16. Mail server security

16.1. Exchange plugin

The Exchange plugin of MailSecurity complements existing Exchange workflows. By deeply integrating with the server, it provides transparent malware protection: without noticeable delays or user interaction, all incoming and outgoing objects are scanned and only passed on if they are free of malware. Plugin deployment looks like a regular client-server deployment. The Exchange plugin is deployed to the Exchange server and reports to a ManagementServer. This can be an existing network ManagementServer or a ManagementServer that is installed along with the Exchange plugin. When using an existing ManagementServer, the Exchange plugin will show up in G Data Administrator’s client management area. With an Exchange client selected, the CLIENTS, TASKS, REPORTS and STATISTICS tabs offer functionality that is similar to their normal client management counterparts. Using the EXCHANGE SETTINGS module, malware scan and AntiSpam settings can be configured, as well as virus signature and program file updates. When enabled, the Exchange plugin will automatically update itself whenever it connects to the ManagementServer (in the interval defined under SERVER SETTINGS > SYNCHRONIZATION). A manual update can be initiated at any time on the CLIENTS tab.

16.1.1. Antivirus

MailSecurity for Exchange supports several types of scans. The on-access scan provides permanent protection, while the on-demand scan can be configured to scan specific mailboxes at specific times.

16.1.1.1. On-access scan

Comparable to the file system monitor of G Data Security Client, the on-access scan monitors all incoming and outgoing e-mails on the Exchange server. E-mails are scanned automatically and only made available if they are free of malware. On the GENERAL tab you can enable the on-access scan and configure its scan parameters under SCAN SETTINGS. The scan can be carried out using one or two scan engines. Using two engines provides optimal security and is the recommended option. However, if scan performance is not as good as expected, one of the two engines can be disabled. This still offers very good detection while increasing performance. Scan performance can be further influenced by selecting the type of files that should be scanned. The most secure option is to scan all files, but this does take more time than a limited scan. A limited scan only includes program files and documents, the file types most likely to be infected. Heuristics can be used to further increase detection by analyzing typical characteristics of malware. Heuristics slightly increase the chance of false positives, but greatly enhance malware detection. Enabling scans of archive files makes sure that even malware hiding inside archives is found. This does increase scan time, and if an infected file is found within an archive, the complete archive will be disinfected or removed. If you have configured quarantine measures, the complete e-mail message (including the archive) will be quarantined. The CHECK ARCHIVES option can be disabled if all clients are using the file system monitor, which ensures that malware is picked up as soon as it is extracted from the archive.

Image 65: G Data Administrator, Exchange settings, General

If malware is detected, several actions can be taken. The recommended option is to try to remove the malware from the file, moving it to the quarantine if removal does not succeed. This will prevent data loss as much as possible, while making sure the malware cannot be run. The REPORTS module will show a report when malware is blocked and allow you to examine quarantined files. Alternatively, MailSecurity can delete infected attachments, delete the entire message or log the threat without blocking it. Immediately deleting an infected object is the most secure option, but can cause data to be removed in case of a false positive detection. Only logging threats is not recommended; this will ignore any detected malware, allowing Exchange and its clients to access and possibly execute it. Even though a report will be added to the REPORTS module, which can help administrators manually take action, the time window between report and action allows for infection and potentially further distribution.

16.1.1.2. On-demand scan

The TASKS module lets you schedule single and periodic scans, which function similarly to client scan jobs (see chapter 9.2). The settings are identical to those for client scan jobs, except for options that are not relevant for Exchange objects. Instead of defining the scan scope using the file system, an Exchange scan job is defined to operate on specific mailboxes. As with file system scans, it is recommended to scan all objects on the server regularly. This can be achieved by planning a weekly, biweekly or monthly scan job. A full scan job can be very performance-intensive; it should be scheduled during off-peak times, such as the weekend or at night.

16.1.2. AntiSpam

A large percentage of e-mail traffic consists of spam. While not containing malware, many of these messages are unwanted, such as mass mailings of pharmaceutical ads or illegal software sales. Spam filters have long been deployed on individual clients in order to remove incoming spam messages before they reach the inbox. This is an effective way to make sure that individual users do not need to spend time on reading and removing them, but it requires each client to have local spam filtering capabilities, such as a network- or client-specific configuration, an up-to-date rule set of spam definitions and local self-learning capabilities. The Exchange plugin provides a powerful spam filter on the server level, taking care of unwanted messages before they even reach the clients.

AntiSpam for Exchange is only available for Exchange servers which are running the Hub Transport role.

Image 63: G Data Administrator, Exchange settings, AntiSpam

All incoming e-mails are scanned and categorized as safe, SUSPECTED SPAM, HIGH SPAM PROBABILITY or VERY HIGH SPAM PROBABILITY. Safe messages are delivered immediately, but for each of the other three categories, individual reactions can be configured. E-mails can be outright rejected, which is a thorough way of dealing with spam, but might accidentally block non-spam messages as well (false positives). To make sure that no legitimate e-mails are accidentally rejected, you can configure spam to be moved to the Spam or Quarantine folder instead. This allows you to examine messages manually and move them back to the Inbox or remove them permanently. Alternatively, a prefix can be added to the subject. Messages will still be delivered, but users will have a way of identifying spam.

Prefixes also allow for (local) filter rules to sort out unwanted messages. When spam is moved to the Spam or Quarantine folder, a report is automatically added to the REPORTS module. When using the option to deliver or reject e-mails, administrators can choose whether to have reports added to the REPORTS module or not. This option should be considered carefully, as it can generate a large number of reports.

When the Spam folder measure has been configured for one or more categories, MailSecurity for Exchange adds the header X-G-Data-MailSecurity-for-Exchange-MoveToJunkFolder: True to each spam message in that category.

The messages are automatically moved to the Spam folder, a process that can be sped up by creating a server-side inbox rule. The rule will cause Exchange Server to move messages to the Spam folder immediately. Using the Exchange Management Shell, execute the following PowerShell script to set the rule for all mailboxes. Replace <Account> with the account of the user executing the script; this account is granted full access to each mailbox so that the rule can be created in it:

    # Collect the mailbox objects first; their Alias property is needed when creating the rules
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    # Grant the executing account full access to every mailbox
    $mailboxes | Add-MailboxPermission -User <Account> -AccessRights FullAccess
    # In every mailbox, create a rule that moves messages carrying the MailSecurity header to the Junk folder
    $mailboxes | ForEach-Object { New-InboxRule -Name "MoveToJunkFolder" -Mailbox $($_.Alias) -MoveToFolder "$($_.Alias):\Junk-E-Mail" -HeaderContainsWords "X-G-Data-MailSecurity-for-Exchange-MoveToJunkFolder: True" -StopProcessingRules $true -Confirm:$false -Force }
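After rolling out the rule, an administrator will want to verify that every mailbox actually received it and that the broad FullAccess right granted during setup does not linger. The following Exchange Management Shell script is an added example, not part of the G Data manual; it assumes the rule name and header used above, and <Account> remains a placeholder for the administrative account that ran the setup script.

```powershell
# Added example (not from the manual): audit the MoveToJunkFolder rule in all mailboxes,
# then revoke the FullAccess right that the setup script granted to <Account>.
$RuleName   = "MoveToJunkFolder"
$HeaderText = "X-G-Data-MailSecurity-for-Exchange-MoveToJunkFolder: True"
$AdminUser  = "<Account>"   # placeholder: the account used when the rules were created

$missing = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Reading another mailbox's rules requires the FullAccess right from the setup script
    $rule = Get-InboxRule -Mailbox $mbx.Alias -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $RuleName }
    if (-not $rule -or -not $rule.Enabled) {
        $missing += $mbx.Alias
    } elseif ($rule.HeaderContainsWords -notcontains $HeaderText) {
        # Rule exists but would not match the header MailSecurity adds
        Write-Warning "$($mbx.Alias): rule '$RuleName' does not match the MailSecurity header"
    }
}

if ($missing.Count -gt 0) {
    Write-Output "Mailboxes without an enabled '$RuleName' rule:"
    $missing | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "All mailboxes have an enabled '$RuleName' rule."
}

# Least privilege: once the rules exist, the administrative account no longer needs
# full access to every mailbox, so revoke the right granted during setup.
Get-Mailbox -ResultSize Unlimited |
    Remove-MailboxPermission -User $AdminUser -AccessRights FullAccess -Confirm:$false
```

Run the audit before the revocation step if any mailboxes are reported as missing the rule, since re-creating rules needs the FullAccess right that the last command removes.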

In addition to the three categories, spam is filtered using a black- and whitelist approach. E-mail addresses and domains can be added to the whitelist in order to bypass the spam filter. Any incoming messages from whitelisted domains or addresses are deemed safe and delivered immediately. Messages from blacklisted addresses or domains are treated as spam and handled according to the configuration under VERY HIGH SPAM PROBABILITY.