Chapter 13 - Antigen Spam Manager overview.

Skip Content Filtering for Safe Connections

Specifies whether to use the Safe Connections property of a message to skip content filtering. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering are still performed even if this option is enabled.

Skip Content Filtering for Authenticated Connections

Specifies whether to use the Authenticated Connections property of a message to skip content filtering. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering are still performed even if this option is enabled.

Central Management

Central management of Antigen for SMTP Gateways is handled through the Antigen Enterprise Manager. The Antigen Enterprise Manager enables administrators to:

  • Install or uninstall Antigen for SMTP Gateways on local and remote servers.
  • Update all or individual scan engines on local and remote servers.
  • Run a manual scan on multiple servers simultaneously.
  • Check Antigen, scan engine, and virus definition versions on multiple servers.
  • Deploy Antigen for SMTP Gateways template files.
  • Retrieve virus logs from multiple servers.
  • Retrieve quarantined files.
  • Retrieve the ProgramLog.txt file from single or multiple servers.
  • Retrieve virus incident information.
  • Deploy General Options settings.
  • Deploy Filter List templates.
  • Generate HTML reports.
  • Send outbreak alerts.

For detailed instructions about using these features, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechCenter.
