Symantec™ Mail Security for
Microsoft® Exchange
Symantec™ Mail Security for Microsoft® Exchange
Management Pack Integration Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 6.5
Legal Notice
Copyright © 2010 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation 350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Symantec Mail Security for Microsoft Exchange — Management
Pack Integration Guide
... 7About the Symantec Mail Security for Microsoft Exchange Management Pack ... 7
Importing the management pack ... 8
About the Symantec Mail Security for Microsoft Exchange rules ... 9
About Licensing rules ... 10
About LiveUpdate rules ... 11
About Outbreak rules ... 11
About Performance rules ... 11
About Rapid Release rules ... 12
About Service rules ... 12
Viewing the Symantec Mail Security for Microsoft Exchange group ... 13
Disabling default rules ... 15
Viewing Symantec Mail Security for Microsoft Exchange events and performance data ... 15
Symantec Mail Security for
Microsoft Exchange —
Management Pack
Integration Guide
About the Symantec Mail Security for Microsoft
Exchange Management Pack
If you use Microsoft Exchange Server 2007/Server 2010, the Symantec Mail Security for Microsoft Exchange Management Pack lets you integrate Symantec Mail Security for Microsoft Exchange events with Microsoft Operations Manager 2005 (MOM). If you use Microsoft Exchange Server 2003, the Symantec Mail Security for Microsoft Exchange Management Pack lets you integrate Symantec Mail Security for Microsoft Exchange events with MOM and Microsoft System Center Operations Manager 2007 (SCOM). When you import the management pack in MOM/SCOM, it immediately begins monitoring objects based on default configurations and thresholds. These default configurations and thresholds (such as monitors, rules, and tasks) monitor specific Symantec Mail Security for Microsoft Exchange events in the Windows Event Log and the Windows Performance Monitor.
more information about Microsoft Operations Manager 2005, see the Microsoft Operations Manager 2005 documentation.
For more information about Symantec Mail Security for Microsoft Exchange, see the Symantec Mail Security for Microsoft Exchange Implementation Guide.
Importing the management pack
The system requirements for the computer on which you import the management pack are as follows:
■ Microsoft System Center Operations Manager 2007 (32-bit platform) or Microsoft Operations Manager 2005 (32-bit platform)
■ Microsoft SQL Server 2005 Enterprise Edition (32-bit platform)
The Microsoft SQL Server and SQL Agent services must be running when you install the management pack.
■ Microsoft Exchange Server 2010/2007/2003
■ Windows Server 2003
The management pack is supported for Symantec Mail Security 6.5 for Microsoft Exchange events only. The MOM/SCOM agent must be deployed to the servers on which Symantec Mail Security for Microsoft Exchange is installed. This agent collects events and performance data and forwards the information to MOM/SCOM. For information about how to deploy the agent or remove the Symantec Mail Security for Microsoft Exchange Management Pack, see the appropriate Microsoft documentation.
To import the management pack in MOM
1
Copy SMSMSE 6.5 Management Pack.akm to the following folder: \Program Files\Microsoft Operations Manager 2005\Management Packs2
In the MOM 2005 Administrator Console, in the left pane, right-clickManagement Packs, and then click Import/Export Management Pack.
3
In the Pack Import/Export Wizard panel, click Next.4
In the Import or Export Management Packs panel, click Import ManagementPacks and/or reports, and then click Next.
5
In the Select a Folder and Choose Import Type panel, click browse and select the following folder:\Program Files\Microsoft Operations Manager 2005\Management Packs
6
Click Import Management Packs only, and then click Next.Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide Importing the management pack
7
In the Select Management Packs panel, select SMSMSE 6.5 ManagementPack.akm, and then click Next.
8
Click Finish.9
In the Import Status window, click Close when the program finishes importing the management pack.To import the management pack in SCOM
1
Copy SMSMSE_6.5_Management_Pack.xml to the following folder: \Program Files\System Center Management Packs2
In the SCOM 2007 Operator Console in the left pane, right-click ManagementPacks, and then click Import Management Pack.
3
Browse and locate the SMSMSE_6.5_Management_Pack .xml file in the \Program Files\System Center Management Packs folder.4
In the Import Management Packs panel, click Import.5
In the Import Status window, click Close when the program finishes importing the management pack.About the Symantec Mail Security for Microsoft
Exchange rules
When you import the management pack, a Symantec Mail Security for Microsoft Exchange directory structure is automatically created and populated with pre-configured rules. These are rules that collect data about specific critical events. Symantec Mail Security for Microsoft Exchange event rules are as follows:
These are rules that collect data about specific critical events. The following event rules come under this category:
■ Licensing
See“About Licensing rules”on page 10.
■ LiveUpdate
See“About LiveUpdate rules ”on page 11.
■ Outbreak
See“About Outbreak rules ”on page 11.
■ Rapid Release
See“About Rapid Release rules”on page 12.
■ Services
See“About Service rules”on page 12. Event rules
9 Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide
These are rules that measure specific performance criteria. The following event rules come under this category.
See“About Performance rules ”on page 11. Performance rules
Note:Rules are not categorized for SCOM.
For information about how to modify rules or create new rules, see the appropriate Microsoft documentation.
About Licensing rules
Table 1lists the default Licensing rules and the events that trigger the rules. Table 1 Default Licensing rules
Description of event trigger Rule
The content license expired or is not installed, or the license file is damaged. Antivirus License Error
The content license expired or is not installed, or the license file is damaged. Invalid License - Console LiveUpdate Failed
To Update
The content license expired or is not installed, or the license file is damaged. Invalid License - LiveUpdate Failed to Update
Your content license expired or is not installed, or the license file is damaged. Invalid License - LiveUpdate Virus
Definitions Not Updated
Could not find a valid content license. Invalid License - Rapid Release Failed to
Update
The license file is expired, invalid, or damaged.
Invalid Symantec Premium AntiSpam License
The Symantec Premium AntiSpam license expired or is not installed, or the license file is damaged.
Symantec Premium AntiSpam License Error
The license file is expired, invalid, or damaged.
Unable to Install Antivirus License
The license file is expired, or the license file is damaged.
Unknown Symantec Enterprise Licensing Error
Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide About the Symantec Mail Security for Microsoft Exchange rules
About LiveUpdate rules
Table 2lists the default LiveUpdate rules and the events that trigger the rules. Table 2 Default LiveUpdate rules
Description of event trigger Rule
An error occurred with LiveUpdate. The LiveUpdate server is temporarily
unavailable, or the server has lost network connectivity. Check the Event Log for more information.
Console Communication Error with LiveUpdate
The LiveUpdate server is temporarily unavailable, or the server has lost network connectivity.
LiveUpdate Critical Error
The LiveUpdate server is temporarily unavailable, or the server has lost network connectivity.
LiveUpdate Error
Many people are attempting to access the LiveUpdate server simultaneously. LiveUpdate Host Busy
The LiveUpdate server is temporarily unavailable.
LiveUpdate No Carrier
The LiveUpdate server is temporarily unavailable.
LiveUpdate Unknown Error
Definition files are damaged or missing. Missing Virus Definitions
About Outbreak rules
Table 3lists the default Outbreak rules and the events that trigger the rules. Table 3 Default Outbreak rules
Description of event trigger Rule
An outbreak threshold was reached. Outbreak Occurrence
An outbreak is still occurring. Outbreak Reoccurrence
About Performance rules
Table 4lists the default Performance rules and the events that trigger the rules.
11 Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide
Table 4 Performance counters
Description Performance counter
Number of bytes scanned. Bytes Scanned
Number of bytes scanned per second. Bytes Scanned/Sec
Number of scans performed on messages and attachments.
Total Scans
Number of scans performed on messages and attachments per second.
Total Scans/Sec
Number of software threats detected. Threats and Risks Found
Number of software threats detected per second.
Threats and Risks Found/Sec
Number of content violations detected. Content Filtering Found
Number of content violations detected per second.
Content Filtering Found /Sec
Number of spam violations detected. Spam Violations Found
Number of spam violations detected per second.
Spam Violations Found/Sec
About Rapid Release rules
Table 5lists the default Rapid Release rules and the events that trigger the rules. Table 5 Default Rapid Release Rules
Description of event trigger Rule
An FTP failure occurred. FTP Failure
Unknown. Check the Event Log for more information.
General Error During Rapid Release
About Service rules
Table 6lists the default Services rules and the events that trigger the rules.
Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide About the Symantec Mail Security for Microsoft Exchange rules
Table 6 Default Services rules
Description of event trigger Rule
Check the Event Log for more information. Auto-Protect Process Failed to Start
Computer resources are low. Out of Memory
The Quarantine Server contains too many quarantined files.
Quarantine is Full
Check the Event Log for more information. Service Could Not Start
An attempt was made to start the service, but the service is already running. Service Could Not Start - Already Started
The Symantec Mail Security for Microsoft Exchange service cannot start.
Service Could Not Start – Auto-Protect Process Not Started
The program settings could not be obtained or are invalid.
Service Could Not Start - Configuration Invalid
Unable to logon to the Exchange server. Service Could Not Start - Cannot Logon to
the Exchange Server
There is not enough memory to start the service.
Service Could Not Start - Low Memory Conditions
The NT account specified does not have administrator privileges.
Service Could Not Start - Not Admin Account
The computer was restarted or shut down. Service Stopped
The Event Log is full. Unable to Record Events
Viewing the Symantec Mail Security for Microsoft Exchange group
You can view the default Symantec Mail Security for Microsoft Exchange group in the MOM/SCOM console.
Each rule contains a Knowledge Base that provides the following information:
A brief description of the rule Summary
What event triggered the rule Cause
Proposed resolutions for resolving the event issue Resolution
13 Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide
To view the Symantec Mail Security for Microsoft Exchange rule group in MOM
1
In the MOM 2005 Administrator Console under Management Packs, in the left pane, expand Rule Groups, expand Symantec, and then expand SymantecMail Security for Microsoft Exchange.
2
Expand any of the following categories to view the rules that are available for that category:■ Licensing ■ LiveUpdate ■ Outbreak ■ Performance ■ Rapid Release ■ Services
To view the Symantec Mail Security for Microsoft Exchange computer group in SCOM
1
In the SCOM 2007 Operator Console in the left pane, expand ManagementPacks Objects.
2
Under Management Pack Objects, select Rules.3
In the right pane under Rules, expand Type: Symantec Mail Security forMicrosoft Exchange Installation to view the rules that are available.
To view a rule's Knowledge Base in MOM
1
In the left pane, select the rule type that contains the rules for that category. For example, for the Licensing category, select Event Rules. For thePerformance category, select Performance Rules.
2
In the right pane, double-click the rule.3
In the Rule Properties dialog box, click the Knowledge Base tab. To view a rule's Knowledge Base in SCOM1
In the left pane, expand Management Packs Objects.2
Under Management Pack Objects, select Rules.3
In the right pane under Type: Symantec Mail Security for Microsoft ExchangeInstallation, double-click the rule for which you want to view the Knowledge
Base.
4
In the Rule Properties dialog box, click the Knowledge Base tab.Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide About the Symantec Mail Security for Microsoft Exchange rules
Disabling default rules
All of the Symantec Mail Security for Microsoft Exchange rules are enabled by default. You can disable the rules that you do not want to apply.
To disable default rules in MOM
1
In the MOM 2005 Administrator Console under Management Packs, in the left pane, expand Rule Groups, expand Symantec, and then expand SymantecMail Security for Microsoft Exchange.
2
Select a rule category and a rule type.For example, for the Licensing category, select Event Rules. For the Performance category, select Performance Rules.
3
In the right pane, double-click the rule that you want to disable.4
In the Event Rule Properties dialog box, uncheck This rule is enabled.5
Click OK.To disable default rules in SCOM
1
In the SCOM 2007 Operator Console in the left pane, expand ManagementPacks Objects.
2
Under Management Packs Objects, select Rules.3
In the right pane under Type: Symantec Mail Security for Microsoft ExchangeInstallation, double-click the rule that you want to disable.
4
In the Event Rule Properties dialog box, uncheck Rule is enabled.5
Click Apply, and then click OK.Viewing Symantec Mail Security for Microsoft
Exchange events and performance data
You can view Symantec Mail Security for Microsoft Exchange events and performance data in the MOM/SCOM console. The Events view contains the following rule violations: Licensing, LiveUpdate, Outbreak, Rapid Release, and Services. The Performance view contains Performance rule data.
To view Symantec Mail Security for Microsoft Exchange events in MOM
1
In the Operator Console in the Views pane, click Events.2
In the Event Views pane, expand All:Event Views, expand Symantec, and then expand Symantec Mail Security for Microsoft Exchange.15 Symantec Mail Security for Microsoft Exchange — Management Pack Integration Guide
3
Click SMSMSE Events.The events appear in the SMSMSE Events pane.
4
Select an event to view detailed information. The details appear in the Event Details pane.To view Symantec Mail Security for Microsoft Exchange events in SCOM
1
In the SCOM 2007 Operator Console in the left pane, click Monitoring.2
In the Monitoring Views pane, expand Monitoring, expand Symantec, and then expand SMSMSE.3
Click SMSMSE Events.The events appear in the SMSMSE Events in the right pane.
4
Select an event to view detailed information. The details appear in the Event Details pane.To view Symantec Mail Security for Microsoft Exchange performance data in MOM
1
In the Operator Console, in the Views pane, click Performance.2
In the Performance Views pane, expand All:Performance Views, expandSymantec, and then expand Symantec Mail Security for Microsoft Exchange.
3
Select the Performance rule that contains the specific criteria that you want to review.The performance data appears in the SMSMSE Performance Data pane. To view Symantec Mail Security for Microsoft Exchange performance data in SCOM
1
In the SCOM 2007 Operator Console in the left pane, click Monitoring.2
In the Monitoring Views pane, expand Monitoring, expand Symantec, and then expand SMSMSE.3
Select the Performance rule that contains the specific criteria that you want to review.The performance data appears in the SMSMSE Performance Data pane.