F-Secure Anti-Virus for Microsoft Exchange

F-Secure Anti-Virus for
Microsoft Exchange
Administrator’s Guide

"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure
product names and symbols/logos are either trademarks or registered trademarks of F-Secure
Corporation. All product names referenced herein are trademarks or registered trademarks of their
respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of
others. Although F-Secure Corporation makes every effort to ensure that this information is accurate,
F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure
Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of
this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of F-Secure Corporation.
Copyright © 1993-2006 F-Secure Corporation. All rights reserved.
Portions Copyright © 1991-2006 Kaspersky Lab.
This product includes software developed by the Apache Software Foundation (http://
www.apache.org/). Copyright © 2000-2006 The Apache Software Foundation. All rights reserved.
This product includes PHP, freely available from http://www.php.net/. Copyright © 1999-2006 The PHP
Group. All rights reserved.
This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution
are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file.
All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the
“Artistic License”.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372
GB2374260
GB2366691 GB2366692 GB2366693 GB2367933 GB2368233
12000040-7B15

Contents
About This Guide 9
How This Guide Is Organized ............................................................................................ 10
Conventions Used in F-Secure Guides.............................................................................. 12
Symbols .................................................................................................................... 12
Chapter 1 Introduction 14
1.1 Overview ....................................................................................................................15
1.2 How F-Secure Anti-Virus for Microsoft Exchange Works...........................................16
1.3 Key Features..............................................................................................................19
1.4 F-Secure Anti-Virus Mail Server and Gateway Products ...........................................21
Chapter 2 Deployment 23
2.1 Installation Modes ......................................................................................................24
2.2 Network Requirements...............................................................................................24
2.3 Deployment Scenarios ...............................................................................................25
2.3.1 Minimum Installation.......................................................................................25
2.3.2 Medium to Large Installation ..........................................................................27
2.3.3 Performance-Critical Installation.....................................................................28
2.3.4 Microsoft Exchange Cluster Environment ......................................................30
Chapter 3 Installation 32
3.1 System Requirements................................................................................................33
3.1.1 Minimum System Requirements.....................................................................33
3.1.2 Which SQL Server to Use for the Quarantine Database? ..............................35
3

3.1.3 Web Browser Software Requirements ...........................................................36
3.2 Improving Reliability and Performance ......................................................................37
3.3 Centrally Administered or Stand-alone Installation? ..................................................38
3.4 Installation Overview ..................................................................................................38
3.5 Installing F-Secure Anti-Virus for Microsoft Exchange...............................................40
3.6 After the Installation ...................................................................................................59
3.6.1 Importing Product MIB files to F-Secure Policy Manager Console.................59
3.6.2 Configuring the Product..................................................................................60
3.7 Upgrading the Previous Version ................................................................................60
3.8 Upgrading the Evaluation Version..............................................................................63
3.9 Uninstalling F-Secure Anti-Virus for Microsoft Exchange ..........................................64
Chapter 4 Using F-Secure Anti-Virus for Microsoft Exchange 65
4.1 Overview ....................................................................................................................66
4.2 Administering F-Secure Anti-Virus for Microsoft Exchange .......................................66
4.3 Using the Web Console .............................................................................................67
4.3.1 Logging in for the First Time...........................................................................67
4.4 Checking the Product Status......................................................................................70
4.5 Configuring the Web Console ....................................................................................73
4.6 Using F-Secure Policy Manager Console ..................................................................74
4.7 Modifying Settings and Viewing Statistics..................................................................75
4.7.1 Centrally Administered Mode .........................................................................75
4.7.2 Stand-alone Mode ..........................................................................................76
4.8 Manually Processing Mailboxes and Public Folders ..................................................77
4.8.1 Centrally Administered Mode .........................................................................77
4.8.2 Stand-alone Mode ..........................................................................................86
4.8.3 Creating Scanning Operations .......................................................................87
4.9 Configuring Alert Forwarding ...................................................................................119
4.9.1 Centrally Administered Mode .......................................................................119
4.9.2 Stand-Alone Mode........................................................................................122
4.10 Viewing Alerts ..........................................................................................................123
4

Chapter 5 Centrally Managed Administration 125
5.1 Overview ..................................................................................................................126
5.2 F-Secure Anti-Virus for Microsoft Exchange Settings ..............................................126
5.2.1 Real-Time Processing ..................................................................................128
5.2.2 Manual Processing.......................................................................................159
5.2.3 Scheduled Processing..................................................................................174
5.2.4 Content Scanner Servers .............................................................................175
5.2.5 Quarantine....................................................................................................178
5.2.6 Reporting......................................................................................................182
5.2.7 Advanced......................................................................................................182
5.3 F-Secure Anti-Virus for Microsoft Exchange Statistics.............................................184
5.3.1 Common.......................................................................................................185
5.3.2 Real-Time Processing ..................................................................................186
5.3.3 Manual Processing.......................................................................................189
5.3.4 Quarantine....................................................................................................192
5.4 F-Secure Content Scanner Server Settings.............................................................193
5.4.1 Interface........................................................................................................195
5.4.2 Virus Scanning .............................................................................................196
5.4.3 Virus Statistics ..............................................................................................199
5.4.4 Database Updates........................................................................................201
5.4.5 Spam Filtering ..............................................................................................202
5.4.6 Threat Detection Engine...............................................................................204
5.4.7 Proxy Configuration......................................................................................205
5.4.8 Advanced......................................................................................................206
5.5 F-Secure Content Scanner Server Statistics ...........................................................208
5.5.1 Server...........................................................................................................208
5.5.2 Scan Engines ...............................................................................................209
5.5.3 Common.......................................................................................................210
5.5.4 Spam Control................................................................................................210
5.5.5 Virus Statistics ..............................................................................................211
5.6 F-Secure Automatic Update Agent Settings ............................................................212
5.7 F-Secure Management Agent Settings ....................................................................214
Chapter 6 Administration with Web Console 216
6.1 Overview ..................................................................................................................217
5

6.2 F-Secure Anti-Virus for Microsoft Exchange Settings ..............................................218
6.2.1 Summary ......................................................................................................218
6.2.2 Virus Scanning .............................................................................................220
6.2.3 Stripping Attachments ..................................................................................236
6.2.4 Content Filtering ...........................................................................................246
6.2.5 Manual Scanning..........................................................................................253
6.2.6 Quarantine....................................................................................................257
6.2.7 Advanced......................................................................................................267
6.2.8 Internal Domains ..........................................................................................273
6.3 F-Secure Content Scanner Server Settings.............................................................275
6.3.1 Summary ......................................................................................................275
6.3.2 Database Updates........................................................................................282
6.3.3 Scan Engines ...............................................................................................284
6.3.4 Proxy Configuration......................................................................................289
6.3.5 Archive Scanning..........................................................................................292
6.3.6 Advanced......................................................................................................295
6.3.7 Interface........................................................................................................297
6.4 F-Secure Automatic Update Agent Settings ............................................................298
6.4.1 Summary ......................................................................................................299
6.4.2 Automatic Updates .......................................................................................301
6.4.3 PM Proxies ...................................................................................................303
6.5 F-Secure Management Agent Settings ....................................................................304
Chapter 7 Quarantine Management 307
7.1 Introduction ..............................................................................................................308
7.2 Configuring Quarantine Options...............................................................................309
7.3 Searching the Quarantined Content.........................................................................310
7.4 Query Results Page .................................................................................................314
7.5 Viewing Details of a Quarantined Message .............................................................316
7.6 Reprocessing the Quarantined Content...................................................................318
7.7 Releasing the Quarantined Content.........................................................................319
7.8 Removing the Quarantined Content.........................................................................321
7.9 Deleting Old Quarantined Content Automatically.....................................................321
7.10 Quarantine Logging..................................................................................................322
7.11 Quarantine Statistics ................................................................................................323
6

7.12 Moving the Quarantine Storage ...............................................................................324
Chapter 8 Administering F-Secure Spam Control 326
8.1 Overview ..................................................................................................................327
8.2 Spam Control Settings in Centrally Managed Environments ...................................328
8.3 Spam Control Settings in Web Console...................................................................331
8.4 Realtime Blackhole List Configuration .....................................................................336
8.4.1 Enabling Realtime Blackhole Lists ...............................................................336
8.4.2 Optimizing F-Secure Spam Control Performance ........................................338
Chapter 9 Updating Virus and Spam Definition Databases 340
9.1 Overview ..................................................................................................................341
9.2 Automatic Updates with F-Secure Automatic Update Agent....................................341
9.3 Configuring Automatic Updates ...............................................................................342
9.4 Manual Updates .......................................................................................................342
9.4.1 Using FSUPDATE ........................................................................................342
9.4.2 Updating the Virus Definition Database Remotely Using LATEST.ZIP ........343
Appendix A Deploying the Product on a Cluster 344
A.1 System and Network Recommendations ................................................................ 345
A.2 Installation Overview ................................................................................................347
A.3 Creating Quarantine Storage ...................................................................................348
A.3.1 Quarantine Storage in Active-Passive Cluster .............................................348
A.3.2 Quarantine Storage in Active-Active Cluster ................................................353
A.4 Installing the Product................................................................................................356
A.4.1 Installing on Active-Passive Cluster .............................................................356
A.4.2 Installing on Active-Active Cluster ................................................................358
A.5 Administering the Cluster Installation with F-Secure Policy Manager......................360
A.6 Using the Quarantine in the Cluster Installation.......................................................363
A.7 Troubleshooting .......................................................................................................363
Appendix B Variables in Warning Messages 364
List of Variables................................................................................................................ 365
Outbreak Management Alert Variables ............................................................................ 367
7

Appendix C Services and Processes 368
Chapter D Troubleshooting 374
D.1 Overview ..................................................................................................................375
D.2 Starting and Stopping...............................................................................................375
D.3 Viewing the Log File.................................................................................................375
D.4 Common Problems and Solutions............................................................................376
D.4.1 Installing Service Packs................................................................................379
D.4.2 Securing the Quarantine...............................................................................379
D.4.3 Administration Issues ...................................................................................380
D.5 Frequently Asked Questions ....................................................................................381
D.6 F-Secure Automatic Update Agent Troubleshooting................................................386
Technical Support 392
F-Secure Online Support Resources ............................................................................... 393
Web Club .........................................................................................................................395
Virus Descriptions on the Web .........................................................................................395
8

ABOUT THIS GUIDE
How This Guide Is Organized.................................................... 10
Conventions Used in F-Secure Guides ..................................... 13
9

10
How This Guide Is Organized
F-Secure Anti-Virus for Microsoft Exchange Administrator's Guide is
divided into the following chapters:
Chapter 1. Introduction. General information about F-Secure Anti-Virus
for Microsoft Exchange and other F-Secure Anti-Virus Mail Server and
Gateway products.
Chapter 2. Deployment. Instructions and examples how to set up your
network environment before you can install F-Secure Anti-Virus for
Microsoft Exchange.
Chapter 3. Installation. Instructions how to install and set up F-Secure
Anti-Virus for Microsoft Exchange.
Chapter 4. Using F-Secure Anti-Virus for Microsoft Exchange.
Instructions how to use and administer F-Secure Anti-Virus for Microsoft
Exchange.
Chapter 9. Updating Virus and Spam Definition Databases. Instructions
how to update your virus definition database.
Chapter 5. Centrally Managed Administration. Instructions how to
remotely administer F-Secure Anti-Virus for Microsoft Exchange and
F-Secure Content Scanner Server when they have been installed in
centralized administration mode.
Chapter 6. Administration with Web Console. Instructions how to
administer F-Secure Anti-Virus for Microsoft Exchange with the Web
Console.
Chapter 8. Administering F-Secure Spam Control. General information
about and instructions on how to configure F-Secure Spam Control.
Appendix A. Deploying the Product on a Cluster. Describes how the
product can be deployed and used on the cluster environment.
Appendix B. Variables in Warning Messages. Lists variables that can
be included in virus warning messages.
Appendix C. Services and Processes. Describes services, devices and
processes of F-Secure Anti-Virus for Microsoft Exchange.

About This Guide 11
Chapter D. Troubleshooting. Solutions to some common problems.
Technical Support. Contains the contact information for assistance.
About F-Secure Corporation. Describes the company background and
products.
See the F-Secure Policy Manager Administrator's Guide for detailed
information about installing and using the F-Secure Policy Manager
components:
F-Secure Policy Manager Console, the tool for remote
administration of F-Secure Anti-Virus for Microsoft Exchange.
F-Secure Policy Manager Server, which enables communication
between F-Secure Policy Manager Console and the managed
systems.

12
Conventions Used in F-Secure Guides
Symbols
Fonts
This section describes the symbols, fonts, and terminology used in this
manual.
l
WARNING: The warning symbol indicates a situation with a
risk of irreversible destruction to data.
IMPORTANT: An exclamation mark provides important information
that you need to consider.
REFERENCE - A book refers you to related information on the
topic available in another document.
NOTE - A note provides additional information that you should
consider.
TIP - A tip provides information that can help you perform a task
more quickly or easily.
⇒ An arrow indicates a one-step procedure.
Arial bold (blue) is used to refer to menu names and commands, to
buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book
titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table
captions, and for directory tree names.
Courier New is used for messages on your computer screen.

PDF Document
For More Information
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your
keyboard.
Arial underlined (blue) is used for user interface links.
Arial italics is used for window and dialog box names.
This manual is provided in PDF (Portable Document Format). The PDF
document can be used for online viewing and printing using Adobe®
Acrobat® Reader. When printing the manual, please print the entire
manual, including the copyright and disclaimer statements.
Visit F-Secure at http://www.f-secure.com for documentation, training
courses, downloads, and service and support contacts.
In our constant attempts to improve our documentation, we would
welcome your feedback. If you have any questions, comments, or
suggestions about this or any other F-Secure document, please contact
us at documentation@f-secure.com.
13

1
INTRODUCTION
Overview..................................................................................... 15
How F-Secure Anti-Virus for Microsoft Exchange Works ........... 16
Key Features .............................................................................. 19
F-Secure Anti-Virus Mail Server and Gateway Products............ 21
14

1.1 Overview
Malicious code, such as computer viruses, is one of the main threats for
companies today. In the past, malicious code spread mainly via disks and
the most common viruses were the ones that infected disk boot sectors.
When users began to use office applications with macro capabilities -
such as Microsoft Office - to write documents and distribute them via mail
and groupware servers, macro viruses started spreading rapidly.
After the millennium, the most common spreading mechanism has been
the e-mail. Today about 90% of viruses arrive via e-mail. E-mails provide
a very fast and efficient way for viruses to spread themselves without any
user intervention and that is why e-mail worm outbreaks, like Sober,
Netsky and Bagle, have caused a lot of damage around the world.
F-Secure Anti-Virus Mail Server and Gateway products are designed to
protect your company's mail and groupware servers and to shield the
company network from any malicious code that travels in HTTP or SMTP
traffic. In addition, they protect your company network against spam. The
protection can be implemented on the gateway level to screen all
incoming and outgoing e-mail (SMTP), web surfing (HTTP and
FTP-over-HTTP) and file transfer (FTP) traffic. Furthermore, it can be
implemented on the mail server level so that it does not only protect
inbound and outbound traffic but also internal mail traffic and public
sources, such as Public Folders on Microsoft Exchange servers.
Providing the protection already on the gateway level has plenty of
advantages. The protection is easy and fast to set up and install,
compared to rolling out antivirus protection on hundreds or thousands of
workstations. The protection is also invisible to the end users which
ensures that the system cannot be by-passed and makes it easy to
maintain. Of course, protecting the gateway level alone is not enough to
provide a complete antivirus solution; file server and workstation level
protection is needed, also.
Why clean 1000 workstations when you can clean one attachment at the
gateway level?
CHAPTER 1 15
Introduction

16
1.2 How F-Secure Anti-Virus for Microsoft Exchange
Works
Scanning
Attachments and
Message Bodies
Flexible and Scalable
Anti-Virus Protection
F-Secure Anti-Virus for Microsoft Exchange is designed to detect and
disinfect viruses and other malicious code from e-mail transmissions
through Microsoft Exchange 2000/2003 Server. Scanning is done in real
time as the mail passes through Microsoft Exchange Server. On-demand
scanning of user mailboxes and Public Folders is also available.
F-Secure Anti-Virus for Microsoft Exchange scans attachments and
message bodies for malicious code. It can also be instructed to remove
particular attachments according to the file name or the file extension. In
addition, it can filter out messages containing keywords that have been
defined as disallowed.
If the intercepted mail contains malicious code, F-Secure Anti-Virus for
Microsoft Exchange can be configured to disinfect or drop the content.
Any malicious code found during the scan process can be placed in the
Quarantine, where it can be further examined. Stripped attachments can
also be placed in the Quarantine for further examination.
F-Secure Anti-Virus for Microsoft Exchange is installed on Microsoft
Exchange 2000/2003 Server and it intercepts mail traveling through
mailboxes and Public folders. Intercepted attachments and documents
are sent to F-Secure Content Scanner Server, which returns disinfected
files back to F-Secure Anti-Virus for Microsoft Exchange.
The two-component product architecture ensures that the anti-virus
protection does not increase the load on the protected system and that
the infected data is never stored on the production network. It also
enables you to implement a server pool, so you can share the traffic load
between multiple F-Secure Content Scanner Servers and have backup
servers if the traffic to primary servers stops for some reason.

Powerful and Always
Up-to-date
Virus and Spam
Outbreak Detection
Stand-alone and
Centralized
Administration Modes
Alerting F-Secure Anti-Virus for Microsoft Exchange has extensive alerting
functions, which means that the system administrator can specify a
recipient inside the company network to be notified about the infection
found in the data content. Of course, the network administrator can be
notified about the infection also.
Scalability and
Reliability
F-Secure Anti-Virus for Microsoft Exchange uses the award-winning
F-Secure Anti-Virus scanner to ensure the highest possible detection rate
and disinfection capability. The daily F-Secure Anti-Virus signature
database updates provide F-Secure Anti-Virus for Microsoft Exchange an
always up-to-date protection capability.
F-Secure Anti-Virus scanner consistently ranks at the top when compared
to competing products. Our team of dedicated virus researchers is on call
24-hours a day responding to new and emerging threats. In fact,
F-Secure is one of the only companies to release tested virus definition
updates on a daily basis, to make sure our customers are receiving the
highest quality service and protection.
Massive spam and virus outbreaks consist of millions of messages which
share at least one identifiable pattern that can be used to distinguish the
outbreak. Any message that contains one or more of these patterns can
be assumed to be a part of the same spam or virus outbreak.
F-Secure Anti-Virus for Microsoft Exchange can identify these patterns
from the message envelope, headers and body, in any language,
message format and encoding type. It can detect spam messages and
new viruses during the first minutes of the outbreak.
F-Secure Anti-Virus for Microsoft Exchange can be installed either in
stand-alone or centrally administered mode. Depending on how it has
been installed, F-Secure Anti-Virus for Microsoft Exchange is managed
either with the Web Console or F-Secure Policy Manager.
F-Secure Policy Manager provides a scalable way to manage the security
of multiple applications on multiple operating systems, from one central
location. F-Secure Policy Manager is comprised of two components,
F-Secure Policy Manager Console and F-Secure Policy Manager Server,
CHAPTER 1 17
Introduction

18
which are used to administer applications. They are seamlessly
integrated with the F-Secure Management Agents that handle all
management functions on local hosts.
Easy to Administer If F-Secure Anti-Virus for Microsoft Exchange is installed in stand-alone
mode it can be managed with the web-based user interface. With Web
Console, you can configure F-Secure Anti-Virus for Microsoft Exchange
settings, set up scheduled scans or run manual processes any time you
want.
If F-Secure Anti-Virus for Microsoft Exchange has been installed in
centrally administered configuration, it is managed with F-Secure Policy
Manager. With its graphical user interface, F-Secure Policy Manager
Console provides a centralized view of the domains and hosts in your
network and lets you configure the security policies for all F-Secure
components. F-Secure Policy Manager receives status information from
F-Secure Anti-Virus for Microsoft Exchange.
F-Secure Policy Manager Server is the server side component that
handles communication between F-Secure Anti-Virus for Microsoft
Exchange and F-Secure Policy Manager Console. It exchanges security
policies, software updates, status information, statistics, alerts, and other
information between F-Secure Policy Manager Console and all managed
systems.
Figure 1-1 (1) E-mail arrives from the Internet to F-Secure Anti-Virus for Microsoft
Exchange, which (2) filters malicious content from mails and attachments, and (3)
delivers cleaned files forward.

1.3 Key Features
F-Secure Anti-Virus for Microsoft Exchange provides the following
features and capabilities.
Superior Protection Superior detection rate with multiple scanning engines.
Automatic malicious code detection and disinfection.
Virus Outbreak
Detection
Heuristic scanning detects also unknown Windows and macro
viruses.
Recursive scanning of ARJ, BZ2, CAB, GZ, JAR, LZH, MSI,
RAR, TAR, TGZ, Z and ZIP archive files.
Automatic daily virus definition database updates.
Suspicious and unsafe attachments can be stripped away from
e-mails.
Password protected archives can be treated as unsafe.
Intelligent file type recognition.
Message filtering based on keywords in message subjects and
text.
Utilizes the low-level Anti-Virus API (AV API 2.0) for Microsoft
Exchange 2000 Server, and AV AP 2.5 for Microsoft Exchange
2003 Server.
The virus outbreak detection is an additional active layer of
protection that automatically detects virus outbreaks and
quarantines suspicious messages.
Virus outbreaks are transparently detected and infected
messages are quarantined before the outbreak becomes
widespread.
The product can notify the administrator about virus outbreaks.
Quarantined unsafe messages can be reprocessed
automatically.
CHAPTER 1 19
Introduction

20
Transparency and
Scalability
Viruses are intercepted before they can enter the network and
spread out on workstations and servers.
Real-time scanning of internal, inbound and outbound mail
messages and Public Folder notes.
Automatic protection of new mailboxes and Public Folders.
Total transparency to end-users. Users cannot bypass the
system, which means that messages and documents cannot be
exchanged without scanning.
Support for Windows 2000 Advanced Server or Windows Server
2003 clusters. Both Active-Passive and Active-Active clusters are
supported.
Management Controlling and monitoring the behavior of the products remotely.
Protection against
Spam
Starting predefined operations remotely.
Monitoring statistics provided by the products remotely with
F-Secure Policy Manager or F-Secure Anti-Virus for Microsoft
Exchange Web Console.
Possibility to configure and manage stand-alone installations with
the convenient F-Secure Anti-Virus for Microsoft Exchange Web
Console.
Contains new quarantine management features: you can manage
and search quarantined content with the F-Secure Anti-Virus for
Microsoft Exchange Web Console.
Possible spam messages are transparently detected before they
become widespread.
Efficient spam detection based on different analyses on the
e-mail content.
Multiple filtering mechanisms guarantee the high accuracy of
spam detection.
Spam detection works in every language and message format.

1.4 F-Secure Anti-Virus Mail Server and Gateway
Products
The F-Secure Anti-Virus product line consists of workstation, file server,
mail server, gateway and mobile products.
F-Secure Internet Gatekeeper is a high performance, totally
automated web (HTTP and FTP-over-HTTP) and e-mail (SMTP)
virus scanning solution for the gateway level. F-Secure Internet
Gatekeeper works independently of firewall and e-mail server
solutions, and does not affect their performance.
F-Secure Anti-Virus for Microsoft Exchange protects your
Microsoft Exchange users from malicious code contained within
files they receive in mail messages and documents they open
from shared databases. Malicious code is also stopped in
outbound messages and in notes being posted on Public Folders.
The product operates transparently and scans files in the
Exchange Server Information Store in real-time. Manual and
scheduled scanning of user mailboxes and Public Folders is also
supported.
F-Secure Anti-Virus for MIMEsweeper provides a powerful
anti-virus scanning solution that tightly integrates with Clearswift
MIMEsweeper for SMTP and MIMEsweeper for Web products.
F-Secure provides top-class anti-virus software with fast and
simple integration to Clearswift MAILsweeper and WEBsweeper,
giving the corporation the powerful combination of complete
content security.
F-Secure Internet Gatekeeper for Linux provides a
high-performance solution at the Internet gateway level, stopping
viruses and other malicious code before the spread to end users
desktops or corporate servers. The product scans SMTP, HTTP,
FTP and POP3 traffic for viruses, worms and trojans, and blocks
and filters out specified file types. ActiveX and Java code can
also be scanned or blocked. The product receives updates
CHAPTER 1 21
Introduction

22
automatically from F-Secure, keeping the virus protection always
up to date. A powerful and easy-to-use management console
simplifies the installation and configuration of the product.
F-Secure Messaging Security Gateway delivers the
industry’s most complete and effective security for e-mail. It
combines a robust enterprise-class messaging platform with
perimeter security, antispam, antivirus, secure messaging and
outbound content security capabilities in an easy-to-deploy,
hardened appliance.

2
DEPLOYMENT
Installation Modes....................................................................... 24
Network Requirements............................................................... 24
Deployment Scenarios ............................................................... 25
23

24
2.1 Installation Modes
2.2 Network Requirements
F-Secure Anti-Virus for Microsoft Exchange can be installed either in
stand-alone or centrally administered mode. In stand-alone installation,
F-Secure Anti-Virus for Microsoft Exchange is managed with Web
Console. In centrally administered mode, it is managed centrally with
F-Secure Policy Manager components: F-Secure Policy Manager Server
and F-Secure Policy Manager Console.
To administer F-Secure Anti-Virus for Microsoft Exchange in the centrally
administered mode, you have to install the following components:
F-Secure Policy Manager Server (on a dedicated machine)
F-Secure Policy Manager Console (on the administrator's
machine)
This network configuration is valid for all scenarios described in this
chapter. Make sure that the following network traffic can travel:
Service Process Inbound ports Outbound ports
F-Secure Content Scanner
Server
F-Secure Anti-Virus for
Microsoft Exchange Web
Console
F-Secure Automatic
Update Agent
%ProgramFiles%\F-Secure\
Content Scanner Server\
fsavsd.exe
%ProgramFiles%\F-Secure\
Web User Interface\
bin\fswebuid.exe
18971 (TCP) +
1024-65536 (TCP), only
with F-Secure Anti-Virus
for Internet Mail on a
separate host
F-Secure Automatic Update.exe 371 (UDP), only if
BackWeb Polite Protocol
is used
DNS (53, UDP/TCP),
HTTP (80) or other known
port used for HTTP proxy
25023 DNS (53, UDP and TCP),
1433 (TCP), only with the
dedicated SQL server
DNS (53, UDP and TCP),
HTTP (80)

Service Process Inbound ports Outbound ports
FSNRB %ProgramFiles%\F-Secure\
Common\fnrb32.exe
FSMA (AMEH) %ProgramFiles%\F-Secure\
Common\fameh32.exe
F-Secure Quarantine
Manager
%ProgramFiles%\F-Secure\
Quarantine Manager\fqm.exe
2.3 Deployment Scenarios
2.3.1 Minimum Installation
- DNS (53, UDP/TCP),
HTTP (80)
- DNS (53, UDP/TCP),
SMTP (25)
- DNS (53, UDP/TCP),
1433 (TCP), only with the
dedicated SQL server
Depending on the number of protected systems and the amount of data
traffic, you might consider various scenarios of deploying F-Secure
Anti-Virus for Microsoft Exchange. There are various ways to deploy
F-Secure Anti-Virus for Microsoft Exchange that are suitable to different
environments.
If the mail traffic is not very heavy, see “Minimum Installation”, 25.
If the mail traffic is rather heavy, see “Medium to Large
Installation”, 27.
For very large, performance-critical installations, see
“Performance-Critical Installation”, 28.
For Microsoft Exchange Cluster Environments, see “Microsoft
Exchange Cluster Environment”, 30.
If the mail traffic is not very heavy, you can install F-Secure Content
Scanner Server on the same machine that runs Microsoft Exchange
Server. In this case, both F-Secure Content Scanner Server and
F-Secure Anti-Virus for Microsoft Exchange will reside on the Microsoft
Exchange Server.
CHAPTER 2 25
Deployment

26
You can administer F-Secure Anti-Virus for Microsoft Exchange and
F-Secure Content Scanner Server by using the F-Secure Anti-Virus for
Microsoft Exchange Web Console.
Figure 2-1 F-Secure Anti-Virus for Microsoft Exchange minimum installation
Alternatively, you can choose to install F-Secure Policy Manager to
enable centralized administration of F-Secure Content Scanner Server
and F-Secure Anti-Virus for Microsoft Exchange.

2.3.2 Medium to Large Installation
If the mail traffic is rather heavy, F-Secure Content Scanner Server should
be installed on a dedicated machine. This minimizes the extra load on the
Microsoft Exchange Server.
You should install F-Secure Anti-Virus for Microsoft Exchange in
centralized administration mode on each Microsoft Exchange Server.
Figure 2-2 F-Secure Anti-Virus for Microsoft Exchange, medium to large
installation
CHAPTER 2 27
Deployment

28
2.3.3 Performance-Critical Installation
In very large, performance-critical installations you should use multiple
F-Secure Content Scanner Server installations. Each F-Secure Content
Scanner Server should be installed on a dedicated machine. F-Secure
Anti-Virus for Microsoft Exchange can share the virus scanning load
between multiple F-Secure Content Scanner Servers.
Figure 2-3 F-Secure Anti-Virus for Microsoft Exchange with multiple F-Secure
Content Scanner Servers

F-Secure Anti-Virus for Microsoft Exchange should be installed in
centralized administration mode on each Microsoft Exchange Server.
Figure 2-4 F-Secure Anti-Virus for Microsoft Exchange installed on each
Microsoft Exchange Server
CHAPTER 2 29
Deployment

30
2.3.4 Microsoft Exchange Cluster Environment
F-Secure Anti-Virus for Microsoft Exchange can be installed on a
Windows 2000 Advanced Server or Windows Server 2003 Enterprise
Edition cluster. The product supports standard two-node Active-Passive
and Active-Active clusters.
Microsoft Exchange needs to be properly configured and running in
the cluster before installing F-Secure Anti-Virus for Microsoft
Exchange.
F-Secure Anti-Virus for Microsoft Exchange needs to be installed
separately on both cluster nodes. When installing in Microsoft Exchange
cluster environment, the product must be installed in centrally managed
mode, so that you can configure and manage the product with F-Secure
Policy Manager. Changing the product settings with F-Secure Anti-Virus
for Microsoft Exchange Web Console is not supported in cluster
environments, but it can be used for some quarantine management
functions.
The settings on both cluster nodes must be identical. To ensure this,
place the servers as their own domain in the F-Secure Policy Manager
Console and configure all the settings on the domain level, not on the
host level.
It is recommended to install a local F-Secure Content Scanner Server on
both cluster nodes. However, if a remote F-Secure Content Scanner
Server is used, the dedicated IP address of each cluster node must be
visible to the remote F-Secure Content Scanner Server.
When installing the product, the setup program detects Microsoft
Exchange Cluster automatically. The setup program also creates a cluster
resource for the product automatically. The cluster resource makes it
possible to use the product in the cluster, by giving the control of the
resource to the cluster service. This and other resources together
guarantee that the product works properly in the cluster in every situation.
You can check the state of the resource in Microsoft Cluster Administrator
console, under the same branch where the Exchange resources reside.
For detailed instructions, see “Deploying the Product on a Cluster”, 344.

A Note about Installing on Active-Passive Cluster
The product can be installed either on an active or a passive cluster node.
When installing on a passive node (which does not have active Microsoft
Exchange services), the setup program may display a notification about
missing Microsoft Exchange components, but the installation can be
continued.
CHAPTER 2 31
Deployment

3
INSTALLATION
System Requirements ................................................................ 33
Improving Reliability and Performance....................................... 37
Installation Overview .................................................................. 38
Installing F-Secure Anti-Virus for Microsoft Exchange ............... 40
After the Installation.................................................................... 59
Upgrading the Previous Version................................................. 60
Upgrading the Evaluation Version .............................................. 63
Uninstalling F-Secure Anti-Virus for Microsoft Exchange........... 64
32

3.1 System Requirements
F-Secure Anti-Virus for Microsoft Exchange is installed on the computer
running Microsoft Exchange Server and requires the following hardware
and software.
3.1.1 Minimum System Requirements
F-Secure Anti-Virus for Microsoft Exchange has to be installed to the
same machine that runs Microsoft Exchange Server. You need to log in
with administrator-level privileges to install F-Secure Anti-Virus for
Microsoft Exchange.
In order to install the product successfully on a non-english version
of the operating system, your default system locale should be the
same as the language of the operating system. You can set the
locale in Control Panel > Regional Options > General > Your locale
(location).
Operating system: Microsoft® Windows 2000 Server with
the latest service pack
Microsoft® Windows 2000 Advanced
Server with the latest service pack
Microsoft® Windows Server 2003,
Standard Edition with latest service pack
Microsoft® Windows Server 2003,
Enterprise Edition with latest service
pack
Microsoft® Windows Server 2003 R2,
Standard Edition
Microsoft® Windows Server 2003 R2,
Enterprise Edition
Microsoft Exchange
Server:
Microsoft® Exchange Server 2000 with
Service Pack 3 or later
Microsoft® Exchange Server 2003
Processor: Intel Pentium 4 2GHz or faster
CHAPTER 3 33
Installation

34
Memory: 1 GB
Disk space to install: 260 MB
Disk space for
processing:
SQL server (for
quarantine
database):
F-Secure Policy
Manager version:
10 GB or more. The required disk space
depends on the number of mailboxes, amount of
data traffic and the size of the Information Store.
Microsoft SQL Server 2000 (Enterprise,
Standard or Workgroup edition) with
Service Pack 4
Microsoft SQL Server 2000 Desktop
Engine (MSDE) with Service Pack 4
Microsoft SQL Server 2005 (Enterprise,
Standard, Workgroup or Express
edition)
For more information, see “Which SQL Server to
Use for the Quarantine Database?”, 35.
When centralized quarantine management is
used, the SQL server must be reachable from
the network and file sharing must be enabled.
F-Secure Policy Manager 6.0 or newer.
F-Secure Policy Manager is required only in
centrally managed environments.
For Microsoft Windows Server 2003 Service Pack 1 related support
information, see
http://support.f-secure.com/enu/corporate/w2003sp1/
The release notes document contains the latest information about
the product and might have changes to system requirements and
the installation procedure. It is highly recommended to read the
release notes before you proceed with the installation.

3.1.2 Which SQL Server to Use for the Quarantine Database?
Microsoft SQL Server
Desktop Engine and
SQL Server 2005
Express Edition
As a minimum requirement, the Quarantine database should have the
capacity to store information about all inbound and outbound mail to and
from your organization that would normally be sent during 2-3 days.
Take into account the following SQL server specific considerations when
deciding which SQL server to use:
When using Microsoft SQL Server Desktop Engine (MSDE), the
Quarantine database size is limited to 2 GB.
MSDE includes a concurrent workload governor that limits the
scalability of MSDE. For more information, see
http://msdn.microsoft.com/library/?url=/library/en-us/architec/
8_ar_sa2_0ciq.asp?frame=true.
It is not recommended to use MSDE or SQL Server 2005
Express Edition if you are planning to use centralized quarantine
management with multiple F-Secure Anti-Virus for Microsoft
Exchange installations.
MSDE is delivered together with F-Secure Anti-Virus for
Microsoft Exchange, and you can install it during the F-Secure
Internet Anti-Virus for Microsoft Exchange Setup. For more
information, see “Installation Overview”, 38.
CHAPTER 3 35
Installation

36
Microsoft SQL
Server 2000/2005
If your organization sends a large amount of e-mails, it is
recommended to use Microsoft SQL Server 2000/2005.
It is recommended to use Microsoft SQL Server 2000/2005 if you
are planning to use centralized quarantine management with
multiple F-Secure Anti-Virus for Microsoft Exchange installations.
For more information, see “Performance-Critical Installation”, 28.
Note that the product does not support Windows Authentication
when connecting to Microsoft SQL Server 2000/2005. The
Microsoft SQL Server 2000/2005 that the product will use for the
Quarantine database should be configured to use Mixed Mode
authentication.
If you plan to use Microsoft SQL Server 2005, you must
purchase it and obtain your own license before you start to
deploy F-Secure Anti-Virus for Microsoft Exchange. To
purchase Microsoft SQL Server 2005, contact your Microsoft
reseller.
3.1.3 Web Browser Software Requirements
In order to administer the product with F-Secure Anti-Virus for Microsoft
Exchange Web Console, one of the following web browsers is required:
Microsoft Internet Explorer 6.0 or later
Netscape Communicator 8.1 or later
Mozilla Firefox 1.5 or later
Opera 9.00 or later
Konqueror 3.5 or later
Any other web browser supporting HTTP 1.0, SSL, Java scripts and
cookies may be used as well. Microsoft Internet Explorer 5.5 or earlier
cannot be used to administer the product.

3.2 Improving Reliability and Performance
You can improve the system reliability and overall performance by
upgrading the following components.
Processor If the system load is high, a fast processor on the Microsoft Exchange
Server speeds up the e-mail message processing. As Microsoft
Exchange Server handles a large amount of data, a fast processor alone
is not enough to guarantee a fast operation of F-Secure Anti-Virus for
Microsoft Exchange.
Memory Memory consumption is directly proportional to the size of processed
mails - scanning a single mail may use memory in amounts up to three
times the size of the mail concerned. If the average size of mail messages
is big, or Microsoft Exchange Server has to process large messages
regularly, increasing the amount of physical memory increases the overall
performance.
If large messages are processed only now and then, it might be enough
to increase the size of the virtual memory. In this case, large messages
will slow the system down.
Hard Drive Hard drive size is an important reliability factor. Hard drive performance is
crucial for Microsoft Exchange Server to perform well. For best
performance, a RAID system is recommended; for servers with only
moderate load, SCSI hard disks are adequate. If your server has an IDE
hard disk, DMA access support is recommended.
Operating System It is highly recommended to have the latest service packs for the
operating system being used. These fixes make the platform more stable
and thus increase the reliability of the system.
CHAPTER 3 37
Installation

38
3.3 Centrally Administered or Stand-alone
Installation?
3.4 Installation Overview
F-Secure Anti-Virus for Microsoft Exchange can be managed either with
F-Secure Anti-Virus for Microsoft Exchange Web Console or F-Secure
Policy Manager Console. You can select the management method when
you install the product.
If you already use F-Secure Policy Manager to administer other F-Secure
products, it is recommended to install F-Secure Anti-Virus for Microsoft
Exchange in centralized administration mode.
The quarantined mails are managed using the F-Secure Anti-Virus for
Microsoft Exchange Web Console in both centrally administered and
stand-alone installations. In centrally managed environments all other
features are managed with F-Secure Policy Manager.
When installing in Microsoft Exchange cluster environment, the
product must be installed in centrally managed mode, so that you
can configure and manage the product with F-Secure Policy
Manager.
Before you start to install F-Secure Anti-Virus for Microsoft Exchange,
uninstall any potentially conflicting products, such as anti-virus, file
encryption, and disk encryption software that employ low-level device
drivers. Close all Windows applications before starting the installation.

F-Secure Anti-Virus for Microsoft Exchange can be installed to the same
computer that runs F-Secure Anti-Virus for Servers 5.50. You should
uninstall any potentially conflicting products, such as other anti-virus, file
encryption, and disk encryption software, which employ low-level device
drivers, before you install F-Secure Anti-Virus for Microsoft Exchange.
If you want to run F-Secure Anti-Virus for Servers 5.50 on the same
computer where you install F-Secure Anti-Virus for Microsoft
Exchange, make sure that F-Secure Anti-Virus for Servers 5.50 is
installed before you install F-Secure Anti-Virus for Microsoft
Exchange.
To administer F-Secure Anti-Virus for Microsoft Exchange in centralized
administration mode, you need to install F-Secure Policy Manager
Console and F-Secure Policy Manager Server. Detailed information on
F-Secure Policy Manager Console and F-Secure Policy Manager Server
is provided in the F-Secure Policy Manager Administrator's Guide.
Follow these steps to set up F-Secure Anti-Virus for Microsoft Exchange:
Centralized Administration mode:
1. Run F-Secure Policy Manager setup to set up F-Secure Policy
Manager Server. See F-Secure Policy Manager Administrator’s
Guide for instructions.
2. Install F-Secure Anti-Virus for Microsoft Exchange. For more
information, see “Installing F-Secure Anti-Virus for Microsoft
Exchange”, 40.
3. Import the product MIB files to F-Secure Policy Manager, if they
cannot be uploaded there during the installation. For more
information, see “Importing Product MIB files to F-Secure Policy
Manager Console”, 59.
4. Check that F-Secure Automatic Update Agent can retrieve the latest
virus definition databases. For more information, see “Updating Virus
and Spam Definition Databases”, 340.
CHAPTER 3 39
Installation

40
Stand-alone mode:
1. Install F-Secure Anti-Virus for Microsoft Exchange. For more
information, see “Installing F-Secure Anti-Virus for Microsoft
Exchange”, 40.
2. Check that F-Secure Automatic Update Agent can retrieve the latest
virus definition databases. For more information, see “Updating Virus
and Spam Definition Databases”, 340.
After the installation is complete, check and configure settings for
F-Secure Content Scanner Server, F-Secure Anti-Virus for Microsoft
Exchange and F-Secure Management Agent.
3.5 Installing F-Secure Anti-Virus for Microsoft
Exchange
Follow these instructions to install F-Secure Content Scanner Server and
F-Secure Anti-Virus for Microsoft Exchange.
Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.
2. Select F-Secure Anti-Virus for Microsoft Exchange from the Install
Software menu.
Step 2. Read the information in the Welcome screen.

Click Next to continue.
Step 3. Read the licence agreement.
CHAPTER 3 41
Installation

42
If you accept the agreement, check the I accept the agreement
checkbox and click Next to continue.
Step 4. Enter the product keycode.
Click Next to continue.

Step 5. Choose the components to install.
If you want to install F-Secure Content Scanner Server and F-Secure
Anti-Virus for Microsoft Exchange on the Microsoft Exchange Server
computer, select all components. Click Next to continue.
When you install F-Secure Spam Control, or F-Secure Content
Scanner Server in stand-alone mode, F-Secure Automatic Update
Agent is automatically installed to provide virus definition database
updates. For more information, see “Automatic Updates with
F-Secure Automatic Update Agent”, 341.
CHAPTER 3 43
Installation

44
Step 6. Choose the destination folder for the installation.
Click Next to continue.

Step 7. Choose the administration method.
If you install F-Secure Anti-Virus for Microsoft Exchange in stand-alone
mode, you cannot configure settings and receive alerts and status
information in F-Secure Policy Manager Console. Click Next to continue.
If you selected the stand-alone installation, continue to Step 10. , 48.
If you select the stand-alone mode, use the F-Secure Anti-Virus for
Microsoft Exchange Web Console to change product settings and
statistics. For more information, see “Administration with Web
Console”, 216.
CHAPTER 3 45
Installation

46
Step 8. Enter the path to the public management key file admin.pub that was
created during F-Secure Policy Manager Console setup.
You can transfer the public key in various ways (use a shared folder on
the file server, a floppy disk, or send the key as an attachment in an
e-mail message). Click Next to continue.

Step 9. Enter the IP address or URL of the F-Secure Policy Manager Server you
installed earlier.
Click Next to continue.
If the product MIB files cannot be uploaded to F-Secure Policy
Manager during installation, you can import them manually.
For more information, see “Importing Product MIB files to F-Secure
Policy Manager Console”, 59.
CHAPTER 3 47
Installation

48
Step 10. Enter an SMTP address that will be used by F-Secure Anti-Virus for
Microsoft Exchange to send warning and informational messages to
end-users.
The SMTP address should be a valid, existing address that is allowed to
send messages. Click Next to continue.

Step 11. Select the user account that F-Secure Outbreak Manager should use.
Select either the local system account or enter the name and password
for the user account that F-Secure Outbreak Manager should use. The
account is used to run the outbreak handler scripts or programs.
If you do need to see the outbreak handler script running on the desktop
select Allow to interact with desktop. By default, the script or program
runs in the background.
For more information, see “Outbreak Management”, 156. Click Next to
continue.
If you want to use the default \SYSTEM account, do not enter any
password.
Make sure that the account has all the necessary privileges to run
the outbreak handler script.
CHAPTER 3 49
Installation

50
Step 12. Specify the Quarantine management method.
If you want to manage quarantines locally, select Local quarantine
management. Select Centralized quarantine management if you install
the product on multiple instances. For more information, see “Microsoft
Exchange Cluster Environment”, 30.
Click Next to continue.

Step 13. Specify the location of the Quarantine database.
If you want to install the Quarantine database on the same server as the
product installation, select (a) Install and use Microsoft SQL Server
Desktop Engine.
If you are using Microsoft SQL Server or Microsoft SQL Server Desktop
Engine already, select (b) Use the existing installation of MIcrosoft SQL
Server or MSDE.
Click Next to continue.
CHAPTER 3 51
Installation

52
a Specify the installation directory for Microsoft SQL Server
Desktop Engine and data files.
Enter the username and password for the server administrator
account. Click Next to continue.
b Specify the computer name of the SQL Server where you want to
create the Quarantine database.
Enter the username and password to log on to the server. Click
Next to continue.

If the server has a database with the same name, you can either
use the existing database, remove the existing database and
create a new one or keep the existing database and create a new
one with a new name.
CHAPTER 3 53
Installation

54
Step 14. Select whether you want to install the product with F-Secure World Map
Support.
The product can collect and send statistics about viruses and other
malware to the F-Secure World Map service. if you agree to send
statistics to F-Secure World Map, select Yes and click Next to continue.

Step 15. If you selected the centralized administration mode, the installation
program connects to specified F-Secure Policy Manager Server
automatically to install F-Secure Anti-Virus for Microsoft Exchange MIB
files. If the installation program cannot connect to F-Secure Policy
Manager Server, the following dialog opens.
Make sure that the computer where you are installing F-Secure Anti-Virus
for Microsoft Exchange is allowed to connect to the administration port on
F-Secure Policy Manager Server, or if you use proxy, make sure that the
connection is allowed from the proxy to the server. Check that any firewall
does not block the connection.
If you want to skip installing MIB files, click Cancel. You can install MIB
files later either manually or by running the Setup again.
CHAPTER 3 55
Installation

56
Step 16. The list of components that will be installed is displayed.
Click Start to install listed components.

Step 17. The installation status of the components is displayed.
Click Next to continue.
CHAPTER 3 57
Installation

58
Step 18. The installation is completed.
Click Finish to close the Setup wizard.
Step 19. If you are installing F-Secure Spam Control, the setup prompts you to
select whether to restart the Microsoft Exchange Information Store
service automatically to complete the installation. Click Yes to restart the
Information Store service automatically.

3.6 After the Installation
This section describes what you have to do after the installation. These
steps include:
Importing product MIBs to F-Secure Policy Manager (if that is
required), and
Initial configuration of the product.
3.6.1 Importing Product MIB files to F-Secure Policy Manager
Console
If you are using the product in centrally managed mode, there are cases
when the F-Secure Anti-Virus for Microsoft Exchange MIB JAR file cannot
be uploaded to F-Secure Policy Manager Server during the installation. In
these cases you will have to import the MIB files to F-Secure Policy
Manager. You will have to import the MIB files if:
F-Secure Anti-Virus for Microsoft Exchange is located in a
different network segment than F-Secure Policy Manager, and
there is a firewall between them blocking access to Policy
Manager’s administrative port (8080).
F-Secure Policy Manager Server has been configured so that
administrative connections from anywhere else than the localhost
are blocked.
The recommended way is to import the MIBs via F-Secure Policy
Manager Console Tools menu. You can do it as follows:
1. Open the Tools menu and select the Installation packages... option.
2. Click Import....
3. When the Import Installation Packages dialog opens, browse to
locate the fsavmse660.mib.jar file located under the Jars subdirectory
in the setup package. Then click Open.
4. After importing the new MIB files, restart F-Secure Policy Manager
Console.
CHAPTER 3 59
Installation

60
3.6.2 Configuring the Product
After the installation, F-Secure Anti-Virus for Microsoft Exchange is
functional, but it is using mostly default values. It is highly recommended
to go through all the settings of all installed components. You should also
retrieve the latest virus definition database updates.
Configure F-Secure Anti-Virus for Microsoft Exchange.
If F-Secure Anti-Virus for Microsoft Exchange has been installed
in the centralized administration mode, use F-Secure Policy
Manager Console to configure the settings for F-Secure Content
Scanner Server and F-Secure Anti-Virus for Microsoft Exchange
and distribute the policy. For more information, see “Centrally
Managed Administration”, 125.
If F-Secure Anti-Virus for Microsoft Exchange has been installed
in stand-alone mode, use the F-Secure Anti-Virus for Microsoft
Exchange Web Console to configure the settings of F-Secure
Anti-Virus for Microsoft Exchange. For more information, see
“Administration with Web Console”, 216.
Specify the domains which should be considered to be internal
domains. For more information, see “Internal Domains”, 159.
Retrieve virus definition database updates. For more information,
see “Updating Virus and Spam Definition Databases”, 340.
3.7 Upgrading the Previous Version
If you have a previous version of F-Secure Anti-Virus for Microsoft
Exchange installed on your computer, you can upgrade it easily. You do
not need to remove your previous version, F-Secure Setup uninstalls it
automatically.

During upgrade the setup will stop and restart Microsoft Exchange
Information Store, IIS Admin Service and all services that depend on
them:
Microsoft Exchange Information Store
World Wide Web Publishing Service
Simple Mail Transport Protocol (SMTP)
Microsoft Exchange Routing Engine
Microsoft Exchange POP3
Network News Transport Protocol (NNTP)
Microsoft Exchange MTA Stacks
Microsoft Exchange Information Store
Microsoft Exchange IMAP4
IIS Admin Service
CHAPTER 3 61
Installation

62
Follow these instructions to upgrade F-Secure Anti-Virus for
Microsoft Exchange:
1. Run the Setup program. For more information, see “Installing
F-Secure Anti-Virus for Microsoft Exchange”, 40.
2. Depending on the installed F-Secure products, F-Secure Setup will
suggest upgrading one or more components.
Select the components you want to upgrade.
3. The setup needs to stop and restart Microsoft Exchange Server
related services during the upgrade.
Click OK to continue.
4. After the Setup finishes, restart the computer if the Setup program
prompts you to do so.

5. Configure F-Secure Anti-Virus for Microsoft Exchange. For more
information, see “Centrally Managed Administration”, 125. If you
installed F-Secure Anti-Virus for Microsoft Exchange in stand-alone
mode, see “Administration with Web Console”, 216.
6. that F-Secure Automatic Update Agent can retrieve the latest virus
definition databases. For more information, see “Updating Virus and
Spam Definition Databases”, 340.
3.8 Upgrading the Evaluation Version
If you want to use F-Secure Anti-Virus for Microsoft Exchange after your
evaluation period expires, you need a new keycode. Contact your
software vendor or renew your license online.
After you have received the new keycode, you can either reinstall
F-Secure Anti-Virus for Microsoft Exchange with your new keycode (see
“Installing F-Secure Anti-Virus for Microsoft Exchange”, 40) or register the
new keycode from F-Secure Settings and Statistics.
To register the new keycode from F-Secure Settings and Statistics
1. Open F-Secure Settings and Statistics by double-clicking the
F-Secure icon in the Windows system tray and select F-Secure
Anti-Virus for Microsoft Exchange to open the evaluation screen.
2. Click Register Keycode... and enter the new keycode you have
received.
CHAPTER 3 63
Installation

64
If you do not want to continue to use F-Secure Anti-Virus for Microsoft
Exchange after your evaluation license expires, you should uninstall the
software.
3.9 Uninstalling F-Secure Anti-Virus for Microsoft
Exchange
To uninstall F-Secure Anti-Virus for Microsoft Exchange, select Add/
Remove Programs from the Windows Control Panel. To uninstall
F-Secure Anti-Virus for Microsoft Exchange completely, uninstall the
components in the following order:
1. F-Secure Anti-Virus for Microsoft Exchange
2. F-Secure SNMP Support (if it was installed)
3. F-Secure Spam Control
4. F-Secure Content Scanner Server
5. F-Secure Automatic Update Agent
IMPORTANT: If there is another F-Secure Anti-Virus product
installed on the same computer, check whether it uses F-Secure
Automatic Update Agent or F-Secure Policy Manager for getting
virus definition database updates. If the other product gets the
updates from F-Secure Policy Manager, you can uninstall F-Secure
Automatic Update Agent.

4
USING F-SECURE
ANTI-VIRUS FOR
MICROSOFT EXCHANGE
Overview..................................................................................... 66
Administering F-Secure Anti-Virus for Microsoft Exchange........ 66
Using the Web Console.............................................................. 67
Checking the Product Status...................................................... 70
Configuring the Web Console..................................................... 73
Using F-Secure Policy Manager Console................................... 74
Modifying Settings and Viewing Statistics .................................. 75
Manually Processing Mailboxes and Public Folders .................. 77
Configuring Alert Forwarding.................................................... 119
Viewing Alerts........................................................................... 123
65

66
4.1 Overview
F-Secure Anti-Virus for Microsoft Exchange can be used either in the
stand-alone mode, or in the centrally administered mode, based on your
selections during the installation and the initial setup.
4.2 Administering F-Secure Anti-Virus for Microsoft
Exchange
In the centralized administration mode, you can administer F-Secure
Anti-Virus for Microsoft Exchange and F-Secure Content Scanner
Servers with F-Secure Policy Manager. You can use the F-Secure
Anti-Virus for Microsoft Exchange Web Console to start and stop
F-Secure Anti-Virus for Microsoft Exchange, check its current status and
to connect to F-Secure Web Club for support, but you cannot change any
settings with it.
In the stand-alone mode, you use the F-Secure Anti-Virus for Microsoft
Exchange Web Console to start and stop F-Secure Anti-Virus for
Microsoft Exchange, modify its settings, edit scheduled tasks and start
manual processing.
To open the F-Secure Anti-Virus for Microsoft Exchange Web Console,
start it from F-Secure Settings and Statistics or select F-Secure Anti-Virus
for Microsoft Exchange from the Windows Start menu > Programs >
F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for
Microsoft Exchange Web Console. You can open F-Secure Settings and
Statistics by double-clicking the F-Secure icon in the Windows system
tray.

4.3 Using the Web Console
CHAPTER 4 67
Using F-Secure Anti-Virus for Microsoft Exchange
In centrally managed installations of F-Secure Anti-Virus for Microsoft
Exchange, the F-Secure Anti-Virus for Microsoft Exchange Web Console
can be used for monitoring the system status and statistics. It can also be
used for viewing the settings currently in use and executing some
operations. However, in centrally managed installations it cannot be used
for configuring the system or scanning settings; use F-Secure Policy
Manager for this instead.
4.3.1 Logging in for the First Time
F-Secure Anti-Virus for Microsoft Exchange Web Console does not
support Microsoft Internet Explorer 5.5 or older.
Microsoft Internet Explorer 6.0 users:
The address of the F-Secure Anti-Virus for Microsoft Exchange Web
Console, https://127.0.0.1:25023/, should be added to the Trusted sites in
Internet Explorer 6.0 Security Options. This ensures that the F-Secure
Anti-Virus for Microsoft Exchange Web Console works properly in all
environments.
Before you log in the F-Secure Anti-Virus for Microsoft Exchange Web
Console for the first time, check that Java script and cookies are enabled
in the browser you use.
When you log in for the first time, your browser will display a Security Alert
dialog window about the security certificate for F-Secure Anti-Virus for
Microsoft Exchange Web Console. You can create a security certificate
for F-Secure Anti-Virus for Microsoft Exchange Web Console before
logging in, and then install the certificate during the login process.
If your company has an established process for creating and
storing certificates, you can follow that process to create and store
the security certificate for F-Secure Anti-Virus for Microsoft
Exchange Web Console.

68
Step 1. Create the security certificate
1. Browse to the F-Secure Anti-Virus for Microsoft Exchange Web
Console installation directory, for example:
C:\Program Files\F-Secure\Web User Interface\bin\
2. Locate the certificate creation utility, makecert.bat, and double click it
to run the utility.
3. The utility creates a certificate that will be issued to all local IP
addresses, and restarts the F-Secure Anti-Virus for Microsoft
Exchange Web Console service to take the certificate into use. Wait
until the utility completes, and the window closes. Now you can
proceed to logging in.
Step 2. Log in and install the security certificate
1. Select Programs>F-Secure Anti-Virus for Microsoft
Exchange>F-Secure Anti-Virus for Microsoft Exchange Web Console,
or enter the address of the F-Secure Anti-Virus for Microsoft
Exchange and the port number in your web browser. Note, that the
protocol used is https. For example:
https://127.0.0.1:25023
2. The Security Alert about the F-Secure Anti-Virus for Microsoft
Exchange Web Console certificate is displayed. If you install the
certificate now, you will not see the Security Alert window again. Click
View Certificate to view the certificate information and to install the
certificate.
3. The Certificate window opens. Click Install Certificate to proceed to
the Certificate Import Wizard.
4. Follow the instructions in the Certificate Import Wizard. When the
wizard has completed, you are prompted to add the new certificate in
the Certificate Root Store. Click Yes.
5. If the Security Alert window is still displayed, click Yes to proceed.
6. When the login page opens, enter the user name and the password.
Note, that you must have administrator rights to the host. Then click
Log In.

CHAPTER 4 69
Using F-Secure Anti-Virus for Microsoft Exchange
Figure 4-1 F-Secure Anti-Virus for Microsoft Exchange Web Console Login
page
7. You will be forwarded to the home page, which displays a summary of
the system status.
Figure 4-2 F-Secure Anti-Virus for Microsoft Exchange Home page

70
4.4 Checking the Product Status
You can check the overall product status on the Home page. The Home
page displays an overview of each component status and most important
statistics of the installed F-Secure Anti-Virus for Microsoft Exchange
components. From the Home page you can also open the product logs
and proceed to configure the product components.
This section describes the statistics and operations available on the
Home page.
F-Secure Anti-Virus for Microsoft Exchange
The Home page displays the status the F-Secure Anti-Virus for Microsoft
Exchange as well as a summary of the F-Secure Anti-Virus for Microsoft
Exchange statistics.
Status indicator Displays the status of F-Secure Anti-Virus for
Microsoft Exchange.
Processed messages Displays the total number of messages that
have been processed.
Infected messages Displays the number of infected messages
found since the last reset of statistics.
Stripped attachments Displays the number of attachments that have
been stripped.
Click Configure to configure F-Secure Anti-Virus for Microsoft Exchange.
For more information, see “Overview”, 217.

F-Secure Content Scanner Server
CHAPTER 4 71
Using F-Secure Anti-Virus for Microsoft Exchange
The Home page displays the status the F-Secure Content Scanner
Server as well as a summary of the F-Secure Content Scanner Server
statistics.
Status indicator Displays the status of F-Secure Content
Scanner Server.
Last time virus definition
databases updated
Click Configure to configure F-Secure Content Scanner Server. For more
information, see “F-Secure Content Scanner Server Settings”, 275.
F-Secure Automatic Update Agent
Displays the last date and time when the
virus definition databases were updated.
Database update version Displays the version of the virus definition
database update.
The version is shown in YYYY-MM-DD_NN
format, where YYYY-MM-DD is the release
date of the update and NN is the number of
the update for that day.
Scanned files Displays the number of files the server has
scanned for viruses.
Last time infection found Displays the last infection detected by the
server.
Status indicator Displays the status of F-Secure Automatic
Update Agent.
Communication method Displays the currently used client protocol.
Last connection to the
server
Displays the last date and time when
F-Secure Automatic Update Agent polled the
F-Secure Automatic Update Server for new
updates.

72
Click Configure to configure F-Secure Automatic Update Agent. For
more information, see “Updating Virus and Spam Definition Databases”,
340.
F-Secure Management Agent
Status indicator Displays the status of F-Secure
Management Agent.
Management method Displays if the host is standalone (configured
locally) or networked (at least sometimes
connected through a network or a temporary
link).
Click Configure to configure the F-Secure Management Agent. For more
information, see “F-Secure Management Agent Settings”, 304.
Toolbar Buttons
Click Show F-Secure Log to view the F-Secure log file (LogFile.log) in a
new Internet browser window. Click Download to download and save the
LogFile.log for later use.
Click Export Settings to open a list of all F-Secure Anti-Virus for
Microsoft Exchange settings in a new Internet browser window. Select
File > Save As... to save the file for later use.
Click Export Statistics to open a list of all F-Secure Anti-Virus for
Microsoft Exchange statistics in a new Internet browser window. Select
File > Save As... to save or print the file for later use.
Click Configure Console to configure the F-Secure Anti-Virus for
Microsoft Exchange Web Console. For instructions, see “Configuring the
Web Console”, 73.
Click Help to open the online help.

4.5 Configuring the Web Console
CHAPTER 4 73
Using F-Secure Anti-Virus for Microsoft Exchange
On the F-Secure Anti-Virus for Microsoft Exchange Web Console
Configuration page you can specify settings for connections to the server.
You can also open the F-Secure Anti-Virus for Microsoft Exchange Web
Console access log from this page.
Limit session timeout Specify the length of time a client can be
connected to the server. When the session
expires, the F-Secure Anti-Virus for
Microsoft Exchange Web Console displays a
warning. The default value is 60 minutes.
Click Show Access Log to view the F-Secure Anti-Virus for Microsoft
Exchange Web Console access log. Note that the Web Console access
log differs from standard web server access logs, as it logs only the first
request per session.
Listen on address Specify the IP address of the F-Secure
Anti-Virus for Microsoft Exchange Web
Console Server.
Port Specify the port where the server listens for
connections. The default port is 25023.
Accept connections from
the following hosts
Specify a list of hosts which are allowed to
connect to F-Secure Anti-Virus for Microsoft
Exchange Web Console.
To add a new host in the list, click Add to add new a new line in the table
and then enter the IP address of the host.

74
4.6 Using F-Secure Policy Manager Console
In the centralized administration mode, you can open F-Secure Anti-Virus
for Microsoft Exchange components from the Windows Start menu >
Programs > F-Secure Policy Manager Console. When the Policy
Manager Console opens, go to the Advanced Mode user interface by
selecting View > Advanced Mode (this step is required in F-Secure Policy
Manager version 5.50 and later). Then select the Policy tab to view the
F-Secure Anti-Virus for Microsoft Exchange components.
F-Secure Policy Manager Console is used to create policies for F-Secure
Anti-Virus for Microsoft Exchange installations that are running on
selected hosts or groups of hosts. Policies are created by assigning
values to variables shown on the Policy tab of the Properties pane (the
middle pane) in F-Secure Policy Manager Console. To assign a value,
select a variable – marked by the leaf icon – in the Properties pane and
enter the value in the Editor pane (the right pane).
After a policy is created, it must be distributed to hosts by choosing
Distribute from the File menu.
After changing the settings and distributing the policy, you have to wait for
F-Secure Anti-Virus for Microsoft Exchange to poll the policy.
For testing purposes you may also want to change the polling
intervals. To do that, select the domain in F-Secure Policy Manager
console and set the Incoming Packages Polling Interval and
Outgoing Packages Update Interval variables to 30-45 seconds.
The variables are located under each of the two trees in the
F-Secure Management Agent / Settings / Communications branch.
Note that since the default polling interval is 10 minutes, it might
take up to 10 minutes for the new setting to take effect.
Alternatively, you can click Poll the server now in F-Secure
Management Agent.
For detailed information on installing and using F-Secure Policy Manager
console, see the F-Secure Policy Manager Administrator’s Guide.

4.7 Modifying Settings and Viewing Statistics
CHAPTER 4 75
Using F-Secure Anti-Virus for Microsoft Exchange
This section describes how you can modify product settings and view
product statistics in both centrally administered and stand-alone mode.
4.7.1 Centrally Administered Mode
To change F-Secure Anti-Virus for Microsoft Exchange settings in the
centrally administered mode, select F-Secure Anti-Virus for Microsoft
Exchange from the Properties pane. Make sure the Policy tab is selected
and assign values to variables under the Settings branch. Modify settings
by assigning new values to the basic leaf node variables (marked by the
leaf icons) shown in the Policy tab of the Properties pane. Initially, every
variable has a default value, which is displayed in gray. Select the
variable from the Properties pane and enter the new value in the Editor
pane to change it. You can either type the new value or select it from a list
box. If you enter an invalid value, it will be displayed in red in the
Properties pane. Click Clear to revert to the default value or Undo to
cancel the most recent change that has not been distributed. For detailed
explanations of all variables, see “F-Secure Anti-Virus for Microsoft
Exchange Settings”, 126.
Settings that are configured during the installation and the initial
setup require that you select the Final check box from the Product
View pane. These settings include Primary and Backup Content
Scanner Servers and Quarantine settings.
Select the Status tab of the Properties pane to view statistics and the
settings that were configured during the installation of F-Secure Content
Scanner Server and F-Secure Anti-Virus for Microsoft Exchange.
Statistics are updated periodically and can be reset by choosing Reset
Statistics on the Policy tab of the Properties pane. For more information,
see “F-Secure Anti-Virus for Microsoft Exchange Statistics”, 184.

76
Changing Settings That Have Been Modified During Installation
or Upgrade
4.7.2 Stand-alone Mode
If you want to change a setting that has been modified locally during
installation or upgrade, you need to mark the setting as Final in the
restriction editor. The settings descriptions in this manual indicate the
settings for which you need to use the Final restriction. You can also
check in F-Secure Policy Manager Console whether you need to use the
Final restriction for a setting. Do the following:
1. Select the Policy tab and then select the setting you want to check.
2. Now select the Status tab to see if the setting has been modified
locally.
If the setting is not shown in grayed font in the Status view, then
the product uses the setting from the base policy and therefore
the Final restriction is not needed.
If the setting is shown in normal black font, then the setting has
been modified locally. You must mark the setting as Final when
you change it.
To change F-Secure Anti-Virus for Microsoft Exchange settings in
stand-alone mode, open the F-Secure Anti-Virus for Microsoft Exchange
Web Console and select the variables you want to change from the
options tree. For detailed explanations of all variables, see
“Administration with Web Console”, 216.
To view statistics for real-time scanning, select Summary on the options
tree. To reset all counters to zero, click Reset Statistics.
To view statistics for the latest manual scan, select Manual Scanning on
the options tree. The Manual Scanning property page displays the
following statistics: the number of processed mailboxes, the number of
processed Public Folders, the numbers of processed, infected, and
suspicious messages in mailboxes and in the Public Folders. Manual
scanning statistics are reset every time a new manual scan is performed.

CHAPTER 4 77
Using F-Secure Anti-Virus for Microsoft Exchange
4.8 Manually Processing Mailboxes and Public
Folders
You can scan mailboxes and Public Folders for viruses and strip
attachments manually at any time. You can also create scheduled scan
tasks to scan mailboxes and Public Folders periodically.
4.8.1 Centrally Administered Mode
You can perform virus scans and strip attachments manually by using
controls under the F-Secure Anti-Virus for Microsoft Exchange /
Operations branch.
To start a manual scan, select Start under F-Secure Anti-Virus for
Microsoft Exchange / Operations / Manual Scanning. Click Start
in the Editor pane. Choose Distribute from the File menu.
To stop a manual scan, select Stop under F-Secure Anti-Virus for
Microsoft Exchange / Operations / Manual Scanning. Click Stop
in the Editor pane. Choose Distribute for the File menu.
To view the scanning report - the total numbers of mailboxes and
Public Folders, and the numbers of processed mailboxes and
Public Folders, open the Reports tab.
For information how to configure options for manual scans, see
“Manual Processing”, 159.
Creating Scheduled Operation
Open F-Secure Anti-Virus for Microsoft Exchange > Settings > Scheduled
Processing settings branch and click Add to start the Scheduled
Operation Wizard.

78
Step 1. Enter the name for the new task and select how frequently you want the
operation to be performed.
Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified
date.
Weekly - Every week at the specified time on the same day when
the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date
when the first operation is scheduled to start.
Do not use any special characters in the task name.
Click Next to continue.
Step 2. Specify whether you want to process all messages or only those
messages that have not been processed previously during the manual
processing.

CHAPTER 4 79
Using F-Secure Anti-Virus for Microsoft Exchange
Specify how many concurrent transactions the scanner can have with
F-Secure Content Scanner Server.
Click Next to continue.

80
Step 3. Choose mailboxes that should be processed during the scheduled
operation.
Do not scan mailboxes - Do not process any mailboxes.
Scan all mailboxes - Process all mailboxes.
Scan only included mailboxes - Process all mailboxes specified in
the list.
Scan all except excluded mailboxes - Process all except those
mailboxes specified in the list.
Click Add to add a new mailbox to the list. Click Edit to edit a previously
created entry. Click Remove to remove the selected folder or Remove All
to remove all entries from the list.
By default, F-Secure Anti-Virus for Microsoft Exchange examines all
mailboxes.
Click Next to continue.

CHAPTER 4 81
Using F-Secure Anti-Virus for Microsoft Exchange
Step 4. Choose settings for virus scanning of mailboxes during the scheduled
operation, and Click Next to continue.
For settings descriptions, see “Virus Scanning”, 130.

82
Step 5. Choose settings for stripping attachments during the scheduled
operation, and click Next to continue.
For settings descriptions, see “Stripping Attachments”, 147.

CHAPTER 4 83
Using F-Secure Anti-Virus for Microsoft Exchange
Step 6. Select Public Folders that should be processed during the scheduled
operation.
Do not scan Public Folders - Do not process any Public Folders.
Scan all Public Folders - Process all notes posted to all Public
Folders.
Scan only included Public Folders - Process all notes posted to
Public Folders specified in the list.
Scan all except excluded Public Folders - Process all notes
posted to all Public Folders, except those specified in the list.
Click Add to add a new Public Folder to the list. Click Edit to edit a
previously created entry. Click Remove to remove the selected folder or
Remove All to remove all entries from the list.
By default, F-Secure Anti-Virus for Microsoft Exchange processes all
Public Folders.
Click Next to continue.

84
Step 7. Choose settings for virus scanning of Public Folders during the scheduled
operation, and click Next to continue.
For settings descriptions, see “Virus Scanning”, 130.

CHAPTER 4 85
Using F-Secure Anti-Virus for Microsoft Exchange
Step 8. Choose settings for stripping attachments during the scheduled
operation, and click Next to continue.

86
Step 9. The Scheduled Operation Wizard displays the summary of created
operation. Click Finish accept the new scheduled operation and to exit
the wizard.
4.8.2 Stand-alone Mode
Specify the manual scanning settings on the Manual Scanning property
pages. After you have specified the manual scanning settings, select the
Manual Processing and click Start.
Under Progress, you can view the progress of the manual scan - the total
numbers of mailboxes and Public Folders, and the numbers of processed
mailboxes and Public Folders. In the bottom of the property page, the
results of the previous manual scan are shown - the numbers of
processed, infected and suspicious messages in the mailboxes and in the
Public Folders.

4.8.3 Creating Scanning Operations
CHAPTER 4 87
Using F-Secure Anti-Virus for Microsoft Exchange
To process mailboxes manually, you need to set up a manual processing
task. For more information, see “Creating Manual Scanning Operation”,
87.
If you want to run scanning tasks frequently, you can set up scheduled
operations. For more information, see “Creating Scheduled Operation”,
102.
Creating Manual Scanning Operation
Start the Manual Scanning Wizard by clicking the Configure... button on
the Manual Scanning page.
Step 1. Specify Messages to Process
1. Specify whether you want to process all messages or only those
messages that have not been processed previously.
2. Specify how many concurrent transactions the scanner can have with
F-Secure Content Scanner Server.

88
3. Click Next to continue.
If F-Secure Anti-Virus for Microsoft Exchange is operating on a
system that has multiple processors or you are using a
high-performance computer, you can increase performance by
increasing the number of concurrent transactions.
If you want to use the default settings for most of the scanning
settings, click Last to proceed to the last page of the Manual
Scanning wizard where you can see a summary of the scanning
task settings.
Step 2. Select Mailboxes to Process
1. Choose mailboxes that should be processed during the manual
scanning operation.
Do not process mailboxes - Do not process any mailboxes.
Process all mailboxes - Process all mailboxes.
Process only these mailboxes - Process all specified mailboxes.
Process all except these mailboxes - Process all except specified
mailboxes.

CHAPTER 4 89
Using F-Secure Anti-Virus for Microsoft Exchange
Click Add... to add a new mailbox to the list. Click the checkbox in
the column to mark a mailbox to be removed. Click Clear
to remove all currently marked entries from the list.
By default, F-Secure Anti-Virus for Microsoft Exchange examines all
mailboxes.
2. Click Next to continue.
Step 3. Specify Virus Scanning Settings for Mailboxes

90
1. Choose settings for virus scanning of mailboxes.
Attachments to scan Specify which message attachments are
checked for viruses.
Scan mail message
body
Do not scan attachments for viruses - Process
messages without scanning any attachments for
viruses.
Scan all attachments - Scan all message
attachments regardless of filename extension.
Scan all attachments with these extensions -
Scan all attachments with specified filename
extensions.
Scan all attachments except with these
extensions - Scan all attachments except those
with specified filename extensions.
You can add new file types on the extensions
lists by typing the file extensions in the file
extensions text boxes. Separate the extensions
by spaces.
Specify whether the body of the e-mail message
should be scanned for malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message bodies.
Although scanning message bodies can slow
down the performance, it is recommended as a
virus can be carried inside a message body.

Enable File Type
Recognition
Action
Action on infected
attachments
CHAPTER 4 91
Using F-Secure Anti-Virus for Microsoft Exchange
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, Intelligent File Type Recognition is
disabled during the real-time processing.
Intelligent File Type Recognition strengthens the
security - you can block unsafe content that has
a safe filename extension (for example, a
Microsoft Word document using the ‘rtf’ filename
extension) and you do not accidentally block
safe content that has unsafe filename extension
(for example, a text file using the ‘doc’ filename
extension). Intelligent File Type Recognition can
degrade the system performance.
Specify whether infected attachments should be
disinfected or dropped.
Disinfect attachment - Try to disinfect the
infected attachment. If the disinfection
succeeds, the recipient receives the disinfected
file instead of the original one. If the disinfection
fails, the infected attachment is dropped, and it
is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver
infected attachments. All infected attachments
are dropped.

92
Quarantine infected
attachments
Send warning
message to mailbox
owner
2. Click Next to continue.
By default, F-Secure Anti-Virus for Microsoft
Exchange tries to disinfect infected attachments.
Specify whether infected attachments should be
placed in the Quarantine or not. For more
information, see “Quarantine Management”,
307.
Specify whether to send a message to the
mailbox owner when an infected attachment is
found. Click Edit... to edit the informational text
file that replaces the infected attachment if it is
dropped.
Step 4. Specify Attachment Stripping Settings for Mailboxes

1. Choose settings for stripping attachments.
CHAPTER 4 93
Using F-Secure Anti-Virus for Microsoft Exchange
Strip attachments Specify which attachments should be stripped
from messages and public folder notes.
Enable File Type
Recognition
Action
Action on stripped
attachment
Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from
all messages and notes.
Strip all attachments except these allowed - Strip
all except specified attachments.
Strip only these disallowed attachments - Strip
only specified attachments.
You can add new file types on the attachments
lists by typing the file extensions in the allowed
and disallowed attachments text boxes.
Separate the extensions by spaces.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
Specify whether stripped attachments should be
quarantined or dropped.
Quarantine attachment - All stripped
attachments are placed in the Quarantine. For
more information, see “Quarantine
Management”, 307.
Drop attachment - All stripped attachments are
deleted automatically.

94
Send informational
message to the
mailbox owner
2. Click Next to continue.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.
Specify whether an informational message
should be sent to the owner of the mailbox when
an attachment is stripped. Click Edit to edit the
message.
Notify administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for Microsoft
Exchange strips an attachment.
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.

Step 5. Select Public Folders to Process
1. Select Public Folders that should be processed.
CHAPTER 4 95
Using F-Secure Anti-Virus for Microsoft Exchange
Do not process public folders - Do not process any Public
Folders.
Process all public folders - Process all notes posted to all Public
Folders.
Process only included public folders - Process all notes posted to
the listed Public Folders.
Process all except excluded public folders - Process all notes
posted to all Public Folders, except the listed ones.
The notes and attachments to be processed in the selected
folders are defined with the Attachments to Scan and Scan
Mail Message Body settings.
Click Add to add a new Public Folder to the list. Click Clear to
remove the selected folder or Clear All to remove all entries from the
list. By default, F-Secure Anti-Virus for Microsoft Exchange processes
all Public Folders.
2. Click Next to continue.

96
Step 6. Specify Virus Scanning Settings for Public Folders
1. Choose settings for virus scanning of Public Folders.
Attachments to scan Specify which message attachments are
checked for viruses.
Do not scan attachments for viruses - Do not
scan any attachments.
Scan all attachments - Scan all message
attachments.
Scan all attachments with these extensions -
Scan all attachments with specified filename
extensions.
Scan all attachments except with these
extensions - Scan all attachments except those
with specified filename extensions.

Scan mail message
body
Enable File Type
Recognition
Action
Action on infected
attachments
CHAPTER 4 97
Using F-Secure Anti-Virus for Microsoft Exchange
You can add new file types on the extensions
lists by typing the file extensions in the file
extensions text boxes. Separate the extensions
by spaces.
Specify whether the body of the e-mail message
should be scanned for malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message bodies.
Although scanning message bodies can slow
down the performance, it is recommended as a
virus can be carried inside a message body.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, Intelligent File Type Recognition is
disabled during the real-time processing.
Intelligent File Type Recognition strengthens the
security - you can block unsafe content that has
a safe filename extension (for example, a
Microsoft Word document using the ‘rtf’ filename
extension) and you do not accidentally block
safe content that has unsafe filename extension
(for example, a text file using the ‘doc’ filename
extension). Intelligent File Type Recognition can
degrade the system performance.
Specify whether infected attachments should be
disinfected or dropped.

98
Quarantine infected
attachments
Send warning
message to the
originator
2. Click Next to continue.
Disinfect attachment - Try to disinfect the
infected attachment. If the disinfection
succeeds, the recipient receives the disinfected
file instead of the original one. If the disinfection
fails, the infected attachment is dropped, and it
is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver
infected attachments. All infected attachments
are dropped.
By default, F-Secure Anti-Virus for Microsoft
Exchange tries to disinfect infected attachments.
Specify whether infected attachments should be
placed in the Quarantine or not. For more
information, see “Quarantine Management”,
307.
Specify whether to send a warning message to
the originator of the public folder message,
which contained an infected attachment. Click
Edit to edit the message.

CHAPTER 4 99
Using F-Secure Anti-Virus for Microsoft Exchange
Step 7. Specify Attachment Stripping Settings for Public
Folders
1. Choose settings for stripping attachments.
Strip attachments Specify which attachments should be stripped
from messages and public folder notes.
Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from
all messages and notes.
Strip all attachments except these allowed - Strip
all except specified attachments.
Strip only these disallowed attachments - Strip
only specified attachments.

100
Enable File Type
Recognition
Action
Action on stripped
attachments
Send the
informational
message to the
originator
You can add new file types on the attachments
lists by typing the file extensions in the allowed
and disallowed attachments text boxes.
Separate the extensions by spaces.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
Specify whether stripped attachments should be
quarantined or dropped.
Quarantine attachment - All stripped
attachments are placed in the Quarantine. For
more information, see “Quarantine
Management”, 307.
Drop attachment - All stripped attachments are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.
Specify whether an informational message
should be sent to the originator of the message
when an attachment is stripped. Click Edit to
edit the message.

2. Click Next to continue.
CHAPTER 4 101
Using F-Secure Anti-Virus for Microsoft Exchange
Notify administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for Microsoft
Exchange strips an attachment.
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.

102
Step 8. Finish
The Manual Scanning Wizard displays the summary of created operation.
Click Finish accept the new manual scanning operation and to exit the
wizard.
Creating Scheduled Operation
Start the Scheduled Operation Wizard by clicking Add Task...in the
Scheduled Processing window.

CHAPTER 4 103
Using F-Secure Anti-Virus for Microsoft Exchange
Step 1. Specify Scanning Task Name and Schedule
1. Enter the name for the new task and select how frequently you want
the operation to be performed.
Once - Only once at the specified time
Daily - Every day at the specified time, starting from the specified
date
Weekly - Every week at the specified time on the same day when
the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date
when the first operation is scheduled to start.
2. Enter the start time of the task in hh:mm format.
3. Enter the start date of the task in mm/dd/yyyy format.
Do not use any special characters in the task name.
4. Click Next to continue.

104
Step 2. Specify Messages to Process
1. Specify whether you want to process all messages or only those
messages that have not been processed previously during the
scheduled processing.
2. Specify how many concurrent transactions the scanner can have with
F-Secure Content Scanner Server.
3. Click Next to continue.

Step 3. Select Mailboxes to Process
CHAPTER 4 105
Using F-Secure Anti-Virus for Microsoft Exchange
1. Choose mailboxes that should be processed during the scheduled
operation.
Do not process mailboxes - Do not process any mailboxes.
Process all mailboxes - Process all mailboxes.
Process only these mailboxes - Process all specified mailboxes.
Process all except these mailboxes - Process all except specified
mailboxes.
Click Add... to add a new mailbox to the list. Click the checkbox in
the column to mark a mailbox to be removed. Click Clear
to remove all currently marked entries from the list.
By default, F-Secure Anti-Virus for Microsoft Exchange examines all
mailboxes.
2. Click Next to continue.

106
Step 4. Specify Virus Scanning Settings for Mailboxes
1. Choose settings for virus scanning of mailboxes during the scheduled
operation.
Attachments to scan Specify which message attachments are
checked for viruses.
Do not scan attachments for viruses - Process
messages without scanning any attachments for
viruses.
Scan all attachments - Scan all message
attachments regardless of filename extension.
Scan all attachments with these extensions -
Scan all attachments with specified filename
extensions.

Scan mail message
body
Enable File Type
Recognition
CHAPTER 4 107
Using F-Secure Anti-Virus for Microsoft Exchange
Scan all attachments except with these
extensions - Scan all attachments except those
with specified filename extensions.
You can add new file types on the extensions
lists by typing the file extensions in the file
extensions text boxes. Separate the extensions
by spaces.
Specify whether the body of the e-mail message
should be scanned for malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message bodies.
Although scanning message bodies can slow
down the performance, it is recommended as a
virus can be carried inside a message body.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, Intelligent File Type Recognition is
disabled during the real-time processing.
Intelligent File Type Recognition strengthens the
security - you can block unsafe content that has
a safe filename extension (for example, a
Microsoft Word document using the ‘rtf’ filename
extension) and you do not accidentally block
safe content that has unsafe filename extension
(for example, a text file using the ‘doc’ filename
extension). Intelligent File Type Recognition can
degrade the system performance.

108
Action
Action on infected
attachments
Quarantine infected
attachments
Send warning
message to mailbox
owner
2. Click Next to continue.
Specify whether infected attachments should be
disinfected or dropped.
Disinfect attachment - Try to disinfect the
infected attachment. If the disinfection
succeeds, the recipient receives the disinfected
file instead of the original one. If the disinfection
fails, the infected attachment is dropped, and it
is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver
infected attachments. All infected attachments
are dropped.
By default, F-Secure Anti-Virus for Microsoft
Exchange tries to disinfect infected attachments.
Specify whether infected attachments should be
placed in the Quarantine or not. For more
information, see “Quarantine Management”,
307.
Specify whether to send a message to the
mailbox owner when an infected attachment is
found. Click Edit... to edit the informational text
file that replaces the infected attachment if it is
dropped.

CHAPTER 4 109
Using F-Secure Anti-Virus for Microsoft Exchange
Step 5. Specify Attachment Stripping Settings for Mailboxes
1. Choose settings for stripping attachments during the scheduled
operation.
Strip attachments Specify which attachments should be stripped
from messages and public folder notes.
Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from
all messages and notes.
Strip all attachments except these allowed - Strip
all except specified attachments.
Strip only these disallowed attachments - Strip
only specified attachments.

110
Enable File Type
Recognition
Action
Action on stripped
attachment
Send the
informational
message to the
mailbox owner
You can add new file types on the attachments
lists by typing the file extensions in the allowed
and disallowed attachments text boxes.
Separate the extensions by spaces.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
Specify whether stripped attachments should be
quarantined or dropped.
Quarantine attachment - All stripped
attachments are placed in the Quarantine. For
more information, see “Quarantine
Management”, 307.
Drop attachment - All stripped attachments are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.
Specify whether an informational message
should be sent to the owner of the mailbox when
an attachment is stripped. Click Edit to edit the
message.

2. Click Next to continue.
Step 6. Select Public Folders to Process
CHAPTER 4 111
Using F-Secure Anti-Virus for Microsoft Exchange
Notify administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for Microsoft
Exchange strips an attachment.
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.

112
1. Select Public Folders that should be processed during the scheduled
operation.
Do not process public folders - Do not process any Public
Folders.
Process all public folders - Process all notes posted to all Public
Folders.
Process only included public folders - Process all notes posted to
the listed Public Folders.
Process all except excluded public folders - Process all notes
posted to all Public Folders, except the listed ones.
The notes and attachments to be processed in the selected
folders are defined with the Attachments to Scan and Scan
Mail Message Body settings.
Click Add to add a new Public Folder to the list. Click Clear to
remove the selected folder or Clear All to remove all entries from the
list. By default, F-Secure Anti-Virus for Microsoft Exchange processes
all Public Folders.
2. Click Next to continue.

CHAPTER 4 113
Using F-Secure Anti-Virus for Microsoft Exchange
Step 7. Specify Virus Scanning Settings for Public Folders
1. Choose settings for virus scanning of Public Folders during the
scheduled operation.
Attachments to scan Specify which message attachments are
checked for viruses.
Do not scan attachments for viruses - Do not
scan any attachments.
Scan all attachments - Scan all message
attachments.
Scan all attachments with these extensions -
Scan all attachments with specified filename
extensions.
Scan all attachments except with these
extensions - Scan all attachments except those
with specified filename extensions.

114
Scan mail message
body
Enable File Type
Recognition
Action
Action on infected
attachments
You can add new file types on the extensions
lists by typing the file extensions in the file
extensions text boxes. Separate the extensions
by spaces.
Specify whether the body of the e-mail message
should be scanned for malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message bodies.
Although scanning message bodies can slow
down the performance, it is recommended as a
virus can be carried inside a message body.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, Intelligent File Type Recognition is
disabled during the real-time processing.
Intelligent File Type Recognition strengthens the
security - you can block unsafe content that has
a safe filename extension (for example, a
Microsoft Word document using the ‘rtf’ filename
extension) and you do not accidentally block
safe content that has unsafe filename extension
(for example, a text file using the ‘doc’ filename
extension). Intelligent File Type Recognition can
degrade the system performance.
Specify whether infected attachments should be
disinfected or dropped.

Quarantine infected
attachments
Send warning
message to the
originator
2. Click Next to continue.
CHAPTER 4 115
Using F-Secure Anti-Virus for Microsoft Exchange
Disinfect attachment - Try to disinfect the
infected attachment. If the disinfection
succeeds, the recipient receives the disinfected
file instead of the original one. If the disinfection
fails, the infected attachment is dropped, and it
is not delivered to the recipient.
Drop attachment - Do not disinfect or deliver
infected attachments. All infected attachments
are dropped.
By default, F-Secure Anti-Virus for Microsoft
Exchange tries to disinfect infected attachments.
Specify whether infected attachments should be
placed in the Quarantine or not. For more
information, see “Quarantine Management”,
307.
Specify whether to send a warning message to
the originator of the public folder message,
which contained an infected attachment. Click
Edit to edit the message.

116
Step 8. Specify Attachment Stripping Settings for Public
Folders
1. Choose settings for stripping attachments during the scheduled
operation.
Strip attachments Specify which attachments should be stripped
from messages and public folder notes.
Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from
all messages and notes.
Strip all attachments except these allowed - Strip
all except specified attachments.
Strip only these disallowed attachments - Strip
only specified attachments.

Enable File Type
Recognition
Action
Action on stripped
attachment
Send the
informational
message to the
originator
CHAPTER 4 117
Using F-Secure Anti-Virus for Microsoft Exchange
You can add new file types on the attachments
lists by typing the file extensions in the allowed
and disallowed attachments text boxes.
Separate the extensions by spaces.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
Specify whether stripped attachments should be
quarantined or dropped.
Quarantine attachment - All stripped
attachments are placed in the Quarantine. For
more information, see “Quarantine
Management”, 307.
Drop attachment - All stripped attachments are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.
Specify whether an informational message
should be sent to the originator of the message
when an attachment is stripped. Click Edit to
edit the message.

118
Notify administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for Microsoft
Exchange strips an attachment.
2. Click Next to continue.
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.

Step 9. Finish
CHAPTER 4 119
Using F-Secure Anti-Virus for Microsoft Exchange
The Scheduled Operation Wizard displays the summary of created
operation. Click Finish accept the new scheduled operation and to exit
the wizard.
4.9 Configuring Alert Forwarding
Alerts are sent if security has been compromised or a program wants to
notify about some specific events, such as starting/stopping modules, low
disk space, etc. Alerts are also sent when a program or operation has
encountered a problem.
4.9.1 Centrally Administered Mode
You can configure where F-Secure Anti-Virus for Microsoft Exchange
sends alerts by editing the Alert Forwarding table, which is located under
F-Secure Management Agent / Settings / Alerting / Alert Forwarding.

120
You can specify where an alert is sent according to its severity level. You
can send the alert to any of the following:
F-Secure Policy Manager Console
Windows Event Viewer
E-mail
SNMP.
All events are sent to the log file in addition to other
locations you choose.
Figure 4-3 The Alert Forwarding table in F-Secure Policy Manager
You should configure settings in the F-Secure Management Agent /
Settings / Alerting / Alerting Agents branch accordingly.
If you choose to forward alerts to e-mail, you will need to specify the
recipient’s e-mail address. This is done as follows:
1. Click Add to add a new row in the E-mail Address table.
2. Type the e-mail address on the new row.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.
If you choose to send alerts as e-mails to administrators using the SMTP
protocol, you will need to specify the e-mail address of the recipient as
shown below. This dialog opens once you have selected the e-mail
checkbox in the Alert Forwarding table.

Figure 4-4 The Addresses dialog for specifying alert recipients
CHAPTER 4 121
Using F-Secure Anti-Virus for Microsoft Exchange
By default, information-level and warning-level alerts are not sent to
F-Secure Policy Manager console and are not displayed for the user,
either. These lower priority alerts and notifications can be very useful for
troubleshooting, but enabling their alerting will substantially increase the
number of transmitted alerts. If you have a large domain structure,
specifying very strict alert-forwarding rules may flood F-Secure Policy
Manager console with alerts.
In addition, you can configure the alert target by setting the policy
variables under target-specific branches. For example, F-Secure
Management Agent / Settings / Alerting / F-Secure Policy Manager
Console / Retry Send Interval specifies how often a host will attempt to
send alerts to F-Secure Policy Manager console if previous attempts have
failed.
Since F-Secure Anti-Virus for Microsoft Exchange is a fundamental part of
the network, more alerts will probably be forwarded from it to F-Secure
Policy Manager than from other hosts.

122
4.9.2 Stand-Alone Mode
You can configure alert forwarding by editing the Alert Forwarding table in
the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can
access it from the Home page by clicking the Configure... button in the
F-Secure Management Agent section. When the F-Secure Management
Agent Configuration page opens, click the Alert Forwarding... button to
open the F-Secure Management Agent Configuration > Alert Forwarding
page.
Figure 4-5 F-Secure Management Agent Configuration > Alert Forwarding page
You can specify where an alert is sent according to its severity level. You
can send an alert to any of the following:
F-Secure Policy Manager Console
Windows Event Viewer
E-mail
SNMP.

CHAPTER 4 123
Using F-Secure Anti-Virus for Microsoft Exchange
To forward alerts to an e-mail, specify the e-mail address of the recipient.
Follow these instructions:
1. Click Add to add a new row in the E-mail Address table.
2. Type the e-mail address on the new row.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.
4.10 Viewing Alerts
Informational and warning-level alerts are not sent to F-Secure Policy
Manager Console by default. If you want to use centralized administration
mode, it is recommended to have all alerts sent to F-Secure Policy
Manager Console.
When F-Secure Anti-Virus for Microsoft Exchange has encountered a
problem, it sends an alert to the administrator. Alerts are also sent if
security has been compromised or a program wants to notify about some
specific events - the product has found a virus, there is not enough disk
space to do some operation, and so on.
Alerts are displayed on the Alerts tab of the Properties pane. When an
alert is received, Alert in the F-Secure Policy Manager Console toolbar
will light up. To view the alerts, click Alert. The Alerts tab in the Properties
pane will open.
Every received alert is displayed in the following format:
Ack Click Ack to acknowledge the alert. If all alerts are
acknowledged, Ack is grayed out.
Severity The severity of the alert. Each severity level has its own
icon:
Info Normal operating information from the
host

124
Warning Warning from the host
Error Recoverable error on the host
Fatal error Unrecoverable error on the host
Security
alert
Date/Time Date and time of the alert.
Description Description of the problem.
Virus or other security hazard detected
Host/User Name of the host and user where the alert originated.
Product The F-Secure product that sent the alert.
When an alert is selected from the list, the Editor pane displays more
specific information about the alert.
F-Secure Anti-Virus for Microsoft Exchange reports fatal errors, virus
alerts, and other events as configured in the Alert Forwarding table under
F-Secure Management Agent / Settings / Alerting branch.

5
CENTRALLY MANAGED
ADMINISTRATION
Overview................................................................................... 126
F-Secure Anti-Virus for Microsoft Exchange Settings .............. 126
F-Secure Anti-Virus for Microsoft Exchange Statistics ............. 184
F-Secure Content Scanner Server Settings ............................. 193
F-Secure Content Scanner Server Statistics............................ 208
F-Secure Automatic Update Agent Settings............................. 212
F-Secure Management Agent Settings .................................... 214
125

126
5.1 Overview
If F-Secure Anti-Virus for Microsoft Exchange is installed in the centrally
administered mode, F-Secure Anti-Virus for Microsoft Exchange is
managed centrally with F-Secure Policy Manager. In the centralized
administration mode, you can use the F-Secure Anti-Virus for Microsoft
Exchange Web Console to check the current status of F-Secure
Anti-Virus for Microsoft Exchange and to connect to F-Secure Web Club
for support, but you cannot change any settings with it.
5.2 F-Secure Anti-Virus for Microsoft Exchange
Settings
In the centralized administration mode, you can change settings and start
operations using F-Secure Policy Manager Console. For more
information, see “Using F-Secure Policy Manager Console”, 74.
Figure 5-1 F-Secure Anti-Virus for Microsoft Exchange setting categories
Settings
Language Defines the language used in reports,
alerting and warning messages, and in the
Quarantine information.
Currently the only supported language is
English.

CHAPTER 5 127
Centrally Managed Administration
Real-Time Processing Change real-time virus scanning, content
blocking and outbreak management
settings. F-Secure Anti-Virus for Microsoft
Exchange uses these settings while it is
processing mailboxes and Public Folders in
real-time. For more information, see
“Real-Time Processing”, 128.
If you have F-Secure Spam Control installed,
the Spam Control settings are displayed
under this branch. For settings descriptions,
see “Spam Control Settings in Centrally
Managed Environments”, 328.
Manual Processing Change manual processing settings.
F-Secure Anti-Virus for Microsoft Exchange
uses these settings when you manually
process mailboxes and Public Folders. For
more information, see “Manual Processing”,
159. For more information on how to start
the manual processing, see “Manually
Processing Mailboxes and Public Folders”,
77.
Scheduled Processing Change scheduled processing settings.
F-Secure Anti-Virus for Microsoft Exchange
can process mailboxes and Public Folders at
scheduled times. For more information, see
“Scheduled Processing”, 174.
Content Scanner Servers Change settings F-Secure Anti-Virus for
Microsoft Exchange uses to connect to
F-Secure Content Scanner Servers. For
more information, see “Content Scanner
Servers”, 175.
Quarantine Change Quarantine settings. All infected and
blocked messages and notes can be moved
to the Quarantine. For more information, see
“Quarantine”, 178.

128
5.2.1 Real-Time Processing
Reporting Change the address of the notification
sender. For more information, see
“Reporting”, 182.
Advanced Change mailbox and Public Folder polling
intervals. For more information, see
“Advanced”, 182.
Operations
Reset Statistics
Manual Scanning
You can change real-time virus scanning and content blocking settings
and make changes to the outbreak management settings from the
F-Secure Anti-Virus for Microsoft Exchange / Settings / Real-Time
Processing branch. You can also define domains that belong to the
internal network of the company.
Figure 5-2 Real-Time Processing settings
Use operations to reset F-Secure Anti-Virus
for Microsoft Exchange statistics or manually
scan mailboxes and Public Folders for
viruses. For more information, see “Manually
Processing Mailboxes and Public Folders”,
77.

CHAPTER 5 129
Centrally Managed Administration
Virus Scanning Change settings used when scanning
messages and attachments for viruses in
real-time. For more information, see “Virus
Scanning”, 130.
Content Blocking Change settings used when stripping
attachments in real-time. For more
information, see “Content Blocking”, 145.
Spam Control Change settings used when incoming
messages are scanned for spam. For more
information, see “Spam Control Settings in
Centrally Managed Environments”, 328.
The Spam Control settings branch is
displayed only if you have F-Secure Spam
Control installed.
Outbreak Management Change virus outbreak notification settings.
For more information, see “Outbreak
Management”, 156.
Internal Domains Define internal domains of the company
network. For more information, see “Internal
Domains”, 159.

130
Virus Scanning
F-Secure Anti-Virus can examine message bodies and attachments,
intercept them and send them to F-Secure Content Scanner Server,
which scans them for malicious code.
Figure 5-3 Real-Time Processing / Virus Scanning settings
Examine Attachments Specify which message attachments are
checked for viruses.
All Attachments - Scan all message attachments
in e-mail messages and public folder notes for
malicious code.
All Attachments with Included Extensions - Scan
all attachments with extensions specified in the
Included Extensions setting.

CHAPTER 5 131
Centrally Managed Administration
All Attachments except Excluded Extensions -
Scan all attachments, except for those with
extensions specified in the Excluded Extensions
setting.
Do not Scan - Do not scan any attachments in
e-mail messages and public folder notes.
By default, F-Secure Anti-Virus for Microsoft
Exchange examines all files with included
extensions.
Included Extensions Specify extensions of attachments to be
scanned if the Examine Attachments setting is
set to All Files with Included Extensions.
Excluded Extensions Specify extensions of files that are not scanned
if the Examine Attachments setting is set to All
Attachments except Excluded Extensions.
Action On Infected
Attachments
You can modify Included Extensions and
Excluded Extensions lists as needed. Separate
each extension by a space (‘ ‘). Wildcards * and
? can be used. To specify the files that have no
extension, type a dot ('.').
Specify whether infected attachments should be
disinfected or dropped.
Disinfect - Try to disinfect the infected
attachment. If the disinfection succeeds, the
recipient receives the disinfected file instead of
the original one. If the disinfection fails, the
infected attachment is dropped, and it is not
delivered to the recipient.
Drop - Do not disinfect or deliver infected
attachments. All infected attachments are
dropped.

132
Quarantine Infected
Attachments
Virus Informational
File Text
By default, F-Secure Anti-Virus for Microsoft
Exchange disinfects infected attachments.
Specify whether infected or suspicious
attachments should be quarantined.
Yes - All infected and suspicious attachments
are placed to the Quarantine. For more
information, see “Quarantine”, 178.
No - Infected and suspicious attachments are
not quarantined.
By default, F-Secure Anti-Virus for Microsoft
Exchange places all infected attachments to the
Quarantine.
If the infected attachment is dropped, F-Secure
Anti-Virus for Microsoft Exchange replaces it
with the Virus Informational File. Specify the text
of the replacement file. For more information
about the variables you can use in the text, see
“Variables in Warning Messages”, 364.
Scan Message Body Specify whether the body of the e-mail message
should be scanned for malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans the message body.
Although scanning message bodies can slow
down the performance, it is recommended as
some viruses can be carried inside message
bodies.
Scan OLE Objects Specify whether linked and embedded OLE
objects in messages should be scanned for
malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans OLE objects.

Intelligent File Type
Recognition
CHAPTER 5 133
Centrally Managed Administration
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, Intelligent File Type Recognition is
disabled during the real-time processing.
Intelligent File Type Recognition strengthens the
security - you can block unsafe content that has
a safe filename extension (for example, a
Microsoft Word document using the ‘rtf’ filename
extension) and you do not accidentally block
safe content that has unsafe filename extension
(for example, a text file using the ‘doc’ filename
extension). Intelligent File Type Recognition can
degrade the system performance.

134
Inbound Mail
Figure 5-4 Real-Time Processing / Virus Scanning / Inbound Mail settings

CHAPTER 5 135
Centrally Managed Administration
Trusted Mailboxes Define users’ mailboxes that should be
excluded from real-time virus scanning.
Stop the Whole Message
if Infection Found
To add mailboxes to the table, click Add in
the Editor pane of F-Secure Policy Manager
Console. A new table row appears.
Double-click the Mailbox cell and enter the
name of the trusted mailbox.
It is not safe to use trusted mailboxes. You
should not send or copy messages from
trusted mailboxes to other mailboxes. Keep
all trusted mailboxes on a separate message
store, as messages are scanned always
when they are sent to another store.
Specify whether F-Secure Anti-Virus for
Microsoft Exchange should stop inbound
messages that contain malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not stop these messages.
Yes - Inbound messages with infected
attachment(s) will be stopped completely.
No - Infected attachments will be
automatically disinfected or dropped from
inbound messages.
In both cases, a warning message will be
sent to the sender if Send Warning Message
to Sender is set to Yes.

136
Add Warning Message Specify whether a virus warning message
should be added to the mail message which
had infected content and which goes to the
original message recipient. If you want to
add the warning message, the original
message is embedded in the virus warning
message without the infected attachment.
By default, F-Secure Anti-Virus for Microsoft
Exchange adds the virus warning message.
Warning Subject Specify the subject of the virus warning
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364.
Warning Message Specify the text of the warning message. For
more information about the variables you
can use in the text, see “Variables in
Warning Messages”, 364.
Send Warning Message
To Sender
Warning Subject For
Sender
Specify whether a virus warning message
should be sent to the sender of the mail
message which had infected content. If you
want to add the warning message, the
original message is attached to the virus
warning message without the infected
attachment.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send the virus warning
message to the sender.
Specify the subject of the virus warning
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364.

Warning Message For
Sender
Proactive Virus Threat
Detection
CHAPTER 5 137
Centrally Managed Administration
Specify the text of the warning message. For
more information about the variables you
can use in the text, see “Variables in
Warning Messages”, 364.
The virus warning message will be sent to
the sender of the infected message only if
the sender belongs to an internal domain
that has been defined in the Internal
Domains settings. F-Secure Anti-Virus for
Microsoft Exchange does not send the
warning message outside the company
domain. For more information, see “Internal
Domains”, 159.
Specify whether proactive virus threat
detection is enabled or disabled.
Proactive virus threat detection can identify
new and unknown e-mail malware, including
viruses and worms.
When proactive virus threat detection is
enabled, the product analyzes inbound
e-mail messages for possible security
threats. All possibly harmful messages are
quarantined as unsafe.
Unsafe messages can be reprocessed
periodically, as antivirus updates may
confirm the unsafe message as safe or
infected.
When proactive virus threat detection is
disabled, inbound mails are only scanned by
antivirus engines.

138
Outbound
Figure 5-5 Real-Time Processing / Virus Scanning / Outbound Mail settings

Stop The Whole
Message If Infection
Found
CHAPTER 5 139
Centrally Managed Administration
Specify whether all outgoing messages that
have infected content should be stopped or
not.
Yes - Stop all outbound messages with
infected content completely.
No - Disinfect or drop the infected
attachment before sending the outbound
message.
In both cases a warning message is sent to
the sender if the Send Warning Message to
Sender setting is set to Yes.
By default, F-Secure Anti-Virus for Microsoft
Exchange stops the whole message.
A note about MAPI clients:
If you set F-Secure Anti-Virus for Microsoft Exchange to disinfect
infected files and to stop the whole message if an infection is
found, messages that are sent from MAPI clients are not stopped if
they can be disinfected. Messages are scanned and disinfected
when they are in the Outbox. When a message leaves the Outbox
folder, it does not contain malicious code anymore, so it is not
stopped.

140
Send Warning Message
To Sender
Specify whether a virus warning message
should be sent to the sender of the mail
message which had infected content. If you
want to add the warning message, the
original message is embedded in the virus
warning message.
The warning is sent only if the sender of the
message with the infected attachment is an
internal user. No warnings will be sent
outside the organization.
Warning Subject Specify the subject of the virus warning
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364.
Warning Message Specify the text of the warning message. For
more information about the variables you
can use in the text, see “Variables in
Warning Messages”, 364.
If the sender sends an infected message to
internal and external recipients, the sender
can receive two warning messages about
the same infection.
Add Disclaimer Specify whether you want to add a
disclaimer to all outgoing messages.
By default, F-Secure Anti-Virus for Microsoft
Exchange adds a disclaimer.
Disclaimer Specify the disclaimer text.
Proactive Virus Threat
Detection
Specify whether proactive virus threat
detection is enabled or disabled.

Public Folders
CHAPTER 5 141
Centrally Managed Administration
Proactive virus threat detection can identify
new and unknown e-mail malware, including
viruses and worms.
When proactive virus threat detection is
enabled, the product analyzes inbound
e-mail messages for possible security
threats. All possibly harmful messages are
quarantined as unsafe.
Unsafe messages can be reprocessed
periodically, as antivirus updates may
confirm the unsafe message as safe or
infected.
When proactive virus threat detection is
disabled, inbound mails are only scanned by
antivirus engines.
The Real-Time Processing / Public Folders settings include real-time
scanning for viruses and real-time stripping of attachments. Real-time
scanning of Public Folders checks all notes posted to Public Folders for
malicious code. Real-time scanning for viruses removes infected
attachments from Public Folder notes.

142
Figure 5-6 Real-Time Processing / Virus Scanning / Public Folders settings

CHAPTER 5 143
Centrally Managed Administration
Examine Public Folders Specify Public Folders that should be
processed in real-time.
Process All Public Folders - Process all
notes posted to all Public Folders.
Process Only Included Folders - Process all
notes posted to the Public Folders specified
in the Included Folders setting.
Process All except Excluded Folders -
Process all notes posted to all Public
Folders, except those specified in the
Excluded Folders setting.
Do not Process Public Folders - Do not
process any Public Folders.
By default, F-Secure Anti-Virus for Microsoft
Exchange processes all Public Folders.
Included Folders Specify Public Folders to be scanned for
viruses if the Examine Public Folders setting
is set to Process Only Included Folders.
Excluded Folders Specify Public Folders to be excluded from
scanning if the Examine Public Folders
setting is set to Process All except Excluded
Folders.
To add Public Folders to Included Folders and Excluded Folders
table, click Add in the Editor pane of F-Secure Policy Manager
Console. Double-click the Folder Name cell in the new table row
and enter the name and path of the Public Folder. Double-click the
Include Subfolders cell and select Yes if you want to include or
exclude all subfolders of the folder you entered.
The folder name should start from the name of the Public folder
tree. You can use wildcards in folder names.
All infected messages which are sent to public folders with Outlook
WebAccess are disinfected or dropped regardless of the Examine
Public Folders setting.

144
Send Warning Message
To Originator
Specify whether a virus warning message
should be sent to the original writer of the
note which had infected content that was not
disinfected.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends the virus warning message
to the originator.
The warning will be sent only if the originator
of the note with the infected attachment
belongs to an internal domain. This means
that no warnings will be sent outside the
company.
Warning Subject Specify the subject of the virus warning
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364.
Warning Message Specify the text of the warning message. For
more information about the variables you
can use in the text, “Variables in Warning
Messages”, 364.

Content Blocking
CHAPTER 5 145
Centrally Managed Administration
F-Secure Anti-Virus for Microsoft Exchange can strip unwanted
attachments and filter content from inbound and outbound messages
during the on-access scanning of mailboxes.
Figure 5-7 Content Blocking settings categories
On-Access Specify the settings used during the
on-access scanning of messages.
Inbound Mail Inbound mail includes all e-mail messages
coming into the Microsoft Exchange
Information Store from external sources
such as an SMTP server. It also includes all
internal mail that someone inside the
organization sends to another mailbox which
is inside the organization. For more
information, see “Internal Domains”, 159.
Inbound Mail settings consist of the following
settings:
Trusted Mailboxes - Define users’ mailboxes
that should be excluded from real-time
attachment stripping and content filtering.

146
It is not safe to use trusted mailboxes. You
should not send or copy messages from
trusted mailboxes to other mailboxes. Keep
all trusted mailboxes on a separate message
store, as messages are scanned always
when they are sent to another store.
If you are using F-Secure Anti-Virus for
Microsoft Exchange in centrally managed
mode and have multiple Microsoft Exchange
servers running under the same domain,
only those trusted mailboxes that belong to
the current server are trusted.
Stripping Attachments - Define attachments
that should be stripped from inbound
messages. For more information, see
“Stripping Attachments”, 147.
Content Filtering - Define how inbound
content should be filtered based on
keywords. For more information, see
“Content Filtering”, 151.
Outbound Mail Outbound mail includes all e-mail messages
which leave the Microsoft Exchange
Information Store and go out via SMTP.
Outbound Mail settings consist of the
following settings:
Stripping Attachments - Define attachments
that should be stripped from outbound
messages.For more information, see
“Stripping Attachments”, 147.
Content Filtering - Define how outbound
content should be filtered based on
keywords. For more information, see
“Content Filtering”, 151.

Stripping Attachments
CHAPTER 5 147
Centrally Managed Administration
F-Secure Anti-Virus for Microsoft Exchange can be configured to remove
attachments in real-time from inbound and outbound messages and
during the on-access scanning by their file name or the file extension
even without scanning them for malicious code.
F-Secure Anti-Virus for Microsoft Exchange can strip attachments from
mailboxes and Public Folders when you run the manual scan. For more
information, see “Manual Processing”, 159. For more information on how
to run the manual scan, see “Manually Processing Mailboxes and Public
Folders”, 77.
Figure 5-8 The Stripping Attachments settings in On-Access, Inbound Mail and
Outbound Mail branches
Strip Attachments Specify which attachments should be
stripped from messages and Public Folder
notes.
Disabled - Do not strip any attachments.
All Files - Strip all attachments from all
messages and notes.

148
All Disallowed Attachments - Strip all
attachments specified in the Disallowed
Attachments setting.
All Attachments Except Allowed - Strip all
attachments except those specified in the
Allowed Attachments setting.
By default, F-Secure Anti-Virus for Microsoft
Exchange strips all disallowed attachments.
Allowed Attachments Specify attachments that should not be
stripped if the Strip Attachments setting is
set to All Attachments Except Allowed.
Disallowed Attachments Specify attachments that should be stripped
if the Strip Attachments setting is set to All
Disallowed Attachments.
Intelligent File Type
Recognition
You can modify Allowed Attachments and
Disallowed Attachments lists as needed.
Separate each extension by a comma (‘,‘).
Wildcards * and ? can be used. To specify
the files that have no extension, type a dot
('.').
Trojans and other malicious code can
disguise themselves with filename
extensions which are usually considered
safe to use. Intelligent File Type Recognition
can recognize the real file type of the
message attachment and use that while the
attachment is processed. Specify whether
you want to use Intelligent File Type
Recognition or not.
By default, the Intelligent File Type
Recognition is disabled during the real-time
processing and enabled during the manual
processing.

Action on Stripped
Attachments
Add Informational
Message
CHAPTER 5 149
Centrally Managed Administration
Specify whether stripped attachments should
be quarantined or dropped.
Quarantine - All stripped attachments are
placed in the Quarantine. For more
information, see “Quarantine”, 178.
Drop - All stripped attachments are deleted
automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.
Specify whether an informational message
should be added to the mail message which
originally had the stripped attachment.
During the on-access scanning, the
informational message can be sent to the
mailbox owner or to the originator of an
infected message or an infected Public
Folder note.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not add the informational
message.
Informational Subject Specify the subject of the informational
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364.
Informational Message Specify the text of the informational
message. For more information about the
variables you can use in the text, see
“Variables in Warning Messages”, 364.
The informational message cannot be added
to outbound messages.

150
Notify Administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for
Microsoft Exchange strips an attachment.
Send Informational
Message To Sender
Informational Subject For
Sender
Informational Message
For Sender
No Alerts - Do not send any notification to
the administrator.
Informational - Send an informational alert to
the administrator.
Warning - Send a warning alert to the
administrator.
Security - Send a security alert to the
administrator.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends an informational alert to the
administrator. For more information, see
“Configuring Alert Forwarding”, 119.
Specify whether an informational message
should be sent to the sender of the mail
message which had the stripped attachment.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send informational
message to the sender.
Specify the subject of the informational
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364.
Specify the text of the informational
message. For more information about the
variables you can use in the text, see
“Variables in Warning Messages”, 364.

Content Filtering
CHAPTER 5 151
Centrally Managed Administration
The informational message will be sent to the sender of the
stripped attachment only if the sender belongs to the internal
domain. F-Secure Anti-Virus for Microsoft Exchange does not send
the informational message outside the company domain. For more
information, see “Internal Domains”, 159.
If a message contains some stripped and some disinfected
content, the message is considered to be infected. In these cases,
the only message that is sent is the virus warning message, and no
informational messages about the stripped attachment is sent.
F-Secure Anti-Virus for Microsoft Exchange can be configured to filter
messages in real-time from inbound and outbound mail traffic based on a
list of keywords that have been defined as denied. You can specify a
separate list of keywords for message subjects and message text.

152
Figure 5-9 Real-Time Processing / Content Blocking / Inbound Mail / Content
Filtering settings

CHAPTER 5 153
Centrally Managed Administration
Filter content Specify whether keyword-based content
filtering should be enabled or disabled.
Disallowed Keywords in
Message Subject
Disallowed Keywords in
Message Text
Action on Disallowed
Content
By default keyword-based content filtering is
disabled.
Specify disallowed keywords in message
subject. When Content Filtering is enabled,
messages that have these keywords in their
subjects are filtered out. The action to take
on these messages depends on the Action
on Disallowed Content setting (see below).
Specify disallowed keywords in message
bodies. When Content Filtering is enabled,
messages that have these keywords in the
body text are filtered out.
Specify whether filtered messages should be
quarantined or dropped.
Quarantine - All filtered messages are
placed in the Quarantine. For more
information, see “Quarantine”, 178.
Drop - All filtered messages are deleted
automatically.

154
Send Informational
Message to Recipient
Informational Subject for
Recipient
Informational Message
for Recipient
Specify whether an informational message
should be sent to the recipient of the
disallowed content that was filtered. (This
setting exists in the Inbound Mail branch
only.)
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send the informational
message.
The informational message will be sent only
if the recipient of the message with the
disallowed content is an internal user. This
means that no informational messages will
be sent outside the company.
Specify the subject of the informational
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364. (This
setting exists in the Inbound Mail branch
only.)
Specify the text of the informational
message. For more information about the
variables you can use in the text, “Variables
in Warning Messages”, 364. (This setting
exists in the Inbound Mail branch only.)

CHAPTER 5 155
Centrally Managed Administration
Notify Administrator Specify whether an alert should be sent to
the administrator when F-Secure Anti-Virus
for Microsoft Exchange filters a message,
and what type of an alert it should be.
Send Informational
Message to Sender
No Alerts - Do not send any notification to
the administrator.
Informational - Send an informational alert to
the administrator.
Warning - Send a warning alert to the
administrator.
Security - Send a security alert to the
administrator.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends an informational alert to the
administrator. For more information, see
“Configuring Alert Forwarding”, 119.
F-Secure Management Agent alert
forwarding table controls where alerts with
certain severity level will be sent.
Specify whether an informational message
should be sent to the sender of the
disallowed content which was dropped or
quarantined. (This setting exists in the
Outbound Mail branch only.)
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send informational
message to the sender.

156
Informational Subject for
Sender
Informational Message
for Sender
Outbreak Management
Specify the subject of the informational
message. For more information about the
variables you can use in the subject line, see
“Variables in Warning Messages”, 364. (This
setting exists in the Outbound Mail branch
only.)
Specify the text of the informational
message. For more information about the
variables you can use in the text, see
“Variables in Warning Messages”, 364. (This
setting exists in the Outbound Mail branch
only.)
The informational message will be sent to
the sender of the disallowed content only if
the sender belongs to the internal domain.
F-Secure Anti-Virus for Microsoft Exchange
does not send the informational message
outside the company domain. For more
information, see “Internal Domains”, 159.
F-Secure Anti-Virus for Microsoft Exchange can alert administrators when
the number of infections detected within a specified time frame exceeds a
specified value.

Figure 5-10 Real-Time Processing / Outbreak Management settings
Notify When Number Of
Infections Detected
Exceeds
Notify When Number Of
Infections Detected
Within
CHAPTER 5 157
Centrally Managed Administration
Specify the number of infected objects that
should be found within the time period
specified in the Notify When Number Of
Infections Detected Within setting, which
should be considered as a virus outbreak.
Use the value zero (0) to disable the
outbreak notification.
By default, the outbreak notification is
disabled (0).
Specifies the outbreak notification time
frame.
By default, the time frame is 30 minutes.

158
Send Security Alert Specify whether a security alert should be
sent to the administrator when a virus
outbreak is detected. For more information,
see “Configuring Alert Forwarding”, 119.-
Send Outbreak
Notification
By default, F-Secure Anti-Virus for Microsoft
Exchange sends the security alert.
Specify whether outbreak notification e-mail
should be sent to the notification addresses
specified in the Notification Addresses
setting when a virus outbreak is detected.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send the outbreak
notification.
Notification Addresses Specify the e-mail addresses of the
recipients who should receive the outbreak
notification e-mail. Separate each address
with a comma (‘,’) or space (‘ ‘).
Notification Subject Specify the subject of the outbreak
notification e-mail message. For more
information about the variables you can use
in the subject line, see “Variables in Warning
Messages”, 364.
Notification Message Specify the text of the outbreak notification
e-mail message. For more information about
the variables you can use in the text, see
“Variables in Warning Messages”, 364.
Run Outbreak Handler
Script
Specify whether an outbreak handler script
should be run when a virus outbreak is
detected.

Internal Domains
5.2.2 Manual Processing
CHAPTER 5 159
Centrally Managed Administration
Outbreak Handler Script Specify the pathname and filename of an
external program or script that should be run
when a virus outbreak is detected. Use
quotation marks if the path or the filename
contains spaces, for example “C:\Program
Files\Example\Outbreak Detected.exe”.
You can use the following environment
variables in the script:
$INTERVAL-MINUTES - The outbreak
detection interval in minutes.
$INFECTIONS-LIMIT - The number of
infections that must be found within the
specified detection interval to trigger the
outbreak alert.
$INFECTIONS-FOUND - The actual number
of infections found within detection interval.
If you want to run a batch file, use the format
“cmd batch.bat”.
Specify the domains which should be considered to be internal domains.
All messages which are going to internal domains are considered to be
inbound messages. Separate each domain name with a space. You can
use * wildcard, for example, *example.com.
Variables located under F-Secure Anti-Virus for Microsoft Exchange /
Settings / Manual Processing / Common configure the options that are
common for manual scans of mailboxes and Public Folders. For
information how to manually process mailboxes and Public Folders, see
“Manually Processing Mailboxes and Public Folders”, 77.

160
Figure 5-11 Manual Processing settings categories
Common Specify whether you want to process all
messages every time you manually process
mailboxes and Public Folders, or just the
messages that have not been processed yet.
For more information, see “Common”, 161.
Mailboxes Specify manual mailbox processing settings.
For more information, see “Mailboxes”, 163.
Public Folders Specify manual Public Folder processing
settings. For more information, see “Public
Folders”, 169.

Common
Figure 5-12 Manual Processing / Common settings
CHAPTER 5 161
Centrally Managed Administration
Incremental Scanning Specify whether you want to process all
messages or only those messages that have
not been processed previously.
All Messages - Process all messages every
time you run a manual scan.
Only Recent Messages - Process only
recent messages, which have not been
processed previously.
By default, F-Secure Anti-Virus for Microsoft
Exchange processes only recent messages.
You can process all messages for example
after the F-Secure Anti-Virus for Microsoft
Exchange virus definition database has been
updated. For more information, see
“Updating Virus and Spam Definition
Databases” on page 70.

162
Number of Concurrent
Transactions
Specify how many concurrent transactions
the scanner can have with F-Secure Content
Scanner Server.
By default, F-Secure Anti-Virus for Microsoft
Exchange uses two concurrent transactions
with F-Secure Content Scanner Server.
You can increase the performance on a
multiprocessor system by increasing the
number of concurrent transactions.

Mailboxes
Figure 5-13 Manual Processing / Mailboxes settings
CHAPTER 5 163
Centrally Managed Administration
Examine Mailboxes Specify which mailboxes should be
processed during the manual scanning.
Process Only Included Mailboxes - Process
all mailboxes specified in the Included
Mailboxes setting.
Process All Except Excluded Mailboxes -
Process all mailboxes, except those
specified in the Excluded Mailboxes setting.
Process All Mailboxes - Process all
mailboxes.
Don't Process Mailboxes - Do not process
any mailboxes.

164
Examine Mailboxes By default, F-Secure Anti-Virus for Microsoft
Exchange examines all mailboxes.
Included Mailboxes Specify mailboxes that should be scanned if
the Examine Mailboxes setting is set to
Process Only Included Mailboxes.
Excluded Mailboxes Specify mailboxes that should not be
scanned if the Examine Mailboxes setting is
set to Process All Except Excluded
Mailboxes.
To add a new mailbox to Included and Excluded Mailboxes lists,
click Add in the Editor pane of F-Secure Policy Manager Console.
Then, double-click the Mailbox cell and enter the name of the
mailbox to be included.
Check the Inbox, Outbox, Sent Items and Deleted Items check
boxes to include or exclude them from the scan. The Others check
box contains all other folders of the selected mailbox. You can
change whether folders should be included or excluded from the
scan by double-clicking the cell and selecting either Yes or No.
Attachments To Scan Specify which attachments should be
scanned for viruses.
All Attachments with Included Extensions -
Scan all attachments with extensions
specified under the Included Extensions
setting.
All Attachments Except Excluded
Extensions - Scan all attachments, except
the ones with extensions specified under the
Excluded Extensions setting.
All Attachments - Scan all attachments.
None - Do not scan attachments.

CHAPTER 5 165
Centrally Managed Administration
By default, F-Secure Anti-Virus for Microsoft
Exchange scans all files.
Included Extensions Specify extensions of attachments to be
scanned if the Examine Mailboxes setting is
set to All Attachments with Included
Extensions.
Excluded Extensions Specify extensions of files that are not
scanned if the Examine Mailboxes setting is
set to All Attachments except Excluded
Extensions.
Intelligent File Type
Recognition
You can modify the default set of Included
and Excluded Extensions as needed.
Separate each extension by a space (‘ ‘).
Wildcards * and ? can be used. To specify
the files that have no extension, type a dot
('.').
Trojans and other malicious code can
disguise themselves with filename
extensions which are usually considered
safe to use. Intelligent File Type Recognition
can recognize the real file type of the
message attachment and use that while the
attachment is processed. Specify whether
you want to use Intelligent File Type
Recognition or not.
By default, the Intelligent File Type
Recognition is enabled during the manual
processing.

166
Action On Infected
Attachments
Send Warning Message
To Mailbox Owner
Specify whether infected attachments
should be disinfected or dropped.
Disinfect - Try to disinfect the infected
attachment. If the disinfection succeeds, the
recipient receives the disinfected file instead
of the original one. If the disinfection fails,
the infected attachment is dropped, and it is
not delivered to the recipient.
Drop - Do not disinfect or deliver infected
attachments. All infected attachments are
dropped.
By default, F-Secure Anti-Virus for Microsoft
Exchange disinfects infected attachments.
Specify whether a virus warning message
should be sent to the mailbox owner of the
mail message which had infected content. If
you want to add the warning message, the
original message is embedded in the virus
warning message.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends the warning message to
mailbox owner.
Warning Subject Specify the subject of the virus warning
message. For more information about the
variables you can use in the subject line,
see “Variables in Warning Messages”, 364.
Warning Message Specify the text of the warning message.
For more information about the variables
you can use in the text, see “Variables in
Warning Messages”, 364.

Quarantine Infected
Attachments
CHAPTER 5 167
Centrally Managed Administration
Specify whether infected attachments
should be placed in the Quarantine or not.
Yes - All infected and dropped attachments
are placed in the Quarantine. For more
information, “Quarantine”, 178.
No - All infected and dropped files are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange places infected attachments in
the Quarantine.
Scan Message Body Specify whether the body of the e-mail
message should be scanned for malicious
code. As some viruses can be carried inside
a message body, it is recommended to scan
them. Scanning message bodies can slow
down the performance.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message body.

168
Stripping Attachments
F-Secure Anti-Virus for Microsoft Exchange can be configured to remove
attachments according to the file name or the file extension, without even
scanning them for malicious code. Using the variables under the Manual
Scanning / Mailboxes / Stripping Attachments branch you can configure
the options for stripping attachments during manual processing of the
mailboxes.
-
Figure 5-14 Manual Processing / Mailboxes / Stripping Attachments settings
For more information, see “Stripping Attachments”, 147.

Public Folders
CHAPTER 5 169
Centrally Managed Administration
Use the variables under Manual Scanning / Public Folders to configure
options for manual processing of Public Folders.
Figure 5-15 Manual Processing / Public Folders settings
Examine Public Folders Specify Public Folders that should be
scanned for viruses.
Process Only Included Folders - Process all
notes posted to the Public Folders specified
in the Included Folders setting.
Process All Except Excluded Folders -
Process all notes posted to all Public
Folders, except those specified in the
Excluded Folders setting.
Process All Public Folders - Process all
notes posted to all Public Folders.

170
Don't Process Public Folders - Do not
process any Public Folders for viruses.
The notes and attachments to be processed
in the selected folders are defined with the
Attachments to Scan and Scan Message
Body settings.
Examine Public Folders By default, F-Secure Anti-Virus for Microsoft
Exchange processes all Public Folders.
Included Folders Specify Public Folders to be scanned for
viruses if the Examine Public Folders setting
is set to Scan Only Included Folders.
Excluded Folders Specify Public Folders to be excluded from
scanning if the Examine Public Folders
setting is set to Scan All Except Excluded
Folders.
To add Public Folders to Included and
Excluded Folders tables, click Add in the
Editor pane of F-Secure Policy Manager
Console. Double-click the Folder Name cell
and enter the name and path of the Public
Folder. Double-click the Include Subfolders
cell and select Yes if you want to include or
exclude all subfolders of the folder you
entered.
You can use ‘\*’ to specify folders that have
not been specified otherwise.

CHAPTER 5 171
Centrally Managed Administration
Attachments To Scan Specify which attachments will be checked
for malicious code during the manual
processing of Public folders.
All Attachments - All attachments will be
checked for malicious code during the
manual processing.
All Attachments with Included Extensions -
Only attachments with extensions specified
in the Included Extensions setting will be
scanned.
All Attachments except Excluded
Extensions - All attachments will be
scanned, except files with the extensions
specified in the Excluded Extensions
setting.
None - Attachments will not be checked for
malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans all attachments.
Included Extensions Specify attachments that should be scanned
if the Attachments To Scan setting is set to
All Attachments with Included Extensions.
Excluded Extensions Specify extensions of files that are not
scanned if the Attachments To Scan setting
is set to All Attachments except Excluded
Extensions.
You can modify the default Included and
Excluded Extensions lists as needed.
Separate each extension by a space (‘ ‘).
Wildcards * and ? can be used. To specify
the files that have no extension, type a dot
('.').

172
Intelligent File Type
Recognition
Action On Infected
Attachments
Action On Infected
Attachments
Send Warning Message
To Originator
Trojans and other malicious code can
disguise themselves with filename
extensions which are usually considered
safe to use. Intelligent File Type Recognition
can recognize the real file type of the
message attachment and use that while the
attachment is processed. Specify whether
you want to use Intelligent File Type
Recognition or not.
By default, the Intelligent File Type
Recognition is enabled during the manual
processing.
Specify whether infected attachments
should be disinfected or dropped.
Disinfect - Try to disinfect the infected
attachment. If the disinfection succeeds, the
recipient receives the disinfected file instead
of the original one. If the disinfection fails,
the infected attachment is dropped, and it is
not delivered to the recipient.
Drop - Do not disinfect or deliver infected
attachments. All infected attachments are
dropped.
By default, F-Secure Anti-Virus for Microsoft
Exchange disinfects infected files.
Specify whether a virus warning message
should be sent to the original writer of the
note which had infected content.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send the warning
message to the originator.

Stripping Attachments
For more information, see “Stripping Attachments”, 147.
CHAPTER 5 173
Centrally Managed Administration
Warning Subject Specify the subject of the virus warning
message. For more information about the
variables you can use in the subject line,
see “Variables in Warning Messages”, 364.
Warning Message Specify the text of the warning message.
For more information about the variables
you can use in the text, see “Variables in
Warning Messages”, 364.
Quarantine Infected
Attachments
Specify whether infected attachments
should be placed in the Quarantine or not.
Yes - All infected and dropped attachments
are placed in the Quarantine. For more
information, see “Quarantine”, 178.
No - All infected and dropped files are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange places infected attachments in
the Quarantine.
Scan Message Body Specify whether the body of the message
should be scanned for malicious code. As
some viruses can be carried inside a
message body, it is recommended to scan
message bodies. Scanning message bodies
can slow down the performance.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message bodies.

174
5.2.3 Scheduled Processing
Displays all scheduled tasks and date and time when the next scheduled
task occurs for the next time.
Deactivate scheduled tasks in the list by clearing the checkbox in front of
the task. Activate it again by checking the checkbox.
Click Add to start the Scheduled Operation Wizard. To duplicate a task,
select it from the list and click Copy. To edit a previously created task,
click Edit. To remove the selected task from the list, click Clear Row.
Click Clear Table to remove all tasks from the list.
Force Row enforces the current scheduled task to be active in all
subdomains and hosts. Force Table enforces all current scheduled tasks
to be active in all subdomains and hosts. For more information, see Policy
Manager 5 Administrator’s Guide.
For information how to create scheduled operations, see “Creating
Scheduled Operation”, 102.

5.2.4 Content Scanner Servers
Figure 5-16 Content Scanner Server settings
CHAPTER 5 175
Centrally Managed Administration
Primary Servers Specify all F-Secure Content Scanner
Servers where F-Secure Anti-Virus for
Microsoft Exchange should send files to be
processed. If you list more than one
F-Secure Content Scanner Server, F-Secure
Anti-Virus for Microsoft Exchange uses load
sharing between them.
IMPORTANT: This setting must be defined
as Final with the Restriction Editor before the
policies are distributed. Otherwise the
setting will not be changed in the product.

176
Backup Servers Specify F-Secure Content Scanner Servers
that act as backup servers from primary
servers. If F-Secure Anti-Virus for Microsoft
Exchange cannot contact primary F-Secure
Content Scanner Servers, it interacts with
backup servers.
IMPORTANT: This setting must be defined
as Final with the Restriction Editor before the
policies are distributed. Otherwise the
setting will not be changed in the product.
Local Interaction Mode This setting controls how F-Secure
Anti-Virus Agent interacts with a Content
Scanner Server running on the same host.
Max Size of Data
Processed in Memory
Enabled - Data are transferred via local
temporary files and/or shared memory,
which provides the best performance
possible.
Disabled - Data are transferred via data
stream sockets.
Usually, you do not need to change this
setting. It is recommended to use the local
interaction mode to obtain the optimum
performance.
Specifies the maximum size (in kilobytes) of
data to be transferred to the server via
shared memory in the local interaction
mode. When the amount of data exceeds
that, a local temporary file will be used for
data transfer.
If the option is set to zero (0), all data
transfers via shared memory are disabled.
The setting is ignored if the local interaction
mode is disabled.

CHAPTER 5 177
Centrally Managed Administration
Working Directory Specify the name and location of the working
directory, where temporary files are placed.
IMPORTANT: This setting must be defined
as Final with the Restriction Editor before the
policies are distributed. Otherwise the
setting will not be changed in the product.
During the installation, F-Secure Anti-Virus
for Microsoft Exchange automatically adjusts
the access rights so that only the operating
system and the local administrator can
access files in the Working directory. If you
change this setting after the installation,
make sure that the new folder has secure
access permissions.
Connection Timeout Specify the time interval (in seconds) how
long F-Secure Anti-Virus for Microsoft
Exchange should wait for a response from
F-Secure Content Scanner Server before it
stops attempting to send or receive data.
By default, the connection timeout is 900
seconds (15 minutes).

178
5.2.5 Quarantine
Figure 5-17 Quarantine settings

CHAPTER 5 179
Centrally Managed Administration
Quarantine Storage Specify the path to the Quarantine storage
where all quarantined mails and attachments
are placed.
Retain Items in
Quarantine
If you change the Quarantine Storage
setting, select the Final checkbox in the
Restriction Editor to override initial settings.
During the installation, F-Secure Anti-Virus
for Microsoft Exchange adjusts the access
rights to the Quarantine Storage so that only
the product, operating system and the local
administrator can access it. If you change
the Quarantine Storage setting, make sure
that the new location has secure access
permissions.
Specify how long quarantined e-mails are
stored in the Quarantine before they are
deleted automatically.
The setting defines the default retention
period for all Quarantine categories. To
change the retention period for different
categories, configure Quarantine Cleanup
Exceptions settings.
Delete Old Items Every Specify how often old items are deleted from
the Quarantine.
Quarantine Cleanup
Exceptions
The setting defines the default cleanup
interval for all Quarantine categories. To
change the cleanup interval for different
categories, configure Quarantine Cleanup
Exceptions settings.
Specify separate Quarantine retention
periods and cleanup intervals for each
Quarantine category.

180
Quarantine Size
Threshold
Quarantined Items
Threshold
Notify When Quarantine
Threshold is Reached
Specify the minimum amount of free disk
space (in megabytes) required on the disk
where the Quarantine storage resides. If the
specified value is reached, the product
sends a warning alert.
If the threshold is specified as zero (0), the
amount of free disk space is not checked.
Specify the critical number of items in the
Quarantine. When the Quarantine holds the
critical number of items, the product sends
an alert to the administrator.
If the threshold is specified as zero (0), the
amount of items is not checked.
Specify the level of the alert that is sent to
administrator when threshold levels are
reached.
Quarantine Worms Specify if the product should quarantine
mails infected with mass mail worms or
viruses such as Netsky or Bagle.
Quarantine Problematic
Mails
Released Quarantine
Message Subject
Released Quarantine
Message Body
Specify if mails that contain malformed or
broken attachments should be quarantined
for later analysis or recovery.
Specify the subject of the message released
from the Quarantine.
Specify the body of the message released
from the Quarantine.
The Released Quarantine Message is
generated only for items which have been
removed from the Microsoft Exchange store
and it is sent automatically when the
administrator releases the message to the
intended recipient.

Automatically Process
Unsafe Messages
Max Attempts to Process
Unsafe Messages
Final Action on Unsafe
Messages
CHAPTER 5 181
Centrally Managed Administration
Specify how often the product tries to
reprocess unsafe messages that are
retained in the Quarantine. Set the value to
Disabled to keep all unsafe to process
unsafe messages manually.
Specify how many times the product tries to
reprocess unsafe messages that are
retained in the Quarantine.
Use the Final Action on Unsafe Messages
setting to specify the action that takes place
if the message is retained in the Quarantine
after the maximum attempts.
Specify the action to unsafe messages after
the maximum number of reprocesses have
been attempted.
Leave in Quarantine - Leave messages in
the Quarantine and process them manually.
Release to Intended Recipients - Release
messages from the Quarantine and send
them to original recipients.
Quarantine Log Directory Specify the path to the directory where
Quarantine logfiles are placed.
Rotate Quarantine Logs
Every
Keep Rotated Quarantine
Logs
Specify how often the product rotates
Quarantine logfiles. At the end of each
rotation time a new log is created.
Specify how many rotated log flies should be
kept.

182
5.2.6 Reporting
5.2.7 Advanced
Figure 5-18 Reporting settings
Notification sender
address
Figure 5-19 Advanced settings
Specify the address used by F-Secure
Anti-Virus Agent for Microsoft Exchange for
sending warning and informational
messages to the end-users (for example,
recipients, senders and mailbox owners).

New Mailbox Polling
Interval
New Folder Polling
Interval
Max Levels of Nested
Messages
CHAPTER 5 183
Centrally Managed Administration
Specify how often (in seconds) F-Secure
Anti-Virus for Microsoft Exchange should
check for newly established mailboxes. You
can disable the new mailbox polling by using
the value 0 (zero).
By default, F-Secure Anti-Virus for Microsoft
Exchange polls new mailboxes every 1 hour.
Specify how often (in seconds) F-Secure
Anti-Virus for Microsoft Exchange should
check for newly established Public Folders.
You can disable the new mailbox polling by
using the value 0 (zero).
By default, F-Secure Anti-Virus for Microsoft
Exchange polls new folders every 1 hour.
Specify how many levels deep to scan in
nested e-mail messages. A nested e-mail
message is a message that includes one or
more e-mail messages as attachments. If
zero (0) is specified, the maximum nesting
level is not limited.
Note: It is not recommended to set the
maximum nesting level to unlimited as this
will make the product more vulnerable to
DoS (Denial-of-Service) attacks.

184
Action on Mails with
Exceeding Nesting
Levels
5.3 F-Secure Anti-Virus for Microsoft Exchange
Statistics
To view statistics, open the Status tab from the Properties pane and open
the Statistics subtree. It displays statistics for the host for each F-Secure
Anti-Virus for Microsoft Exchange installation. If a policy domain is
selected, the Status view displays the number of hosts in the domain and
which hosts are disconnected from F-Secure Policy Manager.
Resetting Statistics
Specify the action to take on inbound e-mail
messages with nesting levels exceeding the
upper level specified in the Max Levels of
Nested Messages setting.
Drop - E-mail messages with exceeding
nesting levels are not delivered to the
recipient(s).
The nested messages are quarantined if the
Quarantine Problematic Mails setting under
F-Secure Anti-Virus for Microsoft Exchange /
Settings / Real-Time Processing /
Quarantine is set to Yes.
Pass Through - Nested e-mail messages will
be scanned up to level specified in the Max
Levels of Nested Messages setting and then
delivered to the recipient(s).
You can reset statistics by using controls under the F-Secure Anti-Virus
for Microsoft Exchange / Operations branch.

5.3.1 Common
CHAPTER 5 185
Centrally Managed Administration
To reset real-time scanning statistics, use the variables under F-Secure
Anti-Virus for Microsoft Exchange / Operations / Reset Statistics. Select
Reset and click Start in the Editor pane. The Status above the button will
display "Operation still in progress" until the program reports that statistics
have been reset.
Figure 5-20 Common statistics
Version Displays the F-Secure Anti-Virus for
Microsoft Exchange version number.
Previous Reset of
Statistics
Displays the last date and time when the
statistics were reset.
MIB Version Displays the MIB version number.
Installation Directory Displays the complete path where F-Secure
Anti-Virus for Microsoft Exchange is
installed.
Build Displays the F-Secure Anti-Virus for
Microsoft Exchange build number.
Common Displays the product name and lists all
installed hotfixes.

186
5.3.2 Real-Time Processing
Status Displays whether F-Secure Anti-Virus for
Microsoft Exchange is running (started),
stopped, or whether the current status of the
agent is unknown.
Real-Time Processing Displays the number of mailboxes and
Public Folders that are protected in
real-time. For more information, see
“Real-Time Processing”, 186.
Manual Processing Displays the statistics of the last manual
scan and attachment stripping. For more
information, see “Manual Processing”, 189.
Real-time processing statistics displays the number of mailboxes and
Public Folders that are protected in real-time.
Figure 5-21 Real-Time Processing statistics

CHAPTER 5 187
Centrally Managed Administration
Protected Mailboxes Displays the number of currently protected
mailboxes.
Protected Public Folders Displays the number of currently protected
Public Folders.
Total Number of
Infections Found
Number of Infections
Found Within Outbreak
Interval
Displays the number of viruses F-Secure
Anti-Virus for Microsoft Exchange has
detected.
Displays the number of viruses F-Secure
Anti-Virus for Microsoft Exchange has
detected within the last outbreak interval. For
more information, see “Outbreak
Management”, 156.
Inbound Mail Displays the real-time inbound mail
processing statistics. See the following
section for more information.
Outbound Mail Displays the real-time outbound mail
processing statistics. See the following
section for more information.
Public Folders Displays the real-time Public Folder
processing statistics. See the following
section for more information.
Last Infection Found Displays the name of the last virus that was
found.
Last Time Infection
Found
Displays the time when the last virus was
found.

188
Inbound, Outbound Mail and Public Folders
Inbound, Outbound Mail and Public Folders Statistics display the statistics
of processed, infected, and suspicious mail messages.
Inbound Mail includes e-mail messages coming into Microsoft
Exchange Information Store from external sources such as SMTP
connector, and internal mail flowing inside organization.
Outbound Mail includes e-mail messages leaving Exchange
Information Store and going out via SMTP, NNTP or IMAP4.
Public Folders statistics display statistics for processed Public
Folder notes.
Figure 5-22 Inbound Mail, Outbound Mail and Public Folders statistics
Processed Messages Displays the total number of processed
messages.
Infected Messages Displays the total number of messages that
have been infected with malicious code.
Suspicious Messages Displays the number of messages that have
not been scanned reliably. The message is
considered to be suspicious if it is encrypted
or it has been compressed with unknown
algorithm, or there was a scanning problem
when the message was being scanned.
Stripped Attachments Displays the number attachments that have
been stripped from messages.

5.3.3 Manual Processing
Filtered Messages Displays the total number of inbound
messages that contained disallowed
keywords.
CHAPTER 5 189
Centrally Managed Administration
Last Infection Found Displays the name of the last virus found.
Last Time Infection
Found
Number of Spam
Messages
Manual processing statistics displays the statistics of the last manual
scan and attachment stripping.
Figure 5-23 Manual Processing statistics
Displays the date and time when the last
infection was found.
Displays the total number of inbound
messages found to be spam. (This setting
exists under the Inbound Mail branch only.)
Size of Spam Messages Displays the total size (in kilobytes) of the
inbound mail messages considered spam.
(This setting exists under the Inbound Mail
branch only.)

190
Total Amount of
Mailboxes
Displays the total number of mailboxes in the
Exchange Store that F-Secure Anti-Virus for
Microsoft Exchange processes during the
manual processing.
Scanned Mailboxes Displays the number of mailboxes that have
been scanned.
Total Amount of Public
Folders
Displays the total number of Public Folders
in the Exchange Store that F-Secure
Anti-Virus for Microsoft Exchange processes
during the manual processing.
Scanned Public Folders Displays the number of Public Folders that
have been scanned.
Estimated Time Left Displays the estimated time left to finish the
manual processing.
Elapsed Time Displays the time that has elapsed since the
manual processing was started.
Mailboxes Displays the manual mailbox processing
statistics. See the following section for more
information.
Public Folders Displays the manual Public Folders
processing statistics. See the following
section for more information.

Manual Processing of Mailboxes and Public Folders
CHAPTER 5 191
Centrally Managed Administration
Figure 5-24 Manual Processing / Mailboxes and Manual Processing / Public
Folders statistics
Previous Scanning Displays the date and time of the previous
processing.
Processed Messages Displays the total number of processed
messages.
Infected Messages Displays the total number of messages that
have been infected with malicious code.
Suspicious Messages Displays the number of messages that have
not been scanned reliably. The message is
considered to be suspicious if it is encrypted
or it has been compressed with an unknown
algorithm, or there was a scanning problem
when the message was being scanned.
Stripped Attachments Displays the number attachments that have
been stripped from messages.
Last Infection Found Displays the name of the last virus found.
Last Time Infection
Found
Displays the date and time when the last
infection was found.

192
5.3.4 Quarantine
Currently Processed
Mailbox
Currently Processed
Public Folder
Displays the name of the mailbox that was
the last one to be processed during manual
scan. (This setting exists under the
Mailboxes branch only.)
Displays the name of the public folder that
was the last one to be processed during
manual scan. (This setting exists under the
Public Folders branch only.)
Quarantine statistics displays the details of the items in Quarantine and
statistics by Quarantine categories.
Total Number of
Quarantined Items
Total Size of
Quarantine Storage
Displays the total number of items in the
Quarantine.
E-mail messages and infected, suspicious and
disallowed attachments are stored as separate
items in the Quarantine storage. For example, if
a message has 3 attachments and only one
attachment is infected, 2 items will be created in
the Quarantine storage, and both items have the
same Quarantine ID in the Quarantine database.
Displays the total size (in megabytes) of the
Quarantine storage.
Statistics by Category Displays the number and total size of
quarantined messages by category.

5.4 F-Secure Content Scanner Server Settings
CHAPTER 5 193
Centrally Managed Administration
Use the variables under the F-Secure Content Scanner Server / Settings
branch to define the settings for content providers and to change the
general content scanning options.
Figure 5-25 F-Secure Content Scanner Server Settings categories
Interface Specify how the server will interact with
clients.
Virus Scanning Specify the scanning engines to be used
when F-Secure Content Scanner Server
scans files for viruses, and the files that
should be scanned. For more information,
see “Virus Scanning”, 196.
Virus Statistics Specify the settings for the list of Most Active
Viruses. for more information, see “Virus
Statistics”, 199.
Database Updates Specify how you want to keep the virus
definition databases up-to-date. For more
information, see “Database Updates”, 201.
Spam Filtering Specify the number of Spam Scanner
instances to be created and used for spam
analysis. For more information, see “Spam
Filtering”, 202.

194
Threat Detection Engine Configure the virus outbreak and spam
threat detection. For more information, see
“Threat Detection Engine”, 204.
Proxy Configuration Specify proxy server parameters that
Content Scanner Server uses when it
connects to the threat detection center. For
more information, see “Proxy Configuration”,
205.
Advanced Specify the location and the minimum size of
the Working directory. For more information,
see “Advanced”, 206

5.4.1 Interface
Specify how the server will interact with clients.
Figure 5-26 Interface settings
CHAPTER 5 195
Centrally Managed Administration
IP Address Specifies the service listen address in case
of multiple network interface cards or
multiple IP addresses. If you do not assign
an IP address (0.0.0.0), the server responds
to all IP addresses assigned to the host.
TCP Port Specifies the TCP port that the server listens
for incoming requests. The default port
number is 18971. If you change this port
number, you must modify the connection
settings of the client accordingly, so that the
client sends requests to the same port.
Accept Connections Specifies a comma-separated list of IP
addresses the server accepts incoming
requests from. If the list is empty, the server
accepts connections from any host.

196
5.4.2 Virus Scanning
Max Connections Specifies the maximum number of
simultaneous connections the server can
accept. Value zero (0) means no limit.
Max Connections Per
Host
Specifies the maximum number of
simultaneous connections the server can
accept from a particular host. Value zero (0)
means no limit.
Send Content Timeout Specifies how long the server should wait
before it timeouts on sending data to the
client.
Receive Content Timeout Specifies how long the server should wait
before it timeouts when receiving data from
the client.
Keep Alive Timeout Specifies the length of time before the server
closes an inactive/idle connection. This
ensures that all connections are closed if the
protocol fails to close a connection.
Select the scanning engines to be used and the files that should be
excluded from the Scan Engines table.

Figure 5-27 Virus Scanning settings
CHAPTER 5 197
Centrally Managed Administration
Scan Engines Scan engines can be enabled or disabled. If
you want to disable the scanning just for
certain files, enter the appropriate file
extensions to Excluded extensions field and
separate each extension with a space. The
Excluded extensions field supports * and ?
wildcards.
Scan Inside Archives Specify whether files inside compressed
archive files should be scanned for viruses, if
they are not excluded from scanning.
Scanning inside archives takes time.
Disabling scanning inside archives improves
performance, but it also means that the
network users need to use up-to-date virus
protection on their workstations.

198
Max Levels in Nested
Archives
Suspect Max Nested
Archives
Suspect Password
Protected Archives
Acceptable Unpacked
Size Threshold
If Scan Inside Archives is enabled, F-Secure
Content Scanner Server can scan files
inside archives that may exist inside of other
archives. Furthermore, these nested
archives can contain other archives.
Specify the number of levels F-Secure
Content Scanner Server goes through
before the action selected in Suspect Max
Nested Archives takes place. The default
setting is 3.
Increasing the value increases the load on
the system and thus decreases the overall
system performance. This means that the
system becomes more vulnerable for denial
of service attacks.
If the amount of nested archives exceeds the
value specified in the Max Levels in Nested
Archives, the file is stopped if Treat as
Unsafe is selected. If Treat as Safe is
selected, the archive file is sent to the user.
Compressed archive files can be protected
with passwords. These archives can be
opened only with a valid password, so
F-Secure Content Scanner Server cannot
scan their content. Password protected
archives can be stopped by selecting Treat
as Unsafe. If Treat as Safe is selected,
password protected archives are delivered to
recipient.
Specify the acceptable unpacked size (in
kilobytes) for archive files. If the unpacked
size of an archive file exceeds this threshold,
the server will consider the archive
suspicious and corresponding action will be
taken.

5.4.3 Virus Statistics
Scan Extensions Inside
Archives
Extensions Allowed in
Password Protected
Archives
CHAPTER 5 199
Centrally Managed Administration
Enter all the extensions you want to scan
inside archives.
Define a space-separated list of the file
extensions allowed in password protected
archives. Wildcards (*, ?) can be used.
Example: "DO? *ML".
Max Scan Timeout Specify the maximum time that one scanning
task can last. The Max Scan Timeout is 10
minutes by default.
Select the number of most active viruses and the number of days to be
displayed on the Top 10 virus list.

200
Figure 5-28 Virus Statistics settings
Time Period Specify the time period for the most active
viruses list. The product shows statistics
about most active viruses detected during
the specified time period. The possible value
range is from 1 hour to 90 days.
Viruses to Show Specify the number of most active viruses to
be displayed for the time period specified in
the 'Time Period' setting. The possible
values are Top 5, Top 10 and Top 30.
Send Statistics to
F-Secure World Map
The product can collect and send statistics
about viruses and other malware to the
F-Secure World Map service.
When the F-Secure World Map support is
enabled, the product sends encrypted e-mail
reports periodically to the service. These
reports list only the name and the amount of
found malware and they do not contain any
sensitive information such as IP or e-mail
addresses or user names.
You can also forward unencrypted reports to
a configurable e-mail address and use the
same statistics for your own internal
purposes.

5.4.4 Database Updates
Figure 5-29 Database Updates settings
CHAPTER 5 201
Centrally Managed Administration
Mail Server Address Specify the IP address of mail transfer agent
where you want to send the unencrypted
report.
Mail Server Port Specify the port of the mail transfer agent.
E-mail Addresses for
Unencrypted Reports
Verify Integrity of
Downloaded Databases
Specify e-mail addresses where the
unencrypted report is sent.
Specify whether the product should verify
that the downloaded virus definition
databases are the original databases
published by F-Secure Corporation and that
they have not been altered or corrupted in
any way before taking them to use.

202
5.4.5 Spam Filtering
Notify When Databases
Become Old
Notify When Databases
Older Than
Figure 5-30 Spam Filtering settings
Specify whether F-Secure Content Scanner
Server should notify the administrator if virus
definition databases have not been updated
recently.
Specify the time (in days) how old virus
definition databases can be before F-Secure
Content Scanner Server sends the
notification to the administrator.

CHAPTER 5 203
Centrally Managed Administration
The number of spam scanner instances can be configured in F-Secure
Content Scanner Server / Settings / Spam Filtering.
Number of spam scanner
instances
Specify the number of Spam Scanner
instances to be created and used for spam
analysis. As one instance of the spam
scanner is capable of processing one mail
message at a time, this setting defines how
many messages will undergo spam analysis
simultaneously. The default value is 3.
You might need to modify this setting if you
enable Realtime Blackhole Lists (DNSBL/
RBL) for spam filtering. For more
information, see “Enabling Realtime
Blackhole Lists”, 238 and “Optimizing
F-Secure Spam Control Performance”, 240.
The server must be restarted after this
setting has been changed.
IMPORTANT: Spam analysis is a
processor-intensive operation and each
spam scanner instance takes approximately
25MB of memory (process fsavsd.exe). Do
not increase the number of instances unless
the product is running on a powerful
computer.

204
5.4.6 Threat Detection Engine
Figure 5-31 Threat Detection Engine settings
The virus outbreak and spam threat detection can be configured in
F-Secure Content Scanner Server / Settings / Threat Detection Engine.
VOD Cache Size Specify the maximum number of patterns to
cache for the virus outbreak detection service.
By default, the cache size is 10000 cached
patterns.
Class Cache Size Specify the maximum number of patterns to
cache for spam detection service. By default, the
cache size is 10000 cached patterns.
Action on Connection
Failure
Increasing cache sizes may increase the threat
detection performance but it requires more disk
space and may degrade the threat detection
rate. Cache sizes can be disabled (set the size
to 0) for troubleshooting purposes.
Specify the action for messages when the threat
detection center cannot be contacted and the
threat detection engine cannot classify the
message.
Pass through - The message is passed through
without scanning it for spam.

5.4.7 Proxy Configuration
Figure 5-32 Proxy configuration
CHAPTER 5 205
Centrally Managed Administration
Heuristic Scanning - F-Secure Content Scanner
Server checks the message using spam
heuristics.
Trusted Networks Specify networks and hosts in the mail relay
network which can be trusted not to be operated
by spammers and do not have open relays or
open proxies.
Define the network as a network/netmask pair
(10.1.0.0/255.255.0.0), with the network/nnn
CIDR specification (10.1.0.0/16), or use ‘*’
wildcard to match any number and ‘-’ to define a
range of numbers (172.16.*.1, 172.16.4.10-110).

206
5.4.8 Advanced
Specify proxy server parameters that Content Scanner Server uses when
it connects to the threat detection center.
Use Proxy Server Specify whether F-Secure Content Scanner
Server uses a proxy server when it connects to
the threat detection center.
Proxy Server Address Specify the address of the proxy server.
Proxy Server Port Specify the port number of the proxy server.
Figure 5-33 Advanced settings

CHAPTER 5 207
Centrally Managed Administration
Working Directory Specify where temporary files are stored.
The Working directory should be on a local
hard disk for the best performance. Make
sure that there is enough free disk space for
temporary files.
Working Directory Clean
Interval
IMPORTANT: This setting must be defined
as Final with the Restriction Editor before the
policies are distributed. Otherwise the
setting will not be changed in the product.
During the setup, access rights are adjusted
so that only the operating system and the
local administrator can access files in the
Working directory. If you make changes to
Working Directory settings, make sure that
the new directory has the same rights.
Specify the time after which the inactive
temporary files in the Working directory are
deleted. The default clean interval is 15
minutes.
Free Space Threshold Specify when F-Secure Content Scanner
Server should send a low disk space alert to
the administrator. The default setting is 100
megabytes.
Max Number of
Concurrent Transactions
Specifies the maximum number of
transactions the server processes
simultaneously.

208
5.5 F-Secure Content Scanner Server Statistics
5.5.1 Server
Figure 5-34 F-Secure Content Scanner Server Statistics
The Statistics branch in the F-Secure Content Scanner Server tree
displays the version of F-Secure Content Scanner Server that is currently
installed on the selected host, the MIB version and the location of
F-Secure Content Scanner Server installation directory.
The Server branch contains the following information:
Version The version of the F-Secure Content
Scanner Server daemon.
Status The status of F-Secure Content Scanner
Server, whether it has been started and it is
running or it is stopped.
Start Time The date and time when the server was
started.
Previous Reset of
Statistics
Number of Active
Processors
The date and time of the last reset of
statistics.
The number of currently active processors.

5.5.2 Scan Engines
The Scan Engines table displays the scan engine statistics and
information.
CHAPTER 5 209
Centrally Managed Administration
Number of Scanned Files The number of files that have been scanned.
Last Database Update The last date and time when virus definition
database was updated.
Last Infection Found The name of the last infection that was
encountered.
Last Time Infection
Found
The date and time when the last infection
was found.
Name The name of the scan engine.
Version The version number of the scan engine.
Status The status of the scan engine, whether it has
been loaded and enabled, is loaded but
disabled, has not been loaded at all, or is
malfunctioning.
Last Database Update The last date and time when virus definition
database was taken into use for this scan
engine.
Database Date The date the virus signature database for
this scan engine was created.
Last Infection Found Displays the last infection found by this scan
engine.
Last Time Infection
Found
Displays the date and time of the last
infection found by this scan engine.

210
5.5.3 Common
5.5.4 Spam Control
Processed Files Displays the number of files processed by
this scan engine.
Infected Files Displays the number of infected files found
by this scan engine.
Disinfected Files Displays the number of files successfully
disinfected by this scan engine.
The Common statistics branch displays the list of installed product
hotfixes.
The Spam Control branch displays the following information:
Spam Scanner Version Displays the version and build number of the
Spam Scanner.
Status Displays the status of the Spam Scanner.
Previous Reset of
Statistics
Displays when the Spam Scanner statistics
were reset last time.
Database Version Displays the version of the database
currently used by the Spam Scanner.
Last Database Update Displays the date and time when the Spam
Scanner database was last updated.

5.5.5 Virus Statistics
Number of Processed
Messages
The Virus Statistics branch displays the following information:
Figure 5-35 F-Secure Content Scanner Server Statistics / Virus Statistics
CHAPTER 5 211
Centrally Managed Administration
Displays the total number of e-mail
messages that have been analyzed for
spam.
Total Spam Statistics These statistics show how many mail
messages have been identified with each
spam confidence level rating.
Last Updated Displays the date and time when the virus
statistics were updated last time.
Most Active Viruses Displays the list of most active viruses.

212
5.6 F-Secure Automatic Update Agent Settings
Figure 5-36 F-Secure Automatic Update Agent Communications settings
To edit F-Secure Automatic Update Agent Settings, go to F-Secure
Automatic Update Agent > Settings > Communications.
Automatic updates Enable and disable the automatic virus definition
updates. By default, automatic updates are
enabled.
Internet connection
checking
Specify whether the product should check for a
usable Internet connection before trying to
connect to the Update Server.
HTTP settings Configure HTTP proxy settings. If you use HTTP
proxy, all connections to the Update Server or
F-Secure Policy Manager Proxy go through the
proxy. If the HTTP proxy cannot be reached, the
product connects directly to the Update Server.
Use download
schedule
Specify whether you want to limit automatic
updates to certain time periods.
PM Proxies Policy Manager Proxy can be used to reduce the
load on the server by caching Policy Manager
content in the proxy.

Intermediate Server
failover time
Intermediate Server
polling interval
Allow fetching
updates from
F-Secure Update
Server
CHAPTER 5 213
Centrally Managed Administration
You can set Policy Manager Proxies in priority
order. Updates are downloaded from the primary
sources first, secondary update sources can be
used as a backup.
The product connects to the Update Server
through any configured Policy Manager Proxies.
If the product cannot connect to Policy Manger
Proxy, it connects directly to the Update Server
Define the failover time to connect to specified
update servers.
If the product cannot connect to update servers
during the specified time, it retrieves the latest
virus definition updates from F-Secure Update
Server if Allow fetching updates from F-Secure
Update Server is enabled.
Define how often the product checks the virus
definition database update sources for new
updates.
Enable the product to download virus definition
updates from F-Secure Update Server when it
cannot connect to specified update servers.

214
5.7 F-Secure Management Agent Settings
Communications
If the F-Secure Anti-Virus for Microsoft Exchange is working in centrally
administered mode, you have to make sure F-Secure Anti-Virus for
Microsoft Exchange sends and receives data from F-Secure Policy
Manager Server. To do this, change communications settings from
F-Secure Management Agent.
For detailed information on F-Secure Management Agent, see the
F-Secure Policy Manager Administrator's Guide.
Host Configuration Mode Shows whether the host is stand-alone or
centrally administered.
Active Protocol Sets the active protocol.
Protocols A subdirectory containing the settings for the
File Sharing and the HTTP protocol. These
settings should be carefully checked before
distribution. Errors can result in problems
with communicating with the hosts.
Slow Connection
Definition
This setting can be used to disallow
F-Secure Management Agent from
downloading large remote installation
packages over slow network connections.
F-Secure Management Agent measures the
speed of the network link to F-Secure Policy
Manager Server and stops the download if
the minimum speed specified by this setting
is not met.

HTTP
Management Server
Address
Incoming Packages
Polling Interval
Outgoing Packages
Update Interval
CHAPTER 5 215
Centrally Managed Administration
URL of the F-Secure Policy Manager Server.
The URL should not have a slash at the end.
For example:
“http://fsms.example.com”.
Defines how often the host tries to fetch
incoming packages (such as Base Policy
files or new virus signature databases) from
the F-Secure Policy Manager Server.
Defines how often the host tries to transmit
to the administrator information that is
periodically updated (such as statistics).
Spool Time Limit The maximum time the host will store the
information it is unable to transmit.

6
ADMINISTRATION WITH
WEB CONSOLE
Overview................................................................................... 217
F-Secure Anti-Virus for Microsoft Exchange Settings .............. 218
F-Secure Content Scanner Server Settings ............................. 275
F-Secure Automatic Update Agent Settings............................. 298
F-Secure Management Agent Settings .................................... 304
216

6.1 Overview
CHAPTER 6 217
Administration with Web Console
This section describes how to use Web Console to administer F-Secure
Anti-Virus for Microsoft Exchange.
If F-Secure Anti-Virus for Microsoft Exchange is installed in the
stand-alone mode, it can be administered with F-Secure Anti-Virus for
Microsoft Exchange Web Console. The Web Console is installed with
F-Secure Anti-Virus for Microsoft Exchange.
To open the Web Console, double-click the F-Secure Settings and
Statistics icon in the Windows system tray and double-click F-Secure
Anti-Virus for Microsoft Exchange, or select it from the Start menu >
Programs > F-Secure Anti-Virus for Microsoft Exchange.

218
6.2 F-Secure Anti-Virus for Microsoft Exchange
Settings
6.2.1 Summary
You can use the F-Secure Anti-Virus for Microsoft Exchange Web
Console to start and stop F-Secure Anti-Virus for Microsoft Exchange,
modify its settings, edit scheduled tasks and start manual processing.
The Summary page displays the current status of the product and a
summary of the most important product statistics.
Figure 6-1 Summary page

CHAPTER 6 219
Administration with Web Console
Status
Status The current status of F-Secure Anti-Virus for
Microsoft Exchange. F-Secure Anti-Virus for
Microsoft Exchange is Started when it is
Running and Stopped when it has been stopped
or disabled.
Version The version and the build number of installed
F-Secure Anti-Virus for Microsoft Exchange.
Protected mailboxes Displays the number of currently protected
mailboxes.
Protected public
folders
Displays the number of currently protected
Public Folders.
Infections found Displays the number of infections found.
Infections found within
outbreak interval
Last time infection
found
Displays the number of infections that have
been found within the currently defined
outbreak interval.
Displays the date and time when the last
infection was found.
Last infection found Displays the name of the last infection that was
found.
Click Start to start the product and Stop to stop it.
Click Reset Statistics to reset the statistics displayed on this page.

220
6.2.2 Virus Scanning
Virus Scanning settings are used to specify how inbound and outbound
messages and Public Folder notes that are sent to F-Secure Content
Scanner Server are to be checked for malicious code.
Figure 6-2 Virus Scanning / Statistics page
Statistics
Infections found Displays the total number of infections found.
Infections found within
outbreak interval
Last time infection
found
Displays the number of infections that have
been found during the currently defined outbreak
interval.
Displays the date and time when the last
infection was found.

CHAPTER 6 221
Administration with Web Console
Last infection found Displays the name of the last infection that was
found.
Processed Displays the number of processed message
bodies and attachments.
Infected Displays the number of attachments that have
been infected with malicious code.
Suspicious Displays the number of stripped messages and
messages that have not been scanned reliably.
The message is considered to be suspicious if it
is encrypted or it has been compressed with an
unknown algorithm, or there was a scanning
problem when the message was being scanned.

222
Common
Edit the Virus Scanning / Common settings to specify which messages
should be scanned for malicious code.
Note that you may have to scroll the page to view all the settings.
Figure 6-3 Virus Scanning / Common settings

Scan mail and public folders for viruses
Scan mail and public
folders for viruses
Scan mail message
body
CHAPTER 6 223
Administration with Web Console
Specify which message attachments are
checked for viruses.
Do not scan - Do not scan any attachments
Scan all - Scan all message attachments
Scan all attachments with these extensions -
Scan all attachments with specified filename
extensions.
Scan all attachments except with these
extensions - Scan all attachments except those
with specified filename extensions.
You can add new file types on the extensions
lists by typing the file extensions in the file
extensions text boxes. Separate the extensions
by spaces.
Specify whether the body of the e-mail message
should be scanned for malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans message bodies.
Although scanning message bodies can slow
down the performance, it is recommended as a
virus can be carried inside a message body.
Scan OLE objects Specify whether linked and embedded OLE
objects in messages should be scanned for
malicious code.
By default, F-Secure Anti-Virus for Microsoft
Exchange scans OLE objects.

224
Enable File Type
Recognition
Max level of nested
messages
Action
Action on infected
attachments
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, Intelligent File Type Recognition is
disabled during the real-time processing.
Intelligent File Type Recognition strengthens the
security - you can block unsafe content that has
a safe filename extension (for example, a
Microsoft Word document using the ‘rtf’ filename
extension) and you do not accidentally block
safe content that has unsafe filename extension
(for example, a text file using the ‘doc’ filename
extension). Intelligent File Type Recognition can
degrade the system performance.
Set the maximum number of levels of messages
inside messages that F-Secure Anti-Virus for
Microsoft Exchange should scan.
If the number of levels exceeds the specified
limit, F-Secure Anti-Virus for Microsoft Exchange
performs the action specified in the Action on
messages with exceeding nesting levels setting.
Specify whether infected attachments should be
disinfected or dropped.
Disinfect attachment - Try to disinfect the
infected attachment. If the disinfection
succeeds, the recipient receives the disinfected
file instead of the original one. If the disinfection
fails, the infected attachment is dropped, and it
is not delivered to the recipient.

Action on messages
with exceeding nesting
levels
Quarantine infected
attachments
Virus informational text
file
Reporting
Notification sender
address
CHAPTER 6 225
Administration with Web Console
Drop attachment - Do not disinfect or deliver
infected attachments. All infected attachments
are dropped.
By default, F-Secure Anti-Virus for Microsoft
Exchange tries to disinfect infected attachments.
Specify the action to take on e-mail messages
with nesting levels exceeding the upper level
specified in the Max Levels of Nested Messages
setting.
Drop - E-mail messages with exceeding nesting
levels are not delivered to the recipient(s). The
nested messages are quarantined if the
Quarantine Problematic Mails setting on the
General / Quarantine page is set to Yes.
Pass Through - Nested e-mail messages will be
scanned up to level specified in the Max Levels
of Nested Messages setting and then delivered
to the recipient(s).
Specify whether infected attachments should be
placed in the Quarantine or not. For more
information, see “Quarantine”, 257.
Edit the informational text file that replaces the
infected attachment if it is dropped.
Define the SMTP address to use when sending
notifications to end-users. The SMTP address
should be a valid, existing address that is
allowed to send messages.

226
Inbound Mail
Edit Virus Scanning / Inbound Mail settings to define whether the whole
message should be stopped if an infection is found and to specify the
trusted mailboxes and the warning messages for infected, inbound mails.
These settings are specific to the mails that are destined to the internal
domains defined under the General / Internal Domains branch. For more
information, see “Internal Domains”, 273.
Figure 6-4 Real-Time Scanning / Inbound Mail settings

Processing options
Stop the whole
message if infection
found
CHAPTER 6 227
Administration with Web Console
Specify whether F-Secure Anti-Virus for
Microsoft Exchange should stop inbound
messages that contain malicious code.
When this setting is enabled, inbound messages
with infected attachment(s) will be stopped
completely.
When this setting is disabled, infected
attachments will be disinfected automatically or
dropped from inbound messages.
In both cases, a warning message will be sent to
the sender if the Send Warning Message to
Sender setting enabled.
When this setting is enabled, all messages are
scanned when they enter the system. The clean
messages will be delivered to the mailbox
server, where they will be scanned again. On the
other hand, enabling this setting reduces internal
network traffic, because infected messages are
stopped before they enter the system.
Trusted mailboxes
Trusted mailboxes Define users’ mailboxes that should be excluded
from real-time virus scanning.
Trusted mailbox feature works only for
messages that are sent directly to an address
defined as trusted mailbox. If the message has
multiple recipients, and some of them are
defined on the Trusted mailboxes list but some
are not, the message will be scanned.

228
Editing Trusted Mailboxes List
Click Specify to open a dialog box where you can add new trusted
mailboxes, or remove trusted mailboxes from the list.
To add new mailbox to the list, click Add. Select mailboxes from
the list and click OK.
To delete a address from the list, click on column to select
mailboxes that you want to delete. Click Clear to delete the
currently marked mailboxes from the trusted mailboxes list.
It is not safe to use trusted mailboxes. You should not send or copy
messages from trusted mailboxes to other mailboxes. Keep all
trusted mailboxes on a separate message store, as messages are
scanned always when they are sent to another store.
Notification message options
Add warning message
to the original message
Send warning
message to sender
Specify whether a virus warning message
should be added to the mail message which had
infected content and which goes to the original
message recipient. If you want to add the
warning message, the original message is
embedded in the virus warning message without
the infected attachment.
Click Edit to edit the warning message that is
added to the mail message.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not add the virus warning
message.
Specify whether a virus warning message
should be sent to the sender of the mail
message which had infected content. If you want
to add the warning message, the original
message is embedded in the virus warning
message without the infected attachment.

CHAPTER 6 229
Administration with Web Console
Click Edit to Edit the warning message that is
sent to the sender of the mail message which
had infected content.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send the virus warning
message to the sender.
The virus warning message will be sent to the
sender of the infected message only if the
sender belongs to the internal domain. F-Secure
Anti-Virus for Microsoft Exchange does not send
the warning message outside the company
domain.

230
Outbound Mail
Edit Virus Scanning / Outbound Mail real-time processing settings to
define what should be done to infected outbound messages and set
warning messages to infected, outbound mails.
Figure 6-5 Virus Scanning / Outbound Mail settings

Processing options
Stop the whole
message if infection
found
Notifications
Send warning
message to sender
CHAPTER 6 231
Administration with Web Console
Specify whether all outgoing messages that
have infected content should be stopped or not.
Check the checkbox to stop all outbound
messages with infected content completely. The
original message will be attached to the warning
and bounced back to the sender with disinfected
content. Clear the checkbox to disinfect or drop
the infected attachment before sending the
outbound message. By default, F-Secure
Anti-Virus for Microsoft Exchange stops the
whole message.
If you set F-Secure Anti-Virus for Microsoft
Exchange to disinfect infected files and stop the
whole message if an infection is found,
messages are not stopped if they are send from
a MAPI client if they can be disinfected.
Messages are scanned and disinfected when
they are in the Outbox. When a message leaves
the Outbox folder, it does not contain malicious
code anymore, so it is not stopped.
Specify whether a virus warning message
should be sent to the sender of the mail
message which had infected content. If you want
to add the warning message, the original
message is embedded in the virus warning
message.
Click Edit to edit the warning message.
If the sender sends an infected message to
internal and external recipients, the sender can
receive two warning messages about the same
infection.

232
Public Folders
Add disclaimer to all
outgoing messages
Edit Public Folders real-time processing settings to define which Public
Folders should be scanned for malicious code and to set warning
messages to infected Public Folder notes.
Figure 6-6 Virus Scanning / Public Folders settings
Specify whether you want to add a disclaimer to
all outgoing messages.
Click Edit to edit the disclaimer text.
By default, F-Secure Anti-Virus for Microsoft
Exchange adds a disclaimer.

Editing Public Folders
Click Specify to open a dialog box where you can add new Public
Folders, or remove Public Folders from the list.
CHAPTER 6 233
Administration with Web Console
Examine public folders
Examine public folders Specify public folders that should be scanned for
viruses.
Do not scan public folders - Do not process any
Public Folders.
Scan all public folders - Process all notes posted
to all Public Folders.
Scan only included public folders - Process all
notes posted to the listed Public Folders.
Scan all except excluded public folders -
Process all notes posted to all Public Folders,
except to the ones in the list.
By default, F-Secure Anti-Virus for Microsoft
Exchange processes all Public Folders.
To add new Public Folder to the list, click Add. Select Public
Folders from the list and click OK.
To select all subfolders of the Public Folder in the list, check the
checkbox in column.
To delete a Public Folder from the list, click on column to
select Public Folders that you want to delete. Click Clear
delete the currently marked Public Folders from the list.
to
All infected messages which are sent to public folders with Outlook
WebAccess are disinfected or dropped regardless of the Examine
Public Folders setting.

234
Notifications
Send warning
message to originator
Outbreak Detection
Specify whether a virus warning message
should be sent to the original writer of the note
which had infected content that could not be
disinfected.
Click Edit to edit the warning message.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends the virus warning message to
the originator.
F-Secure Anti-Virus for Microsoft Exchange can alert administrators when
the number of infections detected within a specified time frame exceeds a
specified value.

Figure 6-7 Virus Scanning / Outbreak Detection settings
Condition
Notify when number of
infections detected
exceed
Action
Send security alert to
the administrator
CHAPTER 6 235
Administration with Web Console
Specify the number of infected objects that
should be found within a specified time period,
for it to be considered as a virus outbreak. Use
the value zero (0) to disable the outbreak
notification.
By default, the outbreak notification is disabled
(0).
Specify whether a security alert should be sent
to the administrator when a virus outbreak is
detected.

236
Send outbreak
notification message
Run outbreak handler
script
6.2.3 Stripping Attachments
Specify whether outbreak notification e-mail
should be sent to the notification addresses
specified in the Notification Addresses setting
when a virus outbreak is detected.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send the outbreak
notification.
Click Edit to edit the outbreak notification
message.
Specify an external program that should be run
when a virus outbreak is detected. The external
program is run using the user account defined
during the installation.
F-Secure Anti-Virus for Microsoft Exchange can be configured to remove
attachments in real-time from inbound and outbound messages by their
file name or the file extension even without scanning them for malicious
code. The Statistics page displays the number of attachments stripped
from inbound and outbound mail and public folders.

On-Access
Figure 6-8 Stripping Attachments / Statistics page
CHAPTER 6 237
Administration with Web Console
Statistics
Attachments stripped Displays the number of stripped attachments in
inbound mail, outbound mail and public folders.
Edit On-Access stripping attachments settings to set which attachments
should be stripped during the on-access scanning.
Note that you have to scroll the page to view all the settings.

238
Figure 6-9 Content Blocking / On-Access / Stripping Attachments settings
Strip attachments
Strip attachments Specify which attachments should be stripped
from messages and public folder notes.
Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from
all messages and notes.
Strip all attachments except these allowed - Strip
all except specified attachments.
Strip only these disallowed attachments - Strip
only specified attachments.

Enable File Type
Recognition
Action on stripped attachment
Action on stripped
attachment
Add informational
message
CHAPTER 6 239
Administration with Web Console
You can add new file types on the attachments
lists by typing the file extensions in the allowed
and disallowed attachments text boxes.
Separate the extensions by spaces.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
Specify whether stripped attachments should be
quarantined or dropped.
Quarantine attachment - All stripped
attachments are placed in the Quarantine. For
more information, see “Quarantine”, 257.
Drop attachment - All stripped attachments are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.
Specify whether an informational message
should be added to the mail message which
originally had the stripped attachment. During
the on-access scanning, the informational
message can be sent to the mailbox owner or to
the originator of an infected message or an
infected Public Folder note.
Click Edit to edit the message that is added to
the message which contained the stripped
attachment.

240
Send the informational
message to sender
By default, F-Secure Anti-Virus for Microsoft
Exchange does not add the informational
message.
Specify whether an informational message
should be sent to the sender of the mail
message which had the stripped attachment.
Click Edit to edit the message that is sent to the
sender of the mail message which contained the
stripped attachment.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send an informational
message to the sender.
Notify administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for Microsoft
Exchange strips an attachment.
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends an informational alert to the
administrator.

Inbound Mail
Edit Stripping Attachments / Inbound Mail settings to specify which
attachments should be stripped from the inbound mail. For settings
descriptions, see below.
Figure 6-10 Stripping Attachments / Inbound Mail settings
CHAPTER 6 241
Administration with Web Console
Note that you may have to scroll the page to view all the settings.

242
Strip attachments
Strip attachments Specify which attachments should be stripped
from messages and public folder notes.
Enable File Type
Recognition
Do not strip - Do not strip any attachments.
Strip all attachments - Strip all attachments from
all messages and notes.
Strip all attachments with these extensions -
Strip all except specified attachments.
Strip all attachments except with these
extensions - Strip only specified attachments.
You can add new file types on the extensions
lists by typing the file extensions in the file
extensions text boxes. Separate the extensions
by spaces.
Trojans and other malicious code can disguise
themselves with filename extensions which are
usually considered safe to use. Intelligent File
Type Recognition can recognize the real file type
of the message attachment and use that while
the attachment is processed. Specify whether
you want to use Intelligent File Type Recognition
or not.
By default, the Intelligent File Type Recognition
is disabled during the real-time processing and
enabled during the manual processing.

Editing Trusted Mailboxes List
Click Specify to open a dialog box where you can add new trusted
mailboxes, or remove trusted mailboxes from the list.
CHAPTER 6 243
Administration with Web Console
Trusted mailboxes
Trusted mailboxes Define users’ mailboxes that should be excluded
from real-time content filtering and attachment
stripping.
Trusted mailbox feature works only for
messages that are sent directly to an address
defined as trusted mailbox. If the message has
multiple recipients, and some of them are
defined on the Trusted mailboxes list but some
are not, the message will be scanned.
To add new mailbox to the list, click Add. Select mailboxes from
the list and click OK.
To delete a address from the list, click on column to select
mailboxes that you want to delete. Click Clear to delete the
currently marked mailboxes from the trusted mailboxes list.
Action on stripped attachment
Action on stripped
attachment
Specify whether stripped attachments should be
quarantined or dropped.
Quarantine attachment - All stripped
attachments are placed in the Quarantine. For
more information, see “Quarantine”, 257.
Drop attachment - All stripped attachments are
deleted automatically.
By default, F-Secure Anti-Virus for Microsoft
Exchange quarantines stripped attachments.

244
Add informational
message
Send informational
message to sender
Specify whether an informational message
should be added to the mail message which
originally had the stripped attachment. During
on-access scanning, the informational message
can be sent to the mailbox owner or to the
originator of an infected message or an infected
Public Folder note.
Click Edit to edit the warning message that is
added to the mail message.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not add the informational
message.
Specify whether an informational message
should be sent to the sender of the mail
message which had the stripped attachment.
Click Edit to edit the warning message that is
sent to the sender of the mail message which
contained the stripped attachment.
By default, F-Secure Anti-Virus for Microsoft
Exchange does not send an informational
message to the sender.
Notify administrator Specify whether the administrator should be
notified when F-Secure Anti-Virus for Microsoft
Exchange strips an attachment.
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.

Outbound Mail
CHAPTER 6 245
Administration with Web Console
Send security alert - Send a security alert to the
administrator.
By default, F-Secure Anti-Virus for Microsoft
Exchange sends an informational alert to the
administrator. For more information, see
“Configuring Alert Forwarding”, 119.
F-Secure Management Agent alert forwarding
table controls where alerts with certain severity
level will be sent.
Edit Stripping Attachments / Outbound Mail attachment stripping settings
to set which attachments should be stripped from the outbound mail. For
settings descriptions, see “Inbound Mail”, 241.
Note that you have to scroll the page to view all the settings.

246
6.2.4 Content Filtering
Figure 6-11 Stripping Attachments / Outbound Mail settings
The Content Filtering settings specify how content should be filtered
based on keywords found in message subject and content. The Spam
Control settings are also located under the Content Filtering branch, but
they are displayed only if you have installed F-Secure Spam Control with
the product.

Figure 6-12 Content Filtering / Statistics page
CHAPTER 6 247
Administration with Web Console
Statistics
Spam messages Displays the total number of spam messages
that have been found.
Size of spam
messages
Filtered inbound
messages
Filtered outbound
messages
Displays the total size of spam messages that
have been found.
Displays the total number of inbound messages
that have been filtered.
Displays the total number of outbound
messages that have been filtered.

248
Spam Control
Inbound Mail
For information on F-secure Spam Control settings, see “Spam Control
Settings in Web Console”, 331.
Edit Content Filtering / Inbound Mail settings to define how content should
be filtered in the inbound mail based on keywords in message subjects
and text. For settings descriptions, see below.

Figure 6-13 Content Filtering / Inbound Mail settings
CHAPTER 6 249
Administration with Web Console
Processing options
Enable content filtering Specify whether the content of inbound
messages is filtered based on the subjects and
texts of the messages as defined on this tab.
List of disallowed
keywords in message
subject
List of disallowed
keywords in message
text
Lists the keywords that are not allowed in
message subject and that are used as filtering
criteria.
Lists the keywords that are not allowed in
message text and that are used as filtering
criteria.

250
Editing Keyword Lists
Click Edit to open a dialog box where you can
add new disallowed keywords, or remove
keywords from the list.
Select the checkbox in the column to mark
the entries that you want to remove.
Click Clear to remove the selected entries
from the list.
Click Edit to open a dialog box where you can add new disallowed
keywords, or remove keywords from the list.
To add new keyword to the list, click Add.
To add multiple entries at once, click Import.
To delete a keyword from the list, click on column to select
keywords that you want to delete. Click Clear to delete the
currently marked keywords from the list.
Trusted mailboxes
Trusted mailboxes Define users’ mailboxes that should be excluded
from real-time content filtering and attachment
stripping.
Trusted mailbox feature works only for
messages that are sent directly to an address
defined as trusted mailbox. If the message has
multiple recipients, and some of them are
defined on the Trusted mailboxes list but some
are not, the message content will be filtered and
attachments stripped.

Editing Trusted Mailboxes List
Click Specify to open a dialog box where you can add new trusted
mailboxes, or remove trusted mailboxes from the list.
CHAPTER 6 251
Administration with Web Console
To add new mailbox to the list, click Add. Select mailboxes from
the list and click OK.
To delete a address from the list, click on column to select
mailboxes that you want to delete. Click Clear to delete the
currently marked mailboxes from the trusted mailboxes list.
Action on message with disallowed content
Action Specify the action to take on a message with
disallowed content.
Send informational
message to recipient
Quarantine message - The filtered message is
placed in the Quarantine.
Drop message - The filtered message will be
deleted automatically.
Specify whether a warning message will be sent
to the recipient of the disallowed content that
has been filtered.
The warning message will be sent only if the
recipient of the message with the disallowed
content is a user belonging to an internal domain
(for more information, see “Internal Domains”,
273). This means that no informational
messages will be sent outside the company.
Click Edit to edit the warning message text.
Notify administrator Specify whether an alert will be sent to the
administrator when an attachment is stripped
from a message and what type of an alert it
should be.

252
Outbound Mail
Do not notify - Do not send any notification to the
administrator.
Send informational alert - Send an informational
alert to the administrator.
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.
F-Secure Management Agent alert forwarding
table controls where alerts with certain severity
level will be sent.
Edit Outbound Mail content blocking settings to set which attachments
should be stripped from the outbound mail and how messages should be
blocked based on keywords found in the message subjects and text. For
settings descriptions, see “Inbound Mail”, 248.

6.2.5 Manual Scanning
Figure 6-14 Content Filtering / Outbound Mail settings
CHAPTER 6 253
Administration with Web Console
You can process mailboxes and public folders manually as needed.

254
Figure 6-15 Manual Processing page

Processing Mailboxes Manually
The Status field displays the current status of the manual process.
CHAPTER 6 255
Administration with Web Console
To start processing mailboxes manually, click Start. Click Stop to
terminate the currently running manual scan
Click Configure... to set up a new manual processing task. For
more information, see “Creating Manual Scanning Operation”,
87.
Click Show Report to view the report of the last manual
processing task.
Progress
Estimated time Displays the estimated time that is left of the
manual processing.
Elapsed time Displays the time that has elapsed since the
manual processing was started.
Processed number
mailboxes
Last processed
mailbox
Processed number
public folders
Last processed public
folder
Messages in
Mailboxes
Messages in Public
Folders
Displays the number of mailboxes that have
been processed out of the total number of
mailboxes.
Displays the mailbox that is currently being
processed.
Displays the number of public folders that have
been processed out of the total number of public
folders.
Displays the public folder that is currently being
processed.
Displays the number of processed, infected and
suspicious messages in mailboxes.
Displays the number of processed, infected and
suspicious messages in Public Folders.

256
Scheduled Scan Tasks
Figure 6-16 Scheduled Processing page
Editing Scheduled Tasks
The Scheduled tasks table displays all scheduled tasks and the date and
time when the next scheduled task occurs for the next time.

6.2.6 Quarantine
CHAPTER 6 257
Administration with Web Console
Clear the checkbox in front of the task to deactivate a scheduled. Check
the checkbox to activate it again.
When the scheduled scanning task is complete, column
reports completed scheduled scanning tasks. you can view the
report by clicking the Report... link displayed in this column.
Click the Edit... link displayed in
task
column to edit a scanning
Click Show Latest Report to display a report of performed
scheduled tasks.
Click Add Task... to start the Scheduled Operation Wizard. For
more information, see “Creating Scheduled Operation”, 102.
To delete a scheduled tasks from the list, click on column to
select scheduled tasks that you want to delete. Click Clear to
delete the currently marked scheduled tasks from the list.
Quarantine in F-Secure Anti-Virus for Microsoft Exchange is handled
through a SQL database. The product is able to quarantine e-mails and
attachments which contain malicious or otherwise unwanted content,
such as spam messages.
The Quarantine management is divided into two different parts:
Quarantine-related configuration, and
the management of the quarantined content, for example
searching for and deleting quarantined content.
In stand-alone installations, quarantine-related settings are configured
and the quarantined files managed through the Web Console.
The Quarantine Query page in Web Console is used for searching the
quarantined content.
When the product places content to the Quarantine, it saves the content
as separate files into the Quarantine Storage (a directory specified in the
Quarantine settings) and inserts an entry to the Quarantine Database with
information about the quarantined content. For more information, see
“Quarantine Management”, 248.

258
Quarantine Thresholds
Figure 6-17 Quarantine thresholds settings

Quarantine thresholds
Quarantined items
threshold
CHAPTER 6 259
Administration with Web Console
Specify the critical number of items in the
Quarantine storage. If the specified value is
reached or exceeded, the product sends an
alert. If zero (0) is specified, the number of
items in the Quarantine storage is not
checked. The default value is 100000 items.
E-mail messages and infected, suspicious
and disallowed attachments are stored and
counted as separate items in the Quarantine
storage. For example, if a message has
three attachments and only one of them has
been found infected, two items will be
created in the Quarantine storage. These
items still have the same Quarantine ID in
the Quarantine database.
Quarantine size threshold Specify the critical size (in megabytes) of the
quarantine folder. If the specified value is
reached, the product sends an alert. The
default value is 200. If zero (0) is specified,
the size of the Quarantine is not checked.
The allowed value range is from 0 to 10240.

260
Notify when quarantine
threshold is reached
Quarantine Reprocess, Retention and Cleanup
Specify how the administrator should be
notified when the Quarantine Size Threshold
and/or Quarantined Items Threshold are
reached. No alert is sent if both thresholds
are set to zero (0). The options available are:
When quarantined content is reprocessed, it is scanned again, and if it is
found clean, it is sent to the intended recipients. For more information,
see “Reprocessing the Quarantined Content”, 318.

Figure 6-18 Quarantine cleanup settings
Reprocess unsafe messages
Automatically reprocess
unsafe messages
Max attempts to process
unsafe messages
CHAPTER 6 261
Administration with Web Console
Specify how often the product tries to
reprocess unsafe messages that are
retained in the Quarantine. Set the value to
Disabled to keep all unsafe to process
unsafe messages manually.
Specify how many times the product tries to
reprocess unsafe messages that are
retained in the Quarantine.
Use the Final Action on Unsafe Messages
setting to specify the action that takes place
if the message is retained in the Quarantine
after the maximum attempts.

262
Final action on unsafe
messages
Specify the action to unsafe messages after
the maximum number of reprocesses have
been attempted.
Leave in Quarantine - Leave messages in
the Quarantine and process them manually.
Release to Intended Recipients - Release
messages from the Quarantine and send
them to original recipients.
Quarantine retention and cleanup
Retain items in
quarantine
Specify how long quarantined items should
be retained in the Quarantine before they are
deleted.
Use the Quarantine Cleanup Exceptions
table to change the retention period for a
particular Quarantine category.
Delete old items every Specify how often the storage should be
cleaned of old quarantined items.
Use the Quarantine Cleanup Exceptions
table to change the cleanup interval for a
particular Quarantine category.
Exceptions Specify separate quarantine retention period
and cleanup interval for each Quarantine
category. If retention period and cleanup
interval for a category are not defined in this
table, then the default ones (specified
above) are used.
Active -Enable or disable the selected entry
in the table.
Quarantine category - Select a category the
retention period or cleanup interval of which
you want to modify. The categories are:

CHAPTER 6 263
Administration with Web Console
Infected
Disallowed
Suspicious
Spam
Scan failure
Unsafe
Retention period - Specify an exception to
the default retention period for the selected
Quarantine category.
Cleanup interval - Specify an exception to
the default cleanup interval for the selected
Quarantine category.
Send informational alert
Send warning alert
Send error alert
Send security alert

264
Quarantine Logging
Figure 6-19 Quarantine logging settings
Logging
Quarantine log
directory
Rotate quarantine
logs
Keep rotated
quarantine logs
Specify the path for Quarantine log files.
Specify how often the product rotates
Quarantine log files. At the end of each rotation
time a new log file is created.
Specify how many rotated log flies should be
stored in the Quarantine.

Quarantine Options
CHAPTER 6 265
Administration with Web Console
Quarantine Options
Quarantine worms Specify whether the product should
Quarantine files infected with mass worms or
mail viruses such as Sobig or Bagle.
Quarantine problematic
messages
Specify if messages that contain malformed
or broken attachments should be
quarantined for later analysis or recovery.
This setting works together with the Security
Options/Action on Malformed Mails setting in
the inbound and outbound mail settings.

266
Quarantine Database
Figure 6-20 Quarantine database settings
You can specify the database where information about quarantined
e-mails is stored and from which it is retrieved.
Quarantine database
SQL server name The name of the SQL server where the
database is located.
Database name The name of the Quarantine database. The
default name is FSMSE_Quarantine.
User name The user name the product uses when
accessing the database.
Password The password the product uses when accessing
the database.

Quarantine Storage
6.2.7 Advanced
CHAPTER 6 267
Administration with Web Console
Quarantine storage Specify the location of the Quarantine
Storage where quarantined e-mails and
attachments are placed.
WARNING: During the setup, access
rights are adjusted so that only the
operating system, the product itself and
the local administrator can access files in
the Quarantine. If you make changes to
the Quarantine storage settings, make
sure that the new directory has the same
rights.
IMPORTANT: This setting must be defined
as Final with the Restriction Editor before the
policies are distributed. Otherwise the
setting will not be changed in the product.
Make sure that F-Secure Anti-Virus for Microsoft Exchange service
has write access to this directory. Adjust the access rights to the
directory so that only the F-Secure Anti-Virus for Microsoft
Exchange service and the local administrator can access files in
the Quarantine.
Advanced settings control mail delivery and scanning timeout settings
and polling intervals for new mailboxes and Public Folders.
IMPORTANT: These settings control the Virus Scanning interface
of Microsoft Exchange Server and modifying them may seriously
affect system performance. Use them with caution.

268
Figure 6-21 Advanced settings
Mail Delivery Settings
Mail opening timeout Specify the number of seconds to try to open a
message.
Max mail sending
retries
Specify the number of times to try to send a
message if sending it fails.
Mail sending timeout Specify the number of seconds to wait to try
sending a message.
Scanning Interface Parameters
Number of scanning
threads
Specify the maximum number of scans to be run
simultaneously. When the upper limit of
simultaneous scanning threads is reached,
messages are queued until a thread is finished.

Advanced
New mailbox polling
interval
New Public Folder
polling interval
CHAPTER 6 269
Administration with Web Console
Specify how often F-Secure Anti-Virus for
Microsoft Exchange should check for newly
established mailboxes. You can disable the new
mailbox polling by using the value 0 (zero).
By default, F-Secure Anti-Virus for Microsoft
Exchange polls new mailboxes every 60
minutes.
Specify how often F-Secure Anti-Virus for
Microsoft Exchange should check for newly
established Public Folders. You can disable the
new mailbox polling by using the value 0 (zero).
By default, F-Secure Anti-Virus for Microsoft
Exchange polls new folders every 60 minutes.
Message scan timeout Specify the maximum time to wait (in seconds)
to scan a message.

270
Scanning Servers
Edit the Servers settings to configure the connection between F-Secure
Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server.
Note that you may have to scroll the page to view all the settings.
Figure 6-22 Advanced / Scanning Servers settings

Scanning servers
Primary Content
Scanner Servers
Backup Content
Scanner Servers
Editing F-Secure Content Scanner Server Addresses
CHAPTER 6 271
Administration with Web Console
Specify all F-Secure Content Scanner Servers
where F-Secure Anti-Virus for Microsoft
Exchange should send files to be processed. If
you list more than one F-Secure Content
Scanner Server, F-Secure Anti-Virus for
Microsoft Exchange uses load sharing between
them.
Specify F-Secure Content Scanner Servers that
act as backup servers for primary servers. If
F-Secure Anti-Virus for Microsoft Exchange
cannot contact primary F-Secure Content
Scanner Servers, it interacts with backup
servers.
To add new F-Secure Content Scanner Server IP addresses or
host names to the list, click Add.
To delete a address from the list, click on column to select
addresses that you want to delete. Click Clear to delete the
currently marked addresses permanently.
Connection timeout Enter the time interval (in seconds) that
specifies how long F-Secure Anti-Virus for
Microsoft Exchange should wait for a response
from F-Secure Content Scanner Server before
stopping attempts to send or receive data.
Restore connection
interval
Enter the time interval (in seconds) that
specifies how long F-Secure Anti-Virus for
Microsoft Exchange will wait before attempting
a new connection with the primary F-Secure
Content Scanner Servers, in case the previous
connection attempt failed or a connection with
the server was lost.

272
Use local interaction
mode
Maximum shared
memory data size
Specify whether the product should interact with
F-Secure Content Scanner Server in the local
interaction mode.
When F-Secure Anti-Virus for Microsoft
Exchange and F-Secure Content Scanner
Server are installed on the same host and the
local interaction mode is enabled, data are
transferred via local temporary files and/or
shared memory. This provides the best possible
performance.
If local interaction mode is disabled, data is
transferred via data stream sockets.
It is recommended to use the local interaction
mode to obtain the optimum performance.
Specify the maximum size of data to be
transferred between the Anti-Virus Agent and
the F-Secure Content Scanner Server via
shared memory.
By default, the maximum size is 1024 kilobytes.
When the amount of data exceeds the
maximum size, a local temporary file will be
used for data transfer.
If the option is set to zero (0), all data transfers
via shared memory are disabled.
This setting is ignored if local interaction mode
is disabled.

6.2.8 Internal Domains
CHAPTER 6 273
Administration with Web Console
Working directory Specify the name and location of the Working
directory, where temporary files are placed.
During the installation, F-Secure Anti-Virus for
Microsoft Exchange automatically adjusts the
access rights so that only the operating system
and the local administrator can access files in
the Working directory. If you change this setting
after the installation, make sure that the new
folder has secure access permissions.
Specify the domains which should be considered to be internal domains.
All messages which are going to internal domains are considered to be
inbound messages. Separate each domain name with a space. You can
use * wildcard, for example, *example.com.

274
Figure 6-23 Internal Domains settings
You can define how the mails destined for the internal domains are
processed by configuring the Virus Scanning / Inbound Mail, Stripping
Attachments / Inbound Mail and Content Filtering / Inbound Mail settings.
Editing Internal Domain Addresses
To add a new domain name to the list, click Add. You can use ‘*’
wildcard. For example, *example.com.
To import a list of domain addresses from a CSV file, click
Import....
To delete a domain name from the list, click on column to
select addresses that you want to delete. Click Clear
delete the currently marked addresses permanently.
to

6.3 F-Secure Content Scanner Server Settings
6.3.1 Summary
Status
CHAPTER 6 275
Administration with Web Console
F-Secure Content Scanner Server can be administered with the F-Secure
Anti-Virus for Microsoft Exchange Web Console. You can check the
system status, check statistics and modify the settings of F-Secure
Content Scanner Server on the computer where the product is installed
and running. Note that if the product is installed in the centralized
administration mode, you cannot change any settings from the F-Secure
Anti-Virus for Microsoft Exchange Web Console and should use F-Secure
Policy Manager Console instead.
You can see the current status of the F-Secure Content Scanner Server,
and virus and spam scanner statistics under the Summary branch.
You can see the statistics of all virus scans on the Status page of
F-Secure Content Scanner Server. The statistics display the number of
scanned files, the last database update, the last virus found and the last
time a virus was found.

276
Figure 6-24 Summary page
Status
Status Displays whether F-Secure Content Scanner
Server is currently running or not.
Version Displays the current version number and build of
F-Secure Content Scanner Server.
Start time Displays the start date and time of F-Secure
Content Scanner Server.
Scanned files Displays how many files have been scanned
since the last reset.
Last database update Displays the last date and time when virus
definition databases were updated.

Virus Statistics
Database Update
Version
CHAPTER 6 277
Administration with Web Console
Displays the version of the virus definition
database update.
The version is shown in YYYY-MM-DD_NN
format, where YYYY-MM-DD is the release date
of the update and NN is the number of the
update for that day.
Last infection found Displays the name of the last virus that was
found.
Last time infection
found
Displays the date and time the last virus was
found.
Click Start to start F-Secure Content Scanner Server and Stop to stop
F-Secure Content Scanner Server.
Click Reset Statistics to reset the statistics in this window.
You can see the list of most active viruses on the Summary > Virus
Statistics page in F-Secure Anti-Virus for Microsoft Exchange Web
Console.

278
Figure 6-25 Summary / Virus Statistics settings
Most active viruses
Most active viruses
table
This table displays a list of the 5, 10 or 30 most
often found viruses during the specified time
period. It also displays the number of times each
virus has been found and the percentage that
each virus represents of the total number of
viruses encountered.
Click Configure to specify the statistics you
want to view.
Time period - Specify the number of days from
which the virus information is displayed.

Spam Scanner Statistics
CHAPTER 6 279
Administration with Web Console
Viruses to show - Specify the number of most
active viruses to show in the Virus Statistics
table. The options available are Top 5, Top 10
and Top 30.
F-Secure World Map
The product can collect and send statistics about viruses and other
malware to the F-Secure World Map service.
When the F-Secure World Map support is enabled, the product sends
encrypted e-mail reports periodically to the service. These reports list only
the name and the amount of found malware and they do not contain any
sensitive information such as IP or e-mail addresses or user names.
You can also forward unencrypted reports to a configurable e-mail
address and use the same statistics for your own internal purposes.
MTA IP address Specify the IP address of mail transfer agent
where you want to send the unencrypted report.
MTA port Specify the port of the mail transfer agent.
Recipients Specify e-mail addresses where the
unencrypted report is sent.
This page is displayed only if you have installed F-Secure Spam
Control.
On the Spam Control page you can see the status of F-Secure Spam
Control, spam definition databases and the spam scanning statistics.

280
Figure 6-26 Summary / Spam Scanner Statistics page
Spam Control statistics
Version Shows the version and build number of the
F-Secure Spam Scanner.
Status Shows the status of the F-Secure Spam
Scanner. The possible statuses are:
Unknown or not installed - This status might be
displayed right after installation when the
product statistics are not yet updated, or if the
F-Secure Spam Scanner is not installed.

Click Reset Statistics to reset the statistics in this window.
CHAPTER 6 281
Administration with Web Console
Not loaded - This status is displayed when the
F-Secure Content Scanner Server failed to load
the scan engine for some reason. You should
check the logfile.log for the reason of the failure.
It might be, for example, that one or more
database files are missing or corrupted.
Loaded but disabled - This status is displayed
when the engine is loaded but disabled by the
administrator. It means that the disabled scan
engine will not be used on scanning. A scan
engine should be disabled for troubleshooting
purposes only.
Loaded and enabled - This status is normally
shown for the scan engine. It means that the
engine has been loaded and will be used for
scanning.
Database version Shows the version of the database currently
used by the F-Secure Spam Scanner.
Last database update Shows the date and time when the F-Secure
Spam Scanner database was last updated.
Number of processed
files
Shows the total number of files that have been
analyzed for spam.
Total spam statistics table:
Confidence level rating Shows the confidence levels used in the spam
scanning. The scale used is from 1 to 9.
Number of messages Shows the number of messages that have
received a certain spam confidence level when
scanned by F-secure Spam Scanner.

282
6.3.2 Database Updates
F-Secure Content Scanner Server can notify the administrator if it detects
that virus and/or spam definition databases are outdated. You can change
the notification and other database updates settings on the Updates
page. For more information about virus definition database updates, see
“Updating Virus and Spam Definition Databases”, 340.

Figure 6-27 Database Updates settings
‘
Database updates
Verify integrity of
downloaded databases
Notify when databases
become old
CHAPTER 6 283
Administration with Web Console
Specify whether the product verifies that the
downloaded virus definition databases are the
original databases published by F-Secure
Corporation and that they have not been altered
or corrupted in any way before taking them to
use.
Specify what kind of an alert F-Secure Content
Scanner Server should send to the administrator
when virus definition databases are not
up-to-date.
Send informational alert - Send an informational
alert to the administrator.

284
6.3.3 Scan Engines
Notify when databases
older than
Send warning alert - Send a warning alert to the
administrator.
Send security alert - Send a security alert to the
administrator.
Do not notify - Do not send any notification to the
administrator.
Specify when virus definition databases are
outdated. If databases are older than the
specified amount of days, F-Secure Content
Scanner Server sends an alert to the
administrator.
F-Secure Content Scanner Server uses multiple top quality scanning
engines to ensure the highest possible detection rate and disinfection
capability. You can view an overview of the engine statuses and updates
on the Scan Engines page.

Figure 6-28 Virus Scanning page
Scan engines
Scan Engine Displays the name of the scan engine.
CHAPTER 6 285
Administration with Web Console
Version Displays the version number of the scan engine.
Database Date Displays the date of the currently used virus
definition database.
Last Updated Displays the last date when the virus definition
database was updated.

286
Properties
You can view the detailed statistics and statuses of the scan engines on
the Scan Engines > Properties page.
Note that you have to scroll the page to view all the settings.
Figure 6-29 Scan Engines > Properties page
Scan engine
Number of processed
files
Number of files found
infected
Displays the number of files the selected scan
engine has scanned.
Displays the number of infected files the
selected scan engine has found.

Threat Detection
Number of disinfected
files
Displays the number of infected files the
selected scan engine has successfully
disinfected.
CHAPTER 6 287
Administration with Web Console
Database date Displays the date of the currently used virus
definition database for the selected scan engine.
Last database update Displays the last date when the virus definition
database was updated.
Last infection found Displays the name of the latest infection that
was found with the selected scan engine.
Last time infection
found
Engine excluded
extensions
Displays the date and time of the last infection.
Specify a space-separated list of file extensions
excluded from scanning by the engine. You can
also use wildcards: ‘?’ matches exactly one
character, ‘*’ matches any number of characters,
including zero (0) characters. For example:
“PP?, PDF, X*”.
Click Reset Statistics to reset the statistics for a scan engine.
Select the scan engine and click Enable to turn it on or Disable to turn it
off.
You can configure the virus outbreak and spam threat detection on the
Scan Engines > Threat Detection page.

288
Figure 6-30 Scan Engines > Threat Detection page
Cache
VOD cache size Specify the maximum number of patterns to
cache for the virus outbreak detection service.
By default, the cache size is 10000 cached
patterns.
Class cache size Specify the maximum number of patterns to
cache for spam detection service. By default, the
cache size is 10000 cached patterns.
Advanced
Action on connection
failure
Increasing cache sizes may increase the threat
detection performance but it requires more disk
space and may degrade the threat detection
rate. Cache sizes can be disabled (set the size
to 0) for troubleshooting purposes.
Specify the action for messages when the threat
detection center cannot be contacted and the
threat detection engine cannot classify the
message.

6.3.4 Proxy Configuration
CHAPTER 6 289
Administration with Web Console
Pass through - The message is passed through
without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner
Server checks the message using spam
heuristics.
Trusted networks Specify networks and hosts in the mail relay
network which can be trusted not to be operated
by spammers and do not have open relays or
open proxies.
Define the network as a network/netmask pair
(10.1.0.0/255.255.0.0), with the network/nnn
CIDR specification (10.1.0.0/16), or use ‘*’
wildcard to match any number and ‘-’ to define a
range of numbers (172.16.*.1, 172.16.4.10-110).
You can specify proxy server parameters that Content Scanner Server
uses when it connects to the threat detection center on the Proxy
Configuration page.

290
Figure 6-31 Proxy Configuration page
Proxy Configuration
Use proxy server Specify whether F-Secure Content Scanner
Server uses a proxy server when it connects to
the threat detection center.
Proxy server address Specify the address of the proxy server.
Proxy server port Specify the port number of the proxy server.
Authentication
method
Specify the authentication method to use to
authenticate to the proxy server.
NoAuth - The proxy server does not require
authentication.
Basic - The proxy uses the basic authentication
scheme.
NTLM - The proxy uses NTLM authentication
scheme.

User name Specify the user name for the proxy server
authentication.
Password Specify the password for the proxy server
authentication.
CHAPTER 6 291
Administration with Web Console
Domain Specify the domain name for the proxy server
authentication.

292
6.3.5 Archive Scanning
F-Secure Content Scanner Server can scan files inside archives. You can
change the archive scanning and other advanced settings in the Virus
Scanning / Archive Scanning page.
Figure 6-32 Archive Scanning settings page

CHAPTER 6 293
Administration with Web Console
Virus scanning
Scan inside archives Select whether F-Secure Content Scanner
Server should scan files inside the archives for
possible infections.
Max levels in nested
archives
Suspect max nested
archives
Suspect password
protected archives
Set the number of levels of archives inside
archives that F-Secure Content Scanner Server
should scan. Note that nested archives can be
used in denial-of-service attacks, so it is not
recommended to set the maximum value very
high.
Specify whether F-Secure Content Scanner
Server should treat archives with more nested
levels than you have set above as safe or
unsafe.
Treat as safe - Archives are scanned to the
specified level and allowed through if no
infections are found.
Treat as unsafe - Archives with exceeding
nested levels are always quarantined.
Password protected archives cannot be
scanned. Select whether to treat them as safe or
unsafe. As password protected archives cannot
be inspected without knowing the password, the
user who receives the password protected
archive should have up-to-date virus protection
on the workstation if they are treated as safe.
Treat as safe - Password protected archives are
allowed to go through.
Treat as unsafe - Password protected archives
are quarantined.

294
Acceptable unpacked
size threshold
Scan these extensions
in archive files
Extensions allowed in
password protected
archives
Specify the acceptable unpacked size (in
kilobytes) for archive files. If the unpacked size
of an archive file exceeds this threshold, the
server will consider the archive suspicious and
corresponding action will be taken.
Specify files that are scanned inside archives.
Click Modify to edit the list of extensions you
want to scan inside archives.
Specify a space-separated list of the file
extensions allowed in password protected
archives. Wildcards (*, ?) can be used. Example:
"DO? *ML".

6.3.6 Advanced
CHAPTER 6 295
Administration with Web Console
You can change the Working Directory settings from the Advanced page.
The Working directory specifies where temporary files are stored.
Figure 6-33 Advanced settings
Advanced
Working directory Specify the working directory. Enter the
complete path to the field or click Browse to
browse to the path you want to set as the new
working directory.
Working directory
clean interval
Specify how often the working directory is
cleaned of all files that may be left there. By
default, files are cleaned every 30 minutes.

296
Free space threshold Set the free space threshold of the working
directory. F-Secure Content Scanner Server
sends an alert to the administrator when the
drive has less than the specified amount of
space left.
Max number of
concurrent
transactions
Specify how many files F-Secure Content
Scanner Server should process simultaneously.
Max scan timeout Specify how long a scan task can be carried out
before it is automatically cancelled.
Number of spam
scanner instances
Specify the number of Spam Scanner instances
to be created and used for spam analysis. As
one instance of the spam scanner is capable of
processing one mail message at a time, this
setting defines how many messages will
undergo spam analysis simultaneously. The
default value is 3.
You might need to modify this setting if you
enable Realtime Blackhole Lists (DNSBL/ RBL)
for spam filtering.
The server must be restarted after this setting
has been changed.
IMPORTANT: Spam analysis is a
processor-intensive operation and each spam
scanner instance takes approximately 25MB of
memory (process fsavsd.exe). Do not increase
the number of instances unless the product is
running on a powerful computer.

6.3.7 Interface
CHAPTER 6 297
Administration with Web Console
You can specify how F-Secure Content Scanner Server should interact
with F-Secure Anti-Virus Agent for Microsoft Exchange.
Figure 6-34 Interface settings
Service connections
IP address Specify the IP address that F-Secure Content
Scanner Server listens to. If you do not assign
any IP address (0.0.0.0), F-Secure Content
Scanner Server responds to all connections.
TCP port Specify the port number that F-Secure Content
Scanner Server listens for incoming
connections. By default, the port number is
18971.

298
Accept connections Specify the hosts that are allowed to connect to
F-Secure Content Scanner Server. If you do not
specify any clients, F-Secure Content Scanner
Server accepts connections from all clients.
Limit max connections
to
Limit max connections
per host to
Specify the maximum number of simultaneous
connections that F-Secure Content Scanner
Server accepts. If you do not want to limit the
number of connections, set the value to 0.
Specify the maximum number of simultaneous
connections per client that F-Secure Content
Scanner Server accepts. If you do not want to
limit the number of connections per client, set
the value to 0.
Send content timeout Specify how long F-Secure Content Scanner
Server tries to send data to a client before it
stops sending it.
Receive content
timeout
Specify how long F-Secure Content Scanner
Server waits to receive data from a client before
it stops listening.
Keep alive timeout Specify how long F-Secure Content Scanner
Server keeps an inactive connection open.
6.4 F-Secure Automatic Update Agent Settings
With F-Secure Automatic Update Agent, virus and spam definition
database updates are retrieved automatically when they are published.
When a new virus is found, F-Secure provides a new virus definition
database update.

6.4.1 Summary
Status Displays the current status of F-Secure
Automatic Update Agent.
CHAPTER 6 299
Administration with Web Console
Version Displays the version number of F-Secure
Automatic Update Agent.
Channel name Displays the channel from where the
updates are downloaded.
Channel address Displays the address of the Automatic
Updates Server.
Latest installed update Displays the version and name of the latest
installed update.
Last check time Displays the date and time when the last
update check was done.
Last check result Displays the result of the last update check.

300
Downloads
Next check time Displays the date and time for the next
update check.
Last successful check
time
Available Packages
Displays the date and time when the last
successful update check was done.
Current HTTP proxy Displays the address of the HTTP proxy that
is currently used.
Current Policy Manager
proxy
Displays the address of the F-Secure Policy
Manager proxy that is currently used.
Title Displays the title of the downloaded package.
Download time Displays the download date and time.
Size Displays the size of the downloaded package.

Installed Packages
6.4.2 Automatic Updates
You can configure the Download options on the Downloads page.
Updates
CHAPTER 6 301
Administration with Web Console
TItle Displays the title of the downloaded package.
Installation time Displays the date and time when the update was
installed.
Result Displays the installation status.
Enable automatic
updates
Select whether automatic updates are
enabled or disabled.

302
HTTP Settings
Internet connection
checking
Use ‘Detect connection’, unless you
experience problems with that setting. The
options available are:
Assume always connected - Assume that
the computer is always connected to the
Internet.
Detect connections - Detect when the
computer is connected to the Internet.
Detect traffic - Assume that there is an
Internet connection when the product
detects any traffic.
Use HTTP proxy Select whether HTTP proxy should be used.
No - HTTP proxy is not used.
From browser settings - Use the same HTTP
proxy settings as the web browser.
User defined - Define the HTTP proxy.
User defined proxy Define the HTTP proxy address.

6.4.3 PM Proxies
CHAPTER 6 303
Administration with Web Console
Active Enable or disable the F-Secure Policy Manager
Proxy.
Address Specify the address of F-Secure Policy Manager
Proxy.
Server failover time Define (in hours) the failover time to connect to
specified update servers.
Server polling interval Define (in minutes) how often the product
checks F-Secure Policy Manager Proxies for
new updates.
Allow fetching
updates from
F-Secure Update
Server
Enable the product to download virus definition
updates from F-Secure Update Server when it
cannot connect to specified update servers.

304
6.5 F-Secure Management Agent Settings
F-Secure Management Agent enforces the security policies set by the
administrator. It handles all management functions on the local
workstations and provides a common interface for all F-Secure
applications. and operates within the policy-based management
infrastructure.
You can access F-Secure Management Agent settings from F-Secure
Anti-Virus for Microsoft Exchange Web Console Home page by clicking
the Configure... button in the F-Secure Management Agent section.
Note that you may have to scroll the page to view all the settings.

Figure 6-35 F-Secure Management Agent Configuration page
Status
CHAPTER 6 305
Administration with Web Console
The Status section displays detailed information on the host, for
example the DNS and WINS names and the IP address. In addition, it
displays the date and time when the policy file that is currently in use
was issued and the date and time when the host connected to the
server last time.

306
Communication method
F-Secure Policy Manager
Server
Network communication
directory
If you use F-Secure Policy Manager Server,
specify the URL of F-Secure Policy Manager
Server. Do not add a slash at the end of the
URL.
For example: “http://fsms.example.com”.
If you use the network communication
directory, Specify the path to the
Communication directory hierarchy. This
must be specified as a UNC path (for
example, \\server\commdir). Do not use
mapped drive letters (for example,
S:\commdir).
User account - The user account that is used
for accessing the shared directory.
Password - The password of the account
that is used for accessing the shared
directory.
Stand-alone Select Stand-alone if you have use F-Secure
Anti-Virus for Exchange Web Console to
administer the product.
Advanced
Maximum size of
F-Secure log file
Specify the maximum size for F-Secure log
file. The default value is 5000 KB.

7
QUARANTINE
MANAGEMENT
Introduction............................................................................... 308
Configuring Quarantine Options............................................... 309
Searching the Quarantined Content......................................... 310
Query Results Page ................................................................. 314
Viewing Details of a Quarantined Message.............................. 316
Reprocessing the Quarantined Content ................................... 318
Releasing the Quarantined Content ......................................... 319
Removing the Quarantined Content......................................... 321
Deleting Old Quarantined Content Automatically..................... 321
Quarantine Logging.................................................................. 322
Quarantine Statistics ................................................................ 323
Moving the Quarantine Storage................................................ 324
307

308
7.1 Introduction
You can manage and search quarantined mails with the F-Secure
Anti-Virus for Microsoft Exchange Web Console. You can search for
quarantined content by using different search criteria, including the
quarantine ID, recipient and sender address, the time period during which
the message was quarantined, and so on. You can reprocess and delete
messages, and specify storage and automatic deletion times based on
the reason for quarantining the message.
If you have multiple F-Secure Anti-Virus for Microsoft Exchange
installations, you can manage the quarantined content on all of them from
one single F-Secure Anti-Virus for Microsoft Exchange Web Console. For
more information, see “Performance-Critical Installation”, 28 and
“Microsoft Exchange Cluster Environment”, 30.
The quarantine consists of:
Quarantine database
Quarantine storage.
Quarantine Database
The quarantine database contains information about the quarantined
messages. If there are several F-Secure Anti-Virus for Microsoft
Exchange installations in the network, they can either have their own
quarantine databases, or they can use a common quarantine database.
An SQL database server is required for the quarantine database.
The following SQL databases can be used for storing information about
the quarantined content:
Microsoft SQL Server 2000 Desktop Engine (MSDE)
Microsoft SQL Server 2000
Microsoft SQL Server 2005
MSDE is delivered together with the product. If you want to use another
database (Microsoft SQL Server 2000), you must buy it and get your own
license before you start to deploy F-Secure Anti-Virus for Microsoft
Exchange.

For more information on the SQL servers recommended for different
environments, see “Which SQL Server to Use for the Quarantine
Database?”, 35.
Quarantine Storage
CHAPTER 7 309
Quarantine Management
The quarantine storage where the quarantined messages are stored is
located on the server where F-Secure Anti-Virus for Microsoft Exchange
is installed. If there are several F-Secure Anti-Virus for Microsoft
Exchange installations in the network, they all have their own storages.
The storages are accessible from a single F-Secure Anti-Virus for
Microsoft Exchange Web Console.
Quarantine Reasons
The quarantine storage can store:
Messages and attachments that are infected and cannot be
automatically disinfected. (Infected)
Suspicious content, for example password-protected archives,
nested archives and malformed messages. (Suspicious)
Messages and attachments that have been blocked by their
filename or filename extension. (Disallowed)
Messages that are considered spam. (Spam)
Files that could not be scanned, for example severely corrupted
files. (Scan failure)
Messages that have been identified as unsafe; messages that
contain patterns that can be assumed to be a part of a spam or
virus outbreak. (Unsafe)
7.2 Configuring Quarantine Options
In stand-alone installations, all the quarantine settings can be configured
on the Quarantine page in F-Secure Anti-Virus for Microsoft Exchange
Web Console. For more information on the settings, see “Quarantine”,
257.

310
In centrally managed installations, the quarantine settings are configured
with F-secure Policy Manager in the F-Secure Anti-Virus for Microsoft
Exchange / Settings / Quarantine branch. For more information, see
“Quarantine”, 178.
The actual quarantine management is done through F-Secure Anti-Virus
for Microsoft Exchange Web Console.
7.3 Searching the Quarantined Content
You can search the quarantined content on the F-Secure Anti-Virus for
Microsoft Exchange > Quarantine page in the Web Console.
Figure 7-1 Quarantine query options

You can use the following search criteria:
CHAPTER 7 311
Quarantine Management
Quarantine ID Enter the quarantine ID of a quarantined
message. The quarantine ID is displayed in the
notification sent to the user about the
quarantined message.
Object type Select the type of the quarantined content.
Attachment - Search for quarantined
attachments. You can also specify the Name of
the attachment and the Location of the mailbox
or public folder where the quarantined
attachment was found.
Mail - Search for quarantined mails. You can
also specify the Message ID and the Sender
host of the quarantined mail.
Mails and attachments - Search for both
quarantined mails and attachments.
Reason Select the quarantining reason from the
drop-down menu. For more information, see
“Quarantine Reasons”, 309.
Reason details Specify details about the scanning or processing
results that caused the message to be
quarantined. For Example:
The message is classified as spam - the field
displays the spam confidence level rating and a
list of spam tests that triggered the spam level.
The message is infected - the field displays the
name of the infection found.
Sender Enter the e-mail sender address. You can only
search for one address at a time, but you can
widen the search by using the wildcards.

312
Recipients Enter the e-mail recipient address.
Subject Enter the message subject to be used as search
criteria.
Show only You can use this option to view the current
status of messages that you have set to be
reprocessed, released or deleted. Because
processing a large number of e-mails may take
time, you can use this option to monitor how the
operation is progressing.
The options available are:
Unprocessed e-mails - Displays only e-mails
that the administrator has not set to be released,
reprocessed or deleted.
E-mails to be released - Displays only e-mails
that are currently set to be released, but have
not been released yet.
E-mails to be reprocessed - Displays only
e-mails that are currently set to be reprocessed,
but have not been reprocessed yet.
E-mails to be reprocessed and released -
Displays e-mails that are currently set to be
reprocessed or released, but have not been
reprocessed or released yet.

Click Query to start the search. The Quarantine Query Results page is
displayed once the query is completed.
If you want to clear all the fields on the Query page, click Reset.
Using Wildcards
You can use the following SQL wildcards in the quarantine queries:
CHAPTER 7 313
Quarantine Management
Search period Select the time period when the data has been
quarantined. Select Exact start and end dates to
specify the date and time (year, month, day,
hour, minute) when the data has been
quarantined.
Sort Results Specify how the search results are sorted by
selecting one of the options in the Sort Results
by: drop-down menu: based on Date, Sender,
Recipients, Subject or Reason.
Display Select how many items you want to view per
page.
Wildcard Explanation
% Any string of zero or more characters.
_ (underscore) Any single character.
[ ] Any single character within the specified
range ([a-f]) or set ([abcdef]).
[^] Any single character not within the specified
range ([^a-f]) or set ([^abcdef]).
If you want to search for '%', '_' and '[' as regular symbols in one of
the fields, you must enclose them into square brackets: '[%]', '[_]',
'[[]'

314
7.4 Query Results Page
Figure 7-2 Quarantine Query Results Page
The Quarantine Query Results page displays a list of mails and
attachments that were found in the query. To view detailed information
about a quarantined content, click the Quarantine ID (QID) number link in
the QID column. For more information, see “Viewing Details of a
Quarantined Message”, 316.
The Query Results page displays status icons of the content that was
found in the search:
Icon E-mail status
Quarantined e-mail. The administrator has not specified any
actions to be taken on this e-mail.
Quarantined e-mail with attachments. The administrator has
not specified any actions to be taken on this e-mail.
Quarantined e-mail that the administrator has set to be
released. The release operation has not been completed yet.

Icon E-mail status
Quarantined e-mail that the administrator has set to be
reprocessed. The reprocessing operation has not been
completed yet.
Quarantined e-mail that the administrator has set to be
deleted. The deletion operation has not been completed yet.
Quarantined e-mail set to be released, which failed.
Quarantined e-mail set to be reprocessed, which failed.
Quarantined Mail Operations
CHAPTER 7 315
Quarantine Management
You can select an operation to perform on the messages that were found
in the query:
Click Reprocess to scan the currently selected e-mail again, or
click Reprocess All to scan all e-mail messages that were found.
For more information, see “Reprocessing the Quarantined
Content”, 318.
Click Release to deliver the currently selected e-mail without
further processing, or click Release All to deliver all e-mail
messages that were found. For more information, see “Releasing
the Quarantined Content”, 319.
WARNING: Releasing quarantined content entails a
security risk, because the content is delivered to the
recipient without being scanned.
Click Delete to delete the currently selected e-mail from the
quarantine, or click Delete All to delete all e-mail messages that
were found. For more information, see “Removing the
Quarantined Content”, 321.

316
Quarantined Attachment Operations
You can select an operation to perform on the attachments that were
found in the query:
Click Send to deliver the currently selected attachment without
further processing, or click Send All to deliver all attachments
that were found. For more information, see “Releasing the
Quarantined Content”, 319.
WARNING: Releasing quarantined content entails a
security risk, because the content is delivered to the
recipient without being scanned.
Click Delete to delete the currently selected e-mail from the
quarantine, or click Delete All to delete all e-mail messages that
were found. For more information, see “Removing the
Quarantined Content”, 321.
7.5 Viewing Details of a Quarantined Message
To view the details of a quarantined message, do the following:
1. On the Query Search Results page, click the Quarantine ID (QID)
number link in the QID column.
2. The Quarantined Content Details page opens.

Figure 7-3 Quarantined Content Details page
The Quarantined Content Details page displays the following
information about the quarantined mails:
QID - Quarantine ID.
CHAPTER 7 317
Quarantine Management
Submit date - The date and time when the item was placed in the
quarantine.
Processing server - The F-Secure Anti-Virus for Microsoft
Exchange server that processed the message.
Sender - The address of the message sender.
Recipients - The addresses of all the message recipients.
Sender host - The address of the sender mail server or client.
Subject - The message subject.
Message size - The size of the quarantined message.
Quarantine reason - The reason why the content was
quarantined.
Click the Show... link to access the content of the quarantined message.

318
Click Download to download the quarantined message to your computer
to check it.
WARNING: In many countries, it is illegal to read other
people’s messages.
The Quarantined Content Details page displays the following
information about the quarantined attachments:
QID - Quarantine ID.
Submit date - The date and time when the item was placed in the
quarantine.
Sender - The address of the attachment sender.
Recipients - The addresses of all the attachment recipients.
Location - The location of the mailbox or public folder where the
quarantined attachment was found.
Subject - The message subject.
Attachment name - The name of the attachment.
Attachment size - The size of the attachment file.
Quarantine reason - The reason why the content was
quarantined.
Click Download to download the quarantined attachment to your
computer to check it.
WARNING: In many countries, it is illegal to read other
people’s messages.
7.6 Reprocessing the Quarantined Content
When quarantined content is reprocessed, it is scanned again, and if it is
found clean, it is sent to the intended recipients.
For example, if some content was placed in the quarantine because of an
error situation, you can use the time period when the error occurred as
search criteria, and then reprocess the content. This is done as follows:

CHAPTER 7 319
Quarantine Management
1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the
Quarantine page.
2. Select the start and end dates and times of the quarantining period
from the Start time: and End Time: drop-down menus.
3. If you want to specify how the search results are sorted, select the
sorting criteria and order from the Sort results by: and order:
drop-down menus.
4. Select the number of items to be displayed on a results page from the
Display: drop-down menu.
5. Click the Query button.
6. When the query is finished, the query results page is displayed. Click
the Reprocess All button to reprocess the displayed quarantined
content.
7. The e-mails that have been reprocessed and found clean are
delivered to the intended recipients. They are also automatically
deleted from the quarantine. The progress of the reprocessing
operation is displayed in the Web Console.
7.7 Releasing the Quarantined Content
When quarantined content is released, it is sent to the intended recipients
without any further processing. You might need to do this, for example, to
deliver a password-protected archive from the quarantine to the recipient.
In the example below the quarantined message is searched for by using
the Quarantine ID as the search criteria. The Quarantine ID is included in
the notification message delivered to the user.
WARNING: Releasing quarantined content entails a security
risk, because the content is delivered to the recipient without
being scanned.
If you need to release a quarantined message, it is done as follows:

320
1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the
Quarantine page.
2. Enter the Quarantine ID of the message in the Quarantine ID field.
3. Click Query.
4. When the query is finished, the query results page is displayed. Click
the Release button to release the displayed quarantined content. The
Release Quarantined Content dialog opens.
5. Specify whether you want to release the content to the original
recipient or specify an address where the content is to be forwarded.
It may not be legal to forward the e-mail to anybody else than
the original recipient.
6. Specify what happens to the quarantined content after it has been
released by selecting one of the Action after release options:
Leave in the quarantine
Delete from quarantine
7. Click Release. The content is now delivered to the recipient.

7.8 Removing the Quarantined Content
CHAPTER 7 321
Quarantine Management
Quarantined messages are removed from the quarantine based on the
currently configured quarantine retention and cleanup settings. For an
example on how to configure those settings, see “Deleting Old
Quarantined Content Automatically”, 321.
If you want to remove a large amount of quarantined messages at once,
for example all the messages that have been categorized as spam, do the
following:
1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the
Quarantine page in the Web Console.
2. Select the quarantining reason, Spam, from the Reason: drop-down
menu.
3. Click Query.
4. When the query is finished, the query results page is displays all
quarantined messages that have been classified as spam. Click the
Delete All button to delete all the displayed quarantined content.
5. You are prompted to confirm the deletion. Click OK. The content is
now removed from the quarantine.
7.9 Deleting Old Quarantined Content Automatically
Quarantined content is deleted automatically based on the Quarantine
Retention and Cleanup settings on the Quarantine > Options page. By
default all types of quarantined content are stored in quarantine for one
month, and quarantine clean-up task is executed once an hour.
You can specify exceptions to the default retention and clean-up times in
the Exceptions table. These exceptions are based on the quarantine
category. If you want, for example, to have infected messages deleted
sooner, you can specify an exception rule for them as follows:
1. Go to the Quarantine > Options page.
2. Click the Add button below the Exceptions table. A new row is added
in the table.

322
3. Select the category for which you want to specify the exception, for
example Infected, from the Quarantine Category drop-down menu.
4. Specify a retention period that is shorter than the default value, for
example 1 day, in the Retention Period column.
5. Specify a cleanup interval that is shorter than the default value, for
example 30 minutes, in the Cleanup Interval column.
6. Enable the exception you just created by selecting the Enabled check
box.
7. Click Apply.
7.10 Quarantine Logging
To view the Quarantine Log, open the F-Secure Anti-Virus for Microsoft
Exchange tab in the Web Console, and go to the Quarantine page. Then
click the Show Log File button.

7.11 Quarantine Statistics
CHAPTER 7 323
Quarantine Management
The Quarantine statistics page displays the number of quarantined items
in each quarantine category, and the total size of the quarantine.
Figure 7-4 Quarantine > Statistics page
E-mail messages and infected, suspicious and disallowed
attachments are stored and counted as separate items in the
quarantine storage. For example, if a message has three
attachments and only one of them has been found infected, two
items will be created in the quarantine storage. These items still
have the same quarantine ID in the quarantine database.

324
7.12 Moving the Quarantine Storage
When you want to change the Quarantine storage location either using
the F-Secure Policy Manager Console or F-Secure Anti-Virus for
Microsoft Exchange Web Console, note that the product does not create
the new directory automatically. Before you change the Quarantine
storage directory, make sure that the directory exists and it has proper
security permissions.
You can use the xcopy command to create and change the Quarantine
storage directory by copying the existing directory with the current
ownership and ACL information. In the following example, the Quarantine
storage is moved from C:\Program Files\F-Secure\Quarantine
Manager\quarantine to D:\Quarantine:
1. Stop F-Secure Quarantine Manager service to prevent any
quarantine operations while you move the location of the Quarantine
storage. Run the following command from the command prompt:
net stop "F-Secure Quarantine Manager"
2. Run the following command from the command prompt to copy the
current content to the new location:
xcopy "C:\Program Files\F-Secure\Quarantine
Manager\quarantine" D:\Quarantine\ /O /X /E
Note the use of backslashes in the source and destination directory
paths.
3. Change the path for FSMSEQS$ shared folder. If the product is
installed in the local quarantine management made, you can skip this
step.

CHAPTER 7 325
Quarantine Management
To change the FSMSEQS$ path, follow these steps:
a. Open Windows Control Panel > Administrative Tools > Computer
Management.
b. Open System Tools > Shared Folders > Shares. and find
FSMSEQS$ there.
c. Right-click FSMSEQS$ and select Stop Sharing. Confirm that you
want to stop sharing FSMSEQS$.
d. Right-click FSMSEQS$ again and select New Share.
e. Follow Share a Folder Wizard instructions to create FSMSEQS$
shared folder.
i. Specify the new directory (in this example, D:\Quarantine) as
the folder path, FSMSEQS$ as the share name and F-Secure
Quarantine Storage as the description.
ii. On the Permissions page, select Administrators have full
access; other users have read-only access. Note that the
Quarantine storage has file/directory security permissions set
only for the SYSTEM and Administrators group.
f. Click Finish.
4. Change the location of the Quarantine storage from the F-Secure
Policy Manager Console (F-Secure Anti-Virus for Exchange/Settings/
Quarantine/Quarantine Storage) or F-Secure Anti-Virus for Microsoft
Exchange Web Console (Anti-Virus for Microsoft Exchange >
Quarantine > Options > Quarantine Storage).
5. Make sure that the product has received new settings.
6. Restart F-Secure Quarantine Manager service. Run the following
command from the command prompt:
net start "F-Secure Quarantine Manager"
For more information about the xcopy command and options, refer
to MS Windows Help and Support.

8
ADMINISTERING
F-SECURE SPAM
CONTROL
Overview................................................................................... 327
Spam Control Settings in Centrally Managed Environments.... 328
Spam Control Settings in Web Console ................................... 331
Realtime Blackhole List Configuration...................................... 336
326

8.1 Overview
CHAPTER 8 327
Administering F-Secure Spam Control
When F-Secure Spam Control is enabled, incoming messages that are
considered spam are marked automatically by adding an X-header with
the spam flag or predefined text in the message header. The end users
can then create filtering rules that direct the messages marked with the
spam flag header into a junk mail folder.
F-Secure Spam Control databases can be updated with F-Secure
Automatic Update Agent. In order to update the databases, F-Secure
Automatic Update Agent must be installed on the same computer as
F-Secure Spam Control. Database updates are digitally signed for
maximum security, and you can use only these updates for updating the
F-Secure Spam Control spam definition databases.
F-Secure Spam Control databases are needed for the heuristic
spam scanning only.
In Microsoft Exchange 2003 environment, the Microsoft Exchange server
can move messages to the Junk mail folder based on the spam
confidence level value. This feature is available immediately after the
product has been installed, if the end user has activated this functionality.
For more information about how to configure this functionality at the end
user’s computer, see the Microsoft Outlook 2003 or Microsoft Outlook
Web Access online help.

328
8.2 Spam Control Settings in Centrally Managed
Environments
Change the settings in F-Secure Anti-Virus for Microsoft Exchange/
Settings / Real-time Processing / Spam Control to configure how
F-Secure Anti-Virus for Microsoft Exchange scans incoming mail for
spam.
These settings are used only if F-Secure Spam Control is installed with
the product. Otherwise they will be ignored.
Figure 8-1 Spam Control settings in a centrally managed environment
Spam filtering Specify whether inbound mails should be
scanned for spam.
Heuristic Spam
Analysis
Realtime Blackhole List (RBL) spam filtering is
not enabled by default even if you enable spam
filtering from the settings. For information on
configuring Realtime Blackhole Lists, see
“Realtime Blackhole List Configuration”, 336.
Specify whether heuristic spam analysis is used
to filter inbound mails for spam.

CHAPTER 8 329
Administering F-Secure Spam Control
When the heuristic spam analysis is enabled, all
messages that the threat detection engine does
not classify as spam are further analyzed for
spam.
When the heuristic spam analysis is disabled,
only the threat detection engine scans inbound
mails for spam.
Heuristic spam analysis slows down the
performance but improves the spam detection
rate.
Spam filtering level Specify the spam filtering level. Decreasing the
level allows less spam to pass, but more regular
mails may be falsely identified as spam.
Increasing the level allows more spam to pass,
but a smaller number of regular e-mail messages
are falsely identified as spam.
Action on Spam
Message
For example, if the spam filtering level is set to 3,
more spam is filtered, but also more regular
mails may be falsely identified as spam. If the
spam filtering level is set to 7, more spam may
pass undetected, but a smaller number of
regular mails will be falsely identified as spam.
The allowed values are from 1 to 9.
Specify the action to take with a message
considered spam.
Pass through - The product allows the message
to pass through.
Quarantine - The product places the message
into the quarantine folder.
Drop - The message is deleted.

330
Add X-Header with
Spam flag
Add X-Header with
summary
Specifies if the spam flag will be added to the
mail as a X-Spam-Flag header in the following
format:
X-Spam-Flag:
where is either "YES" or "NO".
YES - the mail is considered spam.
NO - the mail is not considered spam.
Example: X-Spam-Flag: YES
Specify if the summary of triggered hits will be
added to the mail as X-Spam-Status header in
the following format:
X-Spam-Status: , hits=
required= tests=
where
is Yes or No,
is the spam confidence rating
returned by the spam scanner,
is the current spam filtering level,
is the comma-separated list of
tests run against the mail.
Example:
X-Spam-Status: Yes, hits=8 required=5
tests=DATE_IN_FUTURE_03_06,DATE_SPAMWAR
E_Y2K,FORGED_MUA_THEBAT_BOUN,MISSING_MI
MEOLE,MISSING_OUTLOOK_NAME

Modify spam message
subject
Add this text to spam
message subject
8.3 Spam Control Settings in Web Console
CHAPTER 8 331
Administering F-Secure Spam Control
Specify if the product modifies the subject of mail
messages considered spam.
Specifies the text that will be added in the
beginning of the subject of an e-mail considered
spam.
Max message size Specify the maximum size of mail messages to
be scanned for spam. If the size of a mail
message exceeds the specified maximum size,
spam filtering for this mail will be omitted.
Since all spam messages are relatively small in size, it is
recommended to use the default value.
You can configure the spam control settings on the Spam Control page of
the F-Secure Anti-Virus for Microsoft Exchange Web Console. These
settings are used only if F-Secure Spam Control is installed with the
product, otherwise they are be ignored.

332
Figure 8-2 Spam Control settings in a locally managed environment
Check messages for
spam
Enable heuristic
spam analysis
Specify whether inbound mails should be
scanned for spam.
Realtime Blackhole List (RBL) spam filtering is
not enabled by default even if you enable spam
filtering from the settings. For information on
configuring Realtime Blackhole Lists, see
“Realtime Blackhole List Configuration”, 336.
Specify whether heuristic spam analysis is used
to filter inbound mails for spam.
When the heuristic spam analysis is enabled, all
messages that the threat detection engine does
not classify as spam are further analyzed for
spam.

CHAPTER 8 333
Administering F-Secure Spam Control
When the heuristic spam analysis is disabled,
only the threat detection engine scans inbound
mails for spam.
Heuristic spam analysis slows down the
performance but improves the spam detection
rate.
Spam filtering level Specify the spam filtering level. Decreasing the
level allows less spam to pass, but more regular
mails may be falsely identified as spam.
Increasing the level allows more spam to pass,
but a smaller number of regular e-mail
messages are falsely identified as spam.
Action on spam
message
For example, if the spam filtering level is set to 3,
more spam is filtered, but also more regular
mails may be falsely identified as spam. If the
spam filtering level is set to 7, more spam will
pass undetected, but a smaller number of
regular mails will be falsely identified as spam.
The allowed values are from 1 to 9.
The spam levels are determined by calculating
points for each e-mail. The spam scanning
involves a large number of different rules, which
give each e-mail different points depending on
the mail content and header information. These
points are then calculated to a number between
1 and 9, which defines the likelihood of the
message being spam.
Specify the action to take with a message
considered spam.
Let message pass through - The product allows
the message to pass through.
Quarantine message - The product places the
message into the quarantine folder.

334
Add X-Header with
Spam flag
Add X-Header with
summary
Drop message - The message is deleted.
Specifies if the spam flag will be added to the
mail as a X-Spam-Flag header in the following
format:
X-Spam-Flag:
where is either "YES" or "NO".
YES - the mail is considered spam.
NO - the mail is not considered spam.
Example: X-Spam-Flag: YES
Specify if the summary of triggered hits will be
added to the mail as X-Spam-Status header in
the following format:
X-Spam-Status: , hits=
required= tests=
where
is Yes or No,
is the spam confidence rating
returned by the spam scanner,
is the current spam filtering level,
is the comma-separated list of
tests run against the mail.

Add this text to spam
message subject
Maximum message
size to process for
spam
CHAPTER 8 335
Administering F-Secure Spam Control
Example: X-Spam-Status: Yes, hits=8
required=5 tests=DATE_IN_FUTURE_03_06,
DATE_SPAMWARE_Y2K,FORGED_MUA_THEBAT_BOUN,
MISSING_MIMEOLE,MISSING_OUTLOOK_NAME
Specify the text that will be added in the
beginning of the subject of an e-mail considered
spam.
Specify the maximum size of mail messages to
be scanned for spam. If the size of a mail
message exceeds the specified maximum size,
spam filtering for this mail will be omitted.
Since all spam messages are relatively small in
size, it is recommended to use the default value.

336
8.4 Realtime Blackhole List Configuration
This section describes how to enable and disable Realtime Blackhole
Lists, how to optimize F-Secure Spam Control performance, and how to
specify blocked and safe recipients and senders by using black- and
whitelisting.
8.4.1 Enabling Realtime Blackhole Lists
The product supports DNS Blackhole List (DNSBL), also known as
Realtime Blackhole List (RBL), functionality in spam filtering. The
functionality is disabled by default.
To enable DNSBL/RBL:
1. Make sure you have a working DNS server configured in Windows
Server networking. The primary DNS server should be configured to
allow recursive DNS queries. DNS protocol is used to make the
DNSBL/RBL queries.
2. Make sure you do not have a firewall preventing DNS access from
the host where F-Secure Spam Control is running.
3. Test the DNS functionality by running the nslookup command at
Microsoft Windows command prompt on the host running F-Secure
Spam Control.
An example:
C:\>nslookup 2.0.0.127.sbl-xbl.spamhaus.org.
Server:
Non-authoritative answer:
Name: 2.0.0.127.sbl-xbl.spamhaus.org
Addresses: 127.0.0.2, 127.0.0.4, 127.0.0.6
4. If the test is successful, continue with these instructions. If the test is
not successful, you should double-check your DNS and firewall
configuration.

CHAPTER 8 337
Administering F-Secure Spam Control
5. Find the sample configuration file fssc_example.cfg in F-Secure
Spam Control installation directory:
\Spam Control\fssc_example.cfg
6. Copy the file to the same directory with the name fssc.cfg
7. Open fssc.cfg in a text editor (like Windows Notepad).
8. The configuration file has instructions inside. For typical use, you can
leave the settings like they are. However, it is recommended to
configure at least the trusted_networks setting to identify the public
IP address(es) of your network. For more information, see the
instructions in fssc_example.cfg.
9. When the configuration file is ready, restart F-Secure Content
Scanner Server through F-Secure Anti-Virus for Microsoft Exchange
Web Console.
To verify that DNSBL/RBL is working correctly:
1. If DNSBL/RBL is operating correctly, you should see this kind of
headers in messages classified as spam:
X-Spam-Status: YES, database-version=2005-04-06_1 hits=9
required=5 tests=RCVD_IN_DSBL, RCVD_IN_NJABL_PROXY,
RCVD_IN_SORBS_DUL
Tests like RCVD_IN_DSBL, RCVD_IN_NJABL, RCVD_IN_SORBS,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_XBL indicate that
DNSBL/RBL was successfully used to classify the mail.
2. If DNS functionality is not operating correctly, you may see a
significant decrease in the product throughput. In that case, disable
the DNSBL/RBL functionality by changing the dns_available setting
in fssc.cfg to:
dns_available no
and restarting F-Secure Content Scanner Server through F-Secure
Anti-Virus for Microsoft Exchange Web Console.
You can force F-Secure Spam Control to use a specific DNS server (not
necessarily configured in Microsoft Windows networking) by adding a new
system environment variable as described in the instructions below.
However, this should be needed only in troubleshooting situations.
Normally it is best to use the Windows networking settings.

338
To force F-Secure Spam Control to use a specific DNS server, do the
following:
1. Right-click the My Computer icon and select Properties.
2. Select Advanced and click the Environment Variables.. button.
3. In the System variables panel click New...
4. In the New System Variable dialog specify the new variable as
follows:
Variable Name: RES_NAMESERVERS
Variable Value:
5. Click OK.
6. Restart the computer to take the new system environment variable
into use.
8.4.2 Optimizing F-Secure Spam Control Performance
Due to the nature of DNSBL/RBL, processing time for each mail
increases when DNS queries are made. If needed, the performance can
be improved by increasing the number of mails being processed
concurrently by F-Secure Spam Control.
By default, the product processes a maximum of three e-mails at the
same time, because there can be three Spam Scanner engine instances
running simultaneously. The number of Spam Scanner instances can be
controlled by using a command-line switch for F-Secure Content Scanner
Server.
To change the value to 5, so that a maximum five mails can be processed
at the same time, type: fsavsd.exe --spam-scanner-instances=x (x is the
value you want to take into use), for example:
C:\Program Files\F-Secure\Content Scanner Server>
fsavsd.exe --spam-scanner-instances=5
F-Secure Content Scanner Server Daemon, 6.42.162
Copyright (c) 1998-2005 F-Secure Corporation

CHAPTER 8 339
Administering F-Secure Spam Control
'spam-scanner-instances' (oid=1.3.6.1.4.1.2213.18.1.35.500)
has been set to 5.
To take the new setting into use, restart F-Secure Content Scanner
Server.
IMPORTANT: Each additional instance of the Spam Scanner takes
approximately 25Mb of memory (process fsavsd.exe). Typically
you should not need more than 5 instances.

9
UPDATING VIRUS AND
SPAM DEFINITION
DATABASES
Overview................................................................................... 341
Automatic Updates with F-Secure Automatic Update Agent.... 341
Configuring Automatic Updates................................................ 342
Manual Updates ....................................................................... 342
340

9.1 Overview
CHAPTER 9 341
Updating Virus and Spam Definition Databases
It is of the utmost importance that virus definition databases are kept
up-to-date. F-Secure Anti-Virus for Microsoft Exchange takes care of this
task automatically. This section describes how the automatic updates
work, how you can configure them and how you can update the virus
definitions manually.
Information about the latest virus database update can be found at:
http://www.F-Secure.com/download-purchase/updates.shtml
9.2 Automatic Updates with F-Secure Automatic
Update Agent
With F-Secure Automatic Update Agent, virus and spam definition
database updates are retrieved automatically when they are published.
When a new virus is found, F-Secure provides a new virus definition
database update. F-Secure Automatic Update Agent uses HTTP protocol
to fetch this update. Virus and spam definition updates are digitally signed
for maximum security.
In order to update the spam definition databases F-Secure Automatic
Update Agent must be installed on the same computer as F-Secure Spam
Control.
You may install and use F-Secure Automatic Update Agent in conjunction
with licensed F-Secure's antivirus and security products. F-Secure
Automatic Update Agent shall be used only for receiving updates and
related information on F-Secure's antivirus and security products.
F-Secure Automatic Update Agent may not be used for any other purpose
or service.

342
9.3 Configuring Automatic Updates
9.4 Manual Updates
9.4.1 Using FSUPDATE
F-Secure Automatic Update Agent user interface provides information
about downloaded virus and spam definition updates. To access the
F-Secure Automatic Update Agent user interface, open the F-Secure
Anti-Virus for Microsoft Exchange Web Console, and select the F-Secure
Automatic Update Agent tab. For more information, see “F-Secure
Automatic Update Agent Settings”, 298.
In centrally managed installations, you can use the F-Secure Anti-Virus
for Microsoft Exchange Web Console for monitoring the F-Secure
Automatic Update Agent settings. To change these settings, use
F-Secure Policy Manager Console. For more information, see “F-Secure
Automatic Update Agent Settings”, 212.
If you do not want to use F-Secure Automatic Update Agent to
automatically update your virus definition database, you can do it
manually with a program called FSUPDATE or by downloading the
LATEST.ZIP file.
FSUPDATE is a program that automatically updates the virus definition
database. FSUPDATE can be downloaded from:
http://www.f-secure.com/download-purchase/updates.shtml
Run FSUPDATE.exe on the computer where you installed F-Secure
Content Scanner Server. The update process takes approximately one
minute.

CHAPTER 9 343
Updating Virus and Spam Definition Databases
9.4.2 Updating the Virus Definition Database Remotely Using
LATEST.ZIP
You can update the virus definition database remotely by using F-Secure
Policy Manager and downloading the LATEST.ZIP archive as follows:
1. Download the LATEST.ZIP archive from:
http://www.f-secure.com/download-purchase/updates.shtml
2. Run F-Secure Policy Manager console.
3. Open the Tools menu and select Update Virus Definitions on the
Server....
4. Browse to the location where you saved the LATEST.ZIP file and click
Open.

A
APPENDIX:
Deploying the Product
on a Cluster
System and Network Recommendations ................................. 345
Installation Overview ................................................................ 347
Creating Quarantine Storage.................................................... 348
Installing the Product................................................................ 356
Administering the Cluster Installation with F-Secure Policy
Manager ................................................................................... 360
Using the Quarantine in the Cluster Installation ....................... 363
Troubleshooting........................................................................ 363
344

A.1 System and Network Recommendations
APPENDIX A 345
Deploying the Product on a Cluster
F-Secure Policy Manager
When F-Secure Anti-Virus for Microsoft Exchange is installed on
a cluster, you have to use F-Secure Policy Manager to administer
it. F-Secure Policy Manager must be installed on a separate
server, it cannot be installed on the cluster. It is recommended to
use F-Secure Policy Manager version 6.01 or later.
Microsoft SQL Server
Microsoft SQL Server is required for the quarantine database.
Microsoft SQL Server must be installed on a separate computer.
It is recommended to use Microsoft SQL Server 2000 or 2005
(Standard or Enterprise Edition). Microsoft SQL Server 2005
Express Edition can be used, but is not recommended if your
organization sends and receives a large amount of e-mail
messages. Microsoft SQL Server 2000 Desktop Edition (MSDE)
cannot be used with the product installed on a cluster.
Server for the quarantine storage
if you plan to deploy the product on an active-active cluster, the
quarantine storage requires a dedicated server. The server must
belong in the same domain with Microsoft Exchange Servers. If
you plan to install the product on an active-passive cluster, you
can have the quarantine storage on the cluster or on a dedicated
server.
The quarantine storage can be created on the same server
running Microsoft SQL Server or F-Secure Policy Manager
Server as long as it belongs to the same domain as your
Microsoft Exchange Servers and it has sufficient disk
space.
Sample Active-Passive Cluster Deployment
The following diagram displays how the product can be deployed and
used on the active-passive cluster environment.

346
Sample Active-Active Cluster Deployment
The following diagram displays how the product can be deployed and
used on the active-active cluster environment.

A.2 Installation Overview
APPENDIX A 347
Deploying the Product on a Cluster
Follow these steps to deploy and use F-Secure Anti-Virus for Microsoft
Exchange on a cluster.
1. Install F-Secure Policy Manager on a dedicated server. If you already
have F-Secure Policy Manager installed in the network, you can use it
to administer F-Secure Anti-Virus for Microsoft Exchange. For more
information, see F-Secure Policy Manager Administrator’s Guide.
2. Install Microsoft SQL Server 2000 or 2005 on a dedicated server.
Microsoft SQL Server must be installed with the mixed authentication
mode (Windows Authentication and SQL Server Authentication).
After the installation, make sure that Named Pipes and TCP/IP
protocols are enabled in SQL Server network configuration.
3. Create the quarantine storage for quarantined e-mail messages and
attachments.
If you plan to install the product on an active-passive cluster, see
“Quarantine Storage in Active-Passive Cluster”, 348. If you plan to install
the product on an active-active cluster, see “Quarantine Storage in
Active-Active Cluster”, 353.
4. Install the product on each node.
If you plan to install the product on an active-passive cluster, see
“Installing on Active-Passive Cluster”, 356. If you plan to install the
product on an active-active cluster, see “Installing on Active-Passive
Cluster”, 356.
IMPORTANT: Install the product completely on one node before
you install it on another node.
5. Create a policy domain for the cluster in F-Secure Policy Manager
and import cluster nodes there. For more information, see
“Administering the Cluster Installation with F-Secure Policy Manager”, 360.
6. Log on each node and configure the F-Secure Anti-Virus for Microsoft
Exchange Web Console to accept connections from authorized hosts.

348
A.3 Creating Quarantine Storage
Follow instructions in this section to create the Quarantine Storage.
A.3.1 Quarantine Storage in Active-Passive Cluster
1. Log on to the active node of the cluster with thedomain administrator
account.
2. Create a directory for the quarantine storage on the physical disk
shared by the cluster nodes. You can create it on the same disk with
MIcrosoft Exchange Server storage and log files. For example, create
Quarantine directory on disk D:.
3. Go to Windows Start menu > All Programs > Administrative Tools and
select Cluster Administrator.
4. Under Groups, right-click Exchange Virtual Server and select New >
Resource.

Enter the following information:
Name: F-Secure Quarantine Storage
Resource Type: File Share
APPENDIX A 349
Deploying the Product on a Cluster
Group: make sure that your Exchange Virtual Server is selected.
Click Next.
5. Possible Owners dialog opens.
6. Verify that all nodes that are running Exchange Server are listed
under Possible owners and click Next.
7. Dependencies dialog opens.

350
In Available resources, select the Exchange Server Network Name
and the disk with the quarantine storage directory and click Add to
add them to Resource dependencies. Click Next.
8. File Share Parameters dialog opens.

APPENDIX A 351
Deploying the Product on a Cluster
Type FSAVMSEQS$ as Share name. (Note: the dollar ($)
character at the end of the share name makes the share hidden
when you view network resources of the cluster with Windows
Explorer.) E
Enter the directory name you created on step 2 as Path (for
example, D:\Quarantine).
In the Comment box, type F-Secure Quarantine Storage.
Make sure that User limit is set to Maximum allowed.
Click Permissions
9. Permissions dialog opens.

352
Add Administrator, Exchange Domain Servers and SYSTEM to the
Group or user names. Remove Everyone account. Grant Change and
Read permissions for Exchange Domain Servers and SYSTEM, and
Full Control, Change and Read permissions for Administrator
account. Click OK.
10. In File Share Parameters dialog, click Advanced.
Make sure that Normal share is selected in Advanced File Share
Properties. Click OK.
11. In File Share Parameters dialog, click Finish to create F-Secure
Quarantine Storage resource.

APPENDIX A 353
Deploying the Product on a Cluster
12. Right-click the F-Secure Quarantine Storage resource and click Bring
Online.
A.3.2 Quarantine Storage in Active-Active Cluster
For an active-active cluster installation, the quarantine storage must be
set on a dedicated computer. This computer should be the member of the
same domain as your Exchange Servers.
1. Log on to the server where you plan to create the quarantine storage
(for example, APPSERVER) with a domain administrator account.
2. Create a directory (for example, C:\Quarantine) for the quarantine
storage on the local hard disk.
3. Right-click the directory in the Windows Explorer and select Sharing
and Security.
4. The Sharing tab opens.

354
Type FSAVMSEQS$ as Share name and make sure that User limit is
set to Maximum Allowed.
Click Permissions
5. Permissions dialog opens.
Add Administrator, Exchange Domain Servers and SYSTEM to the
Group or user names. Remove Everyone account. Grant Change and
Read permissions for Exchange Domain Servers and SYSTEM, and
Full Control, Change and Read permissions for Administrator
account. Click OK.
6. In the directory properties dialog, go to the Security tab.

APPENDIX A 355
Deploying the Product on a Cluster
Remove all existing groups and users and add Administrator,
Exchange Domain Servers and SYSTEM to the Group or user
names. Grant all except Full Control permissions for Exchange
Domain Servers and SYSTEM. Grant all permissions for
Administrator. Click OK.
7. To verify that the quarantine storage is accessible, log on as the
domain administrator to any node in the cluster and try to open
\\\FSAVMSEQS$\ with Windows Explorer, where
is the name of the server where you created the quarantine storage
share.

356
A.4 Installing the Product
Follow the instructions in this section to install the product on a cluster
installation.
A.4.1 Installing on Active-Passive Cluster
This section describes how to install the product on an active-passive
cluster.
1. Log on to the active node of the cluster using a domain administrator
account.
2. Run F-Secure Anti-Virus for Microsoft Exchange setup wizard. Install
the product in the centralized management mode. Specify the IP
address of F-Secure Policy Manager Server and admin.pub that you
created during the F-Secure Policy Manager installation. For more
information, see “Installation”, 32.
3. The setup wizard asks for the location of the quarantine directory.
Specify the UNC path to the Quarantine Storage share that you
created before the installation as the Quarantine Directory. For
example, \\\FSAVMSEQS$, where is the
network name of your Exchange Virtual Server.

APPENDIX A 357
Deploying the Product on a Cluster
4. The setup program asks to specify the SQL Server to use for the
quarantine database.
Select the server running Microsoft SQL Server.
5. Complete the installation on the active node.
6. Log on to the passive node of the cluster using a domain
administrator account. Repeat steps 2-4.
7. After you specify the SQL Server to use, the setup wizard asks you to
specify the quarantine database.

358
Select Use the existing database.
8. Complete the installation on the passive node.
A.4.2 Installing on Active-Active Cluster
This section describes how to install the product on an active-active
cluster.
1. Log on to the first node of the cluster using a domain administrator
account.
2. Run F-Secure Anti-Virus for Microsoft Exchange setup wizard. Install
the product in the centralized management mode. Specify the IP
address of F-Secure Policy Manager Server and admin.pub that you
created during the F-Secure Policy Manager installation. For more
information, see “Installation”, 32.
3. The setup wizard asks for the location of the quarantine directory.

APPENDIX A 359
Deploying the Product on a Cluster
Specify the UNC path to the Quarantine Storage share that you
created before the installation as the Quarantine Directory. For
example, \\\FSAVMSEQS$, where is the name of
the server where you created the quarantine storage share.
4. The setup program asks to specify the SQL Server to use for the
quarantine database.
Select the server running Microsoft SQL Server.

360
5. Complete the installation on the first active node.
6. Log on to the second node of the cluster using a domain
administrator account and repeat steps 2-4.
7. After you specify the SQL Server to use, the setup wizard asks you to
specify the quarantine database.
Select Use the existing database.
8. Complete the installation on the second node.
A.5 Administering the Cluster Installation with
F-Secure Policy Manager
To administer the product installed on a cluster, create a new subdomain
under your organization or network domain. Import all cluster nodes to
this subdomain.

To change product configuration on all cluster nodes, follow these
instructions:
1. Select the cluster subdomain in the Policy Domains tree.
APPENDIX A 361
Deploying the Product on a Cluster
2. Change required settings.
3. Distribute the policy.
4. All nodes receive new settings next time they poll the F-Secure Policy
Manager Server.

362
If you need to change settings on a particular node, follow these
instructions:
1. Select the corresponding host in the Policy Domains.
2. Change required settings.
3. Distribute the policy.
4. The host receives new settings next time it polls the F-Secure Policy
Manager Server.

APPENDIX A 363
Deploying the Product on a Cluster
A.6 Using the Quarantine in the Cluster Installation
A.7 Troubleshooting
Configure the F-Secure Anti-Virus for Microsoft Exchange Web
Console to accept connections from authorized hosts. By default,
the Web Console accepts connections from the local host only.
You can manage all quarantined items by connecting to any node
of the cluster. You can release, reprocess or download
quarantined messages and attachments when at least one node
of the cluster is online.
Use the IP address of the Exchange Virtual Server(s) when you
connect to F-Secure Anti-Virus for Microsoft Exchange Web
Console.
If the product fails to quarantine a file or reports that the
quarantine storage is not accessible, make sure that directory
sharing and security permissions are set as follows: change, write
and read operations are allowed for SYSTEM and Exchange
Domain Servers, and full control is allowed for Administrator.
To change the location of the quarantine storage from F-Secure
Policy Manager Console, use the Final flag to override the setting
set during product installation on the host.

B
APPENDIX:
Variables in Warning
Messages
List of Variables ........................................................................ 365
Outbreak Management Alert Variables..................................... 367
364

List of Variables
APPENDIX B 365
Variables in Warning Messages
The following table lists the variables that can be included in the warning
and informational messages sent by the product if an infection is found or
content is blocked.
If both stripping and scanning are allowed and the Agent found both types
of disallowed content (infected and to be stripped) in an e-mail message,
a warning message will be sent to the end-user instead of an
informational one, if it is required.
These variables will be dynamically replaced by their actual names. If an
actual name is not present, the corresponding variable will be replaced
with [Unknown].
Variable Description
$ANTI-VIRUS-SERVER The DNS/WINS name or IP address of
F-Secure Anti-Virus for Microsoft Exchange.
$CSS-NAME The DNS/WINS name or IP address of
F-Secure Content Scanner Server.
$NAME-OF-SENDER The e-mail address where the original content
comes from.
$NAME-OF-RECIPIENT The e-mail addresses where the original
content is sent.
$SUBJECT The original e-mail message subject.
$REPORT-BEGIN Marks the beginning of the scan report. This
variable does not appear in the warning
message.
$REPORT-END Marks the end of the scan report. This variable
does not appear in the warning message.
When using Microsoft Outlook Web Access and Microsoft Internet
Explorer, the $NAME-OF-RECIPIENT variable may contain an
incorrect value when posting messages to protected public folders.

366
The following table lists variables that can be included in the scan report,
in other words the variables that can be used in the warning message
between $REPORT-BEGIN and $REPORT-END.
Variable Description
$AFFECTED-FILENAM
E
The name of the original file or attachment.
$AFFECTED-FILESIZE The size of the original file or attachment.
$THREAT The name of the threat that was found in the
content. For example, it can contain the name
of the found infection, etc.
$TAKEN-ACTION The action that was taken to remove the
threat. These include the following: dropped,
disinfected, etc.
$QUARANTINE-ID The identification number of the quarantined
attachment or file.

Outbreak Management Alert Variables
$INTERVAL-TIME Detection interval in minutes.
APPENDIX B 367
Variables in Warning Messages
$INTERVAL-MINUTES Outbreak limit of infections within detection
interval.
$INFECTIONS-LIMIT Actual number of infections found within the
detection interval.
$INFECTIONS-FOUND Detection interval in minutes.

C APPENDIX:
Services and
Processes
F-Secure Anti-Virus for Microsoft Exchange ............................ 369
F-Secure Content Scanner Server ........................................... 370
F-Secure Anti-Virus for Microsoft Exchange Web Console...... 370
F-Secure Management Agent (FSMA)..................................... 371
F-Secure Automatic Updates Agent......................................... 373
368

The following tables list the services and processes that are running on
the system after the installation.
F-Secure Anti-Virus for Microsoft Exchange
Service Process Description
F-Secure
Anti-Virus for
Microsoft
Exchange
F-Secure Outbreak
Manager
fshkmngr.exe The F-Secure Hook Manager
is a central component of
F-Secure Anti-Virus for
Microsoft Exchange and it is
used to get the whole system
up and running.
fswbsthk.exe The F-Secure Web Storage
Hook processes mail in
mailboxes and public folders,
as well as composes and
sends warning and notification
messages to end users.
fsstrods.exe The F-Secure Web Storage
On-Demand Scanner
performs manual and
scheduled operations under
mailboxes and public folders.
fsobmngr.exe The Outbreak Manager reacts
on a virus outbreak by sending
an alert, a notification e-mail
message and running a
specified program or a script.
APPENDIX C 369
Services and Processes

370
F-Secure Content Scanner Server
Service Process Description
F-Secure Content
Scanner Server
Daemon
fsavsd.exe The back-end component that
provides anti-virus scanning
and spam filtering services for
Simple Content Inspection
Protocol (SCIP) compliant
clients.
F-Secure Management Agent
starts and controls the service
automatically.
fsdbuh.exe The Database Update Handler
process verifies and checks
the integrity of virus definition
and spam control database
updates.
F-Secure Anti-Virus for Microsoft Exchange Web
Console
Service Process Descriptions
F-Secure Web UI
Daemon
fswebuid.exe HTTP server that hosts
F-Secure Anti-Virus for
Microsoft Exchange Web
Console. Supports HTTP/1.0,
HTTP/1.1 and HTTPS.
F-Secure Management Agent
starts and controls the service
automatically.

F-Secure Management Agent (FSMA)
Service Process Description
F-Secure
Management
Agent
F-Secure Network
Request Broker
fsma32.exe F-Secure Management Agent
is an FSMA service
responsible for starting other
services and monitoring them.
fnrb32.exe The service handles the
communication with F-Secure
Policy Manager via the
network shared directory or
HTTP interface.
F-Secure Management Agent
starts and controls the service
automatically.
fsmb32.exe F-Secure Message Broker
provides the inter-process
communication interface for
integrated services and
applications.
fch32.exe F-Secure Configuration
Handler that works with
F-Secure Policy Manager
driver and enables other
components to read base
policy settings and to update
incremental policy settings and
statistics.
APPENDIX C 371
Services and Processes

372
Service Process Description
fameh32.exe Alert and Management
Extensions Handler is used to
send alerts and reports to
F-Secure Policy Manager
Console, LogFile.log,
Windows event log and SMTP
server.
fih32.exe F-Secure Installation Handler
enables the remote installation
and updating of integrated
F-Secure products.
fsm32.exe The F-Secure Settings and
Statistics User Interface. The
process is not running unless
the user is logged in to the
system.

F-Secure Automatic Updates Agent
Service Process Description
F-Secure
Automatic Updates
Agent
servic~1.exe The service starts and controls
the F-secure Automatic
Update Agent client process.
f-secu~1.exe F-Secure Automatic
Update.exe. This is the client
process that polls and
automatically downloads virus
and spam definition database
updates from F-Secure. It also
handles F-Secure Automatic
Updates Agent settings and
provides the local user
interface for a logged-on user.
FSBWSYS.exe The Automatic Update Agent
process provides automatic
updates of virus definition
databases for F-Secure
Content Scanner Server.
THe process receives virus
definition database updates
from F-Secure Automatic
Updates Agent Server via the
HTTP or UDP-based protocol.
APPENDIX C 373
Services and Processes

D
TROUBLESHOOTING
Overview................................................................................... 375
Starting and Stopping........................................................... 375
Viewing the Log File ................................................................. 375
Common Problems and Solutions............................................ 376
Frequently Asked Questions .................................................... 381
F-Secure Automatic Update Agent Troubleshooting ................ 386
374

D.1 Overview
D.2 Starting and Stopping
D.3 Viewing the Log File
If you have a problem that is not covered in here, see “Technical Support”,
392.
If you ever need to start or stop F-Secure Anti-Virus for Microsoft
Exchange, you can do it in the following ways:
Open the Services applet from the Administrative tools folder in
the Windows Control Panel and select F-Secure Anti-Virus for
Microsoft Exchange. To stop F-Secure Anti-Virus for Microsoft
Exchange, click Stop. To start the service, click Start.
Open the F-Secure Anti-Virus for Microsoft Exchange Web
Console and select the F-Secure Anti-Virus for Microsoft
Exchange tab. Select the Summary page and click Start to
activate F-Secure Anti-Virus for Microsoft Exchange. Click Stop
to stop it.
From the command line - enter NET STOP FSAVAG4MSE to the
command line to stop the service, and NET START FSAVAG4MSE to
start the service.
F-Secure Anti-Virus for Microsoft Exchange uses the log file Logfile.log
that is maintained by F-Secure Management Agent and contains all alerts
generated by F-Secure components installed on the host. Logfile.log can
be found on all hosts running F-Secure Management Agent. You can view
the Logfile.log with any text editor, for example Windows Notepad. Open
the logfile.log from F-Secure Settings and Statistics / F-Secure
Management Agent properties / Show log file, or from the Home page of
F-Secure Anti-Virus for Microsoft Exchange Web Console by clicking
Show F-Secure Log.
CHAPTER D 375
Troubleshooting

376
F-Secure Management Agent uses Logfile.log (in F-Secure / Common
directory) for logging of all the alerts on the host.
Logfile.log contains all the alerts generated by the host, regardless of the
severity. Logfile.log file size can be configured in F-Secure Management
Agent / Settings / Alerting / Alert Agents / Logfile / Maximum File Size.
D.4 Common Problems and Solutions
If you think that you have some problem with F-Secure Anti-Virus for
Microsoft Exchange, check that both F-Secure Anti-Virus for Microsoft
Exchange and F-Secure Content Scanner Server are up and running.
Checking F-Secure Anti-Virus for Microsoft Exchange
1. Make sure that F-Secure Anti-Virus for Microsoft Exchange service
and all its processes have started.
Open Services in the Windows Control Panel and check that the
F-Secure Anti-Virus for Microsoft Exchange service has started.
Open the Windows Task Manager and check that the following
processes are running:
fshkmngr.exe fsmb32.exe
fswbsthk.exe fameh32.exe
fsobmngr.exe fch32.exe
fsma32.exe fsm32.exe
fnrb32.exe
2. To make sure that F-Secure Content Scanner Server accepts
connections, start a telnet session to the F-Secure Content Scanner
Server machine to the port 18971. If you have specified a different
SCIP port, use that port instead.

If you get the cursor blinking in the upper left corner, it means that the
connection has been established and F-Secure Content Scanner
Server can accept incoming connections.
If you get "Connection to the host lost" or other error message or if the
cursor does not go to the upper left corner, it means that the
connection attempt was unsuccessful.
If your connection attempt was unsuccessful, (1) make sure that
F-Secure Content Scanner Server is up and running, and (2) check
the physical connection between F-Secure Anti-Virus for Microsoft
Exchange and F-Secure Content Scanner Server.
The connection must be direct (without firewalls or scanners in
between) and at least 100 Mbps fast. If the computer running
F-Secure Anti-Virus for Microsoft Exchange has two or more network
interfaces (including dial-up modem connection), make sure that all
files forwarded to F-Secure Content Scanner Server use the right
network interface. Edit the routing table if needed.
Checking F-Secure Content Scanner Server
Problem:
When the F-Secure Anti-Virus for Microsoft Exchange tries to send an
attachment to F-Secure Content Scanner Server, the attachment is not
scanned and the e-mail does not reach the recipient.
Solution:
The problem is that F-Secure Anti-Virus for Microsoft Exchange is unable
to contact F-Secure Content Scanner Server(s).
There are several possible causes for this:
1. Incorrect keycode might have been used when installing F-Secure
Content Scanner Server. When installing F-Secure Content Scanner
Server you should use the keycode for F-Secure Anti-Virus for
Microsoft Exchange, and not the keycode for F-Secure Content
CHAPTER D 377
Troubleshooting

378
Scanner Server. If you have entered a wrong keycode, the installation
did not install all the components required for F-Secure Anti-Virus for
Microsoft Exchange.
2. A service or process may not be running on F-Secure Content
Scanner Server. Make sure that all processes and services of
F-Secure Content Scanner Server have started. Check the Services
in Windows Control Panel. The following services should be started:
F-Secure Content Scanner Server
F-Secure Management Agent
F-Secure Network Request Broker
Check the Task Manager. The following processes should be running:
fsmb32.exe fsma32.exe
fsavsd.exe fih32.exe
fsdbuh.exe fch32.exe
fnrb32.exe fameh32.exe
If any of these processes are not started, uninstall and reinstall the
F-Secure Anti-Virus Content Scanner Server.
Checking F-Secure Anti-Virus for Microsoft Exchange Web
Console
Problem:
I cannot open or access F-Secure Anti-Virus for Microsoft Exchange Web
Console.
Solution:
1. Make sure that F-Secure Web Console daemon has started and is
running. Check the Services in Windows Control Panel. The following
service should be started:
F-Secure Web Console Daemon

D.4.1 Installing Service Packs
D.4.2 Securing the Quarantine
Check the Task Manager. The following process should be running:
fswebuid.exe
2. If you try to connect to the F-Secure Anti-Virus for Microsoft
Exchange Web Console from a remote host, make sure that the
connection is not blocked by a firewall or proxy server.
If you wish to install a Microsoft Exchange Server Service Pack and
F-Secure Anti-Virus for Microsoft Exchange is already installed, stop
F-Secure Anti-Virus for Microsoft Exchange before installing the Service
Pack and restart it after the Service Pack installation.
Problem:
I have installed F-Secure Anti-Virus for Microsoft Exchange and I'm
worried about security of the local Quarantine storage where stripped
attachments are quarantined. What do you recommend me?
CHAPTER D 379
Troubleshooting

380
Solution:
D.4.3 Administration Issues
F -Secure Anti-Virus for Microsoft Exchange creates and adjusts access
rights to the local Quarantine storage during the installation. Keep in mind
the following when setting up the local Quarantine storage:
Do not place the Quarantine storage on a FAT drive. FAT file
system does not support access rights on directories and files for
different users. If you place the Quarantine storage on a FAT
drive everyone who has access to that drive will be able to get
access to the quarantined content.
Create and adjust access rights to the Quarantine storage
manually if you use one on a network drive.
Create and adjust access rights to the Quarantine storage
manually when you change its path from F-Secure Policy
Manager Console or F-Secure Anti-Virus for Microsoft Exchange
Web Console.
Some settings are initially configured during the installation of
F-Secure Anti-Virus for Microsoft Exchange and F-Secure
Content Scanner Server. They can be viewed on the Status tab of
F-Secure Policy Manager Console.
When changing such settings in F-Secure Policy Manager
Console for the first time, you must enforce the change by
selecting the Final check box. This applies to the Primary and
Backup Content Scanner Servers, Port, and Quarantine storage
settings of F-Secure Anti-Virus for Microsoft Exchange and to the
Working directory and Quarantine storage settings of F-Secure
Content Scanner Server.

D.5 Frequently Asked Questions
Performance
Q. Why does the time to open a message in mailboxes and Public
Folders increase after installation of F-Secure Anti-Virus for
Microsoft Exchange?
A. F-Secure Anti-Virus for Microsoft Exchange scans each message for
viruses, hence the delay with opening the message. A message
scanned once is marked as scanned and will be opened quickly next
time. Of course, if a message has been changed, it will be scanned
for viruses again.
Q. Microsoft Outlook displays an error message stating something
like “Cannot open message” or “Cannot open message in
preview pane”. What should be done?
A. Check that F-Secure Content Scanner Server is up and running. If a
mail cannot be scanned, access to it is not allowed.
Q. Why does e-mail stay in the Outbox for a while after being sent?
A. F-Secure Anti-Virus for Microsoft Exchange scans each message for
viruses, hence the delay with sending the message.
Q. F-Secure Anti-Virus for Microsoft Exchange complains about
connection timeout to F-Secure Content Scanner Server. What
should be done?
A. Make sure that F-Secure Content Scanner Server is running, that it
has been installed with the correct keycode for F-Secure Anti-Virus
for Microsoft Exchange, and that the connection to F-Secure Content
Scanner Server is direct and at least 100 Mbps fast. If the computer
running F-Secure Anti-Virus for Microsoft Exchange has multiple
network interfaces (including dial-up connections), make sure that all
files forwarded to F-Secure Content Scanner Server(s) use the right
network interface.
CHAPTER D 381
Troubleshooting

382
Settings
Q. Every time when the server shuts down I get error reports that
F-Secure SMTP and Real-Time Scanners cannot connect to the
server. What is the problem?
A. When you shut down the computer with F-Secure Content Scanner
Server and F-Secure Anti-Virus for Microsoft Exchange components,
F-Secure Content Scanner Server may shut down before F-Secure
Anti-Virus for Microsoft Exchange components, which may cause
them to report that they have lost the connection to F-Secure Content
Scanner Server.
Q. Is it possible to strip attachments with size greater than or equal
to a given value?
A. No, this is not possible at the moment. Use the Exchange Manager to
limit the size of attached files.
Q. Are the newly created mailboxes and Public Folders
automatically covered by F-Secure Anti-Virus?
A. Yes. The default polling interval for newly created mailboxes and
Public Folders is 1 hour. For more information, see “Advanced”, 182.
For more information on how to set the polling interval in stand-alone
mode, see “Advanced”, 267.

Q. I am trying to change Primary and Backup Content Scanner
Servers settings through F-Secure Policy Manager Console, but
the changes did not affect F-Secure Anti-Virus for Microsoft
Exchange. Why?
A. Primary and Backup Content Scanner Servers settings are initially
configured during the installation of F-Secure Anti-Virus for Microsoft
Exchange and can thus be viewed on the Status tab of F-Secure
Policy Manager Console. To override the settings made by the setup
program, select the Final check box when changing this setting in
F-Secure Policy Manager Console for the first time. This also applies
to the Port and Quarantine storage settings of F-Secure Anti-Virus for
Microsoft Exchange and to the Working directory and Quarantine
storage settings of F-Secure Content Scanner Server.
Q. A message has an attachment with a file extension that should
be stripped. Why the attachment was not stripped?
A. F-Secure Anti-Virus for Microsoft Exchange does not strip
attachments with a size of 0 Kb, as they cannot contain any malicious
code.
Q. I have a Public Folder that is excluded from the virus scan, but
some messages are scanned and disinfected before they arrive
to the excluded Public Folder. Why?
A. If you send a message from a MAPI client, the message goes to the
Outbox folder before it is sent to the Public Folder. The message is
scanned when it is in the Outbox folder according to the processing
settings for this mailbox. When the message arrives in the Public
Folder, it is scanned according to the Public Folder processing
settings. Thus, messages sent with SMTP are not scanned in
excluded Public Folders.
CHAPTER D 383
Troubleshooting

384
Q. A message is not scanned if it comes from a trusted mailbox.
Why?
A. If an infected attachment arrives to a mailbox, it passes the virus
scanner but it is not disinfected or stopped. The real-time scanner
scans messages in the message store only once, so when the
infected message is sent from the trusted mailbox to another mailbox
inside the same message store, the real-time scanner does not scan
it again.
If you use trusted mailboxes, store those messages in a different
message store. When a message moves between message stores, it
is scanned and infected attachments can be disinfected. You can also
run the manual scan periodically to remove infected attachments.
Q. When I release an e-mail from the Quarantine, sometimes two
warning messages are sent to the recipient. Why?
A. When you release an e-mail that has an infected attachment from the
Quarantine and the user uses POP3 to retrieve mail from the server,
the user may receive two warning messages while the infected
attachment remains in the Quarantine.
Local Protection with F-Secure Anti-Virus for Windows Servers
Q. Can all files on a Microsoft Exchange computer be scanned for
viruses, or are some files and folders excluded from scanning
automatically?
A. The working and quarantine directories of F-Secure Anti-Virus for
Microsoft Exchange are added to the OAS excluded list during the
installation.
Microsoft Knowledgebase article #245822 ‘Recommendations for
troubleshooting an Exchange computer with antivirus software
installed’ describes what files and folders should never be scanned
with file-based antivirus software: http://support.microsoft.com/
default.aspx?scid=kb;en-us;245822.

Quarantined and Disinfected Files
Q. When examining a raw message that has been disinfected, there
seems to be some data that should be stripped. Is the message
still infected?
A. Disinfected messages do not contain any malicious code. The
Microsoft Exchange server keeps the original message header in the
message, so MIME-part headers may appear in the raw message
data.
Q. A message has an Attachment_Information.txt file as an
embedded OLE object. What is this file and why do I get a
warning message when I try to open the file?
A. The original message had an infection which F-Secure Anti-Virus for
Microsoft Exchange removed and replaced with the
Attachment_Information.txt file. As embedded OLE objects have to
be replaced with text attachments to avoid corrupting OLE objects,
the Attachment_Information.txt is an embedded OLE object that
causes the warning message. The VirusInfo text file contains
information about the infection that has been removed.
The Attachment_Information.txt file may appear also in Public Folder
messages for the same reason.
Q. During the installation, I get a notification that an application is
requesting access to a protected system. What causes this?
A. You are using Windows 2000 Certificate Service and this behavior is
normal with it.
Q. What happens to e-mails saved in the Drafts folder during the
real-time scanning?
A. Messages saved temporarily into the Drafts folder are considered to
be inbound and they are scanned and stripped accordingly.
CHAPTER D 385
Troubleshooting

386
Q. Why users cannot attach some attachments to e-mail messages
when using Microsoft Outlook Web Access and Microsoft
Internet Explorer?
A. When using Microsoft Outlook Web Access and Microsoft Internet
Explorer, you cannot send a message that has an attachment that
cannot be disinfected or an attachment that is set to be stripped.
When users try to attach the attachment, they receive an error
message and the sending will fail.
D.6 F-Secure Automatic Update Agent
Troubleshooting
The F-Secure Automatic Update Agent log file may be useful when
solving problems when virus and/or spam definition databases do
not update properly. Open the F-Secure Automatic Update Agent
from F-Secure Settings and Statistics and click Show log file to
view a detailed log of actions of the F- Secure Automatic Update
Agent.

Q. How can I verify that updating the virus and spam definition
databases really works?
A. First, open the F-Secure Automatic Update Agent window from
F-Secure Settings and Statistics and select the Received Packages
tab. If a virus definitions database update has been downloaded, you
should see something like “F-Secure Anti-Virus Update 2004-06-09”
under Title.
Check the Last Result column. If the update has been successfully
placed into the destination directory, the Latest Result displays
Installed. If the Latest Result is Not installed, the update has been
downloaded but the F-Secure Automatic Update Agent could not
copy it into the destination directory. The F-Secure Automatic Update
Agent tries to copy it there again in one minute intervals. Click
Package Properties to see the error message.
If the Last Result value is Installed, check the date and time in the
First Installed column at the bottom of the Received Packages page.
Then, open Windows Explorer and select the F-Secure Anti-Virus
folder, select Details from the View menu, and click the Modified
column title above the file list to display the files sorted by date and
time. The F-Secure Anti-Virus folder should have files (with filename
extensions .def, .avc, .set or .dat) which have the same date and time
as the First Installed column.
CHAPTER D 387
Troubleshooting

388
Q. The Received Packages page states that a virus definition
database update is “Not installed”. What should I do?
A. Click on the package title and then Package Properties to view the
error message.
Unable to locate
anti-virus database
update directory
Not enough free disk
space
Could not create
temporary directory
Could not switch
database update
directory to a new one
The directory does not exist, the
communication directory is corrupted, or
your client is in Standard mode and the
update directory is in a network drive. Open
the Settings page in the F-Secure Automatic
Update Agent window and click Change to
select the destination directory again.
The drive of the destination directory is full.
Free some disk space.
Check that the current user has appropriate
access rights to the destination directory.
Note that if the destination is a
communication directory, the same rights are
also required for its subdirectories. If the
destination is the “Other” subdirectory, the
same rights are required for its parent
directory.
Another application has a file open in the
destination directory, so it cannot be deleted.
This can occasionally happen if multiple
hosts are retrieving the update at the same
time. The client will retry in one minute
intervals, so wait and see if the result
changes to “Installed”.
If the update is still uninstalled, close all
applications on the computer where the
destination directory is, or reboot it. If the
client is in NT application mode, see the
explanation above for “Could not create
temporary directory”.

Q. The Received Packages page states that a virus definition
database update is “Installed”, but there are no new files in the
Anti-Virus directory. Why?
A. After downloading the update and placing it into a communication
directory, F-Secure Content Scanner Server does not immediately
retrieve the files from there. The delay depends on the polling interval
of F-Secure Management Agent, with a default interval of 10 minutes
the delay can be up to 20-30 minutes.
In a stand-alone installation, make sure F-Secure Automatic Update
Agent is installed in Stand-alone mode. Open the Settings page in
F-Secure Automatic Update Agent window. The Change button
should be disabled.
With centrally managed installations, check that you have enabled
“Poll Automatically” for Virus Definitions Updates in F-Secure Policy
Manager Server. Open the Settings page in the F-Secure Automatic
Update Agent window and check that you have selected the correct
communication directory as the destination for the updates. If you are
not sure, try downloading Latest.zip from
http://www.F-Secure.com/download-purchase/updates.shtml, and
import it to F-Secure Policy Manager Console. If the update succeeds
this way, but not with F-Secure Automatic Update Agent, and the
Received Packages page states that an update is “Installed”, the
F-Secure Automatic Update Agent is most probably configured to
place the updates in a wrong directory.
Q. The Installed Packages page states that a virus definition
database update fas “Failed” after I upgraded the product. What
should I do?
A. During the upgrade, F-Secure Automatic Update Agent retrieves the
latest virus definition update. If the previous version of the product
had the same version of the database installed already, F-Secure
Automatic Update Agent does not overwrite files and marks the
update as failed. The message disappears automatically during the
next virus database update.
CHAPTER D 389
Troubleshooting

390
Q. I installed the F-Secure Automatic Update Agent, but it has not
downloaded any virus definition updates. What’s wrong?
A. Select the Received Packages tab in the F-Secure Automatic Update
Agent window and check that no virus definitions update packages
are listed in there.
Select the Channel Status page in the F-Secure Automatic Update
Agent. If the Channel Name and Channel Address fields are empty,
the client has not yet connected to F-Secure Automatic Update
server. Make sure that your Internet connection is working, and if the
Current Status is Ready, click Connect Now to force the client to
connect to the server immediately. Downloading the virus definitions
database update for the first time can take a while if you have a lot of
other Internet traffic open at the same time.
If the client cannot connect to the server, make sure that your browser
can access the Internet. Open your browser and connect to
http://fsbwserver.f-secure.com/. If you cannot connect to the web
page, check your network settings. If the connection was successful,
open the Settings page. If Polite Agent is selected in the
Communication section, change it to HTTP. If you change the
protocol from Polite Agent to HTTP or vice versa, you have to restart
the F-Secure Automatic Update Agent.
If changing to HTTP communication did not help, open the Internet
options in your browser to determine if you are connected through an
HTTP proxy server. A few examples:
Internet Explorer 6.0: Under the Tools menu, select Internet
Options. Select the Connection tab and click LAN Settings....
Check the settings in the Proxy server section. If you have the
Use a proxy server for your LAN option selected and there is an
address and port defined, you are using an HTTP proxy server. If
the Use a proxy server for your LAN option is not selected and

you see a proxy server setting in the Address section but it is
grayed out, click Advanced, remove the address and specify port
0.
Mozilla Firefox 1.0: Under the Tools menu, select Options. Select
the General category, and click Connection Settings.... If the
Manual proxy configuration option is selected, you can see the
address and port number of the HTTP proxy server in the
Connection Settings window.
If you have determined that you are connecting through an HTTP
proxy server, enable the “Use HTTP proxy” checkbox on the
F-Secure Automatic Update Agent window’s Settings page and type
in the field the proxy server address and port number that you
retrieved from your browser (i.e. myproxy.mydomain.com:80).
If you are not connected through a proxy server ensure that the Use
HTTP proxy option is not selected.
After these operations, your Automatic Update Agent client should be
able to connect and receive content. If you are not able to receive
content and your client is configured correctly you will have to contact
your network administrator and have them verify your firewall is
configured to accept outgoing HTTP requests and incoming
responses to these requests.
CHAPTER D 391
Troubleshooting

Technical Support
F-Secure Online Support Resources........................................ 393
Web Club.................................................................................. 395
Virus Descriptions on the Web ................................................. 395
392

F-Secure Online Support Resources
Technical Support 393
F-Secure Technical Support is available through F-Secure support web
pages, e-mail and by phone. Support requests can be submitted through
a form on F-Secure support web pages directly to F-Secure support.
F-Secure support web pages for any F-Secure product can be accessed
at http://support.f-secure.com/. All support issues, frequently asked
questions and hotfixes can be found under the support pages.
If you have questions about F-Secure Anti-Virus for Microsoft Exchange
not covered in this manual or on the F-Secure support web pages, you
can contact your local F-Secure distributor or F-Secure Corporation
directly.
For technical assistance, please contact your local F-Secure Business
Partner. Send your e-mail to:
Anti-Virus-@f-secure.com
Example: Anti-Virus-Norway@f-secure.com
If there is no authorized F-Secure Anti-Virus Business Partner in your
country, you can submit a support request directly to F-Secure. There is
an online "Web submit form" accessible through F-Secure support web
pages under the "Contact Support" page. Fill in all the fields and describe
the problem as accurately as possible. Please include the FSDiag report
taken from the problematic server with the support request.
Before contacting support, please run the F-Secure Diagnostic utility
FSDiag.exe on each of the hosts running F-Secure Anti-Virus for
Microsoft Exchange and F-Secure Content Scanner Server. This utility
gathers basic information about hardware, operating system, network
configuration and installed F-Secure and third-party software. You can run
the F-Secure Diagnostics tool from the F-Secure Anti-Virus for Microsoft
Exchange Web Console as follows:
1. Log in to the Web Console.
2. Type https://127.0.0.1:25023/fsdiag/ in the browser’s address field.
3. The F-Secure Diagnostics tool starts and the dialog window displays
the progress of the data collection.

394
4. When the tool has finished collecting the data, click Get Report to
download and save the collected data.
You can also find and run the FSDiag.exe utility under the
F-Secure\Common folder, if you prefer not to do it through the F-Secure
Anti-Virus for Microsoft Exchange Web Console. The tool generates a file
called FSDiag.tar.gz.
Please include the following information with your support request:
Version number of F-Secure Management Agent, F-Secure
Anti-Virus for Microsoft Exchange, F-Secure Policy Manager
Server, and F-Secure Policy Manager Console. Include the build
number if available.
Description how F-Secure components are configured.
The name and the version number of the operating system on
which F-Secure products and protected systems are running. For
Windows, include the build number and Service Pack number.
The version number and the configuration of your Microsoft
Exchange Server. If possible, describe your network
configuration and topology.
A detailed description of the problem, including any error
messages displayed by the program, and any other details that
could help us replicate the problem.
Logfile.log from the machines running F-Secure products. This
file can be found under Program Files\F-Secure\Common. If you
are sending the FSDiag report you do not need to send the
Logfile.log separately, because it is already included in the
FSDiag report.
If the whole product or a component crashed, include the
drwtsn32.log file from the Windows NT directory and the latest
records from the Windows Application Log.

Web Club
Virus Descriptions on the Web
Technical Support 395
The F-Secure Web Club provides assistance and updated versions of the
F-Secure products. To connect to the Web Club on our Web site, open the
F-Secure Anti-Virus for Microsoft Exchange Web Console, and click the
Web Club link in the banner.
Alternatively, right-click on the F-Secure icon in the Window taskbar, and
choose the Web Club command.
To connect to the Web Club directly from within your Web browser, go to:
http://www.f-secure.com/anti-virus/webclub/corporate/
F-Secure Corporation maintains a comprehensive collection of
virus-related information on its Web site. To view the Virus Information
Database, connect to: http://www.f-secure.com/virus-info/.

About F-Secure Corporation
F-Secure Corporation is the fastest growing publicly listed company in the
antivirus and intrusion prevention industry with more than 50% revenue
growth in 2004. Founded in 1988, F-Secure has been listed on the Helsinki
Stock Exchange since 1999. We have our headquarters in Helsinki, Finland,
and offices in USA, France, Germany, Italy, Sweden, the United Kingdom and
Japan. F-Secure is supported by service partners, value added resellers and
distributors in over 50 countries. F-Secure protection is also available through
mobile handset manufacturers such as Nokia and as a service through major
Internet Service Providers, such as Deutsche Telekom, France Telecom and
Charter Communications. The latest real-time virus threat scenario news are
available at the F-Secure Antivirus Research Team weblog at
http://www.f-secure.com/weblog/.
Services for Individuals and Businesses
F-Secure services and software protect individuals and businesses against
computer viruses and other threats coming through the Internet or mobile
networks. Our award-winning solutions include antivirus and desktop firewall
with intrusion prevention, antispam and antispyware solutions. Our key
strength is our proven speed of response to new threats. For businesses our
solutions feature a centrally-managed and well-integrated suite of solutions
for workstations and servers alike. Focused partners offer security as a
service for companies that do not wish to build in-house security expertise.
Visit our website at http://www.f-secure.com/products/ to learn more about our
products and services.