Configuring a threat detection


Article ID: 181274


Products

Mail Security for Microsoft Exchange

Issue/Introduction

 

Resolution

To configure threat detection, do the following:

Enable threat detection scanning

Mail Security detects viruses, worms, and Trojan horses in all major file types. Antivirus scanning must be enabled for Mail Security to detect threats.

Threat detection scanning applies to all types of scans.

See About the types of scanning that you can perform

Set the Bloodhound detection level

Mail Security uses Bloodhound technology to supplement the detection of threats by signature.

You can customize your level of protection against new threats, from zero protection to a high level of protection. A high level of protection increases protection of your network; however, server performance might be affected. At lower levels of protection, an unknown threat might escape detection, but the trade-off with server performance decreases. In most cases, the default (Medium) setting is appropriate.

See How Mail Security detects risks.

Enable mass-mailer worm-infected message detection

When this feature is enabled, Mail Security detects whether an email message is a mass-mailer worm or virus. If it is, Mail Security deletes the infected email message and any attachments, and does not send notifications after the deletion. When the mass-mailer detection feature is not enabled, an infected mass-mailer email message is treated the same as any other infected message.

Enable advanced heuristics detection

Mail Security provides better antivirus protection if you check the Advanced heuristics detection check box.

Modify default threat detection rules, as needed

Mail Security provides default antivirus rules, which are always enabled. You can modify these rules.

To configure a threat detection

  1. In the console on the primary navigation bar, click Policies.

  2. In the sidebar under Antivirus, click Antivirus Settings.

  3. In the content area under Antivirus Settings, check Enable virus scanning.

    Virus scanning is enabled by default.

  4. In the Bloodhound detection list, select one of the following using the drop-down menu:

    Off

    Disables the Bloodhound detection.

    Low

    Optimizes the server performance, but might not detect potential threats.

    Medium

    Provides a balance between threat detection and server performance.

    The default setting is Medium.

    High

    Increases the detection of threats, but might affect server performance.

  5. Check Delete mass-mailer worm-infected messages (no notifications) to automatically delete mass-mailer messages.

    This feature is enabled by default.

  6. In the Rules table, select any of the following rules to view or modify them in the preview pane:

    Basic Virus Rule

    Applies to the messages or the attachments that contain repairable threats.

    This option is always enabled.

    Unrepairable Virus Rule

    Applies to the messages or the attachments that contain the threats that cannot be repaired.

    This option is always enabled.

    Security Risk Rule

    Applies to messages that contain security risks, such as adware or spyware.

    See Configuring a security risk detection.

    This option is enabled by default.

    The settings for the rule that you select appear in the preview pane.

  7. In the preview pane, in the Action to take list, select the action to take when a threat is detected using the drop-down menu.

  8. In the Replacement text box, type your customized message if you want to replace the message or the attachment body with a text message.

    The default text is: Symantec Mail Security replaced %attachment% with this text message. The original file contained %violation% and was %action%.

    You can use variables in your customized text.

    See Alert and notification variables

  9. Check one or more of the following to send email notifications about the detection:

    • Notify administrators

      Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:

      • Default subject line text: Administrator Alert: Symantec Mail Security detected %violation%

      • Default message body text: Location of the infected item: %location% Sender of the infected item: %sender% Subject of the message: %subject% The attachment(s) "%attachment%" was %action% for the following reasons: %information% This was done due to the following Symantec Mail Security settings: Scan: %scan% Rule: %rule%

    • Notify internal sender

      Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:

      • Default subject line text: Symantec Mail Security detected %violation% in a message sent from your address

      • Default message body text: %subject% Recipient of the message: %recipient%

    • Notify external sender

      Click the down arrow and type your customized text in the Subject line box and the Message body box. The default Subject line and Message body text is as follows:

      • Default subject line text: Symantec Mail Security detected %violation% in a message sent from your address

      • Default message body text: Subject of the message: %subject% Recipient of the message: %recipient%

      See Alert and notification variables

  10. On the toolbar, click Deploy changes to apply your changes.

    See Deploying settings and changes to a server or group
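
Steps 8 and 9 accept customized texts containing %variable% placeholders. The following is an added example, not Symantec code: it checks a customized text before you paste it into the console, flagging placeholder names that do not appear in the default texts on this page and any unpaired % character, and previews the result with constructed sample values. The known-variable set is an assumption limited to the names shown in this article.

```python
import re

# Variables that appear in the default texts quoted in steps 8 and 9.
# Assumption: the product's full list (see "Alert and notification
# variables") may contain more names; extend this set from that topic.
KNOWN_VARIABLES = {
    "attachment", "violation", "action", "location", "sender",
    "subject", "recipient", "information", "scan", "rule",
}

TOKEN = re.compile(r"%([A-Za-z_]+)%")


def check_template(text):
    """Return (unknown_names, stray_percent) for a customized text."""
    names = TOKEN.findall(text)
    unknown = sorted({n for n in names if n not in KNOWN_VARIABLES})
    # Remove well-formed tokens; a '%' that remains is a literal percent
    # sign or an unpaired delimiter and deserves a second look.
    stray_percent = "%" in TOKEN.sub("", text)
    return unknown, stray_percent


def preview(text, values):
    """Substitute sample values so the rendered text can be proofread."""
    def substitute(match):
        # Tokens without a sample value stay visible in the preview.
        return values.get(match.group(1), match.group(0))
    return TOKEN.sub(substitute, text)


# Default replacement text from step 8.
DEFAULT_REPLACEMENT = (
    "Symantec Mail Security replaced %attachment% with this text message. "
    "The original file contained %violation% and was %action%."
)

# Constructed sample values, not product output.
SAMPLE = {
    "attachment": "invoice.doc",
    "violation": "a sample threat name",
    "action": "deleted",
}

if __name__ == "__main__":
    # The second text is a constructed draft with a typo and a missing '%'.
    for text in (DEFAULT_REPLACEMENT, "Removed %atachment% (%violation"):
        print(check_template(text), "->", preview(text, SAMPLE))
```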