Antivirus Control of Email And Attachment Filtering
Kerio MailServer allows you to check all incoming and outgoing messages for viruses using an external antivirus program. The antivirus program must be installed on the same computer where Kerio MailServer is running. The antivirus program license must be the same as that of Kerio MailServer (the same number of users or a special server license).
The interface between Kerio MailServer and an antivirus program is a special module (there is one module for each antivirus program). The mailserver administrator must choose the module that matches the antivirus program used for scanning email messages. If the antivirus program is not installed on the computer or is not working correctly, Kerio MailServer will continue to work, but messages will not be scanned for viruses. An error report stating that the antivirus is not available will be written to the Error log.
Kerio MailServer is also distributed in a special version with integrated McAfee antivirus. The antivirus security settings in Kerio MailServer are slightly different in this version (see section Integrated McAfee AntiVirus). External McAfee AntiVirus is not supported by Kerio MailServer.
Besides cooperation with an antivirus program, Kerio MailServer allows you to filter certain file types from email attachments (using file extension or MIME type), regardless of whether they are infected by a virus or not.
Choosing a Module for an Antivirus Program
Parameters for antivirus control are set in the Configuration → Antivirus section, on the Antivirus tab. This tab is divided into two parts: the first lets you select the antivirus software and specify its settings, and the other contains details about the integrated McAfee engine.
- Do not use antivirus
- The Do not use antivirus option turns off antivirus protection.
- Use integrated McAfee antivirus engine
- This option turns on the integrated McAfee antivirus engine.
- Use external antivirus
- This menu shows the antivirus software used for email scanning. Use it to select the plugin for cooperation with external antivirus software. The antivirus software must be installed before a selection is made (we recommend stopping the MailServer Engine before the antivirus installation). The installed antivirus may not be run automatically. In such a case, use the Options button to specify advanced settings of the external antivirus program. Note: If the external Symantec Antivirus Scan Engine is selected, it is necessary to define the IP address and port of the computer used by the antivirus in the Options dialog box.
Supported antivirus programs
Kerio MailServer supports several external antivirus programs for Windows and Linux operating systems from different vendors (e.g. Eset Software, Grisoft, F-Secure, McAfee, Sophos, etc.). For the most current list of supported antivirus vendors refer to the Kerio Technologies website at http://www.kerio.com/.
Integrated McAfee Antivirus
Check Scan mail using McAfee Anti-virus engine in the Antivirus tab of the integrated version.
- Check for update every
- Interval (in hours) for automatic updates of the antivirus database and of the antivirus itself. Information about completed updates can be found in the Security log (see chapter Security). Note: Automatic updates require a working Internet connection. Automated dialing is not supported; for dial-up connections we recommend performing updates by hand (see below). Virus definition updates are downloaded via HTTP. If Kerio MailServer is behind a firewall, you must allow outbound communication over the appropriate TCP port (port 80 by default). Click Update now to start the update of the virus database and antivirus software manually. When this button is pressed, the update progress window is displayed. Information about updates can be found in the Security log (see chapter Security). Note: The update progress window can be closed at any time by pressing the OK button (it is not necessary to wait until the update is finished).
- Current virus database is xxx old
- Age of virus database (in minutes). This information represents the real age of the virus database, not the time elapsed from the last update attempt.
- Last update check performed xxx ago
- The time elapsed from the last successful update attempt. If the time is significantly (several times) greater than the interval set for automatic update, then the automatic updates are not working correctly. In this case we recommend updating the database manually and inspecting the Error log for an explanation of the failure.
- Virus database version...
- Version of the current virus database and antivirus program.
- Scanning engine version
- Current version of the antivirus engine.
Filtering Email Attachments
The attachment filter can be set in the Attachment Filter tab.
Figure 21. Attachment Filter tab
- Enable attachment filter
- Switches the attachment filter on or off.
- The list of filters
- Displays individual filters. To the left of each filter there is a checkbox that you can use to enable or disable the filter. Use these checkboxes to switch filters off without the need to remove them. After the Kerio MailServer installation, there is a list of several predefined filters. All filters are turned off and the administrator can choose to enable or remove them. This way, for example, executables (.com and .exe), Visual Basic scripts (.vbs), etc. can be filtered.
Use the Add button to add a new filter:
- Description
- Text description of defined filter.
- Filter type (MIME type/File name)
- Defines whether attachments will be filtered based on file name or MIME type (Multipurpose Internet Mail Extensions).
- Filename or filetype specification
- Enter either the file name (the asterisk convention can be used, e.g. *.exe to filter files with a certain extension) or the MIME type name (for example application/x-msdownload or application/*). You can also choose one of the pre-set or MIME types.
- Block the attachment...
- An action will be performed as defined in the Action tab (described below).
- Accept the attachment
- Attachments will not be removed from messages and no other rules will be applied.
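The following sketch shows how filename and MIME-type filters of the kind described above decide on the attachments of one message. It is an added example, not Kerio MailServer code; the rule tuple layout, top-to-bottom evaluation with the first enabled match deciding, and case-insensitive matching are assumptions, and the sample message is constructed.

```python
# Added illustration, not Kerio MailServer code. Assumed: rules are checked
# top to bottom, the first enabled match decides, matching ignores case.
from email import message_from_string
from fnmatch import fnmatchcase

# (enabled, filter type, pattern, action), mirroring the Add dialog fields.
RULES = [
    (True, "filename", "*.exe", "block"),
    (False, "filename", "*.com", "block"),  # listed but switched off
    (True, "mime", "application/x-msdownload", "block"),
]

# Constructed sample message (not real mail) with three attachments.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Report.EXE"

x
--XX
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="notes.txt"

x
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tool.com"

x
--XX--
"""

def decide(filename, mime_type, rules=RULES):
    """Return the action of the first enabled matching rule, else 'accept'."""
    for enabled, kind, pattern, action in rules:
        value = filename if kind == "filename" else mime_type
        if enabled and value and fnmatchcase(value.lower(), pattern.lower()):
            return action
    return "accept"

def scan(raw):
    """Map each attachment's file name to the filter decision."""
    msg = message_from_string(raw)
    return {p.get_filename(): decide(p.get_filename(), p.get_content_type())
            for p in msg.walk() if p.get_filename()}
```

Calling `scan(SAMPLE)` blocks `Report.EXE` through the filename rule and `notes.txt` through the MIME rule, while `tool.com` is accepted because its filter is present but switched off.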
MailServer's Behavior When a Virus or a Forbidden Attachment Is Found
The Kerio MailServer administrator can set a detailed course of action for the mailserver if a virus or a forbidden attachment is detected in an email. Use the Action tab to set this.
- Forward the message to the administrator address
- The message will be forwarded (as it is with the infected or forbidden attachment) to a defined email address, regardless of whether it is a local or an external address.
- Forward the filtered message to administrator address
- The message without an infected or prohibited attachment will be (apart from the actions selected below) forwarded to the specified email address as well. This can be used for verification of proper functionality of the antivirus and/or attachment filter.
- Deliver the message with the attachment removed
- The message will be delivered to the recipient but without the attachment. Instead, a server message will be attached saying that the attachment has been removed.
- Also send warning to sender
- A warning message will be sent to the message sender, informing them that they sent an infected or forbidden attachment.
- Only if sender is local
- The warning message will be sent only if the sender is a local user.
- Bounce the message to sender
- The message will be refused and will be returned to the sender (in its original form).
- Discard the message
- The message will be removed.
- If an attachment cannot be scanned ...
- This section defines the action to be taken if one or more files attached to a message cannot be scanned for any reason (e.g. password-protected archives):
  - Perform the action defined in the Action frame: the system will react the same way as when a virus is detected (i.e. the message will be delivered without any attachment or rejected). This option is safe, but sending password-protected archives is virtually impossible.
  - Allow the attachment to be delivered: the message (or attachment) will be delivered unchecked. In this case, it is recommended to enable the Append a warning to the message option (the user should be warned that the message may still contain viruses).
Note: Each message is evaluated first by an antispam system, then by antivirus. This saves CPU time, since the antispam check is considerably less demanding than the antivirus check. If the messages marked as spam are set to be discarded automatically (in the Spam filter section), all spam messages containing viruses will be discarded as well.
