Kaspersky Secure Mail Gateway Help

About Anti-Virus protection

Kaspersky Secure Mail Gateway scans email messages for viruses and other threats and disinfects infected objects using the current (latest) version of the Anti-Virus databases.

Messages are scanned for viruses and other threats by the Anti-Virus engine. The Anti-Virus engine scans the body of the message and all attached files in any format (attachments) using the Anti-Virus databases. The Anti-Virus engine detects and blocks email attachments that are intended for a limited number of recipients and are components of targeted attacks designed to exploit software vulnerabilities.

In addition to virus scanning of messages, you can enable detection of certain legitimate applications by the Anti-Virus component.

Based on the scan results, the Anti-Virus engine assigns the message one of the virus scan status labels and adds a tag with the status at the beginning of the message subject (Subject field).

Depending on the status assigned, the application performs actions in accordance with the message processing rule settings. You can select actions to be performed by the application on messages with a certain status and configure tags to be added to messages based on the Anti-Virus scanning result. Before processing a message, the application saves a copy of it in Backup.

You can specify the maximum size of attachments to be scanned and determine the objects to be skipped during Anti-Virus scanning. Attachments in certain formats and with certain names can be excluded from the scan.

The Anti-Virus engine is enabled by default. If required, you can disable the Anti-Virus module or disable Anti-Virus scanning for any rule.

See also

Anti-Virus protection

About computer protection against certain legitimate applications

About Anti-Virus protection status

Enabling and disabling Anti-Virus protection of messages

Enabling and disabling Anti-Virus scanning for a rule

Configuring Anti-Virus engine settings

Setting default values for Anti-Virus engine settings

Configuring actions on messages during Anti-Virus scanning

Configuring tags added to message subjects after Anti-Virus scanning

Configuring Anti-Virus scan restrictions and exclusions


About computer protection against certain legitimate applications

Legitimate applications are applications that may be installed and used on computers of users and are intended for performing user tasks. However, when exploited by intruders, legitimate applications of certain types can harm the user's computer and the corporate LAN. If intruders gain access to these applications, or if they plant them on the user's computer, some of their features can be used to compromise security.

These applications include IRC clients, auto-dialers, file downloaders, computer system activity monitors, password utilities, and Internet servers for FTP, HTTP, and Telnet.

Such applications are described in the table below.

 

| Type | Name | Description |
|---|---|---|
| Client-IRC | Online chat clients | Users install these applications to communicate with people in Internet Relay Chats. Intruders use them to spread malware. |
| Dialer | Auto-dialers | They can establish phone connections over a modem in hidden mode. |
| Downloader | Downloader applications | They can download files from web pages in hidden mode. |
| Monitor | Monitor applications | They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers). |
| PSWTool | Password restorers | They allow viewing and restoring forgotten passwords. Intruders secretly plant them on computers for the same purpose. |
| RemoteAdmin | Remote administration programs | They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly plant them on computers for the same purpose: to monitor and control computers. Legitimate remote administration applications differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legitimate applications are unable to do so. |
| Server-FTP | FTP servers | They function as FTP servers. Intruders plant them on computers to gain remote access to them via the FTP protocol. |
| Server-Proxy | Proxy servers | They function as proxy servers. Intruders plant them on computers to send spam from them. |
| Server-Telnet | Telnet servers | They function as Telnet servers. Intruders plant them on computers to gain remote access to them via the Telnet protocol. |
| Server-Web | Web servers | They function as web servers. Intruders plant them on computers to gain remote access to them via the HTTP protocol. |
| RiskTool | Tools for managing a virtual machine | They offer the user additional capabilities for managing the computer. The tools allow the user to hide files or windows of active applications and terminate active processes. |
| NetTool | Network tools | They offer the user of the computer on which they are installed additional capabilities for interacting with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers. |
| Client-P2P | P2P network clients | They allow working on peer-to-peer networks. They can be used by intruders for spreading malware. |
| Client-SMTP | SMTP clients | They send email messages without the user's knowledge. Intruders plant them on computers to send spam from them. |
| WebToolbar | Web toolbars | They add toolbars to the interfaces of other applications to use search engines. |
| FraudTool | Pseudo-programs | They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything. |


About Anti-Virus protection status

Based on the results of scanning for viruses, the Anti-Virus engine assigns one of the following Anti-Virus scan statuses to messages:

  • Clean (Clean message) – the object is not infected.
  • Infected (Infected message) – the object is infected; either it cannot be disinfected, or disinfection has not been attempted.
  • Disinfected (Disinfected message) – the object is disinfected.
  • Probably infected (Probably infected message) – the object is probably infected with an unknown virus or a new modification of a known virus.
  • Encrypted (Encrypted message) – the object cannot be scanned because it is encrypted.
  • Corrupted (Corrupted message) – the object is corrupted or an error occurred during scanning.


Enabling and disabling Anti-Virus protection of messages

To enable or disable Anti-Virus protection of messages:

  1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
  2. In the Anti-Virus section, do one of the following:
    • Flip on the toggle switch next to the name of the Anti-Virus settings group to enable Anti-Virus scanning of messages.
    • Flip off the toggle switch next to the name of the Anti-Virus settings group to disable Anti-Virus scanning of messages.


Enabling and disabling Anti-Virus scanning for a rule

You can enable or disable Anti-Virus scanning of messages for one or several rules. Anti-Virus scanning is enabled by default.

Before enabling or disabling Anti-Virus scanning of messages for a rule, make sure that the Anti-Virus engine of Kaspersky Secure Mail Gateway is enabled.

To enable or disable Anti-Virus scanning of messages for a rule:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the name of the rule to open the rule for which you want to enable or disable Anti-Virus scanning of messages.
  3. Select the Authentication of Mail Sender section.
  4. Do one of the following:
    • Flip on the toggle switch next to the name of the Anti-Virus settings group to enable Anti-Virus scanning of messages for a rule.
    • Flip off the toggle switch next to the name of the Anti-Virus settings group to disable Anti-Virus scanning of messages for a rule.
  5. Click the Apply button in the lower part of the workspace.


Configuring Anti-Virus engine settings

To configure Anti-Virus engine settings:

  1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
  2. In the Anti-Virus section, click any link to open the Anti-Virus protection settings window.
  3. In the Protection and heuristic analysis settings group, select one of the following options in the Use KSN drop-down list:
    • Yes — if you want to use KSN.
    • No — if you do not want to use KSN.
  4. In the Protection and heuristic analysis settings group, select one of the following options in the Use heuristic analysis drop-down list:
    • Yes — if you want to use Heuristic Analysis.
    • No — if you do not want to use Heuristic Analysis.
  5. If you have enabled heuristic analysis, select the level of heuristic analysis in the Heuristic analysis level list of the Protection and heuristic analysis settings group.
  6. In the Protection and heuristic analysis settings group, open the drop-down list I consider some legitimate applications that can be exploited by hackers, to be dangerous for the corporate LAN and select one of the following options:
    • Yes if you believe that such applications can be exploited by criminals to harm the computer network of your organization.
    • No if you do not believe that such applications can be exploited by criminals to harm the computer network of your organization.

    Such legitimate applications include, for example, commercial remote administration utilities, IRC clients, dialers, file downloaders, computer system activity monitors, and password management utilities. Messages found to contain such applications are processed according to the rules for infected and probably infected objects.

  7. If your selection in the I consider some legitimate applications that can be exploited by hackers, to be dangerous for the corporate LAN list is Yes, select one of the following options in the Protection and heuristic analysis section in the Enable detection of some legitimate applications drop-down list:
    • Yes if you want to enable detection of such applications by Kaspersky Secure Mail Gateway.
    • No if you want to disable detection of such applications by Kaspersky Secure Mail Gateway.
  8. In the Performance settings group, in the Maximum scanning time field specify the maximum Anti-Virus scan time in seconds.

    If the virus scan of a message does not finish within the time limit you specified, Kaspersky Secure Mail Gateway:

    • Stops scanning the message (Skip action).
    • Assigns Clean (Clean message) status to the message.
    • Adds the av-status="Clean" label to the message subject.
    • Delivers the message to the recipient.
    • Adds the following entry to the /var/log/maillog event log:

      <scan date and time> <Kaspersky Secure Mail Gateway host name>: not clean: message-id=<message ID>: relay-ip=<IP address of message recipient's computer>: action="Skipped": rules=<rule ID>: size=<message size>: mail-from=<message sender's email address>: rcpt-to=<message recipient's email address>: av-status="Clean", ap-status="Error", as-status="Error", ma-status="NotScanned, disabled by settings", cf-status="NotScanned, disabled by settings">

  9. In the Performance settings group, in the Maximum scanning level field specify the maximum scanning level for messages scanned by the Anti-Virus engine.
  10. Click the Apply button.
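
Because a scan that exceeds the Maximum scanning time is delivered with the Clean status, the maillog entry described in step 8 is the only record that the message was not fully scanned. The following triage script is an added example, not part of the Kaspersky documentation: it parses entries in the format shown above and lists messages with action="Skipped" and av-status="Clean". The sample lines, the timestamp and host prefix, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines that follow the entry template from step 8.
# The timestamp/host prefix and every value are assumptions for illustration.
SAMPLE_LOG = """\
2024-05-14T09:12:03 ksmg01: not clean: message-id=<a1@mail.example.org>: relay-ip=192.0.2.10: action="Skipped": rules=1: size=7340032: mail-from=sender@example.net: rcpt-to=alice@example.org: av-status="Clean", ap-status="Error", as-status="Error", ma-status="NotScanned, disabled by settings", cf-status="NotScanned, disabled by settings"
2024-05-14T09:12:05 ksmg01 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
2024-05-14T09:13:40 ksmg01: not clean: message-id=<b2@mail.example.org>: relay-ip=198.51.100.7: action="Skipped": rules=1: size=20480: mail-from=other@example.com: rcpt-to=bob@example.org: av-status="Encrypted", ap-status="Clean", as-status="Clean", ma-status="NotScanned, disabled by settings", cf-status="NotScanned, disabled by settings"
2024-05-14T09:15:11 ksmg01: not clean: message-id=<c3@mail.example.org>: relay-ip=2001:db8::25: action="Skipped": rules=2: size=9437184: mail-from=sender@example.net: rcpt-to=carol@example.org: av-status="Clean", ap-status="Error", as-status="Error", ma-status="NotScanned, disabled by settings", cf-status="NotScanned, disabled by settings"
"""

# key="quoted value"  or  key=bare-value terminated by ':' or ',' plus whitespace.
# The lazy bare-value match keeps colons inside IPv6 addresses intact.
FIELD = re.compile(r'([a-z][a-z-]*)=(?:"([^"]*)"|(\S+?)(?=[:,]?(?:\s|$)))')


def parse_entry(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for m in FIELD.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def timed_out_scans(lines):
    """Entries delivered as Clean although the scan was skipped.

    The combination action="Skipped" + av-status="Clean" is the one the
    documentation gives for a scan that hit the time limit; treating it as
    the indicator is an assumption of this example.
    """
    hits = []
    for line in lines:
        fields = parse_entry(line)
        if fields.get("action") == "Skipped" and fields.get("av-status") == "Clean":
            hits.append(fields)
    return hits


def senders_by_count(hits):
    """Rank senders by how many of their messages escaped a full scan."""
    return Counter(h.get("mail-from", "?") for h in hits).most_common()


if __name__ == "__main__":
    hits = timed_out_scans(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["message-id"], h["relay-ip"], h["size"], h["rcpt-to"])
    for sender, count in senders_by_count(hits):
        print(f"{count} unscanned message(s) from {sender}")
```

Messages listed by the script can be retrieved by message ID and rescanned or reviewed manually; a sender that appears repeatedly is a reason to revisit the Maximum scanning time value.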


Setting default values for Anti-Virus engine settings

To set default values for Anti-Virus engine settings:

  1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
  2. In the Anti-Virus section, click any link to open the Anti-Virus protection settings window.
  3. In the lower part of the Anti-Virus settings window, click the Set default values link.
  4. Click the Apply button.


Configuring actions on messages during Anti-Virus scanning

To configure the actions to be performed by Kaspersky Secure Mail Gateway on messages during Anti-Virus scanning:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the link with the name of the rule to open the rule for which you want to configure actions on messages during Anti-Virus scanning.
  3. Select the Anti-Virus section.
  4. Flip on the toggle switch next to the name of the Anti-Virus settings group if it is off.
  5. In the If an infected or probably infected object is detected drop-down list, select one of the following actions to perform on infected or probably infected messages that pose a threat to the local area network of your organization:
    • Disinfect.
    • Delete attachment.
    • Delete message.
    • Reject.
    • Skip.
  6. If the value of the If an infected or probably infected object is detected setting is set to Disinfect, in the right part of the workspace in the If disinfection fails drop-down list select one of the following actions to be performed on infected or probably infected messages that could not be disinfected:
    • Delete attachment.
    • Delete message.
    • Reject.
  7. If the value of the If an infected or probably infected object is detected setting is set to Disinfect, Delete attachment, or Delete message, you can configure message copies to be automatically saved in Backup before messages are processed. To do so, select the check box next to the Place copy in Backup setting name.

    By default, the application places a message copy in Backup before performing the Disinfect, Delete attachment, or Delete message action.

  8. In the If scan errors detected drop-down list, select one of the following actions to take on messages that returned errors during scanning:
    • Delete attachment.
    • Delete message.
    • Reject.
    • Skip.
  9. In the If encrypted object is detected drop-down list, select one of the following actions to take on messages containing encrypted objects:
    • Delete attachment.
    • Delete message.
    • Reject.
    • Skip.
  10. Click the Apply button in the lower part of the workspace.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that Anti-Virus scanning of messages is enabled for the rule and the rule for which you have configured settings is enabled.


Configuring tags added to message subjects after Anti-Virus scanning

To configure tags that Kaspersky Secure Mail Gateway adds to the message subject after Anti-Virus scanning:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the name of the rule to open the rule for which you want to configure tags added to message subjects after Anti-Virus scanning.
  3. Select the Anti-Virus section.
  4. Flip on the toggle switch next to the name of the Anti-Virus settings group if it is off.
  5. Add a tag to the Subject field of infected messages. To do so, perform the following:
    1. In the If an infected or probably infected object is detected settings group, click the link on the right of the name of the Add the following text to the subject of an infected or probably infected email message setting to open the Tag for messages that contain malicious objects window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of infected or probably infected messages. For example, you can add the Infected tag.
    3. Click OK.

      The Tag for messages that contain malicious objects window closes.

  6. Add a tag to the Subject field of disinfected messages. To do so, perform the following:
    1. In the If an infected or probably infected object is detected settings group, click the link on the right of the name of the Add the following text to the subject of a disinfected email message setting to open the Tag for messages that contain disinfected objects window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of disinfected messages. For example, you can add the Cured tag.
    3. Click OK.

      The Tag for messages that contain disinfected objects window closes.

  7. Add a tag to the Subject field of messages with objects found to contain errors during scanning. To do so, perform the following:
    1. In the If scan errors detected settings group, click the link on the right of the name of the Add the following text to subject of email message setting to open the Tag for messages with objects that cause scan errors window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of messages that returned scan errors. For example, you can add the Corrupted tag.
    3. Click OK.

      The Tag for messages with objects that cause scan errors window closes.

  8. Add a tag to the Subject field of messages that contain encrypted objects. To do so, perform the following:
    1. In the If encrypted object is detected settings group, click the link on the right of the name of the Add the following text to subject of email message setting to open the Tag for messages that contain encrypted objects window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of messages containing encrypted objects. For example, you can add the Encrypted tag.
    3. Click OK.

      The Tag for messages that contain encrypted objects window closes.

  9. Click the Apply button in the lower part of the workspace.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that Anti-Virus scanning of messages is enabled for the rule and the rule for which you have configured settings is enabled.


Configuring Anti-Virus scan restrictions and exclusions

To configure restrictions and exclusions during Anti-Virus scanning for a rule:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the link with the name of the rule to open the rule for which you want to configure restrictions and exclusions from Anti-Virus scanning of messages.
  3. Select the Anti-Virus section.
  4. Flip on the toggle switch next to the name of the Anti-Virus settings group if it is off.
  5. If you want to exclude archives from Anti-Virus scanning, in the Exclusions from scanning settings group select the Do not scan archives check box.
  6. To exclude message attachments of a certain size from Anti-Virus scanning, do the following in the Exclusions from scanning settings group:
    1. Click the link on the right of the Do not scan objects larger than: setting to open the Attachment size scan limit window.
    2. In the field under the window name, enter the maximum size of objects to be scanned in the range from 0 KB to 1048576 KB (1 GB).

      If the value is set to 0 KB, no restrictions apply to the size of objects.

    3. Click OK.

      The Attachment size scan limit window closes.

  7. To exclude message attachments with certain names from Anti-Virus scanning, do the following in the Exclusions from scanning settings group:
    1. Click the link on the right of the name of the Do not scan attachments by name masks setting to open the Forbidden names window.
    2. In the field under the window name, enter the masks of names of attachments that you want to exclude from Anti-Virus scanning.

      Masks can contain any symbols. Separate masks with the ";" symbol.

    3. Click OK.

      The Forbidden names window closes.

  8. To exclude message attachments of a certain format from Anti-Virus scanning, do the following in the Exclusions from scanning settings group:
    1. Click the link on the right of the name of the Do not scan attachments by file types setting to open the Forbidden attachment types window.
    2. Select check boxes next to the formats of attachments that you want to exclude from Anti-Virus scanning.
    3. Click the Close button.

      The Forbidden attachment types window closes.

  9. Click the Apply button in the lower part of the workspace.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that Anti-Virus scanning of messages is enabled for the rule and the rule for which you have configured settings is enabled.
