| Setting | Description |
|---|---|
| Delete Corrupted Compressed Files | Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or the file exceeds the size limit configured for Antigen for SMTP Gateways.<br>When a corrupted compressed file is detected, Antigen for SMTP Gateways reports it as a CorruptedCompressedFile virus. This option is enabled by default.<br>Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry DWORD value named QuarantineCorruptedCompressedFiles and set it to 0 to override quarantining for these file types.<br>Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types:<br>- UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive, by the scanners because of the corrupt nature of the file.<br>- UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive because of the corrupt nature of the archive. |
| Delete Corrupted Uuencode Files | Specifies whether corrupted Uuencoded files are deleted. Typically, a Uuencoded file that Antigen is unable to parse is considered corrupted. When a corrupted Uuencoded file is detected, Antigen for SMTP Gateways reports it as a CorruptedCompressedUuencodeFile virus. This option is enabled by default. |
| Delete Encrypted Compressed Files | Specifies whether compressed files that contain at least one encrypted item are deleted. (Encrypted files cannot be scanned by antivirus scan engines.) When an encrypted compressed file is detected, Antigen for SMTP Gateways reports it as an EncryptedCompressedFile virus. |
| Treat high compression ZIP files as corrupted compressed | Specifies whether ZIP archives containing highly compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and the option Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned in their compressed form; the ZIP archive itself is also passed to the virus engines. If no threat is found, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted. If the file is compressed with an unknown algorithm, it is always treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly compressed files are treated as corrupted compressed). |
| Treat multipart RAR archives as corrupted compressed | A file within a RAR archive can be compressed across multiple files or parts, which allows large files to be divided into smaller files for ease of transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed.<br>Disabling this option allows you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.<br>If the archive is reported as corrupted compressed, and the option Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted.<br>Note: If you are using multipart RAR to compress files that exceed 100 MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Appendix B - Setting registry keys. |
| Treat concatenated gzips as corrupted compressed | Multiple GNU zip (gzip) files can be concatenated into a single file. Although Antigen for SMTP Gateways recognizes concatenated gzip files, it may not recognize individual files split across concatenated gzip files. Therefore, Antigen for SMTP Gateways treats concatenated gzip files as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzip files from passing through, thereby preventing potential infections.<br>Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzip files. However, in this case a virus may escape detection. |
| Scan Doc Files as Containers – Internet | Specifies that the Internet Scan Job should scan .doc files, and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs), as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Microsoft Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types overview. This option is disabled by default. |
| Skip Content Filtering for Allowed Mailhosts | Specifies that Antigen for SMTP Gateways skips content filtering for SMTP messages when every public mailhost in the Received MIME header field—up to the number specified in the General Options setting Maximum Allowed Mailhosts Lookups—is listed in an enabled Allowed Mailhost list. For more information, see Chapter 10 - Using mailhost filtering. |
| Case Sensitive Keyword Filtering | Specifies that all keyword filters are case sensitive. When this setting is cleared, keyword filters are not case sensitive. |
| Fix Bare CR or LF in Mime Headers | Corrects a discrepancy between the MIME header parsing method used by Outlook and Outlook Express and the RFC 822 specification on how a bare carriage return (CR, 0x0d) and a bare line feed (LF, 0x0a) are handled in MIME headers. MIME messages can be formed so that Outlook and Outlook Express detect attachments in the MIME headers that an RFC 822 parser does not see, and those attachments are therefore not scanned.<br>When selected, Antigen for SMTP Gateways rewrites any bare CR or bare LF found in the MIME headers to the CR/LF combination, which removes the discrepancy between the parsing methods. |
| Add Disclaimers to Clear Signed Messages | When this option is selected, Antigen for SMTP Gateways adds disclaimers—if disclaimers are enabled—to Clear Signed Messages. If you do not want disclaimers appended to Clear Signed Messages, clear this option. A Clear Signed Message is a message that contains a digital signature and is in a readable state. If the message is modified by the addition of a disclaimer, however, the digital signature becomes invalid, and recipients are told that the digital signature is invalid. This option is enabled by default. |
| Purge Message if Message Body Deleted – Internet | Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Antigen for SMTP Gateways inserts deletion text in its place. If administrators do not want e-mail users to receive cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Antigen for SMTP Gateways and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message is purged if this option is selected. |
| Enable Antigen | Enables administrators to enable or disable scanning. The default value is Enable. After changing this setting, the Antigen services must be recycled for the change to take effect. For more information about recycling the services, see "Recycling the Antigen services" in Chapter 3 - Antigen services. |
| Internet Process Count | Changes the number of Internet processes used by Antigen for SMTP Gateways. The default value is 2. You may create up to 10 Internet processes. After changing this setting, the Antigen services must be recycled. For more information about this setting, see Chapter 6 - Configuring SMTP Scan Jobs. |
| Engine Error Action | Sets the action that Antigen for SMTP Gateways takes if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are:<br>- Ignore, which logs the error to the program log.<br>- Skip: Detect Only, which logs the error to the program log and displays an EngineError entry with the state Detected in the UI.<br>- Delete, which logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI.<br>The file that caused the engine error is always quarantined. The default value is Delete. |
| Illegal MIME Header Action - Internet | If Antigen for SMTP Gateways encounters an illegal MIME header during a scan, the action can be set to Purge: eliminate message (the default) or to Ignore the message. Illegal MIME headers are headers that have multiple Content-Type, Content-Transfer-Encoding, or Content-Disposition headers containing conflicting data. Messages in which the Content-Disposition or Content-Type header is longer than the specification allows, and messages that contain multiple subject lines, are also identified as having illegal MIME headers. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1 to override quarantining. |
| Internet Scan Timeout Action | Indicates what to do if the Internet Scan Job (SMTP Scan Job) times out while scanning a file. The options are Ignore, Skip, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and Program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and Internet Scan Timeout Action is set to either Skip or Delete. The default value is Delete. |
| Quarantine Messages | Antigen for SMTP Gateways performs two different quarantine operations: quarantining of entire messages, or quarantining of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled.<br>When Quarantine Messages is set to Quarantine as Single EML File, the quarantined message and all attachments are quarantined in EML file format.<br>When Quarantine Messages is set to Quarantine Message Body and Attachments Separately, Antigen for SMTP Gateways quarantines messages as separate pieces (bodies and attachments).<br>For a complete description of this setting, see "About quarantine" in Chapter 15 - Reporting and statistics overview.<br>Note: These settings do not apply to files that are quarantined because of virus scanning. Only infected attachments are quarantined when an infection is detected. |
| Deliver From Quarantine Security | Gives administrators flexibility in handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode:<br>- Secure Mode forces all messages and attachments delivered from quarantine to be scanned again for viruses and filter matches. This is the default setting.<br>- Compatibility Mode allows messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen for SMTP Gateways identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine.<br>For more information about this setting, see Chapter 15 - Reporting and statistics overview. |
| SMTP Sender Information | By default, Antigen uses the MIME From: header sender address for the SMTP Scan Job. This General Options setting enables administrators to use the MAIL FROM sender address from the SMTP protocol instead. When Use SMTP protocol MAIL FROM is selected, that address is used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, reporting in the Antigen Administrator, and multiple disclaimers. The options for this setting are:<br>- Use MIME From: Header (the default).<br>- Use SMTP protocol MAIL FROM.<br>Note: When Use MIME From: Header is selected and a MIME Sender header is also present, the MIME Sender header information is used. |
| Perform Reverse DNS Lookup | Provides the ability to disable reverse DNS lookups when validating an IP address or domain name against the Allowed Mailhost or Rejected Mailhost lists. If reverse DNS lookups are disabled, the domain name found in the MIME Received header field is used for comparisons with the Allowed Mailhost and Rejected Mailhost lists. The options for this setting are:<br>- Enable All (the default)<br>- Disable All<br>- Only for Mailhost List Checking<br>- Only for Inbound/Outbound Determination<br>For more information about this setting, see Chapter 10 - Using mailhost filtering. |
| Max Container File Infections | Specifies the maximum number of infections allowed in a compressed file. If this is exceeded, the entire file is deleted and Antigen for SMTP Gateways logs an incident stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection causes the entire container to be deleted; in this case, the logged incident has the tag Container Removed appended to the filter match. The default value is 5 infections. |
| Max Container File Size | Specifies the maximum container file size (in bytes) that Antigen for SMTP Gateways attempts to clean or repair when it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Antigen for SMTP Gateways reports deleted files as a LargeInfectedContainerFile virus. |
| Max Nested Attachments | Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and Uuencoded documents. The limit is the sum of the nestings of all of these types. If the maximum number is exceeded, Antigen for SMTP Gateways blocks or deletes the document and reports that an ExceedinglyInfected virus was found. The default value is 30. |
| Max Nested Compressed Files | Specifies the maximum nesting depth for a compressed file. If this is exceeded, the entire file is deleted and Antigen for SMTP Gateways sends a notification stating that an ExceedinglyNested virus was found. A value of zero means that unlimited nesting is allowed. The default value is 5. |
| Max Container Scan Time (msecs) - Internet | Specifies the number of milliseconds that Antigen for SMTP Gateways scans a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to limit the denial-of-service risk posed by "zip of death" archives. The default value is 120,000 milliseconds (two minutes). |
| Internal Address | Antigen for SMTP Gateways can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address box to show who should be sent internal notifications. Domains should be entered as a semicolon-delimited list with no spaces (for example: microsoft.com;microsoft.net;company.com). Any change to this value is immediately reflected in virus notifications.<br>When entering a domain name in the Internal Address box, be aware that subdomains are covered by the entry. For example, domain.com includes subdomain.domain.com and subdomain2.domain.com. Alternate domains such as domain.net or domain.org must be entered individually.<br>Values entered in the Internal Address box are used as a substring match of the end of an e-mail address. For example, "soft.com" would consider both "someone@microsoft.com" and "someone@abcdef123soft.com" to be internal addresses.<br>If you have a large number of domains to be used as internal addresses, you can enter them in an external text file (leaving the Internal Address box blank). Enter all your internal domains, each on a separate line. Be aware that in this file all subdomains must be entered individually. To use the external file, you must manually create the registry key DomainDatFilename and set its value to the full path of the external text file. For more information about this key, see Appendix B - Setting registry keys.<br>(For more information about internal addresses and notifications, see Chapter 14 - Using e-mail notifications.) |
| SMTP External Hosts | If you are using an SMTP gateway to route e-mail into your messaging environment, you may enter the IP address of the gateway server so that Antigen for SMTP Gateways treats all mail coming from that server as inbound when determining which filters and scan jobs to apply to a message. If you do not enter the IP address of your SMTP gateway, Antigen for SMTP Gateways uses its internal logic to determine whether messages are inbound or internal. IP addresses should be entered as a semicolon-delimited list with no spaces. For example: 123.45.6.78;8.76.54.32;1.0.0.0 |
| Maximum RBL Lookups | Specifies the number of hops allowed while doing RBL tests. (Only public IP addresses received in the chain are counted.) Antigen for SMTP Gateways starts counting with the first public IP address and checks the IP address of each hop until the Maximum RBL Lookups is reached or a private IP address is encountered. The default value is 4. |
| Maximum Allowed Mailhost Lookups | Specifies how many addresses must be checked and matched by the Allowed Mailhost filter for content filtering to be skipped. The default value is 4. |
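The Fix Bare CR or LF in Mime Headers setting above describes a parser discrepancy; the following added example (not Antigen's own code) makes it visible by counting header fields with a strict CRLF-only line splitter and with a lenient CR/LF/CRLF splitter, then applies the same normalization the setting describes. The sample message is constructed here, and the split at the first blank line assumes the message uses CRLF line endings.

```python
import re

# Bare CR (not followed by LF) or bare LF (not preceded by CR) in the header section.
BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Constructed sample: the second header line hides a Content-Disposition field
# behind a bare CR. A strict RFC 822 parser sees it as part of the Content-Type
# value; a lenient client parser sees a separate attachment header.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Content-Type: text/plain\rContent-Disposition: attachment; filename=\"a.bin\"\r\n"
    b"Subject: report\r\n"
    b"\r\n"
    b"Hello\r\n"
)


def split_message(raw: bytes):
    """Return (header_section, body); the header section keeps its final CRLF."""
    idx = raw.find(b"\r\n\r\n")
    if idx == -1:
        return raw, None
    return raw[: idx + 2], raw[idx + 4:]


def header_names(header_section: bytes, lenient: bool) -> list:
    """Header field names, splitting lines strictly (CRLF only, per RFC 822)
    or leniently (CR, LF or CRLF, as the mail clients named above do)."""
    if lenient:
        lines = re.split(rb"\r\n|\r|\n", header_section)
    else:
        lines = header_section.split(b"\r\n")
    names = []
    for line in lines:
        if not line or line[:1] in (b" ", b"\t"):  # blank or folded continuation
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().decode("ascii", "replace"))
    return names


def fix_bare_cr_lf(raw: bytes) -> bytes:
    """Rewrite every bare CR or bare LF in the header section to CRLF, leaving
    the body untouched, so strict and lenient parsers see the same fields."""
    headers, body = split_message(raw)
    fixed = BARE_CR_OR_LF.sub(b"\r\n", headers)
    return fixed if body is None else fixed + b"\r\n" + body


if __name__ == "__main__":
    original = split_message(SAMPLE)[0]
    print("strict :", header_names(original, lenient=False))
    print("lenient:", header_names(original, lenient=True))
    print("fixed  :", header_names(split_message(fix_bare_cr_lf(SAMPLE))[0], lenient=False))
```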
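For the Internal Address setting above, this added example (not part of the product) models the end-of-address substring match and adds an audit that lists entries which would also match unrelated domains, as the "soft.com" example in the table warns. The external-file mode is modelled as an exact domain match, which is an assumption drawn from the statement that subdomains must be listed individually in that file.

```python
# Constructed sample value for the Internal Address box (semicolon-delimited, no spaces).
INTERNAL_ADDRESS_BOX = "domain.com;soft.com"


def parse_internal_address(value: str) -> list:
    """Split the Internal Address box value into lower-cased domain entries."""
    return [entry.strip().lower() for entry in value.split(";") if entry.strip()]


def is_internal_box(address: str, entries: list) -> bool:
    """Box mode as documented: an entry matches when it is a substring match of
    the end of the address, so subdomains are covered, but so is any longer
    name that merely ends with the same characters."""
    addr = address.lower()
    return any(addr.endswith(entry) for entry in entries)


def is_domain_or_subdomain(host: str, entry: str) -> bool:
    """True when host equals entry or is a subdomain of it (label boundary)."""
    return host == entry or host.endswith("." + entry)


def audit_box_matches(entries: list, addresses: list) -> list:
    """Defender's check: (address, entry) pairs the box mode treats as internal
    although the address's domain is neither the entry nor a subdomain of it."""
    findings = []
    for address in addresses:
        domain = address.lower().rpartition("@")[2]
        for entry in entries:
            if address.lower().endswith(entry) and not is_domain_or_subdomain(domain, entry):
                findings.append((address, entry))
    return findings


def is_internal_file(address: str, file_domains: list) -> bool:
    """External-file mode (DomainDatFilename), assumed here to be an exact match
    on the domain part because every subdomain must be listed individually."""
    domain = address.lower().rpartition("@")[2]
    return domain in {d.strip().lower() for d in file_domains if d.strip()}


if __name__ == "__main__":
    entries = parse_internal_address(INTERNAL_ADDRESS_BOX)
    samples = ["someone@subdomain.domain.com", "someone@microsoft.com",
               "someone@abcdef123soft.com", "someone@domain.net"]
    for a in samples:
        print(a, "internal" if is_internal_box(a, entries) else "external")
    print("over-matches:", audit_box_matches(entries, samples))
```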
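The Maximum RBL Lookups setting above describes a hop-counting rule over the Received chain; this added example (not the product's code) models that rule on a constructed message. It assumes that hops are read in header order (most recent first), that the source address is the bracketed IPv4 literal in each Received header, and that "private" means the standard non-public ranges as classified by Python's ipaddress module. The two public addresses are taken from the page's own SMTP External Hosts example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: two private relay hops of our own, two public hops, then
# another public hop behind a private workstation address.
SAMPLE_MESSAGE = """\
Received: from mx.internal.example ([10.0.0.5]) by gateway.internal.example
Received: from relay.example.net ([123.45.6.78]) by mx.internal.example
Received: from smtp.example.org ([8.76.54.32]) by relay.example.net
Received: from workstation ([192.168.1.20]) by smtp.example.org
Received: from unknown ([1.0.0.0]) by workstation
From: someone@example.org
Subject: test

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message: str) -> list:
    """Source IPs from the Received headers, most recent hop first (header order)."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def hops_to_check(ips: list, max_lookups: int) -> list:
    """Model of the Maximum RBL Lookups rule: skip leading private hops, start
    counting at the first public address, and stop when max_lookups addresses
    have been selected or the next private address is encountered."""
    selected = []
    started = False
    for ip in ips:
        private = ipaddress.ip_address(ip).is_private
        if not started:
            if private:
                continue  # still inside our own private relay chain
            started = True
        if private or len(selected) >= max_lookups:
            break
        selected.append(ip)
    return selected


if __name__ == "__main__":
    chain = received_ips(SAMPLE_MESSAGE)
    print("chain:", chain)
    print("RBL lookups with default 4:", hops_to_check(chain, 4))
```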
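For the Max Nested Compressed Files setting above, this added example (not Antigen's own code) builds a constructed nested ZIP and walks it with a depth budget, reporting ExceedinglyNested once more containers would have to be opened than the limit allows and treating a limit of zero as unlimited, as the table describes. Depth is counted as the number of containers opened on the current path, which is an assumption about how the product counts.

```python
import io
import zipfile


def build_nested_zip(depth: int, payload: bytes = b"sample text") -> bytes:
    """Constructed sample input: a ZIP nested `depth` levels deep around a text file."""
    data, name = payload, "payload.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def walk_container(data: bytes, max_nested: int, opened: int = 0) -> dict:
    """Open nested ZIPs recursively. `opened` is the number of containers on the
    current path. If opening this one would exceed max_nested, stop with the
    verdict ExceedinglyNested; max_nested == 0 means unlimited nesting.
    Returns {'max_depth': deepest container level reached, 'verdict': str}."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"max_depth": opened, "verdict": "scanned"}  # plain file: hand to engines
    if max_nested and opened + 1 > max_nested:
        return {"max_depth": opened + 1, "verdict": "ExceedinglyNested"}
    deepest = opened + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result = walk_container(zf.read(info), max_nested, opened + 1)
            if result["verdict"] != "scanned":
                return result  # one over-nested member condemns the whole file
            deepest = max(deepest, result["max_depth"])
    return {"max_depth": deepest, "verdict": "scanned"}


if __name__ == "__main__":
    for depth in (5, 6):
        print(depth, "levels, limit 5 ->", walk_container(build_nested_zip(depth), 5))
    print("8 levels, limit 0 ->", walk_container(build_nested_zip(8), 0))
```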