Exchange Server 2010 : Managing Anti-Spam and Antivirus Countermeasures (part 2) - Configuring Antivirus Features

5/28/2011 11:28:58 AM

2. Configuring Antivirus Features

Spam can be a considerable nuisance, and an email system clogged with excessive spam can be virtually useless. However, virus attacks are arguably a greater and more sinister threat. Spam mail can be malicious—for example, it can include attachments that install a virus, it can induce the unwary to access a phishing site, or it can initiate some other scam that persuades a victim to reveal passwords or banking details. However, the vast majority of spammers want to sell their goods and services, not put you out of business. A virus can destroy an entire system or can lurk silently in the background, stealing your users’ confidential details.

You can combat viruses such as worms, Trojan horses, and other malware by the application of attachment filtering and the use of edge transport rules. You can also use Microsoft Forefront Protection 2010 for Exchange Server and file-level antivirus scanning software.

2.1. Attachment Filtering

Attachment filtering applies filters at the server level to control the attachments your users receive. Remember that attachment filters can be configured only on a per-server basis. If your organization has multiple Edge Transport servers, you need to add the same attachment filter to all Edge Transport servers.

Many attachments can potentially contain viruses or other inappropriate material that could cause significant damage. You can use the following types of attachment filtering to control attachments that enter or leave your organization:

  • File name or file name extension filtering: You can specify the exact file name or file name extension to be filtered. An exact file name filter could be, for example, TrojanHorse.exe. A file name extension filter could be, for example, *.exe.

  • File MIME content type filtering: You can filter attachments by specifying the MIME content type to be filtered. MIME content types indicate, for example, whether the attachment is a JPEG image, an executable file, a Microsoft Word file, or some other file type.

The following EMS command lists all the file name extensions and content types that attachment filtering can filter:

Get-AttachmentFilterEntry | FL

If an attachment matches your filter criteria, you can specify that one of the following actions is performed on the attachment:

  • Strip attachment but allow message through: This is the default setting. The attachment is removed, but the email message and any other attachments that do not match the filter are allowed through. If an attachment is removed, it is replaced with a text file that explains why it was removed.

  • Block whole message and attachment: The attachment, together with its whole email message, is blocked from entering the messaging system. The sender receives a delivery status notification (DSN) message that indicates that the message contains an unacceptable attachment file name.

  • Silently delete message and attachment: The attachment, together with its whole email message, is blocked from entering the messaging system. Neither the sender nor the recipient receives notification.

It is not a good idea to remove attachments from digitally signed, encrypted, or rights-protected email messages. If you remove attachments from such messages, you invalidate the digitally signed messages and make encrypted and rights-protected messages unreadable. If such a message includes a suspect attachment, you need to block or silently delete the message and attachment.

By default, the Attachment Filter agent is enabled on an Edge Transport server. The following EMS command disables the Attachment Filter agent on the Edge Transport server on which it is entered:

Disable-TransportAgent -Identity "Attachment Filter agent"

The following EMS command enables the Attachment Filter agent if it has previously been disabled:

Enable-TransportAgent -Identity "Attachment Filter agent"

You can configure an attachment filter entry to filter attachments by attachment content type or by attachment file name. In Exchange Server 2010, you can configure multiple attachment filters on an Edge Transport server. The following EMS command filters all JPEG images on the Edge Transport server on which it is entered:

Add-AttachmentFilterEntry -Name image/jpeg -Type ContentType

The following EMS command filters all email attachments that have the file name extension .exe on the Edge Transport server on which it is entered:

Add-AttachmentFilterEntry -Name *.exe -Type FileName

You can use commands based on the Set-AttachmentFilterListConfig EMS cmdlet to configure attachment filtering on an Edge Transport server. For example, the following EMS command sets the Attachment Filter agent to reject messages that have prohibited attachments and configures a custom response for rejected messages:

Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "A prohibited attachment was included in your e-mail message. Please remove the attachment and send your message again."
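As an added worked example (not code from the book), the following EMS session puts the attachment-filtering steps above together on one Edge Transport server and checks the result. The file name patterns and the MIME type are illustrative choices, and the AdminMessage and ExceptionConnectors parameters are assumed from the cmdlet's documented parameter set rather than taken from this page.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on an Edge Transport server; attachment filters are per-server, so repeat
# the same commands on every Edge Transport server in the organization.

# 1. Confirm the Attachment Filter agent is enabled (it is by default).
Get-TransportAgent -Identity "Attachment Filter agent" | Format-List Name, Enabled, Priority

# 2. Add filter entries. -Type FileName takes an exact name or an extension
#    wildcard; -Type ContentType takes a MIME type. The values below are
#    illustrative: common executable extensions plus the MIME type that
#    Windows mail clients typically use for .exe attachments.
"*.exe", "*.scr", "*.pif" | ForEach-Object {
    Add-AttachmentFilterEntry -Name $_ -Type FileName
}
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType

# 3. Choose the action for matching attachments. Strip (the default) removes the
#    attachment and lets the message through; Reject blocks the message and returns
#    a DSN to the sender; SilentDelete drops both with no notification. Stripping
#    breaks signed, encrypted and rights-protected mail, so this example rejects.
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "A prohibited attachment was included in your e-mail message. Please remove the attachment and send your message again." `
    -AdminMessage "An attachment was removed by the Attachment Filter agent on this server."

# 4. Verify what the agent will now enforce.
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse, AdminMessage, ExceptionConnectors
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize

# Rollback of a single entry uses the Type:Name identity form, for example:
# Remove-AttachmentFilterEntry -Identity "FileName:*.pif"
```

Send a test message with a harmless .exe attachment through the Edge server and confirm the sender receives the DSN text configured above; if it is delivered, check that the Attachment Filter agent is enabled and that the entry list contains the expected pattern.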


2.2. Using Forefront Protection 2010 for Exchange Server

The file-filtering functionality provided by Microsoft Forefront Protection 2010 for Exchange Server includes advanced features that are unavailable in the default Attachment Filter agent. For example, Forefront can scan files that contain other files (container files) for offending file types. Forefront can scan the following container files and act on embedded files:

  • PKZip (.zip)

  • GNU Zip (.gzip)

  • Self-extracting compressed file archives (.zip)

  • Compressed files (.zip)

  • Java archive (.jar)

  • TNEF (winmail.dat)

  • Structured storage (.doc, .xls, .ppt, and others)

  • MIME (.eml)

  • SMIME (.eml)

  • UUEncode (.uue)

  • UNIX tape archive (.tar)

  • RAR archive (.rar)

  • MACBinary (.bin)

Forefront also enables you to filter files by file size. In addition, you can configure Forefront to quarantine filtered files or to send email notifications based on file filter matches.


2.3. Using Edge Transport Rules

You can use the Edge Rules agent and edge transport rules in Microsoft Exchange Server 2010 to help protect your organization from viruses.

Antivirus vendors and administrators respond to virus threats as quickly as possible, but there is inevitably a gap between the time that a virus threat appears and the time that a solution is available. This gap, during which a virus threat remains unknown and unresolved, is called a zero-day virus threat. Transport rules on Edge Transport servers help you manage and control zero-day virus threats in addition to preexisting or ongoing virus threats.

Most viruses contain unique characteristics that identify them, such as a specific email address in the From message header field, a specific subject, or an attachment. You can configure transport rules to identify potentially harmful messages by these unique characteristics and perform a specific action on them. Available actions include sending the message to a quarantine mailbox, deleting it completely, or adding a warning to the subject line. If you can identify an infected message on an Edge Transport server and either reject or delete it, you do not incur the cost (and risk) of storing the message on your internal servers or of scanning the message internally for viruses.

Edge transport rules are used to control the flow of messages that are sent to or received from the Internet. They help protect corporate network resources and data by applying an action to messages that meet specified conditions. These rules are configured for each server.

Edge transport rule conditions are based on data, such as specific words or text patterns in the message subject, body, header, or From address; the SCL; or attachment type. Actions determine how the message is processed when a specified condition is true. Possible actions include the quarantine of a message, dropping or rejecting a message, appending additional recipients, or logging an event. Optional exceptions exempt particular messages from having an action applied.

When you create a transport rule to identify virus threats, you need to examine the reports published about the virus and look for characteristics that identify the virus and that could be used in a transport rule. You also need to ensure that these characteristics do not match any content that may exist in legitimate messages. The following list describes some unique characteristics that a virus may contain:

  • A limited number of identifiable strings in the subject or message body

  • A specific email address in either the From header field or the To header field

  • A message header field that has a specific value

Edge transport rule conditions and exceptions consist of predicates that instruct the Edge Rules agent on an Edge Transport server to examine a specific part of an email message, such as sender, recipients, subject, other message headers, and the message body, to determine whether the rule should be applied to that message.

The Edge Rules agent inspects message properties for specified predicate values. To assign a value to a predicate, you must determine the predicate property. The following predicate properties are available as parameters of the New-TransportRule and Set-TransportRule EMS cmdlets:

  • SubjectContains: Matches messages that contain the specified words in the Subject field

  • SubjectOrBodyContains: Matches messages that contain the specified words in the Subject field or message body

  • HeaderContains: Matches messages where the value of the specified message header contains the specified words

  • FromAddressContains: Matches messages that contain the specified words in the From field

  • AnyOfRecipientAddressContains: Matches messages that contain the specified words in the To, Cc, or Bcc fields of the message

  • SubjectMatches: Matches messages where text patterns in the Subject field match a specified regular expression

  • SubjectOrBodyMatches: Matches messages where text patterns in the Subject field or message body match a specified regular expression

  • HeaderMatches: Matches messages where the specified message header field contains text patterns that match a specified regular expression

  • FromAddressMatches: Matches messages that contain text patterns in the From field of the messages that match a specified regular expression

  • AnyOfRecipientAddressMatches: Matches messages where text patterns in the To, Cc, or Bcc fields of the message match a specified regular expression

  • SclOver: Matches messages with an SCL equal to or greater than the value specified

  • AttachmentSizeOver: Matches messages that contain attachments larger than the specified value

  • FromScope: Matches messages that are sent from the specified (external) address scope

After you identify the unique characteristics of a virus, you can create a transport rule to perform actions on it, such as delete, reject, or quarantine. Take care, however. If you decide to delete or reject a message, you cannot retrieve it. If you want to prevent the message from being delivered but do not want to irretrievably delete it, configure the rule to deliver the message to a quarantine mailbox.

The following actions are available as parameters of the New-TransportRule and Set-TransportRule EMS cmdlets on Edge Transport servers:

  • LogEvent: Inserts an event into the Application log of the local Hub Transport server

  • PrependSubject: Prepends a string to the start of the email message subject field

  • SetScl: Configures the SCL on an email message

  • SetHeader: Creates a new message header field or modifies an existing message header field

  • RemoveHeader: Removes the specified message header field from an email message

  • AddToRecipient: Adds one or more email addresses to the To address list of the email message. The original recipients can see the additional address.

  • CopyTo: Adds one or more email addresses to the Cc field of the email message. The original recipients can see the additional address.

  • BlindCopyTo: Adds one or more email addresses to the Bcc address list of the email message. The original recipients are not notified and cannot see the additional address.

  • Disconnect: Ends the connection between the sending server and the Edge Transport server without generating a non-delivery report message

  • RedirectMessage: Redirects the email message to one or more email addresses specified by the administrator. The message is not delivered to the original recipient, and no notification is provided to the recipient or the sender.

  • Quarantine: Redirects the email message to the spam quarantine mailbox

  • SmtpRejectMessage: Deletes the email message and sends a notification to the sender. The recipients do not receive the message or notification. This action enables you to specify a specific DSN code.

  • DeleteMessage: Deletes the email message without sending a notification to either the recipient or the sender

For example, the following EMS command creates an edge transport rule that sets an SCL level of 7 on any message from the sender NoReply@treyresearch.com where the subject contains the words “lower prices” unless the subject also contains the word “bicycle”:

New-TransportRule -Name "SpamDetection" -From "NoReply@treyresearch.com" `
    -SubjectContainsWords "lower prices" -SetSCL 7 `
    -ExceptIfSubjectContainsWords "bicycle"
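The following is an added example (not from the book) that applies the zero-day procedure described above: a rule that quarantines, rather than deletes, messages matching two characteristics taken from a hypothetical virus report. The indicator values are constructed placeholders, and the parameter names (-FromScope, -FromAddressMatchesPatterns, -SubjectMatchesPatterns, -Quarantine) are assumed to be the Exchange 2010 SP1 forms of the predicates and actions listed above; a quarantine mailbox must already be set with Set-ContentFilterConfig -QuarantineMailbox.

```powershell
# Added example, not from the original article. Run in the EMS on each Edge
# Transport server. The indicator values are constructed placeholders; replace
# them with characteristics taken from the actual published virus report.

$ruleName  = "AV-ZeroDay-EXAMPLE-Quarantine"

# Characteristics of the hypothetical worm: a fixed sending domain and a subject
# that follows a rigid pattern. Both predicates must match (conditions are ANDed),
# which keeps legitimate invoices from other senders out of the match set.
$fromRx    = '@mail\.example\.invalid$'
$subjectRx = '^Invoice #\d{6} for your account$'

# Quarantine instead of DeleteMessage or SmtpRejectMessage: a false positive can
# be released from the quarantine mailbox, but a deleted or rejected message is gone.
New-TransportRule -Name $ruleName `
    -Comments "Hypothetical zero-day worm; quarantine until the AV signature ships" `
    -FromScope NotInOrganization `
    -FromAddressMatchesPatterns $fromRx `
    -SubjectMatchesPatterns $subjectRx `
    -Quarantine $true `
    -Priority 0 `
    -Enabled $true

# Verify how the Edge Rules agent stored the rule: conditions, exceptions, actions.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, Conditions, Exceptions, Actions

# Confirm the spam quarantine mailbox that the Quarantine action delivers to.
Get-ContentFilterConfig | Format-List QuarantineMailbox

# When the antivirus vendor releases a signature, retire the rule instead of
# leaving a stale indicator in place:
# Disable-TransportRule -Identity $ruleName
```

Before enabling such a rule in production, send a message that matches only one of the two characteristics and confirm it is delivered normally; only a message matching both should land in the quarantine mailbox.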