traffic
This section contains examples of Kaspersky Mail Gateway's anti-virus protection of e-mail traffic. The settings described in the examples can be combined to produce more sophisticated e-mail traffic protection schemes.
5.3.1. Delivery of messages with clean or disinfected objects only
Example:
Scan all the server's incoming and outgoing e-mail traffic for viruses.
Cure infected objects.
Remove from e-mail messages all infected objects which could not be cured.
Deliver messages to recipients containing clean and disinfected objects only.
To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages: CheckAV=true
2. Enable disinfection mode for infected objects: AVCure=true
3. Specify the operations which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=
60 Kaspersky Mail Gateway 5.6
Note
Notifications can be delivered to the administrator, message recipient and sender, informing them of the detection of infected or suspicious objects (see section 5.3.4 on p. 62). Also, messages containing infected, suspicious or password-protected objects can be saved in the quarantine directory (see section 5.3.6 on p. 64).
5.3.2. Replacement of infected objects by standard notifications
Task:
Scan all e-mail traffic on the server for viruses, and cure infected objects in e-mail messages.
Objects which cannot be cured, and suspicious, damaged or password-protected objects, must be deleted and replaced with a standard notification.
Solution: To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages: CheckAV=true
2. Enable disinfection mode for infected objects: AVCure=true
3. Specify the operations which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=placeholder
ActionSuspicious=placeholder
ActionProtected=placeholder
ActionError=placeholder
BlockMessage=
Note
In addition to replacing infected and suspicious objects with standard messages, the application can deliver notifications to the administrator with information about the detection of the objects (see section 5.3.4 on p. 62) and save the messages containing the objects in the quarantine directory (see section 5.3.6 on p. 64).
5.3.3. Blocking delivery for messages containing suspicious objects
Example:
Scan all e-mail traffic on the server for viruses, and cure infected objects in e-mail messages;
Block the delivery of messages containing objects which cannot be cured, and suspicious, damaged or password-protected objects.
Attention!
While implementing this task, please note that if a message contains several objects, one of which cannot be disinfected or is suspicious or password-protected, the delivery of the whole message will be blocked.
To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages: CheckAV=true
2. Enable disinfection mode for infected objects: AVCure=true
3. Specify the operations which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/suspicious,av/protected,av/error
Note
The application can also be configured to send notifications to the administrator with information about the detection of infected or suspicious objects (see section 5.3.4 on p. 62) and save the messages containing those objects in the quarantine directory for later delivery to Kaspersky Lab for examination (see section 5.3.6 on p. 64).
5.3.4. Delivery of notifications to the sender, administrator and recipients
Example:
Scan all e-mail traffic on the server for viruses, and cure all infected objects.
Deliver messages to recipients containing only clean and disinfected objects.
Delete all objects which cannot be cured, as well as suspicious, damaged or password-protected objects.
Notify the senders, recipients and the administrator about cured, incurable, deleted, suspicious and damaged objects in e-mail messages.
To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Enable disinfection mode for infected objects: AVCure=true
2. Specify the operations which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=
3. Specify the cases in which notifications should be sent, and their recipients:
NotifyAdmin=av/disinfected,av/infected,av/suspicious,av/protected,av/error
NotifyRecipient=av/disinfected,av/infected,av/suspicious,av/protected,av/error
NotifySender=av/disinfected,av/infected,av/suspicious,av/protected,av/error
5.3.5. Additional filtering of objects by name and type
E-mail messages frequently contain objects for which virus infection is highly probable (e.g., executable files). To avoid infection, you are advised to configure the application to filter e-mail by name and/or attachment types, and save these objects in a separate directory.
There are also objects which cannot be infected with viruses (e.g., plain text files). To reduce the load on the server during anti-virus scanning of e-mail messages, you are advised to specify the types and/or the names of such attachments in advance so that the application does not scan them.
Filtering of objects is performed using name masks (IncludeByName, ExcludeByName parameters) and MIME types (IncludeByMime, ExcludeByMime parameters).
Example:
Delete .exe and .reg attachments from the e-mail of users in the managers group.
For users in the accounts group, delete all attached objects except for .doc files.
For users in the sales group, block messages containing attached .exe files.
To perform the above task, do the following:
Create in the application's configuration file three [mailgw.group:group_name] sections, which will contain processing rules for the e-mail of users in the managers, accounts and sales groups respectively:
[mailgw.group:managers]
Recipients=*@managers.example.com
IncludeByName=*.exe
IncludeByName=*.reg
ActionFiltered=remove
…
[mailgw.group:accounts]
Recipients=*@accounts.example.com
ExcludeByName=*.doc
ActionFiltered=remove
…
[mailgw.group:sales]
Recipients=*@sales.example.com
IncludeByName=*.exe
BlockMessage=av/filtered
5.3.6. Saving messages in the quarantine directory
Kaspersky Mail Gateway can be configured to store messages with specified statuses in the quarantine directory.
This feature may be used, for example, if an infected attachment containing important data was detected during anti-virus scanning. Attempting to disinfect the file may corrupt the data. The message can be isolated in a separate directory and subsequently sent to Kaspersky Lab for analysis. Our experts will probably be able to disinfect the file and preserve the data's integrity.
Example:
Scan all e-mail traffic on the server for viruses and cure all infected objects.
Deliver messages to the recipients containing only clean and disinfected objects.
Messages with incurable attachments or suspicious, damaged or password-protected objects must be saved in the quarantine directory /opt/quarantine; delivery of these messages must be blocked.
To perform the above task, do the following:
1. Create the directory /opt/quarantine, which will be used to store blocked messages, and grant the right to write to that directory to the account used to run the application (kluser by default).
2. Enable the cure mode for infected objects by setting the following parameter value in the [mailgw.policy] section of the configuration file: AVCure=true
3. Specify these parameter values in the [mailgw.policy] section of the configuration file:
ActionDisinfected=cure
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/suspicious,av/protected,av/error
QuarantineMessage=av/infected,av/suspicious,av/protected,av/error
AVQuarantinePath=/opt/quarantine
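As an added example (not part of this manual or of the Kaspersky Mail Gateway code), the following Python model shows how the Action* parameters, BlockMessage and QuarantineMessage described in sections 5.3.1 to 5.3.6 combine for a single message, including the caveat from 5.3.3 that one blocked status stops delivery of the whole message. The object statuses, the decision rule, the object names and the sample message are assumptions and constructed inputs; the parser reads only the parameter lines shown on this page.

```python
# Status of a scanned object -> the [mailgw.policy] parameter deciding its fate
ACTION_FOR = {
    "av/disinfected": "ActionDisinfected", "av/infected": "ActionInfected",
    "av/suspicious": "ActionSuspicious", "av/protected": "ActionProtected",
    "av/error": "ActionError",
}
FATE = {"cure": "delivered disinfected", "remove": "removed",
        "placeholder": "replaced by standard notification", "pass": "delivered as is"}
LIST_KEYS = ("BlockMessage", "QuarantineMessage")


def parse_policy(text):
    """Parse a [mailgw.policy] fragment into a dict; status lists become sets."""
    policy = {key: set() for key in LIST_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[#;":      # section header, comment or blank
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            policy[key] = {s.strip() for s in value.split(",") if s.strip()}
        else:
            policy[key] = value
    return policy


def apply_policy(policy, objects):
    """objects: (name, status) pairs with post-scan statuses ('clean' or av/*).
    Returns (delivered, quarantined, fates); fates is empty when blocked."""
    statuses = {status for _, status in objects}
    blocked = bool(statuses & policy["BlockMessage"])        # one match blocks all
    quarantined = bool(statuses & policy["QuarantineMessage"])
    fates = []
    if not blocked:
        for name, status in objects:
            action = "pass" if status == "clean" else policy.get(ACTION_FOR[status], "pass")
            fates.append((name, FATE[action]))
    return (not blocked, quarantined, fates)


# Constructed sample: the section 5.3.6 policy applied to an assumed message
POLICY_5_3_6 = parse_policy("""[mailgw.policy]
ActionDisinfected=cure
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/suspicious,av/protected,av/error
QuarantineMessage=av/infected,av/suspicious,av/protected,av/error
""")
MESSAGE = [("report.txt", "clean"), ("invoice.doc", "av/disinfected"), ("docs.zip", "av/protected")]
```

Running apply_policy(POLICY_5_3_6, MESSAGE) returns (False, True, []): the password-protected archive alone blocks the whole message and a copy goes to quarantine, whereas the 5.3.2 policy (placeholder actions, empty BlockMessage) delivers it with that archive replaced by a notification.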