Trend Micro

All posts tagged Trend Micro

Review ScanMail Suite for Microsoft Exchange

Exchange 2013 has been available for a few months now, and organizations may start to consider implementing it, either as a greenfield deployment or in their current Exchange environment. The latter became an option with the release of Exchange 2013 CU1.

A lot has changed in Exchange 2013: the server holding the Mailbox role does all the work, while the CAS only does proxying and redirection. Redirection is only used for SIP requests to the UM server.

From an antivirus perspective a lot has changed as well, since Microsoft has announced that it will discontinue Forefront Protection for Exchange. So what options do we have for AV in Exchange 2013? There are two:

  • Use the built-in AV solution of Exchange 2013
  • Use a 3rd party solution which supports Exchange 2013

The first one might be an option for organizations that can live with the limited functionality. However, I think most organizations will start to use 3rd party solutions.

Starting with Exchange 2013, antivirus products can't hook into the VSAPI which was available in previous releases and was used to perform scanning.

Currently all vendors are working hard on, or have already released, new versions of their products which are compatible with Exchange 2013.

Among those vendors is Trend Micro, which has just released the RTM version of ScanMail™ Suite for Microsoft® Exchange™, also known as SMEX. You may think it took long before they released the new version for Exchange 2013, but keep in mind that Exchange 2013 is totally different than Exchange 2010, as discussed earlier.

SMEX console

With SMEX 11 Trend Micro continues to build on previous releases of the product, now also available for Exchange 2013. Starting with SMEX 11 you can't install the product on Exchange 2003 anymore. This is a logical result of support for Exchange 2003 ending in April 2014.

Just like the previous releases, SMEX gives organizations the possibility to perform both transport and mailbox scanning. It contains several scan filters which can be used to perform scanning.

As this blog would be too long if it described all of the filters in detail, I have put them in the table below. In this table the scan filters are listed including a short description:

Scan filter             Description
Attachment Blocking     Allows you to scan for attachment types and block them
Content Filtering       Allows you to verify messages for specific content and block them
Data Loss Prevention    Solution to scan messages for certain content to prevent the leakage of data
Spam Prevention Rules   Filter which allows you to perform basic antispam filtering
Web Reputation          Filter which allows you to scan content for malicious URLs

All these methods are built on the years of experience Trend Micro has in the world of antivirus for Exchange.

Web Reputation Services

Now that we know which filters are available, let's have a look at some new/enhanced features of SMEX 11. According to the documentation there are three features on which a lot of work has been done to include them in the product.

First the Web Reputation Service (WRS). As already described in the table, this feature checks URLs to websites in messages. For each URL it sends a query to check the reputation of the URL. If the URL has a value which passes the threshold, SMEX performs the configured action.

Queries can be sent either directly to the Smart Protection Network (a cloud-based solution) or to a Smart Protection Server located on the local network. You can restrict the Smart Protection Server to prevent queries to the Smart Protection Network, but this limits the web reputation security level to low. The reason for this is that Smart Protection Servers cannot maintain the complete repository of the Smart Protection Network.

New functionality introduced in WRS is the integration of the Trend Micro Command & Control (C&C) Contact Alert Services. Using this service you can benefit from the Global Intelligence list. This list is compiled by the Trend Micro Smart Protection Network from sources all over the world, which tests and evaluates the risk level of each C&C callback address. The Web Reputation security level determines the action that needs to be taken on malicious websites or C&C servers, based on the assigned risk levels. Besides the integration in SMEX, the C&C service is also available in other layers of Trend's defense, such as network, endpoint and server security. It gives you a holistic view of the cyber security of the entire organization and visibility of targeted attacks.

Search and Destroy

The next feature is search and destroy. I think most people will know what it does: indeed, search for items and destroy them. However, that is the short story.

The search and destroy functionality is only available when SMEX is installed on an Exchange 2010 SP1 or Exchange 2013 server. When looking under the hood you will find that SMEX uses the eDiscovery functionality of Exchange for this.

So before you can use the functionality you need to ensure that the service account you are going to use for search and destroy has the required permissions. For those who are unfamiliar with Exchange: since Exchange 2010 Microsoft has implemented Role-Based Access Control (RBAC) to specify what users can do. Exchange contains a default RBAC role called Discovery Management, which is attached to the security group Exchange Discovery Management. So in this case add the service account to the group and you should be able to perform search and destroy tasks.

The search and destroy functionality uses two types of accounts which must be configured in addition to the Exchange part:

  • Search & Destroy Administrators, which can search for, monitor and delete undesirable content;
  • Search & Destroy operators, which can search for and monitor undesirable content;

At least one search & destroy administrator needs to be assigned, since "normal" administrators won't be able to perform the search & destroy tasks unless assigned this role.

Search & Destroy

The Search & Destroy feature has the ability to create PST files before removing the content. In that case the content will be exported to PST and stored in a folder on the local server. So when performing large search & destroy operations, make sure you have enough space left on the volume where you installed SMEX. This option requires the Exchange Mailbox Import Export role to be assigned to the user account.

So what happens when performing a search & destroy search?

  1. User specifies the search criteria;
  2. SMEX creates a new mailbox search in Exchange;
  3. Exchange performs the mailbox search, places the result in the discovery mailbox of Exchange and returns the results to SMEX;
  4. User can view the results and either choose to directly delete the content from the mailbox or first export it to PST.

I had a look at this specific feature of SMEX for a while during a co-existence scenario where both Exchange 2010 and Exchange 2013 were implemented. If you plan to do this, make sure discovery mailboxes exist, at least one for each environment, otherwise you won't be able to perform searches. In addition, a separate throttling policy has to be assigned to the service account, because Exchange by default limits the number of concurrent mailbox searches to a maximum of 2.

Every step which needs to be configured for search & destroy is documented very clearly in the PDF which is available for download from the Trend Micro website.

Deep Discovery Advisor

New in SMEX 11 is the integration with Trend's Deep Discovery Advisor, a new product which is currently only available as a hardware appliance. Using Deep Discovery Advisor you get a sort of virtual virus doctor in your network which offers:

  • Centralized location for aggregating, managing and analyzing logs;
  • Advanced visualization and investigation tools which monitor, explore and diagnose security events on your network;
  • Custom signatures and custom defense against targeted attacks.

The configuration in SMEX consists of a few steps:

  1. Enable the Advanced Threat Scan Engine;
  2. Configure the pickup directory on the Exchange Server;
  3. Specify the IP address of the appliance in SMEX;

Once configured, SMEX forwards content that meets the criteria configured in the AV scanning method to the Deep Discovery Advisor. The Deep Discovery Advisor analyzes the content and reports the results back to SMEX.

While they might have taken a bit longer than expected, Trend Micro did a lot of good work which resulted in a new version of SMEX with a lot of new features. Especially search & destroy and the enhancements in WRS are a great addition to the product. So if you decide to migrate to Exchange 2013, or have a current Exchange 2007 or Exchange 2010 environment and are looking for an antivirus product for Exchange, make sure you have a look at ScanMail.

A trial version of SMEX can be downloaded via the link below:

download

Review Trend Micro Scanmail 10

In this article we will have a look at Trend Micro ScanMail (SMEX) 10. This is the latest version of Trend Micro's antivirus/antispam solution for Microsoft Exchange Server.

The product can be used with Exchange 2003, 2007 and the most current version, 2010. Let's start by having a look at the new features of SMEX 10.

New features

Just like Exchange 2010, Trend Micro has also introduced role-based access. Using this method of assigning permissions you can create templates and assign those templates to users.

Another nice addition to the product is the ability to use AD objects in the policies you configure. This gives you the ability to create a policy for a specific AD group. For example, you have a group of developers in your company. These developers must be able to receive specific file types which are blocked by the default policy. In this scenario you can exclude the developers group from the default policy and apply a custom created policy.

SMEX 10 contains two types of reputation services:

  • Web reputation (WRS), which checks all URLs in a message
  • E-mail reputation (ERS), which checks the IP address of the sending mail server

Especially the last option can decrease the number of spam/virus messages which have to be processed by the policy or arrive in the end user's mailbox.

The Web Reputation Services (WRS) feature included in SMEX checks every e-mail for malicious URLs. By enabling WRS you add an extra detection layer on top of the anti-spam/anti-virus technology already used by the product. WRS can detect "0-day" attacks, as well as recent new types of spam and phishing attacks like "Here you are" spam and spear phishing.

If you have a Trend Micro SmartScan server deployed you can configure SMEX 10 to use it. The advantage of the SmartScan method compared to the conventional scanning method is that the footprint on the server is smaller, because the pattern files are a lot smaller. Another advantage is better detection: the cloud side (Trend file reputation service) always deploys the latest anti-malware knowledge, which is ahead of the conventional anti-malware pattern.

In the picture below you see how the process works:

The last major change, besides the optimization of the product, is the integration of Data Leakage Prevention (DLP) policies. Using these default DLP policies you can prevent data being leaked via e-mail from your company to the outside world.

Installation

The installation of SMEX 10 is pretty easy. But before starting the installation, add the CGI component to the IIS server. Once this is done the setup can be launched. One of the first steps in the setup asks which Exchange version you have deployed. If deploying it on an Exchange 2007 or 2010 server you must specify whether you are installing it on an Edge or on a Hub Transport/Mailbox server.

Depending on the roles installed on your server a set of scan methods is available. For example, on a mailbox server a mail store scan can be performed, while on a Hub Transport server scanning can be done during transport.

In the next step you need to add one or multiple servers. This can be done either by adding a server manually or via the browse option. In the latter scenario make sure you enable the Computer Browser service, which might be disabled by default depending on your OS.

The next step is to provide the credentials of an account which is a member of the Organization Management Exchange security group. If you are planning to use the End User Quarantine option, this account also needs domain admin permissions.

By default the installation will be performed on the C drive of the server. ScanMail needs to install a web application for management purposes. By default an additional website is created in IIS for this purpose; another option is to place it in the default website. My recommendation is to install it in a separate site, because Exchange uses the default website for all Exchange Web Services.

Optionally you can select the option to enable SSL. When enabling this option a self-signed certificate is installed for the website.

The next step verifies whether all prerequisites have been met. If this is not the case you will be warned and you need to solve these issues before you can continue.

Because ScanMail retrieves its updates from the internet you may need to provide a proxy server. If this is not the case, leave the option unselected. After providing the activation key you get the option to participate in the World Virus Tracking Program. This program gathers real-time data for the Virus Map of Trend Micro.

As already mentioned, ScanMail has the option to place spam messages in a specific folder. ScanMail gives you two options:

  • Integrate with Outlook Junk Mail
  • Integrate with EUQ, which is a separate folder created by ScanMail

Personally I prefer the Outlook Junk Mail option, as this provides users with one location where they can find their quarantined messages.

If you have multiple Trend Micro solutions you might have implemented Trend Micro Control Manager. This program gives you the ability to manage all Trend Micro products via one interface.

Because of the Active Directory integration, the setup gives you the option to select an Active Directory group which has access permissions to the Access Console.

Before starting the installation you get a short summary. If you are satisfied with the settings, continue and start the installation.

Note:

One thing you should keep in mind is that the setup installs a SQL Server 2005 Express instance on your Exchange server. If you don't want this, prepare the database on an external SQL server and specify this SQL server during the setup.

After the installation has been completed, make sure you install the latest service pack and patches available.

Configuration

Now that SMEX has been installed, let's have a look at the configuration part. By default only the following antispam/antivirus components are enabled:

  • Security Risk Scan, which scans messages for viruses and spyware both on transport and store level;
  • Web reputation, which scans all messages for malicious URLs;
  • Content Scanning, which is part of the Spam Prevention option and scans messages for undesirable content, for example sensitive or unprofessional content.

Because each environment is unique, it might be necessary to adjust the default configuration settings. For example, you might want to scan all messages for all spyware/grayware; by default SMEX only scans for spyware and adware.

But how does the web reputation service work? Every URL is checked against a database which contains a rating for the URL. The Web Reputation rating is based on a number of factors, including domain profiling, malware behavior related to the site, site content scanning, site categorization and correlation with phishing and spam intelligence, among other things. To configure which ratings should be blocked you need to configure the security level. SMEX contains three security levels:

  • High: blocks a greater number of Web threats, each URL with a rating of 80 or lower. The chance of false positives increases.
  • Medium: blocks most Web threats and limits the number of false positives. Each URL with a rating of 65 or lower.
  • Low: blocks fewer Web threats and decreases the number of false positives. Each URL with a rating of 50 or lower.

In the diagram below you can see the complete process:

When a message arrives, the following steps are performed:

  • A message arrives at the Edge or Hub Transport server which contains SMEX 10;
  • SMEX detects a URL in the message and sends it to the WRS cloud service;
  • WRS checks the URL and returns the rating to SMEX 10;
  • If the rating passes the threshold, the message is either delivered with a modified subject or placed in quarantine.
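The security levels and the WRS flow above, worked through in code. This is an added example, not code from the post or from Trend Micro: the per-host ratings and the "[WRS] " subject prefix are constructed values standing in for the cloud lookup and the product's configured action.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Security levels as listed for SMEX 10 above: a URL is blocked when its
# reputation rating is at or below the level's threshold (lower = riskier).
SECURITY_LEVELS = {"high": 80, "medium": 65, "low": 50}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample ratings that stand in for the WRS cloud lookup
# (assumption: keyed by host name; the real service is queried per URL).
SAMPLE_RATINGS = {
    "www.example.com": 95,
    "deals.example.net": 70,
    "login-verify.example.org": 40,
}


def host_of(url: str) -> str:
    """Extract the lower-cased host name from an http(s) URL."""
    without_scheme = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return without_scheme.split("/")[0].split(":")[0].lower()


def lookup_rating(url: str) -> int:
    """Reputation rating for a URL's host; unknown hosts are treated as clean (100)."""
    return SAMPLE_RATINGS.get(host_of(url), 100)


@dataclass
class Verdict:
    blocked: bool
    worst_url: Optional[str]
    worst_rating: Optional[int]
    action: str            # "deliver", "tag_subject" or "quarantine"
    subject: str           # subject after the action has been applied


def evaluate_message(subject: str, body: str, level: str = "medium",
                     action_on_hit: str = "tag_subject",
                     tag: str = "[WRS] ") -> Verdict:
    """Apply the WRS security level to every URL found in the message body."""
    threshold = SECURITY_LEVELS[level]
    urls = URL_RE.findall(body)
    if not urls:
        return Verdict(False, None, None, "deliver", subject)
    # The lowest-rated URL decides the verdict for the whole message.
    worst_rating, worst_url = min((lookup_rating(u), u) for u in urls)
    if worst_rating > threshold:
        return Verdict(False, worst_url, worst_rating, "deliver", subject)
    if action_on_hit == "quarantine":
        return Verdict(True, worst_url, worst_rating, "quarantine", subject)
    # Deliver with a modified subject (the tag prefix is a constructed value).
    return Verdict(True, worst_url, worst_rating, "tag_subject", tag + subject)
```

The same body is delivered at Medium but blocked at High, which is the false-positive trade-off the three levels describe.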

Additionally you might want to enable some extra components. For example, block all attachments which have program/scripting extensions such as bat, cmd and wsh, or just block specific file types.

A second option which you might want to enable is the content filtering component. This component contains some predefined policies. These policies can be split up into:

  • Specific word categories: such as profanity, hoaxes and chainmail;
  • DLP, default DLP policies for specific countries/continents;

As already explained, every environment requires different policies. For example, you might receive a lot of spam which is not detected by other filters. In this case, create a custom policy which filters specifically those words.

The second component I would highly recommend is the E-mail Reputation Service (ERS), which is part of the Spam Prevention part of SMEX. ERS works just like a blacklist: if an IP address is found on the list, the connection is dropped. The advantage of ERS compared to blacklists is that you can configure it using a web portal provided by Trend Micro. For example, if you don't want to block messages from a specific country even if they are listed, make the configuration change in the ERS web portal.

As you can see in the screenshot above, you can also add specific ISPs and IP addresses to the approved list. Besides approving, it's also possible to block a country, ISP or IP address using this website.

One important note about ERS is that there must be no other MTA between the sending server and Exchange. Otherwise ERS won't be able to work correctly, because it only checks the IP address of the last MTA.
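The last-MTA caveat, shown on two constructed messages. This is an added example, not code from the post or from Trend Micro: the blocklist is a made-up stand-in for the ERS data, and the two raw messages (documentation addresses 198.51.100.23 and 203.0.113.5) are constructed. It reads the peer IP from the topmost Received header, which is the one written by the Exchange server itself and therefore the only address a connection-time check like ERS can see.

```python
import ipaddress
import re
from email.parser import Parser

# Constructed blocklist standing in for the ERS reputation data (the real list
# is maintained by Trend Micro; 198.51.100.0/24 is documentation address space).
SAMPLE_ERS_BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Matches the bracketed IPv4 address an MTA records in its own Received header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> str:
    """Return the peer IP recorded in the topmost Received header.

    That header is written by the first MTA under our control (Exchange/SMEX
    here), so the IP is the host that opened the SMTP connection: the last hop,
    which is exactly what ERS evaluates.
    """
    headers = Parser().parsestr(raw_message, headersonly=True)
    received = headers.get_all("Received") or []
    if not received:
        raise ValueError("message has no Received header")
    match = RECEIVED_IP_RE.search(received[0])
    if not match:
        raise ValueError("topmost Received header carries no bracketed IP")
    return match.group(1)


def ers_blocked(raw_message: str) -> bool:
    """True when the connecting MTA's IP falls inside the blocklist."""
    ip = ipaddress.ip_address(connecting_ip(raw_message))
    return any(ip in net for net in SAMPLE_ERS_BLOCKLIST)


# Constructed sample 1: the listed host delivers straight to Exchange.
DIRECT = """\
Received: from spammer.example.net (spammer.example.net [198.51.100.23])
\tby exch01.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: someone@example.net
To: user@example.com
Subject: direct delivery

hello
"""

# Constructed sample 2: the same listed host, but relayed through a DMZ MTA
# first. Exchange only ever sees the relay's address (203.0.113.5), so the
# listing of 198.51.100.23 never comes into play.
RELAYED = """\
Received: from relay.dmz.example.com (relay.dmz.example.com [203.0.113.5])
\tby exch01.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from spammer.example.net (spammer.example.net [198.51.100.23])
\tby relay.dmz.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: someone@example.net
To: user@example.com
Subject: relayed delivery

hello
"""
```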

Once you are satisfied with the configuration you can replicate it to other servers. This option is very useful if you have multiple SMEX instances but want to keep the configuration the same on all of them.

By selecting the Server Management option you will get an overview of all SMEX instances:

Select the server(s) to which you would like to replicate and press the replicate button. The next step is to select which configuration settings need to be replicated. By default all settings are replicated. If you would like to replicate only a subset, select only those features which you would like to replicate.

Reporting and logging

In addition to the real-time monitoring of the traffic, SMEX has the option to generate reports. These reports can be created either manually or automatically via a schedule.

In the screenshot below you can see an example of which content you can add to a report. A scheduled report can be created daily, weekly or monthly. As you can see, you can add a lot of content to the report. Using these reports you might spot some trends, for example one specific user receiving a lot of spam. Or you just want to know how much traffic passes the SMEX solution.

Compared to a manual report, a scheduled report also has the option to send the report to one or multiple e-mail addresses, which might be very useful if you do not want to log in to the admin console daily.

But what does a report look like? Well, in the screenshot below a small part of a generated report is shown. In this example you can see the Spam Prevention statistics. It starts with a summary which gives you a quick overview. Because you might want to distribute this report to management, it might be nice to also include the graph. The graph displays the percentage of spam messages compared to the total number of messages.

Below the graph an overview of the top 5 spam senders is displayed. For privacy reasons I haven't included them in the screenshot above.

In addition to the reports you may also consult the available log files. The logs are divided into a few types:

  • Security risk scan, gives an overview of messages which violated the configured security risk settings;
  • Attachment blocking, gives an overview of attachments blocked;
  • Content filtering, gives an overview of messages which are tagged by the content filter;
  • Update, an overview of the update process, here you will find if an update has succeeded or failed;
  • Scan event, an overview of manual and scheduled scan tasks;
  • Backup for security risk, information about the files that the Security Risk Scan moved to the backup folder;
  • Backup for content filter, information about the files that Content Filtering moved to the backup folder;
  • Unscannable message parts, gives an overview of messages of which parts couldn't be scanned;
  • Event tracking, gives an overview of administrative tasks performed, for example log in/outs, configuration changes made or messages released from quarantine;
  • Web reputation, gives an overview of web reputation checks performed.

In the screenshot below a part of the Content filtering log is displayed. As you can see, a lot of information is shown:

But this is not all: when scrolling to the right you will find the most interesting information:

In this piece of the logging you can see detailed information about:

  • which policy was applied to the message;
  • which action has been taken;
  • which matching keyword(s) were found.

So as you can see, a lot of information is stored in the logs, which might be very useful during troubleshooting.

Conclusion

Here ends my article about Trend Micro's ScanMail for Exchange 10. Trend Micro included a lot of nice new features. The default antispam and antivirus settings might require you to make some modifications. For example, Email Reputation is disabled by default; it might be worth enabling the option if possible. Enabling this option prevents a lot of spam arriving in the end user's mailbox, but also saves ScanMail a lot of processing time.

To fine-tune your solution you might consider creating a custom content filter. By using this custom filter you can block specific messages which pass the other filters. This results in less spam arriving in the end user's mailbox. If you find it a little bit tricky to just delete the message, use the quarantine option. This places the message in the junk mail folder or EUQ folder of the user. If a user misses a message, he or she can retrieve it easily.

At this moment the beta for SMEX 10.2 is about to start; I am very curious which new features will be added.

During the removal of an Exchange 2003 cluster I found an issue after the removal of Trend Micro ScanMail (SMEX) 8.0. After the deinstallation was completed, the Cluster Administrator started with an error. One of the things I expected to cause the issue was the resource object from SMEX, which was still there. This could be solved easily by removing it with the default procedure for removing cluster resources.

Despite removing the resource, the Cluster Administrator kept prompting with an error. After some research I discovered that the issue was caused by a resource type clusRDLL which was still there.

To clean up this resource type you need to use the cluster command:

cluster restype clusRDLL /delete /type

After this command was executed the error disappeared and I could remove the Exchange 2003 Virtual Server.

Trend Micro has published a knowledge base article about this issue:

Uninstalling Scanmail for Exchange (SMEX) 8.0 from cluster servers


Block unknown internal domains with Trend Micro IMSS

Maybe you have seen it: mails from unknown domains being relayed via the internal mail server or a mail server placed in the DMZ. Normally, when the mail servers are configured correctly, it's not possible to send mail from a domain which is not hosted on the internal mail server. But it can also be that a virus is active on a mail server which is allowed to relay.

In this tutorial I will explain how you can create a policy in Trend Micro IMSS to prevent this. The way of configuring it is not really the way you would think you have to do it, but the end result will work.

First we will create a rule which matches incoming messages.

Select the button Add and choose the option Other.

Ensure that the option "This rule will apply to" is set to incoming; we will change this later to both incoming and outgoing messages. We cannot do this right now, because the policy will not be created correctly then.

Next click on the link Recipients; a new window will be opened.

Select the option Anyone and click Save; the window will close. Next click on Senders; a new window will be opened again.

Select the option Anyone and click Save. The last parameter we need to define in this step is the exceptions.

Add the following exception:

Repeat this for each domain.

When ready, click on Save to save the changes. You will get the following overview after this.

Click on the Next button to continue. In this step we define the conditions under which a mail must be scanned by this policy.

In this case we want to scan all messages, so we don't select anything and click on the Next button.

You will get a warning that all messages will be scanned if you don't choose any condition. Confirm this by clicking on the OK button.

The next step is the action that needs to be executed when a mail meets the conditions. In this case we delete all messages which meet the conditions. You could choose to quarantine the messages instead; if you would like to do this, change the action.

Next we define the name and number of the policy. Keep in mind that the policy always needs to be placed below the Global Antivirus Rule and the Default Spam Rule. You may choose not to activate the policy right now but activate it after the steps below.

When you return to the policy overview you can see that the policy has been added.

Now that we have added the policy we need to change it, because it's not possible to add *@* as sender/recipient in this policy when choosing the option to apply it to both incoming and outgoing messages.

Click on the policy to view the details.

Click on "If recipients and senders are".

Change the option "This rule will apply to" to both incoming and outgoing messages. Next we change the exceptions. This can be done by clicking the link Senders and Recipients after the option Exceptions.

Add the following exception:

Add the exception for each domain. When ready, click Save 4 times to return to the policy overview. If you have not activated the policy yet, activate it.


Prevent spoofing with IMSS

It's time for a new tutorial, but this time with another subject: Trend Micro InterScan Messaging Security Suite, IMSS for short. IMSS is the antivirus/antispam solution from Trend Micro, which is available for Windows, Linux, Solaris and as an appliance.

With policies we can define our own rules; we will create a rule which prevents spoofing. To do this we need to log in to the admin console of IMSS, select the option Policy and then select the option Policy List in the left menu.

Next we choose the option New and choose the option Other from the drop-down menu. By default the option is selected that this rule needs to be applied to incoming mails.

First we define the sender/recipient and exclusions.

First the recipient; this can be done by clicking on the link Recipient.

As recipient we select all the users in the domain trendmicro.dyndns.org.

When you are responsible for multiple domains you can fill in all domains here. When all domains are added, click on the Save button. The next step is choosing the sender; this can be done by clicking on the link Sender. Here we fill in the same domains as defined in the recipient option. When all domains are added we click on Save again.

The last option is to define the exceptions. This is needed when, for instance, a form on your website uses an e-mail address which exists in your domain as the sender. In this case we choose the address info@trendmicro.dyndns.org.

In this case we only allow mail from info@trendmicro.dyndns.org to info@trendmicro.dyndns.org, but this can also be the complete domain.

When we have defined all three options it's time to define the scanning conditions. Here we only need to specify one thing: in this case we want to check every mail which is bigger than 1 KB.

When we are satisfied with the settings we click on Next to continue and specify the action.

Because we don't want the spoofed mails to arrive in the mailbox of users, we select the option delete entire message. In case you first want to have a look at the result, you can choose the option quarantine; this ensures that the mail is placed in quarantine.

When the action is defined it's time for the last step: define the name and rule number. These last two fields can be defined with whatever you like. In our case we named the rule anti-spoofing and placed it as the 8th rule.

We're finished now with creating the anti-spoofing rule. Keep in mind that this will also block mails from sites which let you forward articles and use your e-mail address as sender; inform your users about this.
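The anti-spoofing rule from this walkthrough, modelled as a small policy evaluator. This is an added example, not code from the post or from Trend Micro; the matching semantics (first matching rule wins, an exception is a sender/recipient pair, size condition is "bigger than") are a simplified reading of the IMSS behaviour described above, not IMSS's own logic, and the test messages are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Message:
    sender: str              # sender address as IMSS sees it
    recipients: List[str]
    size_bytes: int


@dataclass
class Rule:
    name: str
    senders: List[str]                   # patterns, e.g. "*@trendmicro.dyndns.org"
    recipients: List[str]
    exceptions: List[Tuple[str, str]]    # (sender pattern, recipient pattern)
    min_size_bytes: int                  # "bigger than 1 KB" scanning condition
    action: str                          # "delete" or "quarantine"


def _match(pattern: str, address: str) -> bool:
    """Case-insensitive wildcard match; '.' is literal in fnmatch patterns."""
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def _excepted(rule: Rule, sender: str, recipient: str) -> bool:
    """An exception pair exempts one sender/recipient combination."""
    return any(_match(sp, sender) and _match(rp, recipient)
               for sp, rp in rule.exceptions)


def rule_applies(rule: Rule, msg: Message) -> bool:
    """True when the sender matches, at least one recipient matches and is not
    covered by an exception, and the size condition holds (assumed semantics)."""
    if msg.size_bytes <= rule.min_size_bytes:
        return False
    if not any(_match(p, msg.sender) for p in rule.senders):
        return False
    for rcpt in msg.recipients:
        if any(_match(p, rcpt) for p in rule.recipients) and \
                not _excepted(rule, msg.sender, rcpt):
            return True
    return False


def apply_policy(rules: List[Rule], msg: Message) -> str:
    """First matching rule in list order wins; 'deliver' when none match."""
    for rule in rules:
        if rule_applies(rule, msg):
            return rule.action
    return "deliver"


# The rule built in the walkthrough above: internal domain on both sides,
# the web-form address excepted, messages above 1 KB, delete entire message.
ANTI_SPOOFING = Rule(
    name="anti-spoofing",
    senders=["*@trendmicro.dyndns.org"],
    recipients=["*@trendmicro.dyndns.org"],
    exceptions=[("info@trendmicro.dyndns.org", "info@trendmicro.dyndns.org")],
    min_size_bytes=1024,
    action="delete",
)
```

The last assertion in the test reproduces the caveat from the closing paragraph: an article-forwarding site that sets a user's own address as sender is treated exactly like a spoofed message.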

This is not good news!

Those were the words of David Rand (CTO Trend Micro) yesterday at the Trend Micro University. He showed us statistics of the amount of published malicious code in the first trimester. There has been an explosion; for a long time it was stable in 2007, but in 2008 the amount exploded. This causes the virus patterns to grow into very large files. Trend will bring a lot of new things in the following months; I can't say much about it because the information was only for partners and not for the world.

Trend Labs

Waiting on Schiphol

I am waiting at Schiphol to depart to Cork. The check-in has been automated these days, which is really nice. Just had some lunch and now I have to wait till 20:10, because boarding starts then. I read on the Xs4all site that if you are a member you can use KPN Hotspots for free. It doesn't go really fast, but for surfing the internet it's OK; at home I have a 20 Mbps connection, so compared with that it's slow 😉

I am very curious what Trend will present in Cork, and when I have some time I will publish it on my site. I don't think I can bring too much outside, but I will keep you informed.

I am back again

Like many other people, my website was also suffering from the KPN/Xs4all problems in the Netherlands. Since today everything is working fine, although the line is dropping sometimes, but maintenance will be done in a couple of days. Meanwhile the infrastructure behind the ADSL modem has been adjusted, because there was a cable in between which gave some issues. But the site is online again and that is the most important thing. I think the problems of last week have shown us how weak the network is and how dependent you really are nowadays. Tomorrow evening I will travel to Cork (Ireland) for the Trend Micro University. I really wonder what I will see there; when I have time I will put some info on my blog about it.