Kaspersky Secure Mail Gateway Help

Anti-Virus protection

Kaspersky Secure Mail Gateway provides anti-virus protection of messages: it scans email messages for viruses and other threats and disinfects infected objects using the current (latest) version of Anti-Virus databases.

Messages are scanned for viruses and other threats by the Anti-Virus engine. The Anti-Virus engine scans the body of the message and all attached files in any format (attachments) using the Anti-Virus databases. The Anti-Virus engine detects and blocks email attachments that are intended for a limited number of recipients and are components of targeted attacks designed to exploit software vulnerabilities.

In addition to virus scanning of messages, you can enable detection of certain legitimate applications by the Anti-Virus component.

Based on the scan results, the Anti-Virus engine assigns the message one of the virus scan status labels and adds a tag with the status at the beginning of the message subject (Subject field).

Depending on the status assigned, the application performs actions in accordance with the message processing rule settings. You can select actions to be performed by the application on messages with a certain status and configure tags to be added to messages based on the Anti-Virus scanning result. Before processing a message, the application saves a copy of it in Backup.

You can specify the maximum size of attachments to be scanned and determine the objects to be skipped during Anti-Virus scanning. Attachments in certain formats and with certain names can be excluded from the scan.

The Anti-Virus engine is enabled by default. If required, you can disable the Anti-Virus module or disable Anti-Virus scanning for any rule.

In this Help section

About computer protection against certain legitimate applications

About virus scan status

Enabling and disabling Anti-Virus protection of messages

Enabling and disabling Anti-Virus scanning for a rule

Configuring Anti-Virus engine settings

Setting default values for Anti-Virus engine settings

Configuring actions on messages during Anti-Virus scanning

Configuring tags added to message subjects after Anti-Virus scanning

Configuring Anti-Virus scan restrictions and exclusions

About computer protection against certain legitimate applications

Legitimate applications are applications that may be installed and used on computers of users and are intended for performing user tasks. However, when exploited by intruders, legitimate applications of certain types can harm the user's computer and the corporate LAN. If hackers gain access to these applications, or if they plant them on the user's computer, some of their features can be used to compromise the security of the user's computer or the corporate network.

These applications include IRC clients, auto-dialers, file downloaders, computer system activity monitors, password utilities, and Internet servers for FTP, HTTP, and Telnet.

Such applications are described in the table below.

 

| Type | Name | Description |
| --- | --- | --- |
| Client-IRC | Online chat clients | Users install these applications to communicate with people in Internet Relay Chats. Intruders use them to spread malware. |
| Dialer | Auto-dialers | They can establish phone connections over a modem in hidden mode. |
| Downloader | Downloader applications | They can download files from web pages in hidden mode. |
| Monitor | Monitor applications | They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers). |
| PSWTool | Password restorers | They allow viewing and restoring forgotten passwords. Intruders secretly plant them on computers for the same purpose. |
| RemoteAdmin | Remote administration programs | They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly plant them on computers for the same purpose: to monitor and control computers. Legitimate remote administration applications differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legitimate applications are unable to do so. |
| Server-FTP | FTP servers | They function as FTP servers. Intruders plant them on computers to gain remote access to them via the FTP protocol. |
| Server-Proxy | Proxy servers | They function as proxy servers. Intruders plant them on computers to send spam from them. |
| Server-Telnet | Telnet servers | They function as Telnet servers. Intruders plant them on computers to gain remote access to them via the Telnet protocol. |
| Server-Web | Web servers | They function as web servers. Intruders plant them on computers to gain remote access to them via the HTTP protocol. |
| RiskTool | Tools for managing a virtual machine | They offer the user additional capabilities for managing the computer. The tools allow the user to hide files or windows of active applications and terminate active processes. |
| NetTool | Network tools | They offer the user of the computer on which they are installed additional capabilities for interacting with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers. |
| Client-P2P | P2P network clients | They allow working on peer-to-peer networks. They can be used by intruders for spreading malware. |
| Client-SMTP | SMTP clients | They send email messages without the user's knowledge. Intruders plant them on computers to send spam from them. |
| WebToolbar | Web toolbars | They add toolbars to the interfaces of other applications to use search engines. |
| FraudTool | Pseudo-programs | They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything. |

About virus scan status

Based on the results of scanning for viruses, the Anti-Virus engine assigns one of the following virus scan statuses to messages:

  • Clean (Clean message)—Object is not infected.
  • Infected (Infected message)—Object is infected; either it cannot be disinfected, or disinfection has not been attempted.
  • Disinfected (Disinfected message)—Object is disinfected.
  • Encrypted (Encrypted message)—Object cannot be scanned because it is encrypted.
  • Corrupted (Corrupted message)—Object is corrupted or an error occurred during scanning.
  • Attachments with macros—Message contains a macro in the attachment.

Enabling and disabling Anti-Virus protection of messages

To enable or disable Anti-Virus protection of messages:

  1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
  2. In the Anti-Virus section, do one of the following:
    • Flip on the toggle switch next to the name of the Anti-Virus settings group to enable anti-virus protection of messages.
    • Flip off the toggle switch next to the name of the Anti-Virus settings group to disable anti-virus protection of messages.

Enabling and disabling Anti-Virus scanning for a rule

You can enable or disable virus scanning of messages for one or several rules. Anti-Virus scanning is enabled by default.

Before enabling or disabling Anti-Virus scanning of messages for a rule, make sure that the Anti-Virus engine of Kaspersky Secure Mail Gateway is enabled.

To enable or disable virus scanning of messages for a rule:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the name of the rule to open the rule for which you want to enable or disable virus scanning of messages.
  3. Select the Anti-Virus section.
  4. Do one of the following:
    • Flip on the toggle switch next to the name of the Anti-Virus settings group to enable virus scanning of messages for a rule.
    • Flip off the toggle switch next to the name of the Anti-Virus settings group to disable virus scanning of messages for a rule.
  5. Click the Apply button in the lower part of the workspace.

Configuring Anti-Virus engine settings

To configure Anti-Virus engine settings:

  1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
  2. In the Anti-Virus section, click any link to open the Anti-Virus settings window.
  3. In the Protection and heuristic analysis settings group, select one of the following options in the drop-down list Use KSN:
    • Yes, if you want to use KSN.
    • No, if you do not want to use KSN.
  4. In the Protection and heuristic analysis settings group, select one of the following options in the drop-down list Use heuristic analysis:
    • Yes, if you want to use Heuristic Analysis.
    • No, if you do not want to use Heuristic Analysis.
  5. If you have enabled heuristic analysis, select the level of heuristic analysis in the Heuristic analysis level list of the Protection and heuristic analysis settings group.
  6. In the Protection and heuristic analysis settings group, select one of the following options in the I consider some legitimate applications that can be exploited by hackers, to be dangerous for the corporate LAN drop-down list:
    • Yes, if you believe that such applications can be exploited by criminals to harm the computer network of your organization.
    • No, if you do not believe that such applications can be exploited by criminals to harm the computer network of your organization.

    Such legitimate applications include, for example, commercial remote administration utilities, IRC clients, dialers, file downloaders, computer system activity monitors, and password management utilities. Messages in which such applications are detected will be processed according to the rules for infected objects.

  7. If, in the I consider some legitimate applications that can be exploited by hackers, to be dangerous for the corporate LAN list, you selected Yes, in the Protection and heuristic analysis settings group in the Enable detection of some legitimate applications drop-down list select one of the following options:
    • Yes, if you want to enable detection of such applications by Kaspersky Secure Mail Gateway.
    • No, if you want to disable detection of such applications by Kaspersky Secure Mail Gateway.
  8. In the Performance settings group, in the Maximum scanning time field specify the maximum virus scan time in seconds.

    If the virus scan of a message does not finish within the time limit you specified, Kaspersky Secure Mail Gateway:

    • Stops scanning the message (Skip action).
    • Assigns Clean (Clean message) status to the message.
    • Adds the av-status="Clean" label to the message subject.
    • Delivers the message to the recipient.
    • Adds the following entry to the /var/log/maillog event log:

      <scan time and date> <Kaspersky Secure Mail Gateway hostname>: not clean: message-id=<message ID>: relay-ip=<IP address of the computer of the message recipient>: action="Skipped": rules=<rule ID>: size=<message size>: mail-from=<email address of the message sender>: rcpt-to=<email address of the message sender>: av-status="Clean", ap-status="Error", as-status="Error", ma-status="NotScanned, disabled by settings", cf-status="NotScanned, disabled by settings">

  9. In the Performance settings group, in the Maximum scanning level field specify the maximum scanning level for messages scanned by the Anti-Virus engine.
  10. Click the Apply button.
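Because a scan that exceeds the Maximum scanning time ends with the message delivered as Clean, the maillog entry from step 8 is the only record that the message was not fully scanned. The following Python sketch is an added example, not part of the Kaspersky documentation: it parses entries in the format shown in step 8 and lists the messages delivered with action="Skipped" and av-status="Clean". It assumes a syslog-style prefix and treats that field combination as the timeout signature; all sample lines are constructed.

```python
import re
from collections import Counter

# key=value pairs; a value is either "quoted" (and may contain ", ") or a bare token.
FIELD_RE = re.compile(r'(?<![\w-])([a-z]+(?:-[a-z]+)*)=(?:"([^"]*)"|([^\s"]+))')

# Status part of the entry exactly as shown in step 8.
_TIMEOUT_TAIL = ('av-status="Clean", ap-status="Error", as-status="Error", '
                 'ma-status="NotScanned, disabled by settings", '
                 'cf-status="NotScanned, disabled by settings">')

# Constructed sample of /var/log/maillog. The two "Skipped" entries follow the
# format from step 8. The postfix line and the "Rejected"/"Infected" values are
# assumptions, present only so the parser has entries it must ignore.
SAMPLE_LOG = [
    'Mar  3 10:15:01 ksmg01 postfix/smtpd[2211]: connect from mx.example.test[192.0.2.10]',
    'Mar  3 10:15:09 ksmg01: not clean: message-id=<a1@mail.example.test>: '
    'relay-ip=192.0.2.10: action="Skipped": rules=2: size=734003: '
    'mail-from=sender@example.test: rcpt-to=user@example.test: ' + _TIMEOUT_TAIL,
    'Mar  3 10:16:40 ksmg01: not clean: message-id=<a2@mail.example.test>: '
    'relay-ip=192.0.2.44: action="Rejected": rules=2: size=1200: '
    'mail-from=x@example.test: rcpt-to=user@example.test: av-status="Infected">',
    'Mar  3 10:19:55 ksmg01: not clean: message-id=<a3@mail.example.test>: '
    'relay-ip=192.0.2.10: action="Skipped": rules=7: size=912340: '
    'mail-from=sender@example.test: rcpt-to=ops@example.test: ' + _TIMEOUT_TAIL,
]


def parse_entry(line):
    """Return the key=value fields of one maillog entry as a dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # Bare values still carry the ":" or "," that separates fields.
        fields[key] = quoted if bare == "" else bare.rstrip(":,")
    return fields


def is_timeout_delivery(fields):
    """Signature of a scan that was abandoned and delivered as Clean."""
    return fields.get("action") == "Skipped" and fields.get("av-status") == "Clean"


def find_unscanned_deliveries(lines):
    """Return parsed entries for messages delivered without a completed scan."""
    hits = []
    for line in lines:
        fields = parse_entry(line)
        if is_timeout_delivery(fields):
            hits.append(fields)
    return hits


def summarize(hits, key="rules"):
    """Count hits per rule (or any other field) to show where timeouts cluster."""
    return Counter(h.get(key, "?") for h in hits)


if __name__ == "__main__":
    found = find_unscanned_deliveries(SAMPLE_LOG)
    for f in found:
        print(f["message-id"], f["mail-from"], "->", f["rcpt-to"], f["size"])
    print(dict(summarize(found)))
```

Repeated hits for one rule or one sender suggest that the Maximum scanning time is too low for the attachments that rule handles, or that oversized content is being used to run out the scan clock.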

Setting default values for Anti-Virus engine settings

To set default values for Anti-Virus engine settings:

  1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
  2. In the Anti-Virus section, click any link to open the Anti-Virus settings window.
  3. In the lower part of the Anti-Virus settings window, click the Set default values link.
  4. Click the Apply button.

Configuring actions on messages during Anti-Virus scanning

To configure the actions to be performed by Kaspersky Secure Mail Gateway on messages during virus scanning:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the link with the name of the rule to open the rule for which you want to configure actions on messages during virus scanning.
  3. Select the Anti-Virus section.
  4. Flip on the toggle switch next to the name of the Anti-Virus settings group if it is off.
  5. In the If an infected file is detected drop-down list, select one of the following actions to perform on infected messages that pose a threat to the local area network of your organization:
    • Disinfect
    • Delete attachment
    • Delete message
    • Reject
    • Skip

    The Disinfect action is selected by default.

  6. If the action of the If an infected file is detected setting is set to Disinfect, in the right part of the workspace in the If disinfection fails drop-down list select one of the following actions to take on infected messages that cannot be disinfected:
    • Delete attachment
    • Delete message
    • Reject

    The Delete attachment action is selected by default.

  7. If you selected one of the actions Disinfect, Delete attachment or Delete message, you can configure copies of messages to be automatically saved in Backup before those messages are processed. To do so, select the check box next to the Place copy in Backup setting name.

    By default, before performing the Disinfect, Delete attachment and Delete message actions, the application places a copy of messages in Backup.

  8. In the If scan errors detected drop-down list, select one of the following actions to take on messages that returned errors during scanning:
    • Delete attachment
    • Delete message
    • Reject
    • Skip

    The Skip action is selected by default.

  9. If you selected one of the actions Delete attachment or Delete message, you can configure copies of messages to be automatically saved in Backup before those messages are processed. To do so, select the check box next to the Place copy in Backup setting name.

    By default, before performing the Delete attachment and Delete message actions, the application places a copy of messages in Backup.

  10. In the If encrypted object is detected drop-down list, select one of the following actions to take on messages containing encrypted objects:
    • Delete attachment
    • Delete message
    • Reject
    • Skip

    The Skip action is selected by default.

  11. If you selected one of the actions Delete attachment or Delete message, you can configure copies of messages to be automatically saved in Backup before those messages are processed. To do so, select the check box next to the Place copy in Backup setting name.

    By default, before performing the Delete attachment and Delete message actions, the application places a copy of messages in Backup.

  12. Select the Process attachments with macros check box if you want the application to process attachments with macros.
  13. In the If a macro is detected drop-down list, select one of the following actions to take on messages containing macros in an attachment:
    • Delete attachment
    • Delete message
    • Reject
    • Skip

    The Delete attachment action is selected by default.

  14. If you selected one of the actions Delete attachment or Delete message, you can configure copies of messages to be automatically saved in Backup before those messages are processed. To do so, select the check box next to the Place copy in Backup setting name.

    By default, before performing the Delete attachment and Delete message actions, the application places a copy of messages in Backup.

  15. Click the Apply button in the lower part of the workspace.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that Anti-Virus scanning of messages is enabled for the rule and the rule for which you have configured settings is enabled.

Configuring tags added to message subjects after Anti-Virus scanning

To configure tags that Kaspersky Secure Mail Gateway adds to the message subject after virus scanning:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the name of the rule to open the rule for which you want to configure tags added to message subjects after virus scanning.
  3. Select the Anti-Virus section.
  4. Flip on the toggle switch next to the name of the Anti-Virus settings group if it is off.
  5. Add a tag to the Subject field of infected messages. To do so, perform the following:
    1. In the If an infected file is detected settings group, click the link to the right of the Add the following text to the subject of an infected email message setting name to open the Tag for messages that contain malicious objects window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of infected messages. For example, you can add the Infected tag.
    3. Click the OK button.

      The Tag for messages that contain malicious objects window closes.

  6. Add a tag to the Subject field of disinfected messages. To do so, perform the following:
    1. In the If an infected file is detected settings group, click the link to the right of the Add the following text to the subject of a disinfected email message setting name to open the Tag for messages that contain disinfected objects window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of disinfected messages. For example, you can add the Cured tag.
    3. Click the OK button.

      The Tag for messages that contain disinfected objects window closes.

  7. Add a tag to the Subject field of messages with objects found to contain errors during scanning. To do so, perform the following:
    1. In the If scan errors detected settings group, click the link to the right of the Add the following text to subject of email message setting name to open the Tag for messages with objects that cause scan errors window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of messages that returned scan errors. For example, you can add the Corrupted tag.
    3. Click the OK button.

      The Tag for messages with objects that cause scan errors window closes.

  8. Add a tag to the Subject field of messages that contain encrypted objects. To do so, perform the following:
    1. In the If encrypted object is detected settings group, click the link to the right of the Add the following text to subject of email message setting name to open the Tag for messages that contain encrypted objects window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of messages containing encrypted objects. For example, you can add the Encrypted tag.
    3. Click the OK button.

      The Tag for messages that contain encrypted objects window closes.

  9. Add a label to the Subject field of messages that contain macros in an attachment. To do so, perform the following:
    1. In the If a macro is detected settings group, click the link to the right of the Add the following text to subject of email message setting name to open the Tag for messages with a macro in the attachment window.
    2. In the field under the name of the window, enter the text that you want to add at the beginning of the subject of messages containing macros in an attachment. For example, you can add the Attachments with Macros tag.
    3. Click the OK button.

      The Tag for messages with a macro in the attachment window closes.

  10. Click the Apply button in the lower part of the workspace.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that Anti-Virus scanning of messages is enabled for the rule and the rule for which you have configured settings is enabled.

Configuring Anti-Virus scan restrictions and exclusions

To configure restrictions and exclusions during virus scanning for a rule:

  1. In the main window of the application web interface, open the management console tree and select the Rules section.
  2. In the list of rules, click the link with the name of the rule to open the rule for which you want to configure restrictions and exclusions from virus scanning of messages.
  3. Select the Anti-Virus section.
  4. Flip on the toggle switch next to the name of the Anti-Virus settings group if it is off.
  5. If you want to exclude archives from virus scanning, in the Exclusions from scanning settings group select the Do not scan archives check box.
  6. To exclude message attachments of a certain size from virus scanning, do the following in the Exclusions from scanning settings group:
    1. Click the link to the right of the Do not scan objects larger than setting name to open the Attachment size scan limit window.
    2. In the field under the window name, enter the maximum size of objects to be scanned in the range from 0 KB to 1048576 KB (1 GB).

      If the value is set to 0 KB, no restrictions apply to the size of objects.

    3. Click the OK button.

      The Attachment size scan limit window closes.

  7. To exclude message attachments with certain names from virus scanning, do the following in the Exclusions from scanning settings group:
    1. Click the link to the right of the Do not scan attachments by name masks setting name to open the Banned names window.
    2. In the field under the window name, enter the masks of names of attachments that you want to exclude from virus scanning.

      Masks can contain any symbols. Separate masks with the ";" symbol.

    3. Click the OK button.

      The Banned names window closes.

  8. If you want to exclude message attachments of a certain format from virus scans, do the following in the Exclusions from scanning settings group:
    1. Click the link to the right of the Do not scan attachments by file types setting name to open the Banned attachment types window.
    2. Select check boxes next to the formats of attachments that you want to exclude from virus scanning.
    3. Click the Close button.

      The Banned attachment types window closes.

  9. Click the Apply button in the lower part of the workspace.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that Anti-Virus scanning of messages is enabled for the rule and the rule for which you have configured settings is enabled.
