
Microsoft Antigen for Exchange Best Practices

Microsoft Antigen for Exchange Version 9.0


Microsoft Corporation Published: February 2008

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2007 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, Outlook, Visual Basic, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Review the Microsoft Antigen Privacy Statement at the Microsoft Antigen Web site.

Contents
Microsoft Antigen for Exchange Best Practices
Introduction to Microsoft Antigen for Exchange best practices
Deployment considerations
During a virus outbreak
General Options
  General Options - Important Settings
Microsoft Exchange Best Practices Analyzer
Scanning considerations
  Scan on Scanner Update General Option
Store scanning effects
  Store scanning when using default settings
Updating engines
Antivirus settings
  Bias setting
  Action
  Quarantine files
Filtering files by type and by extension
  Filtering by file type
  Filtering by file extension
  Recommended methods for configuring a file filter
  Additional topics
Filtering on the SMTP Scan Job

Introduction to Microsoft Antigen for Exchange best practices


This document details the recommended settings to use when configuring Microsoft Antigen for Exchange Version 9.0 with Service Pack 1. Following these recommendations will help to ensure the best possible configuration for your system, thereby preventing harm to your e-mail infrastructure. These settings are recommendations from technical specialists at Microsoft. However, the settings are intended primarily as guidelines; for optimal results, they should be monitored and adjusted to fit the needs of your enterprise.

Note: As a rule, Antigen defaults are the recommended settings.

For complete installation and usage instructions, see the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library.

Deployment considerations
For global protection throughout the enterprise, it is recommended that Antigen for Exchange be deployed on all Gateway and Mailbox servers. For optimal performance, all Gateway servers should have identical protection settings. Before installing Antigen on a Mailbox server, you should conduct careful capacity planning and performance assessments to ensure that the server is operating with enough spare processing capacity to tolerate the extra load imposed by antivirus scanning. The Antigen multiple engine architecture helps to maximize antivirus protection through diversity. Studies have shown that scanning with five engines decreases the window of vulnerability from the time that a new threat is encountered to the time that at least one engine vendor has released a protective signature. By default, messages are scanned only once by Antigen. However, it is a best practice to schedule background scanning on the Mailbox server to periodically rescan messages by using the latest available signatures.

Note: Because such a configuration is likely to negatively affect system performance, it is recommended that you do not use more than 5 scan engines for any given scan job.

To enable background scanning on engine update
1. Enable the Realtime Scan Job for the Storage Groups that you would like scanned by the Background Scanner.
2. In the Schedule Job pane, enable the Background Scan Job and schedule it to run at a selected date, time, and frequency.

During a virus outbreak


During a virus outbreak scenario, it is recommended that you enable the Scan on Scanner Update feature in General Options. This causes e-mail to be scanned repeatedly each time that your scan engines are updated. Usually, you would not select this setting; however, if your server has a significant amount of free capacity and the e-mail experience is not affected, leaving this feature on all the time ensures the highest level of protection. Keep in mind that selecting this feature can have a considerable performance impact on a busy server, because it leads to significantly more scanning at the Store. You can also use Background scanning (which applies the latest signatures for the engines chosen for the Realtime Scan Job) to scan a Mailbox server after a known outbreak has occurred. This will clean the server of malware that was received before protection signatures were available. If additional information is known about certain characteristics of the malicious e-mail, file filters or Sender subject filters can be enabled in the Realtime Scan Job.

General Options
General Options, which is accessed from the SETTINGS shuttle of the Antigen Administrator, provides access to a variety of system-level settings for Antigen for Exchange. This eliminates the need to directly access the registry to change the settings. Although there are many options that can be controlled through the General Options pane, each of them has a default setting (Enabled, Disabled, or a value) that is probably the correct one for your enterprise. These settings rarely need to be changed.

General Options - Important Settings


You should pay particular attention to these settings:

Critical Notification List
If Antigen stops working on the server, or if there is a serious issue with scanning, Antigen will send a notification that is vital to maintaining a stable and secure environment.

Send Update Notification
Whenever a server attempts to download and update a scan engine, it is a best practice to send a notification. Although this will generate multiple e-mails each hour from each server, it is an effective way of tracking current processes. If a scan engine fails to update, it is easy to identify the cause and take the appropriate action. A simple rule can be set up in Microsoft Office Outlook to manage the volume of notifications.

Body Scanning Realtime
Antigen can scan the actual message body for embedded viruses. Because message body scanning is performance-intensive, it is disabled by default in the Realtime Scan Job. Usually, the best practice is to keep it disabled for Realtime, except during a virus outbreak that might involve a message body virus. Message body scanning is always enabled for the SMTP Scan Job.

Delete Corrupted Compressed Files
You should select this option because Antigen cannot parse the file.

Delete Corrupted Uuencode Files
You should select this option because Antigen cannot parse the file.

Delete Encrypted Compressed Files
You should select this option because encrypted files cannot be scanned by antivirus scan engines.

Scan Doc Files - Manual
You should select this option because viruses and worms can be embedded in container files (such as .doc, .xls, .ppt, and .shs). You should also enable the equivalent setting for the Internet and Realtime scan jobs.

Scan on Scanner Update
It is recommended that you turn on this option during an outbreak scenario, so that e-mail will be rescanned each time an engine is updated. You will achieve the best protection because scanning is always done with the latest signatures. When the outbreak passes, turn this option off again, because it can negatively affect system performance.

Realtime Process Count
To enhance performance, Antigen allows additional processes to be created for the Realtime Scan Job. If the first process is busy scanning a file, the second process begins to scan, and so on. By changing this value, the number of processes can be increased up to ten. The Antigen Service must be recycled for the change to take effect. However, be cautious when increasing the number of processes, because each additional process consumes more server resources. It is best to add processes one at a time, and evaluate the performance at each step. It is recommended that you set the number of processes to twice the number of effective processors on the server. For example, a two-processor server or a single processor dual core server should have the Realtime Process Count set to four (the default). If the server contains two processors, each of which is dual core, the recommended setting is eight. These same guidelines apply to the Internet Process Count.

Deliver From Quarantine Security
Although the default value of Secure Mode is more secure than the other parameter option, Compatibility Mode, Secure Mode can involve considerable administrative overhead. For example, if you have a quarantined file that needs to be released, you must stop the file filter completely before you can release it, and then go back and enable the filter again. Therefore, you may find that Compatibility Mode is more suitable.

Max Container File Size
It is recommended that you change this value to match your e-mail policy concerning the largest allowable file attachment size. If a filter match or a virus is detected, attachments larger than this value will automatically be deleted. By default, this setting is 26,214,400 bytes.

Internal Address
Antigen can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field to indicate who should be sent internal notifications. Domains should be entered as a semicolon-delimited list (for example, microsoft.com;microsoft.net;company.com), with no spaces. Any change to this value is immediately reflected in virus notifications. When entering a domain name in the Internal Address field, be aware that subdomains are covered by the entry. For example, domain.com will include subdomain.domain.com and subdomain2.domain.com. Alternate domains, such as domain.net or domain.org, must be entered individually. If you have a large number of domains to be used as internal addresses, you can enter them in an external text file (leaving the Internal Address field blank). Enter all of your internal domains, each on a separate line. Be aware that all subdomains must be entered individually. To use the external file, you must manually create the registry key DomainDatFilename and set its value to the full path of the external text file. For more about this key, see the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library.

Enable Background Scan if 'Scan On Scanner Update' Enabled
Initiates a background scan every time a scan engine is updated, if the General Option setting Scan on Scanner Update is enabled. This setting can be left enabled, even when Scan on Scanner Update is disabled. Background Scanning applies only to Mailbox servers that have Antigen installed.
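The two Internal Address lookup rules above differ in a way that is easy to get wrong: a domain typed into the field also covers its subdomains, while a domain listed in the external file matches only exactly. The following Python script is an added example, not code from this guide or from Antigen; it reproduces those rules so that an administrator can check a proposed list against sample sender addresses before deploying it. The function names, the semicolon and newline parsing, the exact domain comparison and the sample addresses are assumptions made for the example.

```python
"""Reproduce the Internal Address matching rules for Antigen notifications.

Added example, not Antigen code. Two lookup modes are modelled:
  - field mode: a semicolon-delimited list typed into the Internal Address
    field, where an entry such as domain.com also covers its subdomains;
  - file mode: one domain per line in the external text file named by the
    DomainDatFilename registry value, where subdomains must be listed
    individually, so matching is exact.
The comparison used for "covers its subdomains" (suffix match on a dot
boundary) is an assumption made for this example.
"""
from __future__ import annotations

from typing import Iterable


def parse_internal_address_field(value: str) -> list[str]:
    """Parse the field value, e.g. 'microsoft.com;microsoft.net;company.com'.

    The guide requires a semicolon-delimited list with no spaces, so a space
    is reported as a configuration error rather than silently accepted.
    """
    if " " in value:
        raise ValueError("Internal Address field must not contain spaces")
    return [d.lower() for d in value.split(";") if d]


def parse_domain_file(text: str) -> list[str]:
    """Parse the external domain file: one domain per line, blank lines ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def sender_domain(address: str) -> str:
    """Return the domain part of an SMTP address, lower-cased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an SMTP address: {address!r}")
    return domain.lower()


def is_internal(address: str, domains: Iterable[str], from_file: bool) -> bool:
    """Decide whether an address is treated as internal for notifications.

    from_file=False applies the field rule (an entry covers its subdomains).
    from_file=True applies the external-file rule (exact match only).
    The dot-boundary check stops evildomain.com from matching domain.com.
    """
    dom = sender_domain(address)
    for entry in domains:
        if dom == entry:
            return True
        if not from_file and dom.endswith("." + entry):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample configuration and addresses.
    field = parse_internal_address_field("microsoft.com;microsoft.net;company.com")
    print(is_internal("user@mail.company.com", field, from_file=False))   # True
    print(is_internal("user@mail.company.com", ["company.com"], from_file=True))  # False
```

Run the script with a candidate list and the addresses you expect to be internal; an address that is internal in field mode but not in file mode is a subdomain that must be added as its own line when the external file is used.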

Microsoft Exchange Best Practices Analyzer


The Microsoft Exchange Best Practices Analyzer collects settings and values from the registry, Active Directory directory service (AD), metabase, and Performance Monitor. The settings are compared against a set of Best Practice rules. A report is then generated that provides administrators with recommendations for improving the system. To download and run Microsoft Exchange Best Practices Analyzer, go to Exchange Best Practices Analyzer. Among the items that the Exchange Best Practices Analyzer checks are whether your Antigen Services have started, settings that are described in General Options, and the following registry settings that are not available as General Options:

InternetTimeout. To prevent time-out problems when scanning messages, try increasing the time specified in the InternetTimeout registry value. Because this is a hidden registry value, you will need to create a new DWORD registry value called InternetTimeout and set the time in milliseconds. If the value is set too low, this may cause the virus scanner to time out too quickly when processing a single item. If the value is set too high, the virus scanner may spend too much time processing a single item. Therefore, a minimum value of 150000 and a maximum value of 660000 are recommended.

RealtimeTimeout. This setting concerns Store scanning rather than Internet scanning. It must be created and set to the same specifications as the InternetTimeout registry key.

For more information about registry values, see Appendix B - Registry Keys in the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library.

Scanning considerations
This section discusses the effects of different scanning options on SMTP scanning (SMTP Scan Job) and Store scanning (Realtime or Manual Scan Job). Store scanning includes two General Options that can be enabled as desired: Scan on Scanner Update, and Enable Background Scan if 'Scan on Scanner Update' Enabled. Each option affects Store scanning behavior. Generally speaking, as each additional option is enabled, the amount of Store scanning increases, as does the level of protection. Increased scanning, however, potentially affects performance.

Scan on Scanner Update General Option


This setting causes previously scanned files to be rescanned when accessed following a scanner update. This provides heightened security protection by rescanning messages with the latest signatures. This setting is applicable only to Mailbox servers. For additional best practices about scanner updates, see Updating engines.

Enable Background Scan if 'Scan on Scanner Update' Enabled General Option


This setting initiates a background scan every time a scan engine is updated, if the General Option setting Scan on Scanner Update has been enabled. This setting is applicable only to Mailbox servers. Because engine updates occur frequently, this setting will have the effect of initiating a background scan on large Mailbox stores.

Transport scanning for outbound messages


It is good Internet etiquette to scan your outbound e-mail messages for viruses. In addition, this can protect you from legal liability if an infected PC in your organization attempts to send out viruses (a common behavior of worm viruses).

Store scanning effects


The following sections show, in table format, the effects that the various options have on Store Scanning.


Store scanning when using default settings


The following table describes the default Store Scanning used by Antigen for Exchange. This is the behavior you will see if no default settings are changed.

Normal Mode (defaults)
On first access: Always scan.
On subsequent access: Do not scan.
During Background Scan: Always scan.
During manual scan: Always scan.

The following tables show the deviations from the normal mode that occur as you enable the options.

Store scanning with a single option enabled


The following table shows the effect of enabling one additional store scanning option when running a Realtime or Manual Scan Job.

Scan on Scanner Update enabled
On subsequent access: Scan if an engine has updated since previous on-access scan.

Store scanning with two options enabled


The following table describes the effect of enabling two store scanning options.

Scan on Scanner Update enabled, and Enable Background Scan if 'Scan on Scanner Update' enabled
On subsequent access: Scan if an engine has updated since previous on-access scan. Also starts a background scan every time an engine updates.


Updating engines
It is recommended that you use the UNC method of updating your engines. That is, have one server receive updates from the Microsoft HTTP server, and then share those updates among the other servers in your environment. After one server receives an engine update, it can share that update with any other server whose network update path points to it. This can save significantly on Internet bandwidth and make your updates quicker and more efficient. To use the UNC updating method, see the File scanner updating overview chapter in the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library. Updates should be staggered across an environment so that the Gateway layer updates its engines first, with the back end servers updating their engines later in the hour. Then, if an update causes unexpected behavior, you have whatever time interval that you have specified (for example, 30 minutes) to ensure that the problematic update does not get to the back-end servers. Be aware of the specifics of the engines that you are using. Some virus labs routinely release signatures more frequently than others, although all labs respond to a major outbreak with more frequent updates. The update schedule for any engine that updates more frequently than others should be set accordingly. Even if you are not using a particular engine, you should update the engine once a day, so that if you need to activate it, the signatures will be up-to-date.

Antivirus settings
Configure the scan job with your engine, bias setting, action, and quarantine selections.

Bias setting
The bias setting controls how many engines are used to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be detected. However, the more engines you use, the greater the impact on your system's performance. While Antigen for Exchange uses a very efficient in-memory scanning process, each additional engine adds to scanning time and resource usage. Therefore, at one extreme is the number of engines to use for maximum certainty. The other extreme is the number of engines that will allow maximum performance. Generally, it is recommended that you use all available scan engines. You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your Gateway server to maximize its performance. Then, you can use several engines on your other servers where performance is not as critical. It is recommended that you use the same engines and bias settings on all Gateway servers. This ensures the same degree of scanning on inbound, outbound, and internal mail, and also helps to prevent unnecessary duplicate scanning. When using Maximum Certainty, mail flow is held up whenever a scan engine is being updated because Maximum Certainty requires that every message be scanned by every selected engine. To provide complete scan engine coverage, mail is queued until the scan engine update is finished (typically, less than 30 seconds). To avoid this, you should select Favor Certainty, in which case scanning and mail flow continue via all other selected engines while an engine is being updated.

SMTP Scan Job bias


It is recommended that you set the bias level to Favor Certainty. This is your server's first line of defense against unwanted and malicious messages and attachments; therefore, as much of the load as possible should be handled at this level. It is recommended that you use Inbound, Outbound, and Internal Scanning on all servers. A message traveling between Exchange servers in different routing groups will be transmitted by using SMTP. Therefore, by scanning at this level, you can identify and stop an outbreak of an SMTP mass mailer and keep it on the server from which it originated.

Realtime Scan Job bias


It is recommended that you set the bias level to Favor Certainty, because the safety of the e-mail infrastructure should be your main concern. This setting will ensure that all of the available engines are used (those that are not being updated) and that no e-mail messages can be opened without having passed through the maximum number of engine scans.

Manual Scan Job bias


It is recommended that the settings be the same as those you select for the Realtime Scan Job.

Action
It is recommended that you set the action setting to Delete: Remove Contents. Attempting to clean and repair an attachment was more useful years ago, when cleanable viruses were more common and valid documents were often infected. The virus world has changed over the years, and the vast majority of viruses today are not cleanable. Also, a valid infected file is much less common. Most of the time, the entire attachment is a virus and has no valid content. Because the attempt to clean the virus requires additional processing resources, which in most cases are wasted, the Delete option is a better choice.

Quarantine files
The Quarantine feature provides an added level of security because you can retrieve a message that has been incorrectly tagged as a virus. However, there is overhead involved in quarantining files, particularly if many viruses are captured each day. Large organizations can block millions of viruses in a month. Many of these, however, might be worm viruses that are never quarantined. Ideally, you want to quarantine detected viruses, but you might determine that the better course is to simply delete them, even at the risk of losing valid e-mail message content. Not quarantining or sending notifications can greatly simplify your virus management, but this includes the risk of losing e-mail communications that users might want to receive.

Filtering files by type and by extension


You can filter files in a number of ways:
By type, for example DOCFILE file type
By extension, for example *.exe
By name, for example filename.extension
By size, for example >5mb

This section focuses on the difference between filtering by file type and by file extension. The Microsoft Antigen for Exchange User Guide, available at the Microsoft Antigen TechNet Library, goes into detail about the other ways of filtering files, as well as how to configure all the file filtering options.

Filtering by file type


To filter file attachments by type, create a * file filter and select the file types you want filtered in the File Types section of the Administrator console. For example, create the filter * and set the File Types to MP3. This ensures that all MP3 files are filtered regardless of their file name or extension. Even if the file is renamed it will still be filtered. For example, if the file extension is renamed from .MP3 to .xyz, it will still be detected by the MP3 filter you configured. One advantage of setting a generic * filter and associating it with a certain file type is that it reduces the chance of false positives since Antigen looks at the file header information instead of the file name. Therefore, it is recommended that you use this configuration whenever possible.


Note: There is additional information on configuring file type filters for Office 2007 and older files in the Microsoft Antigen for Exchange User Guide.

Filtering by file extension


To filter files that have a specific extension, you can create a generic filter for the extension and set the File Types selection to All Types. For example: Create the filter *.exe* and set the File Types selection to All Types. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter. This ensures that all files with an .exe extension are filtered. You can also set the File Types to a specific type. However, when doing so the file extension and file type must both match for the filter to be applied correctly. If the file extension filter does not match the extension of the attached file, the specified action will not be applied regardless of the file type.

Example:
File Filter   File Type   Action
1) *.rtf      DOCFILE     Skip: detect only
2) *          All Types   Delete: remove contents

If you send through an attachment with a .doc extension, for example filename.doc, it will be deleted rather than skipped. The first action listed of Skip: detect only will not be applied but the second (Delete: remove contents) will be. Even though Antigen recognizes the file as a Microsoft Word document, the file extension does not match the first extension filter of *.rtf. Even if you set the first filter to All Types instead of DOC, the attached file still will not match the filter because it does not have a .rtf extension. However, if the file extension matches, the File Type is checked to see if it too matches, and if so, the action is applied, even on renamed files.

Example:
File Filter   File Type   Action
1) *.doc      DOCFILE     Delete: remove contents

If you rename an .exe to a .doc, Antigen will not remove it. Although the file extension matches the filter, Antigen is able to determine that the file is not a valid DOCFILE file; therefore it does not match the file type you configured.


Recommended methods for configuring a file filter


In summary, the following are the recommended methods for configuring a file filter:
1. Create a * file filter and select the specific File Types (for example, DOCFILE) you want filtered.
2. Create a generic filter for the extension (for example, *.exe*) and set File Types to All Types.
3. Create a generic filter for the extension (for example, *.exe*) and set File Types to a specific type. Note that this is the riskiest method since you must be sure of the file type and file extension when creating such a filter.
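The ordering of the two checks (name pattern first, then File Type) decides every case in the examples above, including the renamed .exe and the MP3 that keeps its content type under a new extension. The following Python script is an added example, not code from this guide or from Antigen, that models the three recommended filter methods and the two worked examples from the preceding section so the outcome of a filter list can be checked against constructed attachments. The header signatures used for type detection, the first-matching-filter ordering, the class and function names and the sample attachments are assumptions made for the example; Antigen's real type detection covers far more formats than the three sketched here.

```python
"""Simulate how an Antigen-style file filter list is evaluated.

Added example, not Antigen code. Two rules from the guide are modelled:
  1. the file-name pattern must match first;
  2. only then is the File Type compared, either All Types or a type
     detected from the file header rather than from the file name.
The header signatures, the first-match ordering and the sample
attachments below are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

ALL_TYPES = "All Types"

# Constructed header signatures standing in for Antigen's type detection.
_SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "DOCFILE"),  # OLE2 compound file (.doc/.xls/.ppt)
    (b"MZ", "EXE"),                                    # Windows executable image
    (b"ID3", "MP3"),                                   # MP3 audio with an ID3v2 tag
]


def detect_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name entirely."""
    for magic, name in _SIGNATURES:
        if data.startswith(magic):
            return name
    return "UNKNOWN"


@dataclass(frozen=True)
class FileFilter:
    pattern: str    # file-name pattern, e.g. "*", "*.exe*", "*.rtf"
    file_type: str  # ALL_TYPES or a detected type such as "DOCFILE"
    action: str     # e.g. "Delete: remove contents" or "Skip: detect only"

    def matches(self, filename: str, detected: str) -> bool:
        # Rule 1: the name pattern must match (case-insensitively, as file
        # names on Exchange are not case-sensitive).
        if not fnmatchcase(filename.lower(), self.pattern.lower()):
            return False
        # Rule 2: only a name match proceeds to the File Type comparison.
        return self.file_type == ALL_TYPES or self.file_type == detected


def evaluate(filters: list[FileFilter], filename: str, data: bytes) -> str | None:
    """Return the action of the first matching filter, or None if none matches."""
    detected = detect_type(data)
    for f in filters:
        if f.matches(filename, detected):
            return f.action
    return None


# Constructed sample attachments; a few header bytes are enough for the sniffer.
DOC_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 8
MP3_BYTES = b"ID3\x03\x00" + b"\x00" * 8

# The guide's first worked example: *.rtf/DOCFILE/Skip, then */All Types/Delete.
EXAMPLE_1 = [
    FileFilter("*.rtf", "DOCFILE", "Skip: detect only"),
    FileFilter("*", ALL_TYPES, "Delete: remove contents"),
]
# The guide's second worked example: *.doc restricted to real DOCFILE content.
EXAMPLE_2 = [FileFilter("*.doc", "DOCFILE", "Delete: remove contents")]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_1, "filename.doc", DOC_BYTES))   # Delete: remove contents
    print(evaluate(EXAMPLE_2, "renamed.doc", EXE_BYTES))    # None (not a DOCFILE)
    print(evaluate([FileFilter("*", "MP3", "Delete: remove contents")],
                   "song.xyz", MP3_BYTES))                  # Delete: remove contents
```

The `*.exe*` case shows why the trailing asterisk matters: `*.exe` alone does not match `setup.exe.txt`, whereas `*.exe*` does, and with File Types set to All Types the action applies regardless of what the bytes contain. Restricting that same pattern to a specific type is the third, riskiest method, because a mismatch in either the name or the detected type lets the attachment through.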

Additional topics
The Microsoft Antigen for Exchange User Guide, available at the Microsoft Antigen TechNet Library, describes the following additional topics related to file filtering:
Configuring file filters based on their size.
Creating filter lists containing multiple file filters.
Using wildcard characters to have your filter match patterns in the file name, rather than a specific file name.
Configuring a filter so that it checks only inbound or outbound messages.
Filtering container files.
Excluding the contents of a container file from being scanned for filter matches.
Using file filtering to block some file types and permit others.
Importing and exporting items into/from a file filter list.
Creating a filter set template, which can contain a combination of file filters and content filters.
Disabling file filtering for specific scan jobs.


Filtering on the SMTP Scan Job


It is recommended that you set up a filter list for the SMTP Scan Job that contains the file types that are most likely to be infected. Additional filtering capabilities can be obtained by using Microsoft Exchange Server 2003 message filtering (see the Exchange 2003 help topics). One difference between Antigen file filtering and Exchange file filtering is that Exchange filters only the file name, while Antigen attempts to detect and filter files that match the file type, even if the file name has been changed.

Note: You should review this list periodically.

To configure a filter list of potentially dangerous file types
1. Create a filter list for all files with the following extensions:

Extension   Type of file
*.ace       Archive file
*.ade       Microsoft Office Access Project Extension
*.adp       Microsoft Access Project
*.adt       ACT! Document template
*.app       Executable application
*.asp       Active Server Page file
*.arj       Archive file
*.asd       Word file that always has macros
*.bas       Microsoft Visual Basic class module
*.bat       Batch file
*.bin       Binary file
*.btm       Batch to memory batch file
*.cbt       Computer-based training
*.ceo       Virus
*.chm       Compiled HTML Help file
*.cmd       Windows NT Command script
*.cla       Java class file
*.class     Java class file
*.com       Microsoft MS-DOS program
*.cpl       Control Panel extension
*.crt       Security certificate
*.csc       Corel script file
*.css       Cascading style sheet file
*.dll       DLL file
*.drv       Driver file
*.exe       Program
*.email     Microsoft Office Outlook Express e-mail message
*.fon       Font file
*.hlp       Help file
*.hta       HTML program
*.htm*      HTML file
*.inf       Setup information
*.ins       Internet Naming Service
*.isp       Internet Communication settings
*.je        JScript file
*.js        JScript file
*.jse       JScript Encoded Script file
*.lib       Program Library Common Object file format
*.lnk       Shortcut
*.mdb       Access database file
*.mde       MDE database
*.mht       Archived Web page
*.mhtml     Archived Web page
*.mhtm      Archived Web page
*.msc       Microsoft Common Console document
*.msi       Microsoft Windows Installer package
*.mso       Math script object file
*.msp       Microsoft Windows Installer patch
*.mst       Microsoft Visual Test source file
*.obj       Relocatable object code
*.ocx       Object linking and embedding control executable
*.ov?       OrgViewer file
*.pcd       Photo CD image, Microsoft Visual compiled script
*.pgm       CGI program
*.pif       Shortcut to MS-DOS program
*.prc       Palm Pilot resource file
*.rar       Archive file
*.reg       Registration entries
*.scr       Screen saver
*.sct       Windows Script component
*.shb       Shortcut into a document
*.shs       Shell Scrap object
*.smm       AMI Pro macro
*.swf       Macromedia file
*.sys       System device driver
*.tar       Archive file
*.url       Internet shortcut
*.vb        VBScript file
*.vbe       VBScript encoded script file
*.vbs       VBScript file
*.vxd       Virtual device driver
*.wsc       Windows Script component
*.wsf       Windows Script file
*.wsh       Windows Script Host Settings file
*}          CLSID Filter

2. Filter these files in any container file.
3. Ensure that Delete Corrupted Compressed Files is selected in General Options.
4. Ensure that Delete Encrypted Compressed Files is selected in General Options.
5. Enable the filter.
6. Save the filter.
