Chapter 9 - Configuring MTA Scan Jobs


Applies to: Microsoft Antigen

Antigen scans messages passing through the Exchange Message Transfer Agent (MTA) on Microsoft® Exchange 2000 Server and on Microsoft Exchange Server 2003. This job scans all MTA connectors, such as X.400, MSMail, and cc:Mail. Antigen MTA scanning is enabled by default and can be run on the upgraded bridgehead server to protect the MTA access point for the organization.

Note

When running Exchange Server 2000 pre-SP3, outgoing messages cannot be scanned because outgoing messages waiting to be scanned are not blocked from being accessed by transports such as X.400, SMTP, and the Lotus Notes Connector. This is a known limitation of the Microsoft VSAPI2 in pre-SP3 builds.

Configuring the MTA Scan Job

When configuring the MTA Scan Job settings, select the MTA messages (Inbound or Outbound) and optionally specify Deletion Text.

To configure the MTA Scan Job

  1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.

  2. Click MTA Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

  3. Select whether you would like to scan Inbound or Outbound messages.

    • Selecting the Inbound check box configures Antigen for Exchange to scan all e-mail messages that are handled by the Exchange MTA. A message is designated as inbound if it originated from, or was relayed through, an external server. If the Exchange servers within that site or organization are not running Antigen, this is an effective way to protect them from infected e-mail messages coming from the Internet.
    • Selecting the Outbound check box configures Antigen for Exchange to scan all outgoing messages that are passing through the Exchange MTA. Messages are designated as outbound if at least one recipient has an external address.
  4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

    Note

    Antigen for Exchange provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

  5. Click Save.

Configuring the antivirus scanners and job action

After you configure the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

  1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.

  2. Select the MTA Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

  3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to perform file filtering and content filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the MTA Scan Job.

  4. Select the bias to control how many engines should be used to provide an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

  5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:

    • Skip: detect only—Make no attempt to clean or delete. Viruses are reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
    • Clean: repair document—Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the deletion text.
    • Delete: remove infection—Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. The text file contains the following string: "Antigen for Exchange found a virus and deleted this file."
  6. Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications. (For more information about configuring notifications, see Chapter 18 - Using e-mail notifications.) Notifications are disabled by default.

  7. Enable or disable the saving of attachments that are detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

  8. Click Save.

Scanning nested compressed files

Deeply nested compressed files can slow the performance of Antigen and the Exchange server. Multiple nesting is also a known denial-of-service attack against antivirus products. To minimize the potential impact on server performance and guard against denial-of-service attacks, the Antigen registry key MaxNestedCompressedFile is set to 5 by default. This setting enables Antigen to search up to five nested, compressed attachments to scan for viruses. Attachments with more than five nestings are marked for deletion.

You can change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Using the Antigen Administrator.
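The following is an added illustration of the MaxNestedCompressedFile policy described above; it is not Antigen code and does not read the Antigen registry. It counts zip nesting levels, stops descending as soon as the configured limit is exceeded (so a deliberately deep archive is never fully unpacked), and reports whether such an attachment would be scanned or marked for deletion. The nested sample archive is constructed in memory for the demonstration.

```python
import io
import zipfile

MAX_NESTED_COMPRESSED_FILE = 5   # Antigen default described on this page
MAX_MEMBER_BYTES = 1024 * 1024   # assumed per-member read cap; bounds decompression work


def nesting_depth(data: bytes, limit: int = MAX_NESTED_COMPRESSED_FILE) -> int:
    """Count zip-in-zip layers in `data`, never descending past `limit` + 1.

    A non-archive blob has depth 0; a zip holding plain files has depth 1.
    Stopping at limit + 1 is the denial-of-service mitigation: an archive
    nested hundreds of levels deep costs only limit + 1 openings.
    """
    depth = 0
    current = [data]
    while current and depth <= limit:
        next_level = []
        for blob in current:
            if not zipfile.is_zipfile(io.BytesIO(blob)):
                continue
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for name in zf.namelist():
                    with zf.open(name) as member:
                        # Read at most MAX_MEMBER_BYTES; an oversized member is
                        # not descended into (a truncated zip is not a zip).
                        next_level.append(member.read(MAX_MEMBER_BYTES))
        if not next_level:
            break
        depth += 1
        current = next_level
    return depth


def attachment_action(data: bytes, limit: int = MAX_NESTED_COMPRESSED_FILE) -> str:
    """'scan' when nesting is within the limit, 'delete' when it exceeds it."""
    return "delete" if nesting_depth(data, limit) > limit else "scan"


def build_nested_zip(levels: int, payload: bytes = b"sample attachment") -> bytes:
    """Constructed sample input: `payload` wrapped in `levels` zip layers."""
    blob = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}.bin", blob)
        blob = buf.getvalue()
    return blob


if __name__ == "__main__":
    for levels in (0, 1, 5, 6, 50):
        sample = build_nested_zip(levels)
        print(levels, nesting_depth(sample), attachment_action(sample))
```

Run as a script it prints the measured depth and resulting action for 0, 1, 5, 6 and 50 constructed layers; the 50-layer case stops at depth 6 rather than unpacking every layer.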

Note

By default, entries into the registry are hexadecimal values. This is not noticed until you enter a value that is greater than 9. If you are entering a value greater than 9, you must change the option from hexadecimal to decimal.

Controlling the MTA Scan Job

After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the MTA Scan Job.

To control the MTA Scan Job

  1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right.

    The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether it is performing scanning or filtering operations.

  2. Select the MTA Scan Job.

  3. If the State for the scan job is not set to Enabled, click Enable to enable the scan job.

  4. Select or clear the check boxes that determine whether you can perform Virus Scanning, File Filtering, and Content Filtering. Any change to these settings is performed immediately, even if the scan job is currently running.

Checking results and status

The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format.
