To configure threat detection, do the following:

■ Enable threat detection scanning
Mail Security detects viruses, worms, and Trojan horses in all major file types. Antivirus scanning must be enabled for Mail Security to detect threats.
Threat detection scanning applies to all types of scans.
See “About the types of scanning that you can perform” on page 171.

■ Set the Bloodhound detection level
Mail Security uses Bloodhound technology to supplement the detection of threats by signature.
You can customize your level of protection against new threats, from zero protection to a high level of protection. A high level of protection increases protection of your network; however, server performance might be affected. At lower levels of protection, an unknown threat might escape detection, but the trade-off with server performance decreases. In most cases, the default (Medium) setting is appropriate.
See “How Mail Security detects risks” on page 100.

■ Enable mass-mailer worm-infected message detection
Mail Security detects that an email message is a mass-mailer worm or virus when this feature is enabled. If Mail Security detects that an email message is a mass-mailer worm or virus, it deletes the infected email message and any attachments. Mail Security does not send notifications after deleting a mass-mailer worm or virus message and any attachments. When the mass-mailer detection feature is not enabled, an infected mass-mailer email message is treated the same as an infected message.

■ Modify default threat detection rules, as needed
Mail Security provides default antivirus rules, which are always enabled. You can modify these rules.

To configure threat detection
1. In the console on the primary navigation bar, click Policies.
2. In the sidebar under Antivirus, click Antivirus Settings.
3. In the content pane under Antivirus Settings, check Enable virus scanning. Virus scanning is enabled by default.
4. In the Bloodhound detection list, select one of the following using the drop-down menu:
   ■ Off: Disables Bloodhound detection.
   ■ Low: Optimizes server performance, but might not detect potential threats.
   ■ Medium: Provides a balance between threat detection and server performance. The default setting is Medium.
   ■ High: Increases the detection of threats, but might impact server performance.
5. Check Delete mass-mailer worm-infected messages (no notifications) to automatically delete mass-mailer messages.
6. In the Rules table, select any of the following rules to view or modify them in the preview pane:
   ■ Basic Virus Rule: Applies to messages or attachments that contain threats that can be repaired. This option is always enabled.
   ■ Unrepairable Virus Rule: Applies to messages or attachments that contain threats that cannot be repaired. This option is always enabled.
   ■ Security Risk Rule: Applies to messages that contain security risks, such as adware or spyware. See “Configuring security risk detection” on page 104. This option is enabled by default.
   The settings for the rule that you select appear in the preview pane.
7. In the preview pane, in the Action to take list, select the action to take when a threat is detected using the drop-down menu.
8. In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file contained %violation% and was %action%. You can use variables in your customized text.
   See “About alert and notification variables” on page 235.
9. Check one or more of the following to send email notifications about the detection:
   ■ Notify administrators
     Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
     ■ Default Subject line text: Administrator Alert: Symantec Mail Security detected %violation%
     ■ Default Message body text: Location of the infected item: %location% Sender of the infected item: %sender% Subject of the message: %subject% The attachment(s) "%attachment%" was %action% for the following reasons: %information% This was done due to the following Symantec Mail Security settings: Scan: %scan% Rule: %rule%
   ■ Notify internal sender
     Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
     ■ Default Subject line text: Symantec Mail Security detected %violation% in a message sent from your address
     ■ Default Message body text: %subject% Recipient of the message: %recipient%
   ■ Notify external sender
     Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:
     ■ Default Subject line text: Symantec Mail Security detected %violation% in a message sent from your address
     ■ Default Message body text: Subject of the message: %subject% Recipient of the message: %recipient%
   See “About alert and notification variables” on page 235.
10. On the toolbar, click Deploy changes to apply your changes.
    See “Deploying settings and changes to a server or group” on page 75.