Installation instructions

Manuals Brands GFI Manuals Software MailSecurity, 10-24, 1 Year SMA

GFI MailSecurity for Exchange/SMTP 10

Manual

By GFI Software Ltd.

Summary of content (200 pages)

PAGE 1

GFI MailSecurity for Exchange/SMTP 10 Manual By GFI Software Ltd.
PAGE 2

http://www.gfi.com Email: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI Software Ltd. GFI MailSecurity is copyright of GFI SOFTWARE Ltd.  2000-2008 GFI Software Ltd. All rights reserved.
PAGE 3

Contents About GFI MailSecurity 1 Introduction to GFI MailSecurity ..................................................................................... 1 Key features of GFI MailSecurity ................................................................................... 1 Virus checking using multiple virus engines ........................................................ 1 Email attachment checking/filtering .....................................................................
PAGE 4

Quarantine Upgrade tool .............................................................................................. 39 Using the quarantine upgrade tool ..................................................................... 39 General settings 41 Introduction to settings ................................................................................................. 41 Define the administrator‟s email address .....................................................................
PAGE 5

Configuring decompression filter actions ..................................................................... 84 Enable/disable decompression filters .......................................................................... 85 The Trojan & Executable Scanner 87 Introduction to the Trojan & Executable Scanner ........................................................ 87 What is a Trojan horse? .....................................................................................
PAGE 6

How do I subscribe to a quarantine search folder RSS feed? ......................... 114 Enable the Directory Harvesting filter on quarantined emails .................................... 115 Reporting 119 Introduction to GFI MailSecurity Reporting ................................................................ 119 Configuring the statistical information database ........................................................ 119 Configuring a Microsoft Access database backend ..................................
PAGE 7

System requirements ................................................................................................. 143 Installation procedure ................................................................................................. 143 Launching GFI MailSecurity 10.0 ReportPack for GFI ReportCenter ........................ 147 Selecting a product ....................................................................................................
PAGE 8

Monthly email traffic ......................................................................................... 180 Processed and blocked emails per month ....................................................... 181 Processed emails per month............................................................................ 182 Blocked emails per month ................................................................................ 183 Administrative Reports .........................................................
PAGE 9

About GFI MailSecurity Introduction to GFI MailSecurity The need to monitor email messages for dangerous, offensive or confidential content has never been more evident. The most deadly viruses, able to cripple your email system and corporate network in minutes, are being distributed worldwide via email in a matter of hours (for example, the MyDoom worm). Products that perform single vendor anti-virus scanning do not provide sufficient protection.
PAGE 10

viruses can spread so quickly and cause immense damage, it is best to quarantine such emails before they are distributed to your email users. When GFI MailSecurity quarantines an email, the administrator can review it and then delete or approve the message. Furthermore, you might choose to quarantine mails carrying *.mp3 or *.mpg files, as these hog bandwidth and can needlessly burden a mail server's disk space.
PAGE 11

Screenshot 1 - GFI MailSecurity Configuration GFI MailSecurity from a user's perspective GFI MailSecurity is totally transparent to the user. This means that the user will not notice that GFI MailSecurity is active until it blocks an email that triggers a rule, for example, an email that contains a forbidden attachment or a virus. In the case of a suspicious attachment, GFI MailSecurity will quarantine the email for review by the administrator.
PAGE 12
PAGE 13

Installing GFI MailSecurity Introduction This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install it on a separate machine configured as a mail relay/gateway server. When installing on a separate machine, you must first configure the machine to relay the inbound and outbound emails to your mail server prior to installing this mail security software.
PAGE 14

 Edge Server Role  Hub Transport Role (and any other Microsoft Exchange 2007 server roles which are irrelevant to GFI MailSecurity)  Mailbox and Hub Transport Server Role (and any other Microsoft Exchange 2007 server roles which are irrelevant to GFI MailSecurity) Installing GFI MailSecurity on a mail relay server Figure 2 - Installing GFI MailSecurity on a mail gateway/relay server When installing on a separate server (i.e.
PAGE 15

Installing GFI MailSecurity in front of your firewall Figure 3 - Installing GFI MailSecurity on a separate machine on a DMZ If running a Windows 2000/2003 firewall such as Microsoft ISA Server, a good way to deploy GFI MailSecurity is to install it on a separate machine in front of your firewall or on the firewall itself. This allows you to keep your corporate mail server behind the firewall.
PAGE 16

 Install GFI MailSecurity on the node local hard drive. NOTE: Do not install GFI MailSecurity on the shared drive.  Install the GFI MailSecurity WWW virtual directory on the node‟s Default Web Site.  If you are installing on an IIS cluster, make sure you bind GFI MailSecurity to the Clustered SMTP Virtual Server instance. The following steps show you how to install GFI MailSecurity in a typical Active/Passive Cluster environment.
PAGE 17

server fails over to a cluster node. More information about this issue can be found in Microsoft Knowledge Base Article 885440. Due to the above, the GFI MailSecurity configuration could become unavailable following a failover or moving of an Exchange Virtual Server from one node of the cluster to the other. Installing Service Pack 2 for Exchange Server 2003 is thus recommended.
PAGE 18

installation mode is the way that GFI MailSecurity accesses/gathers the list of email users for generating its scanning rules and notifications.
PAGE 19

Preparing to install GFI MailSecurity on an IIS mail relay server In order to install GFI MailSecurity on a mail relay/gateway machine, it must be running the IIS SMTP Service and World Wide Web service. You must also configure the machine as an SMTP relay to your mail server. This means that the MX record of your domain must be pointing to the gateway machine. This section describes how you can configure your mail relay and install GFI MailSecurity.
PAGE 20

Screenshot 2 - Assign an IP address to the mail relay server 3. Assign an IP address to the SMTP relay server from the IP address list and then click OK. Step 3: Configure the SMTP service to relay mail to your mail server Now you must configure the SMTP service to relay inbound messages to your mail server. Start by creating a local domain in IIS to route mail: 1. On the taskbar, click Start  Settings  Control Panel. Doubleclick Administrative Tools and then double-click Internet Information Services.
PAGE 21

Screenshot 3 - SMTP Domain Wizard - Selecting domain type b) Select Remote and then click Next. c) Type the domain name in the Name box and then click Finish. IMPORTANT NOTE ABOUT LOCAL DOMAINS NOTE: Upon installation, GFI MailSecurity will import Local Domains from the IIS SMTP service. If you add additional Local Domains in IIS SMTP service, you must also add these domains to GFI MailSecurity because this does not detect newly added Local Domains automatically.
PAGE 22

Screenshot 4 - Configure the new domain Step 4: Secure your mail relay server In this step, you will set up your SMTP virtual server‟s mail Relay Restrictions. This means that you must specify which machines may relay email through this virtual server (i.e., effectively limit the servers that can send email via this server). 1. Right-click the Default SMTP Virtual Server node and then click Properties. 2.
PAGE 23

Screenshot 5 - Relay Restrictions dialog 3. Click Only the list below and then click Add to specify the list of permitted computers. Screenshot 6 - Specify machines which may relay email via virtual server 4. In the Computer dialog box, specify the IP of the mail server that will be forwarding the email to this virtual server and then click OK to add the entry to the list.
PAGE 24

 Single computer: Select this option to specify one particular host that will relay email via this server. If you want to look up the IP address of a specific host, click DNS Lookup.  Group of computers: Select this option to specify the base IP address for the computers that you want to relay.  Domain: Select this option to include all the computers of a specified domain. This means that the domain controller will openly relay emails via this server.
PAGE 25

3. Click OK and restart the Microsoft Exchange Server from the services applet. If you have Microsoft Exchange Server 2000/2003: You will need to set up an SMTP connection that forwards all email to GFI MailSecurity: 1. Start the Exchange System Manager. 2. Right-click the Connectors Node, click New  SMTP Connector and then specify the connector name. 3.
PAGE 26

Verify the MX record of your DNS server as follows: 1. Open the command prompt, type nslookup and press Enter. 2. Type set type=mx and press Enter. 3. Type your mail domain and press Enter. 4. The MX record should return a single IP that must correspond to the IP of the machine running GFI MailSecurity. Screenshot 8 - Checking the MX record of your domain Step 7: Test your new mail relay server Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly. 1.
PAGE 27

2. Save any pending work and close all open applications on the machine. 3. Check that the machine you are installing GFI MailSecurity on meets the system and hardware requirements specified earlier in this chapter. To install GFI MailSecurity follow these steps: 1. Run the GFI MailSecurity setup program by double-clicking on the MailSecurity10.exe file. The installation wizard will perform some unpacking operations and then display the Welcome page. Click Next to continue. 2.
PAGE 28

4. Setup will now ask you to select the mode that GFI MailSecurity will use to retrieve the list of your email users. You must select one of the following options:  Yes, all email users are available on Active Directory. – Select this option to continue installing GFI MailSecurity in Active Directory mode. In this mode, GFI MailSecurity creates userbased rules, for example Attachment Checking rules, based on the list of users available in the Active Directory.
PAGE 29

feeds. You can specify custom virtual directory names if you want, or else leave the defaults. NOTE: If you are installing on a Microsoft Exchange Server 2007 machine, the IIS SMTP service is not required, since it has its own built in SMTP server. In such a case, the SMTP Server Setup area is not displayed and you can click Next to continue and go to step 7 directly. GFI MailSecurity relies on the IIS SMTP service to send and receive SMTP mail. It binds to your default SMTP virtual server (i.e.
PAGE 30

Installation Wizard. Refer to the following section for information on how to use this wizard. NOTE 2: If you are upgrading from a previous version (version 9 onwards) of GFI MailSecurity, you might be prompted to upgrade your quarantine database to a new Firebird database format. For more information, refer to the Quarantine Upgrade tool section in this manual.
PAGE 31

GFI MailSecurity Post-Installation Wizard NOTE: This section applies only when installing GFI MailSecurity on a Microsoft Exchange Server 2007 machine. IMPORTANT: You need to complete this wizard for GFI MailSecurity to work with Microsoft Exchange Server 2007. The GFI MailSecurity installation wizard launches the GFI MailSecurity Post-Installation Wizard when you click Finish.
PAGE 32

Screenshot 12 – Collecting information from Microsoft Exchange Server 2007 3. The wizard will display the accepted domain list collected from Microsoft Exchange Server 2007. If you need to specify another local domain, type it in the Local domains box and click Add. If you want to remove a domain that you added from this page, click on it from the list, and then click Remove. NOTE: The local domains you add from this page affect the GFI MailSecurity installation only.
PAGE 33

5. The wizard displays a list of the Microsoft Exchange Server 2007 server roles detected on this machine, and a list of the GFI MailSecurity components it needs to register for it to be able to process and scan emails passing through the server. Screenshot 14 - Server roles detected and list of components to install. 6. Click Next to install the required GFI MailSecurity components. Screenshot 15 - Installing the required GFI MailSecurity components 7.
PAGE 34

Screenshot 16 - GFI MailSecurity Post-Installation Wizard finish page Adding GFI MailSecurity to the Windows DEP Exception List Data Execution Prevention (DEP) is a set of hardware and software technologies that perform memory checks to help prevent malicious code from running on a system. The DEP technology is available only on Microsoft Windows XP with Service Pack 2, Microsoft Windows Server 2003 (x32 Edition) with Service Pack 1 and Microsoft Windows Server 2003 (x64 Edition).
PAGE 35

5. Click Add and from the dialog box browse to the GFI MailSecurity installation folder, , and choose GFiScanM.exe. 6. Click Add and from the dialog box browse to the GFI MailSecurity installation folder, , and choose kavss.exe. 7. Click Apply and OK to apply the changes. 8. Restart the "GFI Content Security Auto-Updater Service" and the "GFI MailSecurity Scan Engine" services.
PAGE 36

Screenshot 17 - GFI MailSecurity SwitchBoard 3. If you selected Local mode, you do not need to configure anything else. If you selected IIS mode you now need to configure the Active Directory accounts or groups that have access to the Configuration and Quarantine Store, and you can change the virtual directory name where the GFI MailSecurity pages are stored. NOTE: If you select Local mode you need to add „http://127.0.0.1‟ to the list of trusted sites in Internet Explorer.
PAGE 37

Screenshot 19 - Configuration / Quarantine store Access Control Lists 6. To configure the accounts that get access to the configuration pages, use the Add and Remove buttons underneath the Configuration URL Access Control List. If you want to deny access to a listed account without removing it from the list, select the check box under the Deny column. 7. To configure the accounts that get access to the quarantine store, use the Add and Remove buttons underneath the Quarantine URL Access Control List.
PAGE 38

Screenshot 20 - New SwitchBoard settings successfully applied 11. When the process completes, click OK. Adding local host to the trusted sites list When you configure GFI MailSecurity to be accessible only locally, you need to add the local host address, „http://127.0.0.1‟, to the list of trusted sites in Internet Explorer. To do this, follow these steps: 1. Click the Control Panel shortcut under the Start menu. 2. From the Control Panel open the Internet Options applet. 3.
PAGE 39

Screenshot 22 - Trusted sites dialog 7. Click Close. 8. Click OK in the Internet Properties dialog box to close it and save the new settings. Securing access to the GFI MailSecurity Quarantine RSS feeds You can configure GFI MailSecurity to create quarantine RSS feeds on specific quarantine folders. To configure who can subscribe to the quarantine RSS feeds, follow these steps: 1. Click the GFI MailSecurity SwitchBoard shortcut found under Start  Programs  GFI MailSecurity. 2.
PAGE 40

Screenshot 23 - GFI MailSecurity SwitchBoard 3. In the IIS mode access control list dialog box you can configure who can subscribe to the quarantine RSS feeds.
PAGE 41

4. Use the Add and Remove buttons underneath the RSS URL Access Control List. If you want to deny access to a listed account without removing it from the list, select the check box under the Deny column. 6. When ready click OK. 7. If you want to specify a different virtual directory name, you can do so by editing the entry in the RSS Virtual directory box. 8. Click OK to save your changes. A progress bar shows you the progress while applying the new settings.
PAGE 42

Screenshot 26 - GFI MailSecurity accessed under local mode only Accessing the configuration from a remote machine To access the GFI MailSecurity configuration or quarantine store from a remote machine, follow these steps: 1. Start Microsoft Internet Explorer. 2. In the address bar, specify the following address: „http:///‟ to access the configuration or „http:////quarantine‟ to access the quarantine store directly.
PAGE 43

Screenshot 27 - GFI MailSecurity accessed under IIS mode Entering your license key after installation The unregistered, evaluation version of GFI MailEssentials expires after 10 days. Screenshot 28 - License key information When you obtain the 30-day evaluation key or the purchased licensed key, you can enter your license key in the GFI MailSecurity  Licensing node, without having to re-install the product.
PAGE 44

Entering the license key should not be confused with the process of registering your company details on our website. This is important, since it allows us to give you support, and notify you of important product news. Register at http://www.gfi.com/pages/regfrm.htm.
PAGE 45

 GFI Content Security Auto-Updater Service  GFI MailSecurity Attendant Service  GFI MailSecurity Scan Engine  IIS Admin  Simple Mail Transfer Protocol (SMTP). 5. To convert and import the GFI MailSecurity 8 settings to the GFI MailSecurity 10 configuration database, you need to run the msec8upg.exe tool found in the GFI MailSecurity 10 folder, for example: c:\program files\GFI\ContentSecurity\MailSecurity. Screenshot 29 - GFI MailSecurity 8 configuration settings migration tool 6.
PAGE 46

10. You now need to start all the services that you stopped in step 4 above, from the Services control applet. 11. Use the GFI MailSecurity 10 configuration to check that the GFI MailSecurity 8 settings were migrated correctly. Upgrading from GFI MailSecurity 9 to GFI MailSecurity 10 NOTE: The upgrade process cannot be reverted. If you upgrade GFI MailSecurity to version 10, you cannot go back to version 9 of the product.
PAGE 47

Quarantine Upgrade tool Starting from GFI MailSecurity 10 SR8, Quarantine information is stored in a Firebird database format instead of Microsoft Access database. For upgrades between version 9 and 10 and between previous builds of version 10 to GFI MailSecurity 10 SR8, the Quarantine upgrade tool automates to the migration of pre-existing quarantine data to the new Firebird database format. NOTE: The old quarantine data will not be available until imported.
PAGE 48
PAGE 49

General settings Introduction to settings Screenshot 33 - GFI MailSecurity general settings page The Settings node allows you to configure a number of general options, including the administrator‟s email address, the Update URLs, the list of Local Domains, the SMTP server bindings and the management of the user list when GFI MailSecurity is installed in SMTP mode only. To configure the general settings, click the GFI MailSecurity  Settings node.
PAGE 50

Configuring proxy server settings for automatic updates GFI MailSecurity will automatically search and download updates (for example, virus definitions updates and Trojan & Executable Scanner definitions updates) from the GFI update servers. If the server on which GFI MailSecurity is installed, connects to the internet through a proxy server, you need to configure the proxy server settings as follows: 1. Click the Settings node to open the general settings page. 2. Click the Updates tab. 3.
PAGE 51

Adding Local Domains Screenshot 35 - Local Domains list GFI MailSecurity needs to know what your local domains are to be able to classify an email as inbound or outbound. During installation, GFI MailSecurity will import local domains from the IIS SMTP service. If, however, you wish to add or remove local domains afterwards, you must follow these steps: 1. Click the Settings node to open the general settings page. 2. Click the Local Domains tab and specify the name of the domain in the Domain box. 3.
PAGE 52

Screenshot 36 - Binding GFI MailSecurity to a different SMTP Server GFI MailSecurity relies on the IIS SMTP service to send and receive SMTP mail. By default, it binds to your default SMTP virtual server. However, if you have multiple SMTP virtual servers installed on your machine, you can select to which one you want to bind GFI MailSecurity. You can select your virtual SMTP server both during the installation stage as well as from the Bindings tab after the installation.
PAGE 53

Screenshot 37 - User Manager The User Manager tab displays the current list of local users, and it allows you to add or remove local users. The list of local users entered here is used when configuring user-based rules, such as Attachment Checking rules and Content Checking rules. To add a new local user follow these steps: 1. Enter the email address in the Email address box. 2. Click Add.
PAGE 54

To remove a local user follow these steps: 1. Select the local user you want to remove from the Local Users list. 2. Click Remove. 3. Repeat steps 1 and 2 to remove more than one local user. 4. Click Apply.
PAGE 55

Configuring virus checking Configuring Virus Scanning Engines The virus-checking feature of GFI MailSecurity scans all SMTP traffic, inbound and outbound emails, for viruses using multiple Virus Scanning Engines. When GFI MailSecurity is installed on the Microsoft Exchange server machine, you can also configure GFI MailSecurity to scan the information store for viruses.
PAGE 56

The Virus Scanning Engines are listed in the same order of priority used by GFI MailSecurity to scan emails for viruses (Priority 0 being the highest or top priority). Each Virus Scanning Engine must be configured separately. To configure virus checking, click the required Virus Scanning Engine from the Status page on display in the right window. Alternatively, you can expand the Virus Scanning Engines node and click the required Virus Scanning Engine node (for example, Kaspersky).
PAGE 57

. Screenshot 42 - Anti-virus Scanning Engines: AVG configuration page (General Tab) To configure the AVG engine: 1. Expand the GFI MailSecurity  Virus Scanning Engines node and then click AVG. 2. To scan SMTP traffic using this Virus Scanning Engine, select the Enable Gateway Scanning (SMTP) check box. You now need to select whether you want to scan inbound and outbound emails using this Virus Scanning Engine.
PAGE 58

5. After you have configured all the required parameters, click Apply. All changes and configuration settings will take effect immediately. NOTE: The section at the bottom of the General tab displays information on the scanning engine. This includes the Virus database version and release date. License details for the current anti-virus engine are also displayed. AVG web site For more information about the virus patterns included in the AVG engine, visit the AVG website at http://www.grisoft.com.
PAGE 59

select whether you want to scan inbound and outbound emails using this Virus Scanning Engine. To scan inbound emails select the Scan Inbound Emails through SMTP Transport Event Sink check box. To scan outbound emails select the Scan Outbound Emails through SMTP Transport Event Sink check box. 3. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine.
PAGE 60

BitDefender configuration Screenshot 44 - Virus Scanning Engines: BitDefender configuration page (General Tab) To configure the BitDefender engine: 1. Expand the GFI MailSecurity  Virus Scanning Engines node and then click BitDefender. 2. To scan SMTP traffic using this Virus Scanning Engine, select the Enable Gateway Scanning (SMTP) check box. You now need to select whether you want to scan inbound and outbound emails using this Virus Scanning Engine.
PAGE 61

4. BitDefender Control also allows you to block or ignore emails with attachments that contain macros. This feature can be configured by selecting one of the following options:  Do not check macros – Select this option if you want GFI MailSecurity to ignore macros and only scan emails for viruses.  Block all documents containing macros – Select this option if you want to quarantine all emails that contain a macro (even if the macro is a genuine one).
PAGE 62

Screenshot 45 - Virus Scanning Engines: McAfee configuration page (General Tab) McAfee website For more information about the virus patterns included in the McAfee engine, visit the McAfee website at http://www.mcafee.com Norman configuration The configuration options of the Norman Virus Scanning Engine are identical to those of the BitDefender engine. For more information on how to configure these options, refer to the „BitDefender Configuration‟ section earlier in the manual.
PAGE 63

Screenshot 46 - Virus Scanning Engines: Norman configuration page Norman website For more information about the virus patterns included in the Norman Virus Control (NVC) engine, visit the NVC website at http://www.norman.
PAGE 64

Virus scanner actions Screenshot 47 - Virus Scanning Engine: Configuration page (Actions Tab) In GFI MailSecurity, you can configure what each of the installed Virus Scanning Engines should do whenever an infected email is detected. To configure the actions of a virus scanner: 1. Select the virus scanner that you want to configure and click the Actions tab. 2.
PAGE 65

what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting.  Notify administrator – Select this option if you want to notify the administrator whenever this virus scanner detects an infected email. 4. Select the Log occurrence to this file check box and specify a log file name in the box below, if you want to log the virus scanning activity to a log file.
PAGE 66

 Only check for updates – Select this option if you want GFI MailSecurity to just check and notify the administrator whenever updates are available for this virus scanner. NOTE: This option will NOT download the available updates.  Check for updates and download – Select this option if you want GFI MailSecurity to check and automatically download any updates available for this virus scanner. 4.
PAGE 67

of virus scanners that need to detect a virus to stop virus scanning, in the box. Click Apply. Screenshot 50 - Configure virus scanning optimizations For example, if you select this option and enter 2 in the box, virus scanning on an item that contains a virus is performed by at most two virus-scanning engines, if they detect it. Emails that do not contain a virus are scanned by all enabled virus-scanning engines anyway.
PAGE 68

Screenshot 51 – Information Store Protection node NOTE: When you disable Information Store Virus Scanning, the Information Store Scanning option of all Virus Scanning Engines is disabled automatically. When you enable Information Store Virus Scanning, the Information Store Scanning option of all Virus Scanning Engines is enabled automatically. This setting does not affect the Gateway scanning option of each Virus Scanning Engine.
PAGE 69

Screenshot 53 – VSAPI scan settings 4. From the VSAPI Settings tab, you can enable background Information Store Scanning, by selecting the Enable background scanning check box. This option will cause all the contents of the Information Store to be scanned, which depending on the amount of items stored in the Information Store could result in a huge processing load on the Exchange server.
PAGE 70

6. To save and instruct GFI MailSecurity to make use of the new settings, click Apply.
PAGE 71

Configuring Attachment Checking Introduction to Attachment Checking This chapter explains how to set up Attachment Checking in GFI MailSecurity. The Attachment Checking feature allows you to set up a policy regarding what types of email attachments you will allow on your mail server. To set up such a policy, GFI MailSecurity uses the concept of 'Rules'. A rule is a condition that you set, such as, “block all executable attachments”.
PAGE 72

Screenshot 55 - Attachment Checking: General Tab 3. Specify the name of the rule and select whether to apply this rule to inbound and/or outbound emails by selecting the respective check boxes. 4. Decide on the type of attachment blocking required:  Block all – Select this option to block email attachments of any type.  Block this list – Select this option to block ONLY the listed attachment types.
PAGE 73

 Block all except this list - Select this option to block attachment types that are not included in the list. NOTE 1: To add an attachment type to the list, input the required full file name or file extension in the box next to the Add button. When ready, click Add. You can use asterisk (*) wildcards to replace characters or strings in the attachment type/extension. For example, specifying *orders*.mdb blocks all mdb files which contain the string 'orders' in the file name. Specifying *.
PAGE 74

 Delete email: Select this option to delete the email and attachment completely.  Move to folder: This option will move the email to the specified folder. Input the folder name in the box provided underneath this option. NOTE: Please note that you cannot configure actions to affect a single attachment within an email. Actions will always affect the whole email containing the attachment. 8.
PAGE 75

Screenshot 57 - Attachment Checking: Users/Folders Tab 11. Choose one of the following options:  Only this list – Select this option if you want to apply this rule to all email users/groups or public folders present in the list.  All except this list – Select this option if you want to apply this rule to all email users, groups or public folders NOT present in the list. 12. To add email users, user groups and/or public folders to the list, click Add.
PAGE 76

NOTE: You do not need to input the full name of the user/user group or public folder. It is enough to enter at least three characters. GFI MailSecurity will list all the names that contain the specified characters. For example, if you input „ott‟, GFI MailSecurity will return names like „Scott Adams‟ and „Freeman Prescott„, if they are available. 15. Select the check box at the start of the listed name(s) to indicate the ones that you wish to add to the list and click OK.
PAGE 77

Make changes to an existing rule To modify an existing rule: 1. Click the GFI MailSecurity  Attachment Checking node. 2. From the Attachment Checking page (in the right window), click the name of the rule that you want to modify. 3. Make the required changes (for example, Rename the rule, etc.) in the rule properties and click Apply to accept the changes you made. Changes will take effect immediately. Enabling/disabling rules You can check and change the status of a rule (i.e.
PAGE 78
PAGE 79

Configuring Content Checking Introduction to Content Checking This chapter will show you how to set up Content Checking in GFI MailSecurity. The Content Checking feature allows you to create rules in which you define keywords and logical operators to filter emails that contain offensive or confidential information for example. Screenshot 60 - Content Checking page In GFI MailSecurity, you can configure Content Checking rules from the Content Checking node.
PAGE 80

Screenshot 61 - Content Checking: General Tab 5. If you want PGP encrypted emails to infringe this rule, select the Block PGP encrypted emails check box. 6. Next, you need to configure whether to scan email bodies and attachments, and the keywords an email must contain to trigger this Content Checking rule. Click the Body tab to configure these options. 7.
PAGE 81

Screenshot 62 - Content Checking: Body Tab 9. To match keywords in the conditions list only against whole words, select the Match whole words only check box. 10. If you want the Content Checking rule to scan email attachments for the conditions specified in the previous steps, select the Apply above conditions to attachments check box. 11. You then need to specify which filename extensions to scan. To add a filename extension, type it in the File extension entry box and then click Add.
PAGE 82

list. If you want to scan all the attachments except the ones you specified in the list, click Check all except attachments having file extensions in the list. NOTE: Enter the filename extension only, for example, if you want to scan text files, enter “txt” only, not “*.txt” or “.txt”. 12. If you want the Content Checking rule to check the email subject, click the Subject tab to specify the keywords that will infringe this rule if found in the email subject. 13.
PAGE 83

Move to folder: This option will move the email to the specified folder. Type the folder name in the box provided underneath this option. 18. Content Checking rules can be configured to send email notifications to the administrator and/or user whenever an email infringes a rule. You can configure the required notifications by selecting any of the following options: Notify local user: Select this option if you want to notify the email local users when the email infringes this content checking rule.
PAGE 84

20. Now, you must specify the users for whom this rule applies. By default, GFI MailSecurity will apply the rule to all email users. However, if you want this rule to affect only a selection of users, click the Users/Folders tab. Screenshot 65 - Content Checking: Users/Folders Tab 21. Choose one of the following options: Only this list – Select this option if you want to apply this rule to all email users/groups or public folders present in the list.
PAGE 85

MailSecurity), to check if the specified entry exists. Any user, group or public folder that matches will be listed below. NOTE: You do not need to input the full name of the user/user group or public folder. It is enough to enter at least three characters. GFI MailSecurity will list all the names that contain the specified characters. For example, if you input „ott‟, GFI MailSecurity will return names like „Scott Adams‟ and „Freeman Prescott„, if they are available. 25.
PAGE 86

Make changes to an existing content checking rule To modify an existing rule: 1. Click the GFI MailSecurity  Content Checking node. 2. From the Content Checking page (in the right window), click the name of the rule that you want to modify. The content checking rule will be loaded. 3. Make the required changes (for example, rename the rule, etc.) in the rule properties and click Apply. Changes will take effect immediately. Enabling/disabling rules You can check and change the status of a rule (i.e.
PAGE 87

Decompression engine Introduction to the Decompression engine The Decompression engine decompresses and analyzes archives attached to an email.
PAGE 88

Configuring the decompression engine filters Check password protected archives Screenshot 69 - Configuring password protected archives options This filter allows you to quarantine or delete emails that contain password-protected archives. To configure this filter: 1. Click the GFI MailSecurity  Decompression node. 2. From the list of available filters (in the right window), click on Check password protected archives. 3. Select the Check password protected archives check box to enable this filter. 4.
PAGE 89

Check for recursive archives Screenshot 70 - Configuring recursive archives options This filter allows you to quarantine or delete emails that contain recursive archives. Recursive archives, also known as nested archives, are archives that contain other/multiple levels of subarchives (i.e. archives within archives).
PAGE 90

Check size of uncompressed files in archives Screenshot 71 - Configuring checks for the size of uncompressed files in archives This filter allows you to block or delete emails with archives that exceed the specified physical size when uncompressed. Hackers sometimes use this method in a DoS (Denial of Service) attack: By sending an archive that can be uncompressed to a very large file, they can often crash content security or anti-virus software. To configure this filter: 1.
PAGE 91

Check for amount of files in archives Screenshot 72 - Configuring the amount of files in archive check This filter allows you to quarantine or delete emails that contain an excessive amount of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter. To configure this filter: 1. Click the GFI MailSecurity  Decompression node. 2.
PAGE 92

Configure this option as follows: 1. Click the GFI MailSecurity  Decompression node. 2. From the list of filters (in the right window), click on Scan within archives. 3. Select the Scan within archives check box to scan any archive attachments present in an email using the decompression and attachment scanning rules.
PAGE 93

Enable/disable decompression filters Screenshot 74 - Decompression tool filters list To enable or disable any of the available decompression filters: 1. Click the GFI MailSecurity  Decompression node. 2. In the right window, select the check box of the filter(s) that you want to enable or disable. 3. Click Enable selected or Disable selected accordingly. NOTE: You can select all check boxes in one go by selecting the check box next to the Description column heading at the top-left of the list.
PAGE 94
PAGE 95

The Trojan & Executable Scanner Introduction to the Trojan & Executable Scanner GFI MailSecurity includes an advanced Trojan and Executable Scanner, which is able to analyze and determine the function of an executable file. This scanner can subsequently quarantine any executables that perform suspicious activities (such as a Trojan). What is a Trojan horse? The Trojan horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war.
PAGE 96

Configuring the Trojan & Executable Scanner From the Trojan & Executable Scanner node, you can define the level of security that you require and the actions you want GFI MailSecurity to take on emails containing malicious executable files. Configuring the security level Screenshot 75 - Trojan and Executable Scanner: General Tab To configure the Trojan & Executable Scanner: 1. Click the GFI MailSecurity  Trojan & Executable Scanner node. 2.
PAGE 97

 Low Security - Select this option to quarantine all malicious executables. If the executable contains at least one high-risk signature, it will be immediately quarantined. Configuring actions Screenshot 76 - Trojan and Executables Scanner: Actions Tab 5. Click the Actions tab to configure the actions you want GFI MailSecurity to take on emails containing a malicious executable.
PAGE 98

3. Select the Automatically check for updates check box to enable the auto-update feature. 4. From the Downloading options list, select one of the following download options:  Only check for updates – Select this option if you want GFI MailSecurity to just check and notify the administrator whenever updates are available for the Trojan & Executable Scanner. NOTE: This option will NOT download the available updates.
PAGE 99

The Email Exploit Engine Introduction to e-mail exploits What is an exploit? An exploit uses known vulnerabilities in applications or operating systems to compromise the security of a system, for example, execute a program or command, or install a backdoor. It "exploits" a feature of a program or the operating system for its own use. What is an e-mail exploit? An email exploit is an exploit launched via email.
PAGE 100

2. From the Email Exploit Engine page (in the right window), select the check box of the exploit(s) that you want to enable or disable. 3. Click Enable Selected or Disable Selected accordingly. The status change is displayed immediately in the exploits Status column. Screenshot 78 - Email Exploit list Configuring the Email Exploit Engine properties To configure the Email Exploit Engine properties: 1. Click the GFI MailSecurity  Email Exploit Engine node. 2.
PAGE 101

 Delete email: Select this option to delete the email containing the email exploit completely. 5. When an email exploit is detected, you can also choose to inform the administrator and/or user by sending email notifications. You can configure the required notifications by selecting any of the following options:  Notify local user: Select this option if you want to notify the email local users when this filter detects an email exploit.
PAGE 102

Email Exploit Engine updates You can configure GFI MailSecurity to download Email Exploit Engine updates automatically or to notify the administrator whenever new updates are available. To configure automatic updates: 1. Click the GFI MailSecurity  Email Exploit Engine node. 2. Click the Updates tab. 3. Select the Automatically check for updates check box to enable the auto-update feature. 4.
PAGE 103

The HTML Sanitizer Introduction to the HTML Sanitizer The HTML Sanitizer scans and cleans from scripting code the email body parts that have the MIME type set to “text/html” and all the attachments that have an extension of “.htm” or “.html”. The HTML is cleaned from all the scripts, rendering it harmless. The HTML sanitization process is an automated process, which does not require administrator intervention.
PAGE 104

3. Select the emails you want to check for HTML scripts and clean by selecting any of the following options:  Check inbound emails – Select this option to scan and clean HTML scripts from all inbound emails.  Check outbound emails – Select this option to scan and clean HTML scripts from all outbound emails. 4. Click Apply.
PAGE 105

Patch Checking Introduction to Patch Checking The Patch Checking feature verifies if there are any software patches available for your version of GFI MailSecurity by directly connecting/querying the GFI Update Servers. Screenshot 83 - List of available patches If software updates are present on the GFI Servers, this feature lists them out for you to download.
PAGE 106

updates (in the right window), click the Download link included in the last column of each patch. This will start the download process. Repeat the same procedure for all the listed updates. 3. After all downloads are complete, you can start installing the software updates. Since the software patches vary in file format (i.e. could be DLL files, EXE files, etc.), you must read the relative patch information for the installation instructions.
PAGE 107

Quarantine Introduction to the Quarantine Store As outlined earlier in the manual, you can configure GFI MailSecurity to quarantine the emails that fail any of the content policy or content security checks. You can then review the quarantined emails and either approve or delete them. You can approve/delete quarantined emails either directly from the Quarantine Store or through a Quarantine Action Form.  Approve/Delete directly from the Quarantine Store (recommended).
PAGE 108

Screenshot 84 - Quarantine Store status page Searching for emails in the Quarantine Store Screenshot 85 - Quarantine Store: Quick Search To search for emails in the GFI MailSecurity Quarantine Store, follow these steps: 1. Click on either the GFI MailSecurity  Quarantine node or the GFI MailSecurity  Quarantine  Search Folders node. 2.
PAGE 109

 Search in quarantine reason – Specify a keyword or phrase and click Search to find quarantined emails that contain that specific word/string in the quarantine reason. Screenshot 86 – Quick search results Search Folders What is a search folder? A Search Folder is a special type of folder that has a search query associated to it. The contents of the search folder are the quarantined emails that match the search query.
PAGE 110

3. In the Search folder name box, type a name for the new search folder, for example, “Emails blocked by Attachment Rules”. 4. If you installed GFI MailSecurity on the Microsoft Exchange Server machine, you can limit the emails in this search folder to those blocked from a particular source. From the list under the Item source area, you can select one of the following:  Information store (VSAPI) – Only quarantined items forming part of the Information Store will be displayed.
PAGE 111

Screenshot 87 - New Search Folder properties page  Item direction – Select this option to limit the items included in this search folder to either Inbound or Outbound emails. NOTE 1: Leave this option unselected if you want to include both Inbound and Outbound emails in this Search Folder.
PAGE 112

NOTE 2: This option is only enabled when GFI MailSecurity is not installed on a Microsoft Exchange machine, or if it is, the Item source selected was Gateway.  Date - Select this option to group emails by date. Specify a date in the relevant box or alternatively click the calendar button and select the required date from the calendar window. Specify a Date Range You can also group emails by Date Range.
PAGE 113

Changing Search Folder properties Screenshot 89 - Search Folder options To modify the properties, search criteria and auto-purge settings of an existing search folder: 1. Expand the GFI MailSecurity  Quarantine  Search Folders node. 2. Click on the Search Folder you want to modify and from the right pane, click Edit search folder. 3. Make the required changes to the search folder properties.
PAGE 114

1. Expand the GFI MailSecurity  Quarantine node and select the sub-node that contains the email(s) you want to approve (for example, select the Today node if you want to approve emails that were quarantined today). Alternatively, you can use Quick Search to look for the emails that you want to approve. NOTE: You can approve an email that was quarantined today from the Today node, the This Week node, the All Emails node as well as from any Search Folder that contains the email.
PAGE 115

NOTE: You can delete an email that was quarantined today from the Today node, the This Week node, the All Emails node as well as from any Search Folder that contains the email. The difference between the mentioned nodes is the amount of emails that are present within. 2. Select the check box of the email(s) you want to delete and click Delete items. NOTE 1: If you want to delete all the listed emails, you do not need to select all the check boxes individually. Just click Delete all.
PAGE 116

View the full security threat report of an email To view the full security threat report of a quarantined email, follow these steps: 1. Expand the GFI MailSecurity  Quarantine node and select the sub-node that contains the email(s) you want to view (for example, select the Today node if you want to view emails that GFI MailSecurity quarantined today). Alternatively, you can use Quick Search to look for the emails that you want to view. 2. GFI MailSecurity lists the quarantined emails in a table.
PAGE 117

Screenshot 92 - Viewing the full security threat report of a quarantined email GFI MailSecurity for Exchange/SMTP Quarantine  109
PAGE 118

Enable email approval via HTML approval forms Screenshot 93 - Quarantine Options configuration page You can configure GFI MailSecurity to send HTML Quarantine Action Forms through email to the administrator or an authorized user. The Quarantine Action Form makes it possible for the administrator to approve or delete quarantined emails directly from the email client without accessing the Quarantine Store. To enable the sending of HTML Quarantine Action Forms, follow these steps: 1.
PAGE 119

How to approve or delete quarantined emails from an email client When GFI MailSecurity quarantines an email, the administrator receives an email containing an HTML Quarantine Action Form. The form contains details related to the quarantined email including the reason why it was blocked and any attachments that were included in the email.
PAGE 120

NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by the „notify local users‟ setting.
PAGE 121

feed. Through the RSS feed reader, the administrator is periodically informed of new blocked content in the quarantine store. NOTE: For a list of freely available RSS feed readers please visit http://kbase.gfi.com/showarticle.asp?id=KBID002661. The RSS feed readers listed support authentication and have been tested with the quarantine RSS feeds feature of GFI MailSecurity. How do I configure RSS on a quarantine folder? To enable RSS feeds on specific quarantine folders, follow these steps: 1.
PAGE 122

Screenshot 97 - Quarantine folder RSS feed 4. Select the Enable Quarantine RSS feeds on this folder check box. 5. Specify an interval in minutes in the Refresh feed content every box. The default value is 10 minutes. 6. Specify the maximum number of items you want the feed to include in the Feed should contain at most box.
PAGE 123

Screenshot 98 - Copy RSS feed URL 2. Click Copy Shortcut. 3. Use your favorite RSS feed reader application to create a new RSS feed subscription. Use the RSS feed URL copied in the previous step to specify the location of the feed. NOTE: If you want to subscribe to all the enabled quarantine search folder RSS feeds in one go, copy the shortcut of the OPML icon. RSS feed reader applications usually have an option to import RSS feeds from an OPML file.
PAGE 124

Active Directory or email server, GFI MailSecurity will delete the blocked email instead of storing it in the quarantine store. The Directory Harvesting filter determines if a user exists or is local, by performing user lookups against the Active Directory or LDAP server you configure. To enable the Directory Harvesting filter on the quarantine store, follow these steps: 1. Click the GFI MailSecurity  Quarantine Options node. 2. Click the Directory Harvesting tab.
PAGE 125

7. Click Update DN list to populate the Base DN list and select the appropriate entry from the list. 8. To test your LDAP configuration settings, specify a valid email address in the Email address box and click Test. If the lookup succeeds, Email address found is displayed underneath the Email address box. NOTE 1: If you installed GFI MailSecurity in Active Directory user mode on a DMZ, the Active Directory of a DMZ normally does not include all the network users (i.e.
PAGE 126
PAGE 127

Reporting Introduction to GFI MailSecurity Reporting Through the reporting option, you can configure GFI MailSecurity to log statistical data, such as the amount of emails being processed and quarantined, into a database. You can then buy the GFI MailSecurity ReportPack add-on, to generate informative reports based on the data collected in the database.
PAGE 128

Configuring a Microsoft Access database backend Screenshot 101 – Configuring a Microsoft Access database backend 1. Click MS Access and type the complete path including the filename of the database file in which the statistical data must be stored. If you only specify a filename, the database file is created in the default path i.e. C:\Program Files\GFI\ContentSecurity\MailSecurity\data\ 2. Click Apply.
PAGE 129

Configuring a Microsoft SQL Server database backend Screenshot 102 - Configuring SQL Server Database backend 1. Click SQL Server. 2. Click Detected server and then select the SQL Server from the Server list or else click Manually specified server and in the box type the IP or server name where Microsoft SQL Server is hosted. 3. Type the name of a user that is authorized to access the Microsoft SQL Server in the User box. 4. Type the password for this account in the Password box. 5.
PAGE 130

Microsoft SQL Server. For more information, refer to step 6 in the „Creating a new database on Microsoft SQL Server‟ section below. Creating a new database on Microsoft SQL Server 1. Open the SQL Server Enterprise Manager (Start  Programs  Microsoft SQL Server  Enterprise Manager) and expand the Microsoft SQL Server node where you want to create the database. Screenshot 103 - Creating a new database 2. Right-Click the Databases node and then click New Database. 3.
PAGE 131

5. From the Login name list, select . Screenshot 105 - Specifying authentication mode 6. In the SQL Server Login Properties dialog box, type the login name, for example, „MailSecurityUser', in the Name box. Under the Authentication area, click SQL Server Authentication and then type a password in the Password box. 7. Select the database you have just created from the Database list. 8. Click the Database Access tab. 9. Select the check box near the Database you have just created.
PAGE 132
PAGE 133

Realtime Monitor About the Realtime Monitor Through the Realtime Monitor page, you can monitor the GFI MailSecurity email processing activity in a „Live‟ environment. Therefore, you can use this option to check the status of each email and determine whether an email was successfully processed, not processed or quarantined. Screenshot 107 - Realtime Monitor page Monitoring email activity Click the GFI MailSecurity  Realtime Monitor node to open the Realtime Monitor page.
PAGE 134

 Number of unprocessed emails in the last 24 hours – number of emails that are not processed by GFI MailSecurity and not delivered to the recipient. One reason this can happen is when the email is corrupted spam and therefore could not be processed successfully. A copy of these emails can be found at <..\GFI\Content Security\MailSecurity\FailedMails> folder. NOTE: For more information about unprocessed emails refer to: http://kbase.gfi.com/showarticle.
PAGE 135

Miscellaneous Version Information Screenshot 108 - Version Information page To view the GFI MailSecurity version information, click the GFI MailSecurity  Version Information node. The version information page displays the GFI MailSecurity version number currently installed and the build information. To check whether you have the latest build of GFI MailSecurity installed on your machine, click Check if newer build exists.
PAGE 136

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
PAGE 137

Advanced topics Customizing the notification templates GFI MailSecurity sends notification emails to the administrator/user whenever an event that needs attention occurs. There are two types of notifications:  Administrative notifications – GFI MailSecurity sends these notifications, for example, when a license is going to expire, when a new patch is available, and when new anti-virus engine updates are available.
PAGE 138

Variables used in XSL-based notification templates Notify user and notify manager notifications (in notifyuser folder and notifymanager folder respectively) Node Description “itemsenderemailaddress” The sender‟s email address. “itemsubject” The quarantined email subject. “itemdeliverytime” The date and time the message was delivered. “itemrecipients/recipient” The message recipients. Use xsl:for-each to enumerate. “action” Action taken on message by GFI MailSecurity.
PAGE 139

XSL Template On an email was blocked which has violated the following rules:
PAGE 140
Setting Virus Scanning API Performance Monitor Counters When you install GFI MailSecurity on the Microsoft Exchange machine directly, you can use the Performance Monitor MMC to keep an eye on Virus Scanning API performance through the performance monitor counters made available by Microsoft Exchange. NOTE: The VSAPI performance monitor counters are only available on a Microsoft Exchange Server 2007 machine with the Mailbox Server Role installed.

PAGE 141

Virus Scan Messages Processed – This is a cumulative value of the total number of top-level messages that are processed by the virus scanner. Virus Scan Messages Processed/sec – This counter represents the rate at which top-level messages are processed by the virus scanner. Virus Scan Messages Cleaned – The total number of top-level messages that are cleaned by the virus scanner. Virus Scan Messages Cleaned/sec – The rate at which top-level messages are cleaned by the virus scanner.

PAGE 142

PAGE 143

Troubleshooting Introduction The troubleshooting chapter explains how you should go about resolving any software issues that you might encounter. The main sources of information available to users are:  The manual – most issues can be solved by reading this manual.  GFI Knowledge Base articles  Web forum  Contacting GFI Technical Support Knowledge Base GFI maintains a Knowledge Base, which includes answers to the most common problems.

PAGE 144

Build notifications We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, visit: http://www.gfi.com/pages/productmailing.htm.

PAGE 145

GFI MailSecurity ReportPack Introduction About GFI ReportCenter Figure 4 – GFI ReportCenter is a centralized reporting framework GFI ReportCenter is a centralized reporting framework that utilizes the installed product ReportPacks to provide you with a list of available reports that you can generate. The information contained in the report is based on the data collected by the specific GFI product.

PAGE 146

example of a ReportPack is the GFI MailSecurity 10.0 ReportPack, further described in the following section. About the GFI MailSecurity 10.0 ReportPack The GFI MailSecurity 10.0 ReportPack is a full-fledged reporting companion to GFI MailSecurity. With the GFI MailSecurity 10.0 ReportPack, you can generate concise executive reports and detailed administrative reports. From graphical traffic pattern reports for management, to tabular daily processed emails vs.

PAGE 147

Screenshot 110 - The GFI ReportCenter management console The GFI ReportCenter management console is split into two panes, the navigation panel to the left of the screen, and the report-viewing pane to the right. The navigation panel consists of the Product Selection list, from where you can select the GFI product ReportPack you want to use, and various panels, as outlined below, through which you can access all the features of GFI ReportCenter.

PAGE 148

 Click on the Help panel button to view the quick reference guide in the report pane of the GFI ReportCenter management console. In the report-viewing pane, you can view and analyze generated reports, maintain the list of scheduled reports, and explore the samples and descriptions of the default reports.

PAGE 149

Report export to various formats By default, GFI ReportCenter allows you to export reports to various formats. Supported formats include HTML, PDF, XLS, DOC and RTF. You can configure a preferred report output format to be used as a default output format for scheduled reports. When creating or editing a scheduled report, you can choose to use the default output format, or else select another output format for the specific scheduled report.

PAGE 150

console. For more information, refer to the „Entering your license key after installation‟ section in this manual.

PAGE 151

GFI MailSecurity ReportPack Installation System requirements Install the GFI MailSecurity 10.0 ReportPack on a computer that meets the following requirements:  Windows 2000 (SP4) / XP (SP2) / 2003 operating system  Internet Explorer 6 or higher  .NET Framework version 1.1. Installation procedure The GFI MailSecurity 10.0 ReportPack installation wizard will perform the following operations during the installation process.

PAGE 152

Screenshot 111 - Installation welcome page 2. In the welcome page, click Next to continue the installation. Screenshot 112 - GFI ReportCenter framework detection dialog 3. If the current version of your GFI ReportCenter framework is not compatible with the GFI MailSecurity 10.0 ReportPack, you will be prompted to download and install an updated version. To download the latest version of the GFI ReportCenter automatically, leave the dialog options as default and click Next.

PAGE 153

Screenshot 113 - Check for a more recent build of the GFI MailSecurity 10.0 ReportPack 4. Choose whether you want the installation wizard to search for a newer build of the GFI MailSecurity 10.0 ReportPack on the GFI website. Then, click Next to proceed with the installation. 5. In the license page, read the licensing agreement carefully and then click I accept the terms in the license agreement. Click Next to continue. 6. Enter your Name, Company, and License key.

PAGE 154

If you configured GFI MailSecurity to log reporting data into a Microsoft Access database, click Use Microsoft Access and then specify the full path in the Database Path box. If on the other hand, you configured GFI MailSecurity to log reporting data into a Microsoft SQL Server database, click Use Microsoft SQL Server and then specify the server name or IP number of the machine hosting the Microsoft SQL Server in the Database Server box.

PAGE 155

NOTE: After the installation is complete, you can change the email settings used by GFI ReportCenter at any time from the Options panel. Click Next to continue. 9. Specify the product installation path or click Next to leave as default. The installation needs approximately 100 MB of free disk space. 10. The installation wizard is now ready to copy the required files and finalize the installation. To proceed click Install. 11. When all the files are copied, the installation wizard displays the finish page.

PAGE 156

PAGE 157

GFI MailSecurity ReportPack - Default reports Introduction After installing the GFI MailSecurity 10.0 ReportPack, a number of pre-configured reports can immediately be generated on the data stored in the reporting database backend of GFI MailSecurity. These default reports are organized into two categories: Executive Reports: The executive reports group consists of eight reports that provide concise statistics and information on how GFI MailSecurity is performing.

PAGE 158

 Processed and blocked emails per week  Monthly processed and blocked emails GFI MailSecurity default reports are accessed by clicking on the Default Reports panel button. Generating a default report To generate a default report: 1. Click on the Default Reports panel button to bring up the list of default reports available. Screenshot 117 – Generating a default report 2. Right-click on the report you want to generate and click on one of the Run for last options.

PAGE 159

Screenshot 118 - Report generation progress Viewing the generated report GFI ReportCenter displays the generated reports in the report-viewing pane, on the right hand side of the screen.

PAGE 160

Report browsing options Browse the generated report page by page. Zoom in/Zoom out. Search the report for particular text or characters. Go directly to a specific page. Breakdown the report into a group tree (e.g. by date/time). Print the report. Report storage and distribution options Export the report to a specific file format and save on a disk. Distribute the generated report by email.

PAGE 161

GFI MailSecurity ReportPack - Custom reports Introduction With GFI ReportCenter, you can create custom reports that fit specific date ranges based on the default report templates included in the GFI MailSecurity 10.0 ReportPack. Creating a new custom report To create a custom report: 1. Click on the Default Reports panel button to bring up the list of default reports available. 2.

PAGE 162

Screenshot 122 - Report name and description for a custom report 5. In the Date Filters page, you need to specify what period of data you want to include in the custom report. You can either specify a fixed date range, so that the report always includes the same data, or else you can specify a variable date range, for example, for the last 6 months. When you select a variable date range, the data included in the custom report will vary depending on when the report is generated. Click Next to continue.

PAGE 163

Screenshot 124 - GFI ReportCenter listing the new custom report Generate a custom report To generate a custom report: 1. Click on the Custom Reports panel button to bring up the list of custom reports available. 2. Right-click on the custom report you want to generate and then click Run.

PAGE 164

Editing a custom report To edit the configuration settings of a custom report: 1. Click on the Custom Reports panel button to bring up the list of custom reports available. 2. Right-click on the custom report you want to modify and then click Edit. This will bring up the Custom Report Wizard through which you can make the required changes. For more information on how to use the Custom Report Wizard, refer to the „Creating a new custom report‟ section earlier in this chapter.

PAGE 165

GFI MailSecurity ReportPack Scheduling reports Introduction With GFI ReportCenter, you can schedule reports. You can either schedule a report to be generated once on a particular date or else to be generated periodically starting from a particular date. With scheduling, you can thus automate the generation of reports as well as schedule the generation of reports in off peak hours, such as after office working hours, so that you make the best use of system resources.

PAGE 166

Screenshot 127 - Schedule Report Wizard 3. Click Next to continue. Screenshot 128 - Report name and description for a scheduled report 4. In the Name and Description page, provide a descriptive report name and description in the Report Name and Report Description boxes, and then click Next to continue.

PAGE 167

Screenshot 129 - Scheduled report time schedule 5. In the Time Schedule page, select whether you want to generate the report once or periodically. If you want to generate once on a particular date, click Generate this report (once) on the following day/time, then select the date and time from the calendar. If you want to generate this report periodically starting from a particular date, click Generate this report every. Specify an interval amount, and then select a value from the Interval list.

PAGE 168

6. If you want to save the generated scheduled report on disk, select the Export to file check box. The report will be saved in the format and to the location on disk specified in the Default Scheduling Options dialog box. For further information, refer to the „Configuring default scheduling options‟ section further on in the manual.

PAGE 169

 Server: Specify the machine name or IP address of your SMTP (outbound) email server. If the specified server requires authentication, select the SMTP Server requires login check box and specify the logon credentials in the User name and Password boxes.  Report format: Reports are sent via email as attachments. Select the file format in which you want to send the scheduled report from the list. Click OK to close the Email Alerts Options dialog box.

PAGE 170

Viewing the list of scheduled reports Screenshot 133 - List of scheduled reports To view the list of scheduled reports, click on the Scheduled Reports panel button and then click on the Scheduled Reports List node. The following details are displayed:  Schedule Name: The custom name that was specified during the creation of the scheduled report.  Report Name: The name of the default or custom report scheduled.  Last Generation: Shows when the last report was generated.

PAGE 171

Screenshot 134 - Schedule activity monitor The activity monitor displays the following events: Information: The scheduled report was successfully generated. Warning: The scheduled report was not generated since the product license is invalid or has expired. Error: The scheduled report was not generated due to some error. Typical errors include:  Errors when attempting to save the generated report to a specific location on disk, for example, out of disk space.

PAGE 172

2. Right-click on the scheduled report you want to disable and then click Disable. The status of scheduled reports is indicated by an icon to the left of each scheduled report as follows: - Indicates that the scheduled report is disabled. - Indicates that the scheduled report is enabled. To enable a scheduled report, follow these steps: 1. Click on the Scheduled Reports panel button and then click on the Scheduled Reports List node. 2.

PAGE 173

GFI MailSecurity ReportPack Configuring default options Introduction While installing the GFI MailSecurity 10.0 ReportPack, you configured some default settings that are used by the GFI ReportCenter when distributing reports by email and storing reports to disk, as well as on which GFI MailSecurity reporting database you want to base the reports. If the need arises, you can re-configure these settings from the GFI ReportCenter management console as shown in the following sections.

PAGE 174

Configuring the GFI MailSecurity reporting database source To change the GFI MailSecurity reporting database source, follow these steps: 1. Click on the Options panel button. 2. Right-click on the Database Source node and then click Set Database Source. Screenshot 136 - Microsoft SQL Server reporting database 3. Select the reporting database type, from the Database Type list. If you selected Microsoft Access, go to step 5. If you selected Microsoft SQL Server, go to step 4. 4.

PAGE 175

Screenshot 137 – Microsoft Access reporting database 6. Click OK to save the new settings and close the Database Source dialog box. Configuring default scheduling options To configure the default settings the scheduled reports use when distributing reports by email or saving to disk, follow these steps: 1. On the Tools menu, click Default Scheduling Options. 2. Configure the default email options as outlined in point 7 of the „Scheduling a report‟ section earlier in the manual. 3.

PAGE 176

Rich Text Format (.RTF) - Use this format to save the report in a format that consumes less disk space and which allows accessibility through different word processors in different operating systems.

PAGE 177

GFI MailSecurity ReportPack - General options Entering your license key after installation If you purchased a license key for the GFI MailSecurity 10.0 ReportPack, enter your License key using the Options  Licensing node (no re-installation/re-configuration required) NOTE 1: You must purchase a different license key for every GFI product ReportPack to be installed and accessed through the GFI ReportCenter framework. For example, to install both the GFI FAXmaker 12.0 ReportPack and the GFI MailSecurity 10.

PAGE 178

Screenshot 140 - Licensing dialog 4. Type in the GFI MailSecurity 10.0 ReportPack license key. 5. Click OK. Viewing the current licensing details To view your current licensing details, click on the Options panel button and select the Licensing node. The licensing details are displayed in the right pane of the management console. Viewing the GFI MailSecurity 10.0 ReportPack version details To view the version information of the GFI MailSecurity 10.0 ReportPack: 1. Select GFI MailSecurity 10.

PAGE 179

2. Click on the Options panel button. 3.

PAGE 180

PAGE 181

GFI MailSecurity ReportPack Exporting Settings Introduction This section will show you how to export the settings configured for the GFI MailSecurity 10.0 ReportPack into an XML file. This is useful if you need to take a backup of the favorite reports list and the configured custom and scheduled reports. Exporting settings is also useful if you need to setup an installation of GFI ReportCenter on another machine.

PAGE 182

Screenshot 142 - Export setting dialog box 3. Click Export configuration options. 4. Type the full path, including filename with extension XML, in the box provided, to specify where you want the exported settings to be saved. 5. Click OK to start the export process. 6. When the settings are exported successfully, the following dialog box is displayed. Screenshot 143 - Settings exported successfully 7. Click OK to close the dialog box.

PAGE 183

Importing the GFI MailSecurity 10.0 ReportPack Settings To import GFI MailSecurity 10.0 ReportPack settings, follow these steps: 1. Click on the Options panel button. 2. Right-click on the Import/Export Configuration node and then click Import/Export Configuration. 3. Click Import configuration options. 4. Type the full path, including filename with extension XML, in the box provided, to specify from which XML file you want to import the GFI MailSecurity 10.0 ReportPack settings.

PAGE 184

Screenshot 145 - Settings exported successfully 7. Click OK to close the dialog box. 8. For the imported settings to take effect, you need to exit GFI ReportCenter, and then start it.

PAGE 185

GFI MailSecurity ReportPack - Default Reports List Executive Reports Viruses Blocked Monthly This report shows you how many virus-infected emails GFI MailSecurity blocked per month in a table. The graph included in the report will help you visualize information such as virus outbreak trends.

PAGE 186

Inbound and outbound email traffic per week days This report combines the amount of emails sent and received during a particular period into a single week to present a bar graph showing inbound and outbound traffic for each day of the week. Since the amount of emails sent or received on each day of the week is stacked on the same bar, you can visually determine the ratio of emails sent versus received on the mail server.

PAGE 187

Outbound email traffic per week days This report combines the amount of emails sent during a particular period into a single week to present a bar graph showing outbound traffic for each day of the week. Through this report, you can determine on which days of the week your organization sends the most emails.

PAGE 188

Monthly email traffic This report shows you how many emails were received and sent per month in a table. The report further includes a stacked bar graph of the data present in the table to help you visualize traffic trends over the period selected for the report. Since the amount of emails sent or received per month is stacked on the same bar, you can visually determine the ratio of emails sent versus received on the mail server.

PAGE 189

Processed and blocked emails per month This report combines data from the period you select into the twelve months to show you how many emails were processed, blocked due to a security threat and what percentage of the processed emails was blocked email for each month of the year. The same data is also presented as an area graph. Apart from getting a picture of how email traffic patterns vary from month to month, you can also spot interesting trends regarding the amount of security threats received.

PAGE 190

Processed emails per month This report combines data from the period you select into the twelve months to show you how many emails were processed for each month of the year. The same data is also presented as an area graph.

PAGE 191

Blocked emails per month This report combines data from the period you select into the twelve months to show you how many emails were blocked due to a security threat for each month of the year. The same data is also presented as an area graph.

PAGE 192

Administrative Reports Processed and blocked emails per four hours This report combines data from the period you select into a single day to show you how many emails were processed, blocked due to a security threat and what percentage of the processed emails was blocked email in four hour blocks starting from midnight. The same data is also presented as an area graph. Through this report, you can get a picture of how email traffic and security threat patterns vary throughout the day.

PAGE 193

Processed emails per four hours This report combines data from the period you select into a single day to show you how many emails were processed in four-hour blocks. The same data is also presented as an area graph.

PAGE 194

Blocked emails per four hours This report combines data from the period you select into a single day to show you how many emails were blocked due to a security threat in four-hour blocks. The same data is also presented as an area graph.

PAGE 195

Daily processed and blocked emails This report displays how many emails were processed, blocked due to a security threat and what percentage of the processed emails was blocked email for each day in the period you select. Furthermore, this report provides a total sum of emails processed and blocked for the period you select.

PAGE 196

Processed and blocked emails per week This report combines data from the period you select into a single year to show you how many emails were processed, blocked due to a security threat and what percentage of the processed emails was blocked email during each week of the year. The same data is also presented as an area graph.

PAGE 197

Monthly processed and blocked emails This report lists the amount of emails processed, blocked due to a security threat and what percentage of the processed emails was blocked email for each month during the period selected. Furthermore, this report provides a total sum of emails processed and blocked for the period you select.

PAGE 198

190  GFI MailSecurity ReportPack - Default Reports List GFI MailSecurity for Exchange/SMTP

PAGE 199

GFI MailSecurity ReportPack Troubleshooting Introduction The troubleshooting chapter explains how you should go about resolving any software issues that you might encounter. The main sources of information available to users are:  The manual – most issues can be solved by reading this manual.  GFI Knowledge Base articles  Web forum  Contacting GFI Technical Support Knowledge Base GFI maintains a Knowledge Base, which includes answers to the most common problems.

PAGE 200

Build notifications We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, visit: http://www.gfi.com/pages/productmailing.htm.